To allow client Web browsers to make connections to security servers, Connection Server instances, remote desktops, and published applications, your firewalls must allow inbound traffic on certain TCP ports.

Horizon Client for Chrome connections must use HTTPS. HTTP connections are not allowed.

By default, when you install a Connection Server instance or security server, the VMware Horizon View Connection Server (Blast-In) rule is enabled in the Windows Firewall and the firewall is configured to allow inbound traffic to TCP port 8443.

Table 1. Firewall Rules for Client Browser Access

Source

Default Source Port

Protocol

Target

Default Target Port

Notes

Client Web browser

TCP Any

HTTPS

Security server or Connection Server instance

TCP 443

To make the initial connection, the Web browser on a client device connects to a security server or Connection Server instance on TCP port 443.

Client Web browser

TCP Any

HTTPS

Blast Secure Gateway

TCP 8443

After the initial connection is made, the Web browser on a client device connects to the Blast Secure Gateway on TCP port 8443. The Blast Secure Gateway must be enabled on a security server or Connection Server instance to allow this second connection to take place.

Blast Secure Gateway

TCP Any

HTTPS

HTML Access Agent

TCP 22443

If the Blast Secure Gateway is enabled, after the user selects a remote desktop or published application, the Blast Secure Gateway connects to the HTML Access Agent on TCP port 22443 on the remote desktop virtual machine or RDS host. This agent component is included when you install Horizon Agent.

Client Web browser

TCP Any

HTTPS

HTML Access Agent

TCP 22443

If the Blast Secure Gateway is not enabled, after the user selects a remote desktop or published application, the Web browser on a client device makes a direct connection to the HTML Access Agent on TCP port 22443 on the remote desktop virtual machine or RDS host. This agent component is included when you install Horizon Agent.