This page is a reference for all of the possible ports and protocols used for communication within a typical Horizon Cloud Service on Microsoft Azure deployment. Use these tables to ensure your network configuration and firewalls will allow the communication traffic that is required for a successful deployment and for day-to-day operations.

The specific ports and protocols required for your particular deployment will in part depend on which features you select to use for your Horizon Cloud Service on Microsoft Azure deployment. If you do not plan to use a specific component or protocol, then its required communication traffic is not necessary for your purposes, and you can ignore the ports associated with that component. As an example, if your end users will only use the Blast Extreme display protocol, then allowing the PCoIP ports is not a requirement.

Important: In addition to the ports and protocols described here, a Horizon Edge deployment and the corresponding day-to-day operations have specific DNS requirements. For details, see Make Appropriate Ports and URLs Reachable to Deploy a Horizon Edge Gateway in Microsoft Azure.

Ports and Protocols Required by Horizon Edge

When you activate Horizon Infrastructure Monitoring, Horizon Edge is deployed and configured in the associated subscription. The following table lists the ports and protocols that are needed during the activation process, which deploys the appliance and configures the manager VMs so that the appliance can collect the monitoring data it is designed to collect from those components. The table also lists the ports and protocols that are needed during steady-state operations, when the appliance collects that data.

Table 1.

| Source | Target | Ports | Protocols | Purpose |
|---|---|---|---|---|
| Horizon Edge | Unified Access Gateway VMs | 9443 | HTTPS | Used by the Edge VM over the Management subnet to configure settings in the Edge's Unified Access Gateway configuration. This port requirement applies when initially deploying a Unified Access Gateway configuration and when editing an Edge to add a Unified Access Gateway configuration or update settings for that Unified Access Gateway configuration. It is also used to monitor the session statistics from the UAG. |
| Horizon Edge | Domain controller | Kerberos: 88; LDAP: 389, 3268 | TCP, UDP | Used for registering your Horizon Cloud NextGen with the domain, for SSO login, and for periodic discovery of domain controllers. This port is required for LDAP services when LDAP will be specified in that workflow. LDAP is the default for most tenants. The target is the server that contains a domain controller role in the Active Directory configuration. |
| Horizon Edge | DNS server | 53 | TCP, UDP | DNS services. |
| Horizon Edge | *.blob.core.windows.net | 443 | TCP | Used for programmatic access to Azure Blob Storage and to upload the Edge logs as and when required. |
| Horizon Edge | horizonedgeprod.azurecr.io | 443 | TCP | Used to download the Docker images that create the modules the Edge requires for monitoring, SSO, UAG updates, and so on. |
| Horizon Edge | *.horizon.vmware.com | 443 | TCP | Used by the appliance to communicate with the cloud control plane, download configurations for the appliance's module, and update the runtime status of the appliance's module. Current concrete endpoints are: North America: edgehubprodna.azure-devices.net; Europe: edgehubprodeu.azure-devices.net; Australia: edgehubprodap.azure-devices.net; Japan: edgehubprodjp.azure-devices.net |
| Horizon Edge | vmwareprod.wavefront.com | 443 | TCP | Used for sending operation metrics to VMware Tanzu® Observability™ by Wavefront. VMware operators receive the data with which to support customers. Tanzu Observability is a streaming analytics platform. You can send your data to Tanzu Observability and view and interact with the data in custom dashboards. See the documentation for VMware Tanzu Observability by Wavefront. |
| Horizon Edge | *.horizon.vmware.com | 443 | TCP | Used to send events or metrics to Workspace ONE Intelligence for monitoring data. See Workspace ONE Intelligence. Current concrete endpoints are: eventproxy.na1.data.vmwservices.com; eventproxy.eu1.data.vmwservices.com; eventproxy.eu2.data.vmwservices.com; eventproxy.uk1.data.vmwservices.com; eventproxy.ca1.data.vmwservices.com; eventproxy.ap1.data.vmwservices.com; eventproxy.au1.data.vmwservices.com |
| Horizon Edge | login.microsoftonline.com | 443 | TCP | Generally used by applications to authenticate against the Microsoft Azure service. |
| Horizon Edge | management.azure.com | 443 | TCP | Used for Edge API requests to the Microsoft Azure Resource Manager endpoints for using Microsoft Azure Resource Manager services. Microsoft Azure Resource Manager provides a consistent management layer to perform tasks through Azure PowerShell, Azure CLI, Azure portal, REST API, and client SDKs. |
| Horizon Edge | *.horizon.vmware.com | 443 | TCP | Used by the appliance to communicate with the cloud control plane and for Day 2 operations. |
| Horizon Edge | NTP Server | 123 | UDP | NTP services. |
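
Several rows in Table 1 name `*.horizon.vmware.com` as the target while their current concrete endpoints sit under other domains, so an egress allowlist built from the Target column alone can leave those endpoints blocked. The following audit is an added example, not VMware code: the allowlist is constructed, the North America region is assumed, and the wildcard semantics (`*.` matches any subdomain but not the apex) are an assumption about how your firewall evaluates FQDN rules.

```python
# Added example: audit an egress FQDN allowlist against Table 1 (Horizon Edge).
# Hosts and ports are transcribed from the table; North America region assumed.
REQUIRED = [
    ("horizonedgeprod.azurecr.io", 443, "TCP"),
    ("vmwareprod.wavefront.com", 443, "TCP"),
    ("login.microsoftonline.com", 443, "TCP"),
    ("management.azure.com", 443, "TCP"),
    ("edgehubprodna.azure-devices.net", 443, "TCP"),
    ("eventproxy.na1.data.vmwservices.com", 443, "TCP"),
]

# Constructed allowlist: what you get by copying only the "Target" column.
TARGET_COLUMN_RULES = [
    ("*.horizon.vmware.com", 443, "TCP"),
    ("*.blob.core.windows.net", 443, "TCP"),
    ("horizonedgeprod.azurecr.io", 443, "TCP"),
    ("vmwareprod.wavefront.com", 443, "TCP"),
    ("login.microsoftonline.com", 443, "TCP"),
    ("management.azure.com", 443, "TCP"),
]


def host_matches(pattern, host):
    """Exact match, or '*.suffix' matching any subdomain (never the apex)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and len(host) > len(pattern) - 1
    return host == pattern


def uncovered(required, rules):
    """Return the required (host, port, protocol) flows that no rule allows."""
    missing = []
    for host, port, proto in required:
        allowed = any(
            host_matches(r_host, host) and r_port == port and r_proto == proto
            for r_host, r_port, r_proto in rules
        )
        if not allowed:
            missing.append((host, port, proto))
    return missing


if __name__ == "__main__":
    for host, port, proto in uncovered(REQUIRED, TARGET_COLUMN_RULES):
        print(f"NOT ALLOWED: {host}:{port}/{proto}")
```

Replace the `REQUIRED` entries with the endpoints for your own region and load the rules from your firewall export to run the same check against a real policy.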

Unified Access Gateway VM Ports and Protocols Requirements

In addition to the primary ports and protocols requirements listed in the table above, the ports and protocols in the following tables are related to the gateways that you have configured to operate for ongoing operations after deployment.

For connections configured with Unified Access Gateway instances, traffic must be allowed from the Unified Access Gateway instances to targets listed in the table below.

Table 2. Port Requirements for Traffic from Unified Access Gateway Instances

| Source | Target | Port | Protocol | Purpose |
|---|---|---|---|---|
| Unified Access Gateway | *.horizon.vmware.com | 53 or 443 on DMZ network | TCP, UDP | Unified Access Gateway needs to be able to resolve these addresses at any time or the user will not be able to launch the session, because the Unified Access Gateway fetches the JWK set from cloud-sg-<region>-r-<DC>.horizon.vmware.com. Current concrete endpoints are as follows: US: cloud.horizon.vmware.com, cloud-sg-us-r-westus2.horizon.vmware.com, cloud-sg-us-r-eastus2.horizon.vmware.com; EU: cloud.horizon.vmware.com, cloud-sg-eu-r-northeurope.horizon.vmware.com, cloud-sg-eu-r-germanywestcentral.horizon.vmware.com; JP: cloud.horizon.vmware.com, cloud-sg-jp-r-japaneast.horizon.vmware.com |
| Unified Access Gateway | Horizon agent in the desktop or farm RDSH VMs | 22443 | TCP, UDP | Blast Extreme. By default, when using Blast Extreme, client-drive redirection (CDR) traffic and USB traffic are side-channeled in this port. If preferred, the CDR traffic can be separated onto the TCP 9427 port and the USB redirection traffic can be separated onto the TCP 32111 port. |
| Unified Access Gateway | Horizon agent in the desktop or farm RDSH VMs | 9427 | TCP | Optional for CDR and multimedia redirection (MMR) traffic. |
| Unified Access Gateway | Horizon agent in the desktop or farm RDSH VMs | 32111 | TCP | Optional for USB redirection traffic. |
| Unified Access Gateway | NTP Server | 123 | UDP | NTP services. |

VDI Ports and Protocols Requirements

The following table provides the ports and protocols that are required for the Desktop (VDI) subnets configured in your environment.

Table 3. VDI Ports and Protocols Requirements

| Source | Target | Port | Protocol | Purpose |
|---|---|---|---|---|
| Desktop Subnet | *.horizon.vmware.com | 443 | TCP MQTT | For agent-related operations, such as certificate signing using VM Hub and renewal. Current concrete endpoints are: US: cloud-sg-us-r-westus2.horizon.vmware.com, cloud-sg-us-r-westus2-mqtt.horizon.vmware.com, cloud-sg-us-r-eastus2.horizon.vmware.com, cloud-sg-us-r-eastus2-mqtt.horizon.vmware.com; EU: cloud-sg-eu-r-northeurope.horizon.vmware.com, cloud-sg-eu-r-northeurope-mqtt.horizon.vmware.com, cloud-sg-eu-r-germanywestcentral.horizon.vmware.com, cloud-sg-eu-r-germanywestcentral-mqtt.horizon.vmware.com; JP: cloud-sg-jp-r-japaneast.horizon.vmware.com, cloud-sg-jp-r-japaneast-mqtt.horizon.vmware.com |
| Desktop Subnet | Domain controller | 88 | TCP, UDP | Kerberos services. The target is the server that contains a domain controller role in an Active Directory configuration. Registering the Edge with an Active Directory is a requirement. |
| Desktop Subnet | Domain controller | Kerberos: 88; LDAP: 389, 3268 | TCP, UDP | This port is required for LDAP services for VM to domain controller connectivity. If the VDI is unable to reach any domain controller, session launch is not possible. |
| Desktop Subnet | DNS Server | 53 | TCP, UDP | DNS services. |
| Desktop Subnet | NTP Server | 123 | UDP | NTP services. |
| Desktop Subnet | *.blob.core.windows.net | 443 | TCP, UDP | DCT log bundle upload. When a customer admin clicks DCT log collection for any VM, the bundle is uploaded from the VDI to blob storage after the request is processed, so that the bundle is available to download from the Horizon Universal Console. |
| Desktop Subnet | Horizon Edge | 31883 | TCP MQTT, UDP | Horizon agent running on the VM to MQTT running on the Edge. |
| Desktop Subnet | Horizon Edge | 32443 | TCP, UDP | Single sign-on. |
| Management Subnet | softwareupdate.vmware.com | 443 | TCP | VMware software package server. Used for downloading updates of the agent-related software used in the system's image-related operations. |

End-User Connection Traffic Ports and Protocols Requirements

For detailed information about the various Horizon Clients that your end users might use with your Horizon Edge Virtual Appliance, see the Horizon Client documentation page at https://docs.vmware.com/en/VMware-Horizon-Client/index.html. Which ports must be opened for traffic from the end users' connections to reach their virtual desktops and remote applications depends on the choice you make for how your end users will connect.

Table 4. End User Connection Traffic Ports and Protocols

| Source | Target | Port | Protocol | Purpose |
|---|---|---|---|---|
| Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 443 | TCP | To carry CDR, MMR, USB redirection, and tunneled RDP traffic. SSL (HTTPS access) is enabled by default for client connections. Port 80 (HTTP access) can be used in some cases. |
| Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 8443 or 443 | TCP | Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic from Horizon Client. |
| Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 443 | UDP | Blast Extreme via the Unified Access Gateway for data traffic. |
| Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 8443 | UDP | Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic (adaptive transport). |
| Browser | Microsoft Azure load balancer for these Unified Access Gateway instances | 443 | TCP | To carry CDR, MMR, USB redirection, and tunneled RDP traffic. SSL (HTTPS access) is enabled by default for client connections. Port 80 (HTTP access) can be used in some cases. |
| Browser | Microsoft Azure load balancer for these Unified Access Gateway instances | 8443 or 443 | TCP | Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic from the Horizon HTML Access client (web client). |
| Horizon Client/Browser | *.horizon.vmware.com | 443 | TCP | After login and listing of the launch items, when the customer clicks to launch a desktop, the protocol traffic is redirected to the UAG from one of these URLs, based on the customer org location selected at the time of onboarding. Current concrete endpoints are: cloud-sg-us-r-westus2.horizon.vmware.com; cloud-sg-us-r-eastus2.horizon.vmware.com; cloud-sg-eu-r-northeurope.horizon.vmware.com; cloud-sg-eu-r-germanywestcentral.horizon.vmware.com; cloud-sg-jp-r-japaneast.horizon.vmware.com |