This page is a reference for all of the possible ports and protocols used for communication within a typical Horizon Cloud Service on Microsoft Azure deployment in Horizon Cloud Service - next-gen. Use these tables to ensure your network configuration and firewalls will allow the communication traffic that is required for a successful deployment and for day-to-day operations.

The specific ports and protocols required for your particular deployment will in part depend on which features you select to use for your Horizon Cloud Service on Microsoft Azure deployment. If you do not plan to use a specific component or protocol, then its required communication traffic is not necessary for your purposes, and you can ignore the ports associated with that component. As an example, if your end users will only use the Blast Extreme display protocol, then allowing the PCoIP ports is not a requirement.

Important: In addition to the ports and protocols described here, a Horizon Edge deployment and the corresponding day-to-day operations have specific DNS requirements. For details, see Make Appropriate Destination URLs Reachable to Deploy a Horizon Edge Gateway in a Microsoft Azure Environment.

Ports and Protocols Required by Horizon Edge

When you activate Horizon Infrastructure Monitoring, Horizon Edge is deployed and configured in the associated subscription. The following table lists the ports and protocols that are needed during the activation process which deploys the appliance and configures the manager VMs so the appliance can collect the monitoring data it is designed to collect from those components. This table also lists the ports and protocols that are needed during steady-state operations of collecting the data the appliance is designed to collect.

Table 1.
Source Target Ports Protocols Purpose
Horizon Edge Unified Access Gateway VMs 9443 HTTPS This port is used by the Edge VM over the Management subnet to configure settings in the Edge's Unified Access Gateway configuration. This port requirement applies when initially deploying a Unified Access Gateway configuration and when editing an Edge to add a Unified Access Gateway configuration or update settings for thatUnified Access Gateway configuration also monitor the session statistics from the Unified Access Gateway.
Horizon Edge Domain controller

Kerberos: 88

LDAP: 389, 3268

LDAPS: 636, 3269

TCP

UDP

Registering your Horizon Cloud NextGen with Domain and for SSO login and periodic discovery of domain controllers.

These ports are required for LDAP or LDAPS services when LDAP/LDAPS will be specified in that workflow. LDAP is the default for most tenants.

Target is the server that contains a domain controller role in the Active Directory configuration.

Horizon Edge AD Certificate Services 135 and a port within the range of 49152 to 65535 RPC/TCP Connecting to the Microsoft Enterprise Certificate Authority (AD CS) to obtain short-lived certificates for True SSO. The Horizon Edge uses TCP port 135 for the initial RPC communication, then a port within the range 49152 - 65535 to communicate with AD CS (Azure Directory Certificate Services).
Horizon Edge DNS server 53 and 853 TCP

UDP

DNS services.
Horizon Edge *.file.core.windows.net 445 TCP Access to fileshares provisioned for the App Volumes workflows of importing packages and replicating the packages across fileshares.
Horizon Edge
  • *.blob.core.windows.net
  • *.blob.storage.azure.net
443 TCP Used for programmatic access to the Azure Blob Storage and to upload the Horizon Edge logs as and when required.

Used for downloading Docker images to create the required Horizon Edge modules, which are useful for monitoring, SSO, UAG updates, and such.

Horizon Edge horizonedgeprod.azurecr.io 443 TCP Used for authentication while downloading Docker images to create the required Horizon Edge modules, which are useful for monitoring, SSO, UAG updates, and such.
Horizon Edge *.azure-devices.net 443 TCP Appliance used to communicate with the cloud control plane, download configurations for the appliance's module, and update the appliance's module's runtime status. Current concrete endpoints are:

North America:

  • edgehubprodna.azure-devices.net

Europe:

  • edgehubprodeu.azure-devices.net

Japan:

  • edgehubprodjp.azure-devices.net
Horizon Edge vmwareprod.wavefront.com 443 TCP Used for sending operation metrics to VMware Tanzu Observability by Wavefront. VMware operators receive the data with which to support customers.

Tanzu Observability is a streaming analytics platform. You can send your data to Tanzu Observability and view and interact with the data in custom dashboards. See the documentation for VMware Tanzu Observability by Wavefront.

Horizon Edge *.data.vmwservices.com 443 TCP To send events or metrics to Workspace ONE Intelligence for monitoring data.

See Workspace ONE Intelligence.

Current concrete endpoints are:

  • eventproxy.na1.data.vmwservices.com
  • eventproxy.eu1.data.vmwservices.com
  • eventproxy.eu2.data.vmwservices.com
  • eventproxy.uk1.data.vmwservices.com
  • eventproxy.ca1.data.vmwservices.com
  • eventproxy.ap1.data.vmwservices.com
  • eventproxy.au1.data.vmwservices.com
  • eventproxy.in1.data.vmwservices.com
Horizon Edge login.microsoftonline.com 443 TCP Generally used by applications to authenticate against Microsoft Azure service.
Horizon Edge management.azure.com 443 TCP Used for Edge API requests to the Microsoft Azure Resource Manager endpoints for using Microsoft Azure Resource Manager services. Microsoft Azure Resource Manager provides a consistent management layer to perform tasks through Azure PowerShell, Azure CLI, Azure portal, REST API, and client SDKs.
Horizon Edge *.horizon.vmware.com

Region specific

US

  • cloud-sg-us-r-westus2.horizon.vmware.com
  • cloud-sg-us-r-eastus2.horizon.vmware.com
  • cloud-sg-us.horizon.vmware.com

EU

  • cloud-sg-eu-r-northeurope.horizon.vmware.com
  • cloud-sg-eu-r-germanywestcentral.horizon.vmware.com
  • cloud-sg-eu.horizon.vmware.com

JP

  • cloud-sg-jp-r-japaneast.horizon.vmware.com
  • cloud-sg-jp.horizon.vmware.com
443 TCP Appliance used to communicate with the cloud control plane and for Day2 operations.
Horizon Edge NTP Server 123 UDP NTP services

Unified Access Gateway VM Ports and Protocols Requirements

In addition to the primary ports and protocols requirements listed in the table above, the ports and protocols in the following tables are related to the gateways that you have configured to operate for ongoing operations after deployment.

For connections configured with Unified Access Gateway instances, traffic must be allowed from the Unified Access Gateway instances to targets listed in the table below.

Table 2. Port Requirements for Traffic from Unified Access Gateway Instances
Source Target Port Protocol Purpose
Unified Access Gateway *.horizon.vmware.com 53 or 443 on DMZ network TCP

UDP

Unified Access Gateway needs to be able to resolve these addresses at any time or the user will not be able to launch the session, because the Unified Access Gateway fetches the JWK set from:

cloud-sg-<region>-r-<DC>.horizon.vmware.com.

Current concrete endpoints are as follows:

  • US
    • cloud.horizon.vmware.com

      cloud-sg-us-r-westus2.horizon.vmware.com

      cloud-sg-us-r-eastus2.horizon.vmware.com

    • cloud.horizon.vmware.com

      cloud-sg-us-r-westus2.horizon.vmware.com

      cloud-sg-us-r-eastus2.horizon.vmware.com

  • EU
    • cloud.horizon.vmware.com

      cloud-sg-eu-r-northeurope.horizon.vmware.com cloud-sg-eu-r-germanywestcentral.horizon.vmware.com

  • JP
    • cloud.horizon.vmware.com

      cloud-sg-jp-r-japaneast.horizon.vmware.com

Unified Access Gateway Horizon agent in the desktop or farm RDSH VMs 22443 TCP

UDP

Blast Extreme

By default, when using Blast Extreme, client-drive redirection (CDR) traffic and USB traffic are side-channeled in this port. If preferred, the CDR traffic can be separated onto the TCP 9427 port and the USB redirection traffic can be separated onto the TCP 32111 port.

Unified Access Gateway Horizon agent in the desktop or farm RDSH VMs 9427 TCP Optional for CDR and multimedia redirection (MMR) traffic.
Unified Access Gateway Horizon agent in the desktop or farm RDSH VMs 32111 TCP Optional for USB redirection traffic.
Unified Access Gateway time.google.com 123 UDP NTP services
Unified Access Gateway *.blob.core.windows.net *.blob.storage.azure.net 443 TCP Used for programmatic access to the Azure Blob Storage to upload the Unified Access Gateway logs as and when required.

App Volumes Ports and Protocols

To support App Volumes features for use with Horizon Cloud Service on Microsoft Azure, you must configure port 445 for TCP protocol traffic to the tenant (desktops) subnet. Port 445 is the standard SMB port for accessing an SMB file share on Microsoft Windows. The AppStacks are stored in an SMB file share located in the same resource group as the pod manager VMs.

Table 3. Port Requirements for App Volumes
Source Target Port Protocol Purpose
App Volumes agent in the base imported VM, the golden images, desktop VMs, farm RDSH VMs *.file.core.windows.net 445 TCP App Volumes application virtualization on the VDI machines and application package capture on the VDI machines depend on access to the fileshares.

VDI Ports and Protocols Requirements

The following table provides the ports and protocols that are required for the desktop (VDI or tenant) subnets configured in your environment.

Table 4. VDI Ports and Protocols Requirements
Source Target Port Protocol Purpose
Desktop (tenant) Subnet *.horizon.vmware.com 443 TCP MQTT For agent-related operations, such as certificate signing using VM Hub and renewal. Current concrete endpoints are:

US:

  • cloud-sg-us-r-westus2.horizon.vmware.com
  • cloud-sg-us-r-westus2-mqtt.horizon.vmware.com
  • cloud-sg-us-r-eastus2.horizon.vmware.com
  • cloud-sg-us-r-eastus2-mqtt.horizon.vmware.com

EU:

  • cloud-sg-eu-r-northeurope.horizon.vmware.com
  • cloud-sg-eu-r-northeurope-mqtt.horizon.vmware.com
  • cloud-sg-eu-r-germanywestcentral.horizon.vmware.com
  • cloud-sg-eu-r-germanywestcentral-mqtt.horizon.vmware.com

JP:

  • cloud-sg-jp-r-japaneast.horizon.vmware.com
  • cloud-sg-jp-r-japaneast-mqtt.horizon.vmware.com
Desktop (tenant) Subnet Domain controller 88 TCP

UDP

Kerberos services. The target is the server that contains a domain controller role in an Active Directory configuration. Registering the Edge an Active Directory is a requirement.
Desktop (tenant) Subnet Domain controller

Kerberos: 88

LDAP: 389, 3268

LDAPS: 636, 3269

TCP

UDP

These ports are required for LDAP or LDAPS services for VM to domain controller connectivity, in case the VDI is unable to reach any domain controller, then session launch is not possible.
Desktop (tenant) Subnet DNS Server 53 and 853 TCP

UDP

DNS Services
Desktop (tenant) Subnet NTP Server 123 UDP NTP services
Desktop (tenant) Subnet *.blob.core.windows.net 443 TCP DCT log bundle upload. When a customer admin clicks on the DCT log collection for any VM after request processing, the bundle will be uploaded from VDI to blob to make that bundle available to download from the Horizon Universal Console.
Desktop (tenant) Subnet Horizon Edge 31883 TCP MQTT

UDP

Horizon agent running on VM to MQTT running on Edge.
Desktop (tenant) Subnet Horizon Edge 32443 TCP Single Sign-On when the format of your Microsoft Azure Edge is Edge Gateway (VM).
Desktop (tenant) Subnet Horizon Edge 443 TCP Single Sign-On when the format of your Microsoft Azure Edge is Edge Gateway (AKS).
Desktop (tenant) Subnet and Management Subnet softwareupdate.vmware.com 443 TCP VMware software package server. Used for downloading updates of the agent-related software used in the system's image-related operations and automated agent update process.
Desktop (tenant) Subnet Private Link Endpoint 443 TCP Desktop connectivity to the connection service in the cloud control plane.
Desktop (tenant) Subnet and Management Subnet AD Certificate Services 135 and 445 and a port within the range of 49152 to 6553 RPC/TCP To add desktops to domain.

End-User Connection Traffic Ports and Protocols Requirements

For detailed information about the various Horizon Clients that your end users might use with your Horizon Edge Virtual Appliance, see the Horizon Client documentation page at https://docs.vmware.com/en/VMware-Horizon-Client/index.html. Which ports must be opened for traffic from the end users' connections to reach their virtual desktops and remote applications depends on the choice you make for how your end users will connect.

Table 5. End User Connection Traffic Ports and Protocols
Source Target Port Protocol Purpose
Horizon Client Microsoft Azure load balancer for these Unified Access Gateway instances 443 TCP To carry CDR, MMR, USB redirection, and tunneled RDP traffic.

SSL (HTTPS access) is enabled by default for client connections. Port 80 (HTTP access) can be used in some cases.

Horizon Client Microsoft Azure load balancer for these Unified Access Gateway instances 8443 or 443 TCP Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic from as Horizon Client.
Horizon Client Microsoft Azure load balancer for these Unified Access Gateway instances 443 UDP Blast Extreme via the Unified Access Gateway for data traffic.
Horizon Client Microsoft Azure load balancer for these Unified Access Gateway instances 8443 UDP Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic (adaptive transport).
Browser Microsoft Azure load balancer for these Unified Access Gateway instances 443 TCP To carry CDR, MMR, USB redirection, and tunneled RDP traffic.

SSL (HTTPS access) is enabled by default for client connections. Port 80 (HTTP access) can be used in some cases.

Browser Microsoft Azure load balancer for these Unified Access Gateway instances 8443 or 443 TCP Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic from the Horizon HTML Access client (web client).
Horizon Client/Browser *.horizon.vmware.com 443 TCP After login and listing the launch items, when the customer clicks to launch desktop the redirection of the protocol traffic to Unified Access Gateway happens from one of these URLs based on the customer org location selected at the time of onboarding. Current concrete endpoints are:
  • cloud-sg-us-r-westus2.horizon.vmware.com
  • cloud-sg-us-r-eastus2.horizon.vmware.com
  • cloud-sg-eu-r-northeurope.horizon.vmware.com
  • cloud-sg-eu-r-germanywestcentral.horizon.vmware.com
  • cloud-sg-jp-r-japaneast.horizon.vmware.com