This page is a reference for all of the possible ports and protocols used for communication within a typical Horizon Cloud Service on Microsoft Azure deployment. Use these tables to ensure your network configuration and firewalls will allow the communication traffic that is required for a successful deployment and for day-to-day operations.
The specific ports and protocols required for your particular deployment will in part depend on which features you select to use for your Horizon Cloud Service on Microsoft Azure deployment. If you do not plan to use a specific component or protocol, then its required communication traffic is not necessary for your purposes, and you can ignore the ports associated with that component. As an example, if your end users will only use the Blast Extreme display protocol, then allowing the PCoIP ports is not a requirement.
Ports and Protocols Required by Horizon Edge
When you activate Horizon Infrastructure Monitoring, Horizon Edge is deployed and configured in the associated subscription. The following table lists the ports and protocols needed during activation, when the appliance is deployed and the manager VMs are configured so that the appliance can collect monitoring data from those components, and during steady-state operation, when the appliance collects that data.
Source | Target | Ports | Protocols | Purpose |
---|---|---|---|---|
Horizon Edge | Unified Access Gateway VMs | 9443 | HTTPS | Used by the Edge VM over the Management subnet to configure settings in the Edge's Unified Access Gateway configuration. Required when initially deploying a Unified Access Gateway configuration, when editing an Edge to add a Unified Access Gateway configuration or update its settings, and when collecting session statistics from the Unified Access Gateway. |
Horizon Edge | Domain controller | Kerberos: 88; LDAP: 389, 3268 | TCP UDP | Registering your Horizon Cloud NextGen Edge with the domain, SSO login, and periodic discovery of domain controllers. The LDAP ports are required when LDAP is selected in that workflow; LDAP is the default for most tenants. The target is the server that holds a domain controller role in the Active Directory configuration. |
Horizon Edge | DNS server | 53 | TCP UDP | DNS services. |
Horizon Edge | *.blob.core.windows.net | 443 | TCP | Programmatic access to Azure Blob Storage, used to upload Edge logs when required. |
Horizon Edge | horizonedgeprod.azurecr.io | 443 | TCP | Download of the Docker images from which the Edge modules (monitoring, SSO, UAG updates, and so on) are created. |
Horizon Edge | *.horizon.vmware.com | 443 | TCP | Used by the appliance to communicate with the cloud control plane, download configuration for the appliance's modules, and report the modules' runtime status. Current concrete endpoints are listed per region: North America, Europe, Australia, Japan. |
Horizon Edge | vmwareprod.wavefront.com | 443 | TCP | Sends operational metrics to VMware Tanzu® Observability™ by Wavefront, which VMware operators use to support customers. Tanzu Observability is a streaming analytics platform: you can send your data to it and view and interact with the data in custom dashboards. See the documentation for VMware Tanzu Observability by Wavefront. |
Horizon Edge | *.horizon.vmware.com | 443 | TCP | Sends events and metrics to Workspace ONE Intelligence for monitoring. See Workspace ONE Intelligence. Current concrete endpoints are: |
Horizon Edge | login.microsoftonline.com | 443 | TCP | Azure AD authentication endpoint, used by the Edge to authenticate to Microsoft Azure services. |
Horizon Edge | management.azure.com | 443 | TCP | Edge API requests to the Azure Resource Manager endpoint. Azure Resource Manager is the management layer behind Azure PowerShell, Azure CLI, the Azure portal, the REST API, and the client SDKs. |
Horizon Edge | *.horizon.vmware.com | 443 | TCP | Used by the appliance to communicate with the cloud control plane for Day 2 operations. |
Horizon Edge | NTP Server | 123 | UDP | NTP services |
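The table above is only useful if the Edge VM can actually reach those targets once your NSGs, route tables and on-premises firewalls are in place. The following script, added here as an example and not part of VMware's documentation or code, encodes the Edge egress rows and checks from the host it runs on that each target resolves and that each TCP port accepts a connection. The host names dc01.corp.example, dns01.corp.example, ntp01.corp.example and uag01.mgmt.example are assumed placeholders for your own domain controller, DNS, NTP and Unified Access Gateway addresses; wildcard targets are skipped unless you pass a concrete host through the `concrete` mapping, because the regional endpoints are not reproduced on this page. UDP rows (Kerberos, DNS, NTP) have no handshake to probe, so they are reported as resolved-only.

```python
"""Egress self-check for a Horizon Edge VM (added example, not VMware code)."""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    target: str
    port: int
    proto: str              # "TCP" or "UDP"
    purpose: str
    optional: bool = False  # True when the row applies only to some deployments


# Rows from the "Ports and Protocols Required by Horizon Edge" table.
# dc01/dns01/ntp01/uag01 are assumed placeholders; substitute your own hosts.
EDGE_EGRESS: List[Flow] = [
    Flow("dc01.corp.example", 88, "TCP", "Kerberos to domain controller"),
    Flow("dc01.corp.example", 88, "UDP", "Kerberos to domain controller"),
    Flow("dc01.corp.example", 389, "TCP", "LDAP to domain controller"),
    Flow("dc01.corp.example", 3268, "TCP", "LDAP to global catalog"),
    Flow("dns01.corp.example", 53, "TCP", "DNS"),
    Flow("dns01.corp.example", 53, "UDP", "DNS"),
    Flow("*.blob.core.windows.net", 443, "TCP", "Edge log upload to Blob Storage"),
    Flow("horizonedgeprod.azurecr.io", 443, "TCP", "Edge module images"),
    Flow("*.horizon.vmware.com", 443, "TCP", "Cloud control plane"),
    Flow("vmwareprod.wavefront.com", 443, "TCP", "Operational metrics"),
    Flow("login.microsoftonline.com", 443, "TCP", "Azure authentication"),
    Flow("management.azure.com", 443, "TCP", "Azure Resource Manager"),
    Flow("ntp01.corp.example", 123, "UDP", "NTP"),
    Flow("uag01.mgmt.example", 9443, "TCP", "UAG management", optional=True),
]

Resolver = Callable[[str], bool]
Prober = Callable[[str, int], bool]
Result = Tuple[Flow, str, str]  # (flow, status, detail)


def default_resolver(host: str) -> bool:
    """True when the local resolver can answer for host."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def default_tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """True when a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_flows(flows: Iterable[Flow], resolver: Resolver = default_resolver,
                probe: Prober = default_tcp_probe,
                concrete: Optional[Dict[str, str]] = None) -> List[Result]:
    """Check every flow; wildcard targets need a concrete host via `concrete`."""
    concrete = concrete or {}
    results: List[Result] = []
    for flow in flows:
        host = concrete.get(flow.target, flow.target)
        if host.startswith("*."):
            results.append((flow, "SKIP", "wildcard target; pass a concrete host in `concrete`"))
        elif not resolver(host):
            results.append((flow, "FAIL", f"{host} does not resolve"))
        elif flow.proto != "TCP":
            # UDP has no handshake to probe; name resolution is all we can confirm.
            results.append((flow, "UNVERIFIED", f"{host}:{flow.port}/UDP resolved only"))
        elif probe(host, flow.port):
            results.append((flow, "PASS", f"{host}:{flow.port}/TCP"))
        else:
            results.append((flow, "FAIL", f"{host}:{flow.port}/TCP refused or timed out"))
    return results


def blocking_failures(results: Iterable[Result]) -> List[Result]:
    """Failures on rows that are not marked optional."""
    return [r for r in results if r[1] == "FAIL" and not r[0].optional]


if __name__ == "__main__":
    report = check_flows(EDGE_EGRESS)
    for flow, status, detail in report:
        print(f"{status:10} {flow.purpose:32} {detail}")
    raise SystemExit(1 if blocking_failures(report) else 0)
```

Run it on the Edge VM (or any VM on the Management subnet with the same NSG and route table) before activating monitoring; a non-zero exit means a non-optional row is blocked. The same flow list pattern applies to the Unified Access Gateway and desktop subnet tables below.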
Unified Access Gateway VM Ports and Protocols Requirements
In addition to the ports and protocols listed in the table above, the following tables list the ports and protocols used by the gateways you have configured, for ongoing operations after deployment.
For connections configured with Unified Access Gateway instances, traffic must be allowed from the Unified Access Gateway instances to targets listed in the table below.
Source | Target | Port | Protocol | Purpose |
---|---|---|---|---|
Unified Access Gateway | *.horizon.vmware.com | 53 or 443 on the DMZ network | TCP UDP | The Unified Access Gateway must be able to resolve and reach these hosts at all times, otherwise users cannot launch sessions, because the Unified Access Gateway fetches the JSON Web Key (JWK) set from cloud-sg-<region>-r-<DC>.horizon.vmware.com. Port 53 covers the DNS lookup of these names and port 443 the HTTPS fetch. Current concrete endpoints are: |
Unified Access Gateway | Horizon agent in the desktop or farm RDSH VMs | 22443 | TCP UDP | Blast Extreme. By default, client-drive redirection (CDR) traffic and USB redirection traffic are side-channeled over this port. If preferred, CDR traffic can be separated onto TCP 9427 and USB redirection traffic onto TCP 32111. |
Unified Access Gateway | Horizon agent in the desktop or farm RDSH VMs | 9427 | TCP | Optional for CDR and multimedia redirection (MMR) traffic. |
Unified Access Gateway | Horizon agent in the desktop or farm RDSH VMs | 32111 | TCP | Optional for USB redirection traffic. |
Unified Access Gateway | NTP Server | 123 | UDP | NTP services |
VDI Ports and Protocols Requirements
The following table provides the ports and protocols that are required for the Desktop (VDI) subnets configured in your environment.
Source | Target | Port | Protocol | Purpose |
---|---|---|---|---|
Desktop Subnet | *.horizon.vmware.com | 443 | TCP MQTT | Agent-related operations, such as certificate signing and renewal through VM Hub. Current concrete endpoints are listed per region: US, EU, JP. |
Desktop Subnet | Domain controller | 88 | TCP UDP | Kerberos services. The target is the server that holds a domain controller role in the Active Directory configuration. Registering the Edge with an Active Directory domain is a requirement. |
Desktop Subnet | Domain controller | Kerberos: 88; LDAP: 389, 3268 | TCP UDP | LDAP services for VM-to-domain-controller connectivity. If a VDI VM cannot reach any domain controller, session launch is not possible. |
Desktop Subnet | DNS Server | 53 | TCP UDP | DNS services. |
Desktop Subnet | NTP Server | 123 | UDP | NTP services |
Desktop Subnet | *.blob.core.windows.net | 443 | TCP UDP | DCT log bundle upload. When a customer admin requests DCT log collection for a VM, the bundle is uploaded from the VDI VM to Blob Storage after the request is processed, so that it can be downloaded from the Horizon Universal Console. |
Desktop Subnet | Horizon Edge | 31883 | TCP UDP (MQTT) | Horizon agent on the VM to the MQTT broker on the Edge. |
Desktop Subnet | Horizon Edge | 32443 | TCP UDP | Single sign-on. |
Management Subnet | softwareupdate.vmware.com | 443 | TCP | VMware software package server. Used for downloading updates of the agent-related software used in the system's image-related operations. |
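Turning the VDI table into an Azure network security group is less direct than it looks, because NSG rules match on IP prefixes and service tags, not on DNS names: the *.horizon.vmware.com and softwareupdate.vmware.com rows cannot be expressed as NSG rules at all and need an FQDN allow-list on an Azure Firewall or explicit proxy, while *.blob.core.windows.net can be covered by the Storage service tag. The script below, an added example rather than VMware's own code or tooling, encodes the table rows, emits the rules that an NSG can express in the ARM securityRules shape, and returns the FQDN rows separately. The subnet, Edge VM, domain controller, DNS and NTP prefixes are assumed placeholders for your deployment, and the lock-down option (an explicit Deny to Internet at priority 4000, which still precedes the built-in AllowInternetOutBound rule at 65001) is a hardening choice this page does not mandate.

```python
"""Azure NSG outbound rules for the desktop (VDI) subnet (added example, not VMware code)."""
import json
import re
from typing import Dict, List, Tuple

# Assumed placeholder prefixes; replace with the values from your deployment.
DESKTOP_SUBNET = "10.1.2.0/24"
MANAGEMENT_SUBNET = "10.1.1.0/24"
EDGE_VM = "10.1.1.4/32"
DOMAIN_CONTROLLERS = "10.1.10.0/27"
DNS_SERVERS = "10.1.10.0/27"
NTP_SERVERS = "10.1.10.0/27"

# Azure service tags that cover the Microsoft-hosted targets in the table.
SERVICE_TAGS: Dict[str, str] = {"*.blob.core.windows.net": "Storage"}

# (source, target, port, protocols, purpose) rows from the VDI table.
DESKTOP_ROWS = [
    (DESKTOP_SUBNET, "*.horizon.vmware.com", "443", ("Tcp",), "Agent control plane and VM Hub"),
    (DESKTOP_SUBNET, DOMAIN_CONTROLLERS, "88", ("Tcp", "Udp"), "Kerberos"),
    (DESKTOP_SUBNET, DOMAIN_CONTROLLERS, "389", ("Tcp", "Udp"), "LDAP"),
    (DESKTOP_SUBNET, DOMAIN_CONTROLLERS, "3268", ("Tcp", "Udp"), "LDAP global catalog"),
    (DESKTOP_SUBNET, DNS_SERVERS, "53", ("Tcp", "Udp"), "DNS"),
    (DESKTOP_SUBNET, NTP_SERVERS, "123", ("Udp",), "NTP"),
    (DESKTOP_SUBNET, "*.blob.core.windows.net", "443", ("Tcp", "Udp"), "DCT log bundle upload"),
    (DESKTOP_SUBNET, EDGE_VM, "31883", ("Tcp", "Udp"), "Horizon agent to Edge MQTT"),
    (DESKTOP_SUBNET, EDGE_VM, "32443", ("Tcp", "Udp"), "Single sign-on"),
    (MANAGEMENT_SUBNET, "softwareupdate.vmware.com", "443", ("Tcp",), "Agent software updates"),
]

Rule = Dict[str, object]


def is_dns_name(target: str) -> bool:
    """True for a host name or wildcard, False for an IP prefix."""
    return not re.fullmatch(r"[0-9./]+", target)


def slug(text: str) -> str:
    return re.sub(r"[^a-z0-9]+", "-", text.lower()).strip("-")


def make_rule(name: str, priority: int, access: str, proto: str, src: str,
              dest: str, port: str, desc: str) -> Rule:
    """One entry in the ARM networkSecurityGroups/securityRules shape."""
    return {"name": name, "properties": {
        "priority": priority, "direction": "Outbound", "access": access,
        "protocol": proto, "sourceAddressPrefix": src, "sourcePortRange": "*",
        "destinationAddressPrefix": dest, "destinationPortRange": port,
        "description": desc}}


def build_rules(rows, start_priority: int = 200,
                lock_down_internet: bool = True) -> Tuple[List[Rule], List[Dict[str, str]]]:
    """Return (NSG rules, FQDN rows that need a firewall or proxy instead)."""
    nsg: List[Rule] = []
    fqdn: List[Dict[str, str]] = []
    priority = start_priority
    for src, target, port, protos, purpose in rows:
        if target in SERVICE_TAGS:
            dest = SERVICE_TAGS[target]
        elif is_dns_name(target):
            fqdn.append({"source": src, "fqdn": target, "port": port, "purpose": purpose})
            continue
        else:
            dest = target
        proto = "*" if {"Tcp", "Udp"} <= set(protos) else protos[0]
        nsg.append(make_rule(f"allow-{slug(purpose)}-{port}", priority, "Allow",
                             proto, src, dest, port, purpose))
        priority += 10
    if lock_down_internet:
        # The NSG cannot see the host name: allow HTTPS to Internet from each
        # source that has FQDN rows, and enforce the host list on the firewall
        # or proxy the traffic is routed through.
        for src in sorted({f["source"] for f in fqdn}):
            hosts = ", ".join(sorted(f["fqdn"] for f in fqdn if f["source"] == src))
            nsg.append(make_rule(f"allow-https-internet-from-{slug(src)}", priority, "Allow",
                                 "Tcp", src, "Internet", "443", f"Enforce {hosts} on the firewall"))
            priority += 10
        # Lower number wins; 4000 still precedes the default AllowInternetOutBound (65001).
        nsg.append(make_rule("deny-internet-outbound", 4000, "Deny", "*", "VirtualNetwork",
                             "Internet", "*", "Block everything not explicitly allowed above"))
    return nsg, fqdn


def to_arm_json(rules: List[Rule]) -> str:
    return json.dumps({"securityRules": rules}, indent=2)


if __name__ == "__main__":
    nsg_rules, fqdn_rows = build_rules(DESKTOP_ROWS)
    print(to_arm_json(nsg_rules))
    for row in fqdn_rows:
        print(f"firewall FQDN rule needed: {row['source']} -> {row['fqdn']}:{row['port']} ({row['purpose']})")
```

The FQDN rows printed at the end are the ones a reviewer should look for in the firewall or proxy policy; an NSG that merely allows 443 to Internet does not restrict the desktop VMs to the Horizon endpoints, it only keeps the Deny rule from breaking them.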
End-User Connection Traffic Ports and Protocols Requirements
For detailed information about the various Horizon Clients that your end users might use with your Horizon Edge Virtual Appliance, see the Horizon Client documentation page at https://docs.vmware.com/en/VMware-Horizon-Client/index.html. Which ports must be opened for traffic from the end users' connections to reach their virtual desktops and remote applications depends on the choice you make for how your end users will connect.
Source | Target | Port | Protocol | Purpose |
---|---|---|---|---|
Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 443 | TCP | To carry CDR, MMR, USB redirection, and tunneled RDP traffic. SSL (HTTPS access) is enabled by default for client connections. Port 80 (HTTP access) can be used in some cases. |
Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 8443 or 443 | TCP | Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic from a Horizon Client. |
Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 443 | UDP | Blast Extreme via the Unified Access Gateway for data traffic. |
Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 8443 | UDP | Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic (adaptive transport). |
Browser | Microsoft Azure load balancer for these Unified Access Gateway instances | 443 | TCP | To carry CDR, MMR, USB redirection, and tunneled RDP traffic. SSL (HTTPS access) is enabled by default for client connections. Port 80 (HTTP access) can be used in some cases. |
Browser | Microsoft Azure load balancer for these Unified Access Gateway instances | 8443 or 443 | TCP | Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic from the Horizon HTML Access client (web client). |
Horizon Client/Browser | *.horizon.vmware.com | 443 | TCP | After login and listing of the launch items, when the user launches a desktop, the protocol traffic is redirected to the Unified Access Gateway from one of these URLs, chosen by the customer org location selected during onboarding. Current concrete endpoints are: |