This page is a reference for all of the possible ports and protocols used for communication within a typical Horizon Cloud Service on Microsoft Azure deployment. Use these tables to ensure your network configuration and firewalls will allow the communication traffic that is required for a successful deployment and for day-to-day operations.
The specific ports and protocols required for your particular deployment will in part depend on which features you select to use for your Horizon Cloud Service on Microsoft Azure deployment. If you do not plan to use a specific component or protocol, then its required communication traffic is not necessary for your purposes, and you can ignore the ports associated with that component. As an example, if your end users will only use the Blast Extreme display protocol, then allowing the PCoIP ports is not a requirement.
Ports and Protocols Required by Horizon Edge
When you activate Horizon Infrastructure Monitoring, Horizon Edge is deployed and configured in the associated subscription. The following table lists the ports and protocols needed during the activation process, which deploys the appliance and configures the manager VMs so that the appliance can collect monitoring data from those components. The same table also lists the ports and protocols needed during steady-state operations, when the appliance collects the data it is designed to collect.
Source | Target | Ports | Protocols | Purpose |
---|---|---|---|---|
Horizon Edge | Unified Access Gateway VMs | 9443 | HTTPS | This port is used by the Edge VM over the Management subnet to configure settings in the Edge's Unified Access Gateway configuration. It is needed when initially deploying a Unified Access Gateway configuration, when editing an Edge to add a Unified Access Gateway configuration or update that configuration's settings, and for monitoring the session statistics from the UAG. |
Horizon Edge | Domain controller | Kerberos: 88; LDAP: 389, 3268; LDAPS: 636, 3269 | TCP, UDP | Registering your Horizon Cloud NextGen tenant with the domain, SSO login, and periodic discovery of domain controllers. These ports are required for LDAP or LDAPS services when LDAP/LDAPS is specified in that workflow. LDAP is the default for most tenants. The target is the server that holds a domain controller role in the Active Directory configuration. |
Horizon Edge | AD Certificate Services | 135 and a port within the range 49152 to 65535 | RPC/TCP | Connecting to the Microsoft Enterprise Certificate Authority (AD CS) to obtain short-lived certificates for True SSO. The Horizon Edge uses TCP port 135 for the initial RPC communication, then a port within the range 49152 to 65535 to communicate with AD CS (Active Directory Certificate Services). |
Horizon Edge | DNS server | 53 and 853 | TCP, UDP | DNS services. |
Horizon Edge | *.file.core.windows.net | 445 | TCP | Access to fileshares provisioned for the App Volumes workflows of importing packages and replicating the packages across fileshares. |
Horizon Edge | | 443 | TCP | Used for programmatic access to Azure Blob Storage and to upload the Horizon Edge logs when required. Also used for downloading Docker images to create the required Horizon Edge modules, which provide monitoring, SSO, UAG updates, and similar functions. |
Horizon Edge | horizonedgeprod.azurecr.io | 443 | TCP | Used for authentication while downloading Docker images to create the required Horizon Edge modules, which are useful for monitoring, SSO, UAG updates, and such. |
Horizon Edge | *.azure-devices.net | 443 | TCP | The appliance uses this to communicate with the cloud control plane, download configurations for the appliance's modules, and update the runtime status of the appliance's modules. Current concrete endpoints are: North America: / Europe: / Japan: |
Horizon Edge | vmwareprod.wavefront.com | 443 | TCP | Used for sending operation metrics to VMware Tanzu® Observability™ by Wavefront. VMware operators receive the data with which to support customers. Tanzu Observability is a streaming analytics platform: you can send your data to Tanzu Observability and view and interact with it in custom dashboards. See the documentation for VMware Tanzu Observability by Wavefront. |
Horizon Edge | *.data.vmwservices.com | 443 | TCP | To send events or metrics to Workspace ONE Intelligence for monitoring data. See Workspace ONE Intelligence. Current concrete endpoints are: |
Horizon Edge | login.microsoftonline.com | 443 | TCP | Generally used by applications to authenticate against Microsoft Azure service. |
Horizon Edge | management.azure.com | 443 | TCP | Used for Edge API requests to the Microsoft Azure Resource Manager endpoints for using Microsoft Azure Resource Manager services. Microsoft Azure Resource Manager provides a consistent management layer to perform tasks through Azure PowerShell, Azure CLI, Azure portal, REST API, and client SDKs. |
Horizon Edge | *.horizon.vmware.com (region specific: US / EU / JP) | 443 | TCP | The appliance uses this to communicate with the cloud control plane and for Day 2 operations. |
Horizon Edge | NTP Server | 123 | UDP | NTP services |
Unified Access Gateway VM Ports and Protocols Requirements
In addition to the primary ports and protocols listed in the table above, the ports and protocols in the following tables apply to the gateways you have configured and cover ongoing operations after deployment.
For connections configured with Unified Access Gateway instances, traffic must be allowed from the Unified Access Gateway instances to targets listed in the table below.
Source | Target | Port | Protocol | Purpose |
---|---|---|---|---|
Unified Access Gateway | *.horizon.vmware.com | 53 or 443 on the DMZ network | TCP, UDP | Unified Access Gateway must be able to resolve these addresses at any time, otherwise the user will not be able to launch the session, because the Unified Access Gateway fetches the JWK set from cloud-sg-<region>-r-<DC>.horizon.vmware.com. Current concrete endpoints are as follows: |
Unified Access Gateway | Horizon agent in the desktop or farm RDSH VMs | 22443 | TCP, UDP | Blast Extreme. By default, when using Blast Extreme, client-drive redirection (CDR) traffic and USB traffic are side-channeled on this port. If preferred, the CDR traffic can be separated onto TCP port 9427 and the USB redirection traffic onto TCP port 32111. |
Unified Access Gateway | Horizon agent in the desktop or farm RDSH VMs | 9427 | TCP | Optional for CDR and multimedia redirection (MMR) traffic. |
Unified Access Gateway | Horizon agent in the desktop or farm RDSH VMs | 32111 | TCP | Optional for USB redirection traffic. |
Unified Access Gateway | NTP Server | 123 | UDP | NTP services |
App Volumes Ports and Protocols
To support App Volumes features for use with Horizon Cloud Service on Microsoft Azure, you must configure port 445 for TCP protocol traffic to the tenant (desktops) subnet. Port 445 is the standard SMB port for accessing an SMB file share on Microsoft Windows. The AppStacks are stored in an SMB file share located in the same resource group as the pod manager VMs.
Source | Target | Port | Protocol | Purpose |
---|---|---|---|---|
App Volumes agent in the base imported VM, the golden images, desktop VMs, farm RDSH VMs | *.file.core.windows.net | 445 | TCP | App Volumes application virtualization on the VDI machines and application package capture on the VDI machines depend on access to the fileshares. |
VDI Ports and Protocols Requirements
The following table provides the ports and protocols that are required for the desktop (VDI or tenant) subnets configured in your environment.
Source | Target | Port | Protocol | Purpose |
---|---|---|---|---|
Desktop (tenant) Subnet | *.horizon.vmware.com | 443 | TCP, MQTT | For agent-related operations, such as certificate signing and renewal using VM Hub. Current concrete endpoints are: US: / EU: / JP: |
Desktop (tenant) Subnet | Domain controller | 88 | TCP, UDP | Kerberos services. The target is the server that holds a domain controller role in an Active Directory configuration. Registering the Edge with an Active Directory domain is a requirement. |
Desktop (tenant) Subnet | Domain controller | Kerberos: 88; LDAP: 389, 3268; LDAPS: 636, 3269 | TCP, UDP | These ports are required for LDAP or LDAPS services for VM-to-domain-controller connectivity. If the VDI machine cannot reach any domain controller, session launch is not possible. |
Desktop (tenant) Subnet | DNS Server | 53 and 853 | TCP, UDP | DNS services. |
Desktop (tenant) Subnet | NTP Server | 123 | UDP | NTP services |
Desktop (tenant) Subnet | *.blob.core.windows.net | 443 | TCP | DCT log bundle upload. When a customer admin clicks on the DCT log collection for any VM after request processing, the bundle will be uploaded from VDI to blob to make that bundle available to download from the Horizon Universal Console. |
Desktop (tenant) Subnet | Horizon Edge | 31883 | TCP, MQTT, UDP | Horizon agent running on the VM to the MQTT broker running on the Edge. |
Desktop (tenant) Subnet | Horizon Edge | 32443 | TCP | Single Sign On if Horizon Edge is a VM based deployment. |
Desktop (tenant) Subnet | Horizon Edge | 443 | TCP | Single Sign On if Horizon Edge is an AKS based deployment. |
Desktop (tenant) Subnet and Management Subnet | softwareupdate.vmware.com | 443 | TCP | VMware software package server. Used for downloading updates of the agent-related software used in the system's image-related operations and automated agent update process. |
Desktop (tenant) Subnet | Private Link Endpoint | 443 | TCP | Desktop connectivity to the connection service in the cloud control plane. |
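Added example, not part of this reference page or of the Horizon product: a pre-flight probe that encodes rows of the VDI table above as data and tests TCP reachability from a VM in the desktop (tenant) subnet. The hostnames dc01.corp.example, dns01.corp.example and edge01.corp.example are illustrative assumptions. Wildcard targets such as *.horizon.vmware.com cannot be probed until a concrete regional hostname is substituted, and UDP rows (DNS, NTP) are not verified by a TCP connect, so both are reported as skipped rather than silently passed.

```python
import socket
from dataclasses import dataclass
@dataclass(frozen=True)
class Rule:
    source: str
    target: str
    port: int
    proto: str   # transport exactly as the table gives it: "TCP" or "UDP"
    purpose: str
# Constructed subset of the VDI table above. The domain controller, DNS and Edge
# hostnames are illustrative assumptions; wildcard targets are kept verbatim.
VDI_RULES = [
    Rule("Desktop (tenant) Subnet", "*.horizon.vmware.com", 443, "TCP", "agent operations"),
    Rule("Desktop (tenant) Subnet", "dc01.corp.example", 88, "TCP", "Kerberos"),
    Rule("Desktop (tenant) Subnet", "dns01.corp.example", 53, "UDP", "DNS"),
    Rule("Desktop (tenant) Subnet", "edge01.corp.example", 31883, "TCP", "MQTT to Horizon Edge"),
]

def check_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """TCP connect probe: 'open', 'closed', 'timeout' or 'unresolved'."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "unresolved"          # name resolution failed: DNS path or name is wrong
    result = "closed"
    for family, stype, proto, _, addr in infos:
        with socket.socket(family, stype, proto) as s:
            s.settimeout(timeout)
            try:
                s.connect(addr)
                return "open"        # reaching any resolved address is enough
            except socket.timeout:
                result = "timeout"   # usual symptom of a firewall silently dropping SYNs
            except OSError:
                result = "closed"    # RST: host reachable, port not listening or rejected
    return result

def preflight(rules, overrides=None):
    """Probe each TCP rule; wildcards need a concrete host via overrides, UDP rows are only listed."""
    overrides = overrides or {}
    report = {}
    for r in rules:
        host = overrides.get(r.target, r.target)
        key = (r.target, r.port, r.proto)
        if host.startswith("*."):
            report[key] = "skipped: wildcard target, supply a concrete host"
        elif r.proto != "TCP":
            report[key] = "skipped: UDP (DNS, NTP) is not verified by a TCP connect"
        else:
            report[key] = check_tcp(host, r.port)
    return report
```

Run `preflight(VDI_RULES, {"*.horizon.vmware.com": "<concrete regional hostname>"})` from a desktop-subnet VM and treat any "timeout" as a firewall or NSG rule to fix before deploying.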
End-User Connection Traffic Ports and Protocols Requirements
For detailed information about the various Horizon Clients that your end users might use with your Horizon Edge Virtual Appliance, see the Horizon Client documentation page at https://docs.vmware.com/en/VMware-Horizon-Client/index.html. Which ports must be opened for traffic from the end users' connections to reach their virtual desktops and remote applications depends on the choice you make for how your end users will connect.
Source | Target | Port | Protocol | Purpose |
---|---|---|---|---|
Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 443 | TCP | To carry CDR, MMR, USB redirection, and tunneled RDP traffic. SSL (HTTPS access) is enabled by default for client connections. Port 80 (HTTP access) can be used in some cases. |
Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 8443 or 443 | TCP | Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic from a Horizon Client. |
Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 443 | UDP | Blast Extreme via the Unified Access Gateway for data traffic. |
Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 8443 | UDP | Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic (adaptive transport). |
Browser | Microsoft Azure load balancer for these Unified Access Gateway instances | 443 | TCP | To carry CDR, MMR, USB redirection, and tunneled RDP traffic. SSL (HTTPS access) is enabled by default for client connections. Port 80 (HTTP access) can be used in some cases. |
Browser | Microsoft Azure load balancer for these Unified Access Gateway instances | 8443 or 443 | TCP | Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic from the Horizon HTML Access client (web client). |
Horizon Client/Browser | *.horizon.vmware.com | 443 | TCP | After login and listing of the launch items, when the user clicks to launch a desktop, the protocol traffic is redirected to the UAG from one of these URLs, based on the customer org location selected at the time of onboarding. Current concrete endpoints are: |