Ports and Protocols Required by Key Pod Components for Ongoing Operations

In addition to the DNS requirements, the following tables list ports and protocols that are required for the pod to operate properly for ongoing operations after deployment. Some of these tables also list ports and protocols that are required for specific scenarios or when you have enabled particular features on the pod.

In the Microsoft Azure portal, the pod manager VMs have names that contains a part like vmw-hcs-podID, where podID is the pod's UUID, and a node part.

The system's use of a Microsoft Azure load balancer with the pod manager VMs started from manifest 1600, at the September 2019 service release. Therefore, all pods deployed new from manifest 1600 onward have a pod Microsoft Azure load balancer. Pods that were first deployed prior to manifest 1600 and subsequently updated to later manifests also have a pod Microsoft Azure load balancer. The table rows that mention the pod's load balancer apply for all such pods.

Gateway Connector VM Ports and Protocols Requirements

This table applies to the gateway's connector VM that is used when you have deployed the external gateway in a separate VNet. In addition to the DNS requirements, the ports and protocols in the following table are required for the external gateway to operate properly for ongoing operations after deployment.

In the table below, the term connector VM refers to the gateway's connector VM which manages the connection between the cloud management plane and the external gateway. In the Microsoft Azure portal, this VM has a name that contains a part like vmw-hcs-ID, where ID is the gateway's deployer ID, and a node part.

Unified Access Gateway VM Ports and Protocols Requirements

In addition to the DNS and above primary ports and protocols requirements, the ports and protocols in the following tables are related to the gateways that you have configured on the pod to operate properly for ongoing operations after deployment.

For connections using a high-availability-enabled pod configured with Unified Access Gateway instances, traffic must be allowed from the pod's Unified Access Gateway instances to targets as listed in the table below. During pod deployment, a Network Security Group (NSG) is created in your Microsoft Azure environment for use by the pod's Unified Access Gateway instances.

Ports and Protocols Required by Universal Broker

To support the use of Universal Broker for the brokering of end-user assignments from a pod, you must configure port 443 as described in the following table. The active pod manager establishes a persistent WebSocket connection with the Universal Broker service through port 443 and receives connection requests from the Universal Broker service through a randomly selected port.

Ports and Protocols Required by the Horizon Edge Virtual Appliance

When you activate Horizon Infrastructure Monitoring for a pod, the Horizon Edge Virtual Appliance is deployed and configured in that pod's subscription. The appliance has a single NIC on the pod's management subnet and an NSG is automatically configured on that NIC. That NSG's rule specifies the traffic allowed into the appliance and out from the appliance. The following table lists the ports and protocols from that NSG that are needed during the activation process, as the appliance is deployed and configures the pod manager VMs so that it can collect the monitoring data it is designed to collect from those components. This table also lists the ports and protocols that are needed during the appliance's steady-state operations of collecting the data it is designed to collect in this current service release.

End-User Connection Traffic Ports and Protocols Requirements

To connect to their pod-provisioned virtual desktops and remote applications from their devices, your end users use a compatible installed VMware Horizon Client or their browser (known as the Horizon HTML Access client). The ports which must be opened for traffic from the end users' clients to reach their pod-provisioned virtual desktops and remote applications depends on the choice you make for how your end users will connect:

When you choose the deployer option for having an external gateway configuration in the pod's own VNet

The deployer deploys Unified Access Gateway instances in your Microsoft Azure environment, along with a Microsoft Azure load balancer resource to those instances in that load balancer's backend pool. That load balancer communicates with those instances' NICs on the DMZ subnet, and is configured as a public load balancer in Microsoft Azure. The diagram Illustration of the Horizon Cloud Pod Architecture for a Pod with High Availability Enabled and Configured with Both External and Internal Unified Access Gateway Configurations depicts the location of this public load balancer and the Unified Access Gateway instances. When your pod has this configuration, traffic from your end users on the Internet goes to that load balancer, which distributes the requests to the Unified Access Gateway instances. For this configuration, you must ensure that those end-user connections can reach that load balancer using the ports and protocols listed below. Post-deployment, the external gateway's load balancer is located in the resource group named vmw-hcs-podID-uag, where podID is the pod's UUID.

When you choose the deployer option for having an internal Unified Access Gateway configuration

An internal gateway configuration is deployed into the pod's own VNet by default. The deployer deploys Unified Access Gateway instances in your Microsoft Azure environment, along with a Microsoft Azure load balancer resource to those instances in its backend pool. That load balancer communicates with those instances' NICs on the tenant subnet, and is configured as an internal load balancer in Microsoft Azure. The diagram Illustration of the Horizon Cloud Pod Architecture for a Pod with High Availability Enabled and Configured with Both External and Internal Unified Access Gateway Configurations depicts the location of this internal load balancer and the Unified Access Gateway instances. When your pod has this configuration, traffic from your end users in your corporate network goes to that load balancer, which distributes the requests to the Unified Access Gateway instances. For this configuration, you must ensure that those end-user connections can reach that load balancer using the ports and protocols listed below. Post-deployment, the internal gateway's load balancer is located in the resource group named vmw-hcs-podID-uag-internal, where podID is the pod's UUID.

When you choose the deployer options either for having an external gateway configuration in its own VNet and not the pods, or the option to use its own subscription (which is a special sub-case of using its own VNet because VNets do not span subscriptions)

The deployer deploys Unified Access Gateway instances in your Microsoft Azure environment, along with a Microsoft Azure load balancer resource to those instances in that load balancer's backend pool. That load balancer communicates with those instances' NICs on the DMZ subnet, and is configured as a public load balancer in Microsoft Azure. The diagram Illustration of the External Gateway's Architecture Elements When the External Gateway is Deployed into Its Own VNet, Separate from the Pod's VNet depicts the location of this public load balancer and the Unified Access Gateway instances in the gateway's own VNet. When your pod has this configuration, traffic from your end users on the Internet goes to that load balancer, which distributes the requests to the Unified Access Gateway instances. For this configuration, you must ensure that those end-user connections can reach that load balancer using the ports and protocols listed below. Post-deployment, the external gateway's load balancer is located in the resource group named vmw-hcs-ID-uag, where ID is the value show in the Deployer ID field of the pod's details page. As described in the Administration Guide, you get to the pod's details page from the console's Capacity page.

When you have no Unified Access Gateway configurations on the pod

Note: For production environments where the tenant is configured to use single-pod brokering, the best practice for internal end-user connections is to use an internal Unified Access Gateway gateway configuration on the pod. Those connections would go to that gateway configuration in the single-pod brokering scenario.

In a configuration where you have single-pod brokering and Workspace ONE Access integrated with the pod, you typically have your end users connect through Workspace ONE Access. In this scenario, you must configure Workspace ONE Access and the Workspace ONE Access Connector pointing directly to the pod. Your end users are connecting to their pod-provisioned resources using Workspace ONE Access. For this configuration, you upload an SSL certificate to the pod manager VMs using the pod's summary page in the console, as described in Configure SSL Certificates Directly on the Pod Manager VMs, Such as When Integrating the Workspace ONE Access Connector Appliance with the Horizon Cloud Pod in Microsoft Azure, So that Connector Can Trust Connections to the Pod Manager VMs. Then you complete the steps to integrate Workspace ONE Access with the pod.

Ports and Protocols Requirements for Traffic from Agents Installed in the Base VM, VDI Desktop VMs, and Farm RDSH VMs

The following ports must allow traffic between the agent-related software that is installed in the base VMs, desktop VMs, and farm RDSH VMs and the pod manager VMs.

Ports and Protocols Required by App Volumes Features

As stated in App Volumes Applications for Horizon Cloud on Microsoft Azure - Overview and Prerequisites, to support the use of the App Volumes features that are supported for use with a Horizon Cloud pod, you must configure port 445 for TCP protocol traffic on the pod's tenant subnet. Port 445 is the standard SMB port for accessing an SMB file share on Microsoft Windows. The AppStacks are stored in an SMB file share located in the same resource group as the pod manager VMs.

Integration with Workspace ONE Assist for Horizon - DNS, Ports, and Protocol Requirements

Workspace ONE Assist for Horizon is a product in the Workspace ONE UEM line of products. As of the August 2021 Horizon Cloud release, when specific requirements are met, you can integrate use of that product with VDI desktops provisioned from your Horizon Cloud tenant's pods. For full details of the requirements, see the Workspace ONE for Horizon and Horizon Cloud document.

Use of the assistance features requires outbound communication between the VDI desktop VMs and the Workspace ONE Assist server which supports the integration with your Horizon Cloud tenant.

DNS Requirements

Ensure that the DNS name of your Workspace ONE Assist server is resolvable and reachable from the pod's tenant subnets on which the VDI desktop VMs will reside. The Workspace ONE for Horizon and Horizon Cloud document provides the DNS names of the Workspace ONE Assist servers.

Ports and Protocol Requirements

Outbound traffic using port 443, TCP and HTTPS, must be allowed from the VDI desktop VMs on which the Workspace ONE Assist for Horizon application is installed.

When Required for An Active Support Request, Temporary Jump Box Ports and Protocols

If you make a support request to VMware and the support team determines the way to service that request is to deploy a temporary jump box VM for SSH communication with the VMware-managed appliances, that jump box requires the ports and protocols described here.

Permission will be requested from you for a support-related jump box deployment. The VMware support team will inform you of the communication requirements, as appropriate for any support situation.

This support-related jump box VM is designed to communicate as a source to the following destinations.

• The pod's pod manager VMs' port 22 using SSH and port 22.
• The Unified Access Gateway VMs' port 9443 using HTTPS.
• The gateway connector VM's port 22 using SSH, in a deployment where the external gateway is deployed in its own VNet.
• The Horizon Edge Virtual Appliance port 22 using SSH, in a deployment with Horizon Infrastructure Monitoring configured.

The nature of the support request and the appliances used in the deployment determine which specific VMware-managed appliance or appliances must be allowed as the target for the communication.

Because these VMs are assigned IP addresses dynamically, the following network rules can provide for the described communications. During the support-request activities, always seek guidance and supervision from VMware Support for requirements for the support-related jump box deployment.

• The management subnet CIDR as both the source and destination, with destination port 22, source port any, and protocol TCP.
• The management subnet CIDR as both the source and destination, with destination port 9443, source port any, and protocol TCP, when a Unified Access Gateway configuration is involved.

True SSO and Certificate Management and Horizon Cloud on Microsoft Azure deployments

The Horizon Cloud pod-provisioned desktop VMs do not communicate directly with the Enrollment Server. The Horizon Cloud on Microsoft Azure deployment's active pod manager VM relays the certificate requests to the Enrollment Server. Once the certificate is obtained, the Horizon agent in the desktop VMs uses that certificate to perform the Certificate Logon operation on behalf of the desktop user.

The request-response architecture is the same for a Horizon Cloud on Microsoft Azure deployment's pod manager VM as it is for a Horizon deployment's Horizon Connection Server. In a Horizon Cloud on Microsoft Azure deployment, the pod manager VMs have connections to the desktop VMs on the primary VM subnet (also called the tenant subnet), and on any additional VM subnets that the VDI administrator might have added using the Edit Pod workflow.

Two classes of certificate will be validated by various components: user certificates and channel certificates. True SSO adds a user certificate that is validated by the authentication server. In this case of a Horizon Cloud on Microsoft Azure deployment, that authentication server is a Microsoft Active Directory server. Because the Microsoft architecture determines which port numbers can be used for this certificate validation, a wide range of port numbers can be used for this validation since the ports are part of the Microsoft architecture itself and not specific to the Horizon Cloud on Microsoft Azure deployment itself.

When using True SSO in a Horizon Cloud on Microsoft Azure deployment, the Horizon agent generates a CSR and sends it to the deployment's active pod manager VM over the communication channel already in place between that pod manager VM and that Horizon agent. The pod manager VM relays the request to the Enrollment Server over a secure SSL-encrypted TCP channel (port 32111 or the port configured by the customer in the Enrollment Server installation). The Enrollment Server generates a CMC request, appends the CSR and the user name as provided by the Pod Manager, signs the CMC using the Enrollment Agent Certificate, and submits it to the Certificate Authority using the MS-DCOM (RPC) protocol.

The Horizon agent receives the certificate, serializes it as a logon credential, and submits it to the Windows logon process. The LSASS Windows component receives the certificate, validates it (checks that it is valid and trusted, and that the local machine holds the private key for the certificate) and then sends it to a Domain Controller (DC). The DC may choose to check the CRL as specified in the user certificate.

Visually Rich Networking Diagrams

For a visually rich depiction of the relationships between these components, ports, and protocols, see the VMware Digital Workspace Tech Zone's network diagrams and descriptions at https://techzone.vmware.com/resource/vmware-horizon-cloud-service-microsoft-azure-network-ports-diagrams.