Horizon Cloud Pod - Ports and Protocols Requirements

Ports and Protocols Required by Key Pod Components for Ongoing Operations

In addition to the DNS requirements, the following tables list ports and protocols that are required for the pod to operate properly for ongoing operations after deployment. Some of these tables also list ports and protocols that are required for specific scenarios or when you have enabled particular features on the pod.

In the tables below, the term manager VM refers to the pod's manager VM. In the Microsoft Azure portal, this VM has a name that contains a part like vmw-hcs-podID, where podID is the pod's UUID, and a node part.

Important: A pod that is enabled for high availability has two manager VMs. A pod that has high availability switched on has only one manager VM. In the tables below, wherever you see the term manager VM, it applies to all of the manager VMs in your high-availability-enabled pod unless otherwise indicated.

The system's use of a Microsoft Azure load balancer with the pod manager VMs started from manifest 1600, at the September 2019 service release. Therefore, all pods deployed new from manifest 1600 onward have a pod Microsoft Azure load balancer. Pods that were first deployed prior to manifest 1600 and subsequently updated to later manifests also have a pod Microsoft Azure load balancer. The table rows that mention the pod's load balancer apply for all such pods.

Table 1. Pod Operations Ports and Protocols
Source	Target	Ports	Protocol	Purpose
Manager VM	Pod's other manager VM	4101	TCP	For a pod that is enabled with high availability, this traffic is JMS routing between the manager VMs.
Manager VM	Unified Access Gateway VMs	9443	HTTPS	This port is used by the pod manager VM over the management subnet to configure settings in the pod's Unified Access Gateway configuration. This port requirement applies when initially deploying a pod with a Unified Access Gateway configuration and when editing a pod to add a Unified Access Gateway configuration or update settings for that Unified Access Gateway configuration.
Pod's Microsoft Azure load balancer	Manager VM	8080	HTTP	Health checks of the VMs in the load balancer's backend pool. When a pod at this release's manifest version is not enabled with high availability, the load balancer has one manager VM is its backend pool to check.
Manager VM	Domain controller	389	TCP UDP	LDAP services. Server that contains a domain controller role in an Active Directory configuration. Registering the pod with an Active Directory is a requirement.
Manager VM	Global catalog	3268	TCP	LDAP services. Server that contains global catalog role in an Active Directory configuration. Registering the pod with an Active Directory is a requirement.
Manager VM	Domain controller	88	TCP UDP	Kerberos services. Server that contains a domain controller role in an Active Directory configuration. Registering the pod with an Active Directory is a requirement.
Manager VM	DNS server	53	TCP UDP	DNS services.
Manager VM	NTP server	123	UDP	NTP services. Server that provides NTP time synchronization.
Manager VM	True SSO Enrollment Server	32111	TCP	True SSO Enrollment Server. Optional if you are not using True SSO Enrollment Server capabilities with your pods.
Manager VM	Workspace ONE Access service	443	HTTPS	Note: This row is applicable to environments with a single-pod-broker configuration. This information is not for environments with a Universal Broker configuration. In a single-pod-broker configured environment, the Workspace ONE Access Connector communicates with a pod to obtain the end-user entitlements (the assignments). Optional if you are not integrating Workspace ONE Access with the pod. In a single-pod-broker configured environment, this connection is used to create a trust relationship between the pod and the Workspace ONE Access service, where the Workspace ONE Access Connector is synched with the pod. Ensure that the pod can reach the Workspace ONE Access environment you are using on port 443. When you are using the Workspace ONE Access cloud service, see also the list of Workspace ONE Access service IP addresses to which the Workspace ONE Access Connector and the pod must have access in the VMware Knowledge Base article 2149884.
Transient Jump box VM	Manager VM	22	TCP	As described above in Ports and Protocols Required by the Pod Jump Box During Pod Deployments and Pod Updates, a transient jump box is used during pod deployment and pod update processes. Even though ongoing processes do not require these ports, during pod deployment and pod update processes, this jump box VM must communicate with the manager VMs using SSH to the manager VMs' port 22. For details about the cases for which the jump box VM needs this communication, see Ports and Protocols Required by the Pod Jump Box During Pod Deployments and Pod Updates. Note: A pod that is at manifest version 1600 or later and has the high availability feature enabled on it, will have two manager VMs. The preceding paragraph uses the plural word VMs to indicate the jump box VM must communicate with all of the pod's manager VMs, whether the pod has only one or has two.
Transient Jump box VM	Unified Access Gateway VMs	9443	HTTPS	This port is used by the jump box VM over the management subnet to configure settings in the pod's Unified Access Gateway configuration. This port requirement applies when initially deploying a pod with a Unified Access Gateway configuration and when editing a pod to add a Unified Access Gateway configuration to a pod.

Gateway Connector VM Ports and Protocols Requirements

This table applies to the gateway's connector VM that is used when you have deployed the external gateway in a separate VNet. In addition to the DNS requirements, the ports and protocols in the following table are required for the external gateway to operate properly for ongoing operations after deployment.

In the table below, the term connector VM refers to the gateway's connector VM which manages the connection between the cloud management plane and the external gateway. In the Microsoft Azure portal, this VM has a name that contains a part like vmw-hcs-ID, where ID is the gateway's deployer ID, and a node part.

Table 2. Pod Operations Ports and Protocols
Source	Target	Ports	Protocol	Purpose
Connector VM	DNS server	53	TCP UDP	DNS services.
Connector VM	NTP server	123	UDP	NTP services. Server that provides NTP time synchronization.
Transient Jump box VM	Connector VM	22	TCP	As described above in Ports and Protocols Required by the Pod Jump Box During Pod Deployments and Pod Updates, a transient jump box is used during deployment of the external gateway and during update processes. Even though ongoing processes do not require these ports, during deployment and update processes, this jump box VM must communicate with the connector VM using SSH to the connector VMs' port 22.

Unified Access Gateway VM Ports and Protocols Requirements

In addition to the DNS and above primary ports and protocols requirements, the ports and protocols in the following tables are related to the gateways that you have configured on the pod to operate properly for ongoing operations after deployment.

For connections using a high-availability-enabled pod configured with Unified Access Gateway instances, traffic must be allowed from the pod's Unified Access Gateway instances to targets as listed in the table below. During pod deployment, a Network Security Group (NSG) is created in your Microsoft Azure environment for use by the pod's Unified Access Gateway instances.

Table 3. Port Requirements for Traffic from the Pod's Unified Access Gateway Instances
Source	Target	Port	Protocol	Purpose
Unified Access Gateway	Pod's Microsoft Azure load balancer	8443	TCP	Login authentication traffic. The traffic from the Unified Access Gateway instances reaches the pod's manager VM through the pod's load balancer.
Unified Access Gateway	Horizon agent in the desktop or farm RDSH VMs	4172	TCP UDP	PCoIP
Unified Access Gateway	Horizon agent in the desktop or farm RDSH VMs	22443	TCP UDP	Blast Extreme By default, when using Blast Extreme, client-drive redirection (CDR) traffic and USB traffic is side-channeled in this port. If you prefer instead, the CDR traffic can be separated onto the TCP 9427 port and the USB redirection traffic can be separated onto the TCP 32111 port.
Unified Access Gateway	Horizon agent in the desktop or farm RDSH VMs	9427	TCP	Optional for client driver redirection (CDR) and multimedia redirection (MMR) traffic.
Unified Access Gateway	Horizon agent in the desktop or farm RDSH VMs	32111	TCP	Optional for USB redirection traffic.
Unified Access Gateway	Your RADIUS instance	1812	UDP	When using RADIUS two-factor authentication with that Unified Access Gateway configuration. The default value for RADIUS is shown here.

Ports and Protocols Required by Universal Broker

To support the use of Universal Broker for the brokering of end-user assignments from a pod, you must configure port 443 as described in the following table. The active pod manager establishes a persistent WebSocket connection with the Universal Broker service through port 443 and receives connection requests from the Universal Broker service through a randomly selected port.

Table 4. Port Requirements for Universal Broker
Source	Source Port	Target	Target Port	Protocol	Purpose
Active pod manager	Randomly selected from available ports	Universal Broker service	443	HTTPS initially, then WebSocket	Establishes a persistent WebSocket connection with the Universal Broker service

Ports and Protocols Required by the Horizon Edge Virtual Appliance

When you activate Horizon Infrastructure Monitoring for a pod, the Horizon Edge Virtual Appliance is deployed and configured in that pod's subscription. The appliance has a single NIC on the pod's management subnet and an NSG is automatically configured on that NIC. That NSG's rule specify the allowed traffic into the appliance and out from the appliance. The following table lists the ports and protocols from that NSG that are needed during the activation process, as the appliance is deployed and configures the pod manager VMs so that it can collect the monitoring data it is designed to collect from those components. This table also lists the ports and protocols that are needed during the appliance's steady-state operations of collecting the data it is designed to collect in this current service release.

Table 5. Port Requirements for the Horizon Edge Virtual Appliance
Source	Target	Ports	Protocol	Purpose
Horizon Edge Virtual Appliance	DNS server	53	TCP	DNS services
Horizon Edge Virtual Appliance	Pod manager VMs	9172	Any	In steady-state operations over the management subnet, for the appliance to collect the monitoring data that it is designed to collect.
Horizon Edge Virtual Appliance	Cloud control plane	443	TCP	In steady-state operations over the management subnet, for the appliance to communicate the monitoring data to the cloud control plane. Also, during deployment of the appliance, this port is used to download specific externally located software components, such as the Microsoft Azure CLI software, that are required for the appliance to perform its configuration of the pod manager VMs for collection of the monitoring data.
Horizon Edge Virtual Appliance	Pod manager VMs	4002	TCP	In steady-state operations over the management subnet, for the appliance to collect the monitoring data that it is designed to collect.

End-User Connection Traffic Ports and Protocols Requirements

For detailed information about the various Horizon Clients that your end users might use with your Horizon Cloud pod, see the Horizon Client documentation page at https://docs.vmware.com/en/VMware-Horizon-Client/index.html. Which ports must be opened for traffic from the end users' connections to reach their pod-provisioned virtual desktops and remote applications depends on the choice you make for how your end users will connect:

When you choose the deployer option for having an external gateway configuration in the pod's own VNet: The deployer deploys Unified Access Gateway instances in your Microsoft Azure environment, along with a Microsoft Azure load balancer resource to those instances in that load balancer's backend pool. That load balancer communicates with those instances' NICs on the DMZ subnet, and is configured as a public load balancer in Microsoft Azure. The diagram Illustration of the Horizon Cloud Pod Architecture for a Pod with High Availability Enabled and Configured with Both External and Internal Unified Access Gateway Configurations depicts the location of this public load balancer and the Unified Access Gateway instances. When your pod has this configuration, traffic from your end users on the Internet goes to that load balancer, which distributes the requests to the Unified Access Gateway instances. For this configuration, you must ensure that those end-user connections can reach that load balancer using the ports and protocols listed below. Post-deployment, the external gateway's load balancer is located in the resource group named vmw-hcs-podID-uag, where podID is the pod's UUID.
When you choose the deployer option for having an internal Unified Access Gateway configuration: An internal gateway configuration is deployed into the pod's own VNet by default. The deployer deploys Unified Access Gateway instances in your Microsoft Azure environment, along with a Microsoft Azure load balancer resource to those instances in its backend pool. That load balancer communicates with those instances' NICs on the tenant subnet, and is configured as an internal load balancer in Microsoft Azure. The diagram Illustration of the Horizon Cloud Pod Architecture for a Pod with High Availability Enabled and Configured with Both External and Internal Unified Access Gateway Configurations depicts the location of this internal load balancer and the Unified Access Gateway instances. When your pod has this configuration, traffic from your end users in your corporate network goes to that load balancer, which distributes the requests to the Unified Access Gateway instances. For this configuration, you must ensure that those end-user connections can reach that load balancer using the ports and protocols listed below. Post-deployment, the internal gateway's load balancer is located in the resource group named vmw-hcs-podID-uag-internal, where podID is the pod's UUID.
When you choose the deployer options either for having an external gateway configuration in its own VNet and not the pods, or the option to use its own subscription (which is a special sub-case of using its own VNet because VNets do not span subscriptions): The deployer deploys Unified Access Gateway instances in your Microsoft Azure environment, along with a Microsoft Azure load balancer resource to those instances in that load balancer's backend pool. That load balancer communicates with those instances' NICs on the DMZ subnet, and is configured as a public load balancer in Microsoft Azure. The diagram Illustration of the External Gateway's Architecture Elements When the External Gateway is Deployed into Its Own VNet, Separate from the Pod's VNet depicts the location of this public load balancer and the Unified Access Gateway instances in the gateway's own VNet. When your pod has this configuration, traffic from your end users on the Internet goes to that load balancer, which distributes the requests to the Unified Access Gateway instances. For this configuration, you must ensure that those end-user connections can reach that load balancer using the ports and protocols listed below. Post-deployment, the external gateway's load balancer is located in the resource group named vmw-hcs-ID-uag, where ID is the value show in the Deployer ID field of the pod's details page. As described in the Administration Guide, you get to the pod's details page from the console's Capacity page.
When you have no Unified Access Gateway configurations on the pod: Note: For production environments where the tenant is configured to use single-pod brokering, the best practice for internal end-user connections is to use an internal Unified Access Gateway gateway configuration on the pod. Those connections would go to that gateway configuration in the single-pod brokering scenario.
In a configuration where you have single-pod brokering and Workspace ONE Access integrated with the pod, you typically have your end users connect through Workspace ONE Access. In this scenario, you must configure Workspace ONE Access and the Workspace ONE Access Connector pointing directly to the pod. Your end users are connecting to their pod-provisioned resources using Workspace ONE Access. For this configuration, you upload an SSL certificate to the pod's manager VMs using the pod's summary page in the console, as described in Configure SSL Certificates Directly on the Pod Manager VMs, Such as When Integrating the Workspace ONE Access Connector Appliance with the Horizon Cloud Pod in Microsoft Azure, So that Connector Can Trust Connections to the Pod Manager VMs. Then you complete the steps to integrate Workspace ONE Access with the pod.

Table 6. External End User Connections Ports and Protocols when the Pod Configuration has External Unified Access Gateway instances
Source	Target	Port	Protocol	Purpose
Horizon Client	Microsoft Azure load balancer for these Unified Access Gateway instances	443	TCP	Login authentication traffic. Can also carry client-drive redirection (CDR), multimedia redirection (MMR), USB redirection, and tunneled RDP traffic. SSL (HTTPS access) is enabled by default for client connections. Port 80 (HTTP access) can be used in some cases.
Horizon Client	Microsoft Azure load balancer for these Unified Access Gateway instances	4172	TCP UDP	PCoIP via PCoIP Secure Gateway on Unified Access Gateway
Horizon Client	Microsoft Azure load balancer for these Unified Access Gateway instances	8443 or 443, depending on what is set in your deployment	TCP	Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic from as Horizon Client. For a Horizon Cloud pod, this port is selected using the Blast Extreme TCP Port menu in the deployment wizard. Ensure that your networking allows the clients the outbound access to whichever one you specified for the external gateway. This URL is used by the clients to establish the Horizon Blast session to the Unified Access Gateway instances, through the load balancer that sits in front of those instances. Starting with the October 2021 service release, for new deployments of a gateway configuration, the deployer provides the ability select either 8443 or 443 for the Blast Extreme TCP port that the deployer will configure in the corresponding Unified Access Gateway configuration. Previously, the deployer configured 443 by default without providing a choice. If your gateway configuration was deployed prior to the date of the October 2021 service release, that configuration typically has 443 port set in the Blast External URL field in its Unified Access Gateway administration settings. Note: Port 8443 is preferred because it is more efficient, provides better performance, and uses less resources on the Unified Access Gateway instances. Port 443, is less efficient and less performant. Using port 443 will result in CPU congestion in the instances. Port 443 would be used in your deployment only if your organization has set client-side restrictions, such as your organization only permits 443 outbound and not 8443.
Horizon Client	Microsoft Azure load balancer for these Unified Access Gateway instances	443	UDP	Blast Extreme via the Unified Access Gateway for data traffic.
Horizon Client	Microsoft Azure load balancer for these Unified Access Gateway instances	8443	UDP	Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic (adaptive transport).
Browser	Microsoft Azure load balancer for these Unified Access Gateway instances	443	TCP	Login authentication traffic. Can also carry client-drive redirection (CDR), multimedia redirection (MMR), USB redirection, and tunneled RDP traffic. SSL (HTTPS access) is enabled by default for client connections. Port 80 (HTTP access) can be used in some cases.
Browser	Microsoft Azure load balancer for these Unified Access Gateway instances	8443 or 443, depending on what was set in your deployment	TCP	Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic from the Horizon HTML Access client (web client). For a Horizon Cloud pod, this port is selected using the Blast Extreme TCP Port menu in the deployment wizard. Ensure that your networking allows the clients the outbound access to whichever one you specified for the external gateway. This URL is used by the Horizon HTML Access client in the browser to establish the Horizon Blast session to the Unified Access Gateway instances, through the load balancer that sits in front of those instances. Starting with the October 2021 service release, for new deployments of a gateway configuration, the deployer provides the ability select either 8443 or 443 for the Blast Extreme TCP port that the deployer will configure in the corresponding Unified Access Gateway configuration. Previously, the deployer configured 443 by default without providing a choice. If your gateway configuration was deployed prior to the date of the October 2021 service release, that configuration typically has 443 port set in the Blast External URL field in its Unified Access Gateway administration settings. Note: Port 8443 is preferred because it is more efficient, provides better performance, and uses less resources on the Unified Access Gateway instances. Port 443, is less efficient and less performant. Using port 443 will result in CPU congestion in the instances. Port 443 would be used in your deployment only if your organization has set client-side restrictions, such as your organization only permits 443 outbound and not 8443.

Table 7. Internal End User Connections Ports and Protocols when the Pod Configuration has Internal Unified Access Gateway instances
Source	Target	Port	Protocol	Purpose
Horizon Client	Microsoft Azure load balancer for these Unified Access Gateway instances	443	TCP	Login authentication traffic. Can also carry client-drive redirection (CDR), multimedia redirection (MMR), USB redirection, and tunneled RDP traffic. SSL (HTTPS access) is enabled by default for client connections. Port 80 (HTTP access) can be used in some cases. See Understanding What URL Content Redirection Is.
Horizon Client	Microsoft Azure load balancer for these Unified Access Gateway instances	4172	TCP UDP	PCoIP via PCoIP Secure Gateway on Unified Access Gateway
Horizon Client	Microsoft Azure load balancer for these Unified Access Gateway instances	8443 or 443, depending on what was set in your deployment	TCP	Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic from as Horizon Client. For a Horizon Cloud pod, this port is selected using the Blast Extreme TCP Port menu in the deployment wizard. Ensure that your networking allows the clients the outbound access to whichever one you specified for the external gateway. This URL is used by the clients to establish the Horizon Blast session to the Unified Access Gateway instances, through the load balancer that sits in front of those instances. Starting with the October 2021 service release, for new deployments of a gateway configuration, the deployer provides the ability select either 8443 or 443 for the Blast Extreme TCP port that the deployer will configure in the corresponding Unified Access Gateway configuration. Previously, the deployer configured 443 by default without providing a choice. If your gateway configuration was deployed prior to the date of the October 2021 service release, that configuration typically has 443 port set in the Blast External URL field in its Unified Access Gateway administration settings. Note: Port 8443 is preferred because it is more efficient, provides better performance, and uses less resources on the Unified Access Gateway instances. Port 443, is less efficient and less performant. Using port 443 will result in CPU congestion in the instances. Port 443 would be used in your deployment only if your organization has set client-side restrictions, such as your organization only permits 443 outbound and not 8443.
Horizon Client	Microsoft Azure load balancer for these Unified Access Gateway instances	443	UDP	Blast Extreme via the Unified Access Gateway for data traffic.
Horizon Client	Microsoft Azure load balancer for these Unified Access Gateway instances	8443	UDP	Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic (adaptive transport).
Browser	Microsoft Azure load balancer for these Unified Access Gateway instances	443	TCP	Login authentication traffic. Can also carry client-drive redirection (CDR), multimedia redirection (MMR), USB redirection, and tunneled RDP traffic. SSL (HTTPS access) is enabled by default for client connections. Port 80 (HTTP access) can be used in some cases.
Browser	Microsoft Azure load balancer for these Unified Access Gateway instances	8443 or 443, depending on what was set in your deployment	TCP	Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic from the Horizon HTML Access client (web client). For a Horizon Cloud pod, this port is selected using the Blast Extreme TCP Port menu in the deployment wizard. Ensure that your networking allows the clients the outbound access to whichever one you specified for the external gateway. This URL is used by the Horizon HTML Access client in the browser to establish the Horizon Blast session to the Unified Access Gateway instances, through the load balancer that sits in front of those instances. Starting with the October 2021 service release, for new deployments of a gateway configuration, the deployer provides the ability select either 8443 or 443 for the Blast Extreme TCP port that the deployer will configure in the corresponding Unified Access Gateway configuration. Previously, the deployer configured 443 by default without providing a choice. If your gateway configuration was deployed prior to the date of the October 2021 service release, that configuration typically has 443 port set in the Blast External URL field in its Unified Access Gateway administration settings. Note: Port 8443 is preferred because it is more efficient, provides better performance, and uses less resources on the Unified Access Gateway instances. Port 443, is less efficient and less performant. Using port 443 will result in CPU congestion in the instances. Port 443 would be used in your deployment only if your organization has set client-side restrictions, such as your organization only permits 443 outbound and not 8443.

Table 8. Internal End User Connections Ports and Protocols when using Direct Connections, Such as Over VPN
Source	Target	Port	Protocol	Purpose
Horizon Client	Pod's Microsoft Azure load balancer	443	TCP	Login authentication traffic. The traffic from the clients reaches the pod's manager VMs through the pod's load balancer.
Horizon Client	Horizon agent in the desktop or farm RDSH VMs	4172	TCP UDP	PCoIP
Horizon Client	Horizon agent in the desktop or farm RDSH VMs	22443	TCP UDP	Blast Extreme
Horizon Client	Horizon agent in the desktop or farm RDSH VMs	32111	TCP	USB redirection
Horizon Client	Horizon agent in the desktop or farm RDSH VMs	9427	TCP	Client-drive redirection (CDR) and multimedia redirection (MMR)
Browser	Horizon agent in the desktop or farm RDSH VMs	443	TCP	HTML Access

Ports and Protocols Requirements for Traffic from Agents Installed in the Base VM, VDI Desktop VMs, and Farm RDSH VMs

The following ports must allow traffic between the agent-related software that is installed in the base VMs, desktop VMs, and farm RDSH VMs and the pod's manager VMs.


Source	Target	Port	Protocol	Purpose
Horizon agent in the base imported VM, golden images, desktop VMs, farm RDSH VMs	Manager VM	4001	TCP	Java Message Service (JMS, non-SSL), used by the agent in the VM to communicate with the pod as part of the certificate thumbprint verification and exchange to secure an SSL connection to the pod. After the keys are negotiated and exchanged between the VM and the pod manager, the agent uses port 4002 to create a secured SSL connection. For example, the Reset Agent Pairing action on the Imported VMs page requires communication over port 4001 for that agent pairing workflow between the base imported VM and the pod. Note: Both ports 4001 and 4002 are required for steady-state operations. There are times when the agent might need to re-key with the pod, so port 4001 must be kept open.
Horizon agent in the base imported VM, the golden images, desktop VMs, farm RDSH VMs	Manager VM	4002	TCP	Java Message Service (JMS, SSL), used by the agent in these VMs to communicate with the pod using a secured SSL connection.
FlexEngine agent (the agent for VMware Dynamic Environment Manager) in the desktop or farm RDSH VMs	Those file shares that you set up for use by the FlexEngine agent that runs in the desktop or farm RDSH VMs	445	TCP	FlexEngine agent access to your SMB file shares, if you are using VMware Dynamic Environment Manager capabilities.

Ports and Protocols Required by App Volumes Features

As stated in App Volumes Applications for Horizon Cloud on Microsoft Azure - Overview and Prerequisites, to support the use of the App Volumes features that are supported for use with a Horizon Cloud pod, you must configure port 445 for TCP protocol traffic on the pod's tenant subnet. Port 445 is the standard SMB port for accessing an SMB file share on Microsoft Windows. The AppStacks are stored in an SMB file share located in the same resource group as the pod manager VMs.

Important: If you intend to integrate your Horizon Cloud pod and NSX Cloud version 3.1.1 and later, and you want to use App Volumes assignments, you must manually open this port 445/TCP for the pod's tenant subnet in your NSX firewall rules after you deploy the NSX PCG and before you create your first App Volumes assignment using that pod.

Table 9. Port Requirements for App Volumes
Source	Target	Port	Protocol	Purpose
App Volumes agent in the base imported VM, the golden images, desktop VMs, farm RDSH VMs	SMB file share in the pod manager's resource group	445	TCP	On the pod's tenant subnet, for access to the App Volumes AppStacks that are stored in the SMB file share.

Integration with Workspace ONE Assist for Horizon - DNS, Ports, and Protocol Requirements

Workspace ONE Assist for Horizon is a product in the Workspace ONE UEM line of products. As of the August 2021 Horizon Cloud release, when specific requirements are met, you can integrate use of that product with VDI desktops provisioned from your Horizon Cloud tenant's pods. For full details of the requirements, see the Workspace ONE for Horizon and Horizon Cloud document.

Use of the assistance features requires outbound communication between the VDI desktop VMs and the Workspace ONE Assist server which supports the integration with your Horizon Cloud tenant.

DNS Requirements: Ensure that the DNS name of your Workspace ONE Assist server is resolvable and reachable from the pod's tenant subnets on which the VDI desktop VMs will reside. The Workspace ONE for Horizon and Horizon Cloud document provides the DNS names of the Workspace ONE Assist servers.
Ports and Protocol Requirements: Outbound traffic using port 443, TCP and HTTPS, must be allowed from the VDI desktop VMs on which the Workspace ONE Assist for Horizon application is installed.

Visually Rich Networking Diagrams

For a visually rich depiction of the relationships between these components, ports, and protocols, see the VMware Digital Workspace Tech Zone's network diagrams and descriptions at https://techzone.vmware.com/resource/vmware-horizon-cloud-service-microsoft-azure-network-ports-diagrams.