For ongoing Horizon Cloud operations, a pod that is either deployed new in Microsoft Azure starting with the September 2019 release and later, or which is updated to the September 2019 release level, has specific port and protocol requirements that are different from a pod that was deployed previously. Pods deployed new or updated to the September 2019 release have manifest versions of 1600 or later.

Important:

In addition to the ports and protocols described here, you must meet DNS requirements. For details, see DNS Requirements for a Horizon Cloud Pod in Microsoft and Related Service Features.

As part of the pod deployment process, the deployer creates network security groups (NSGs) on the network interfaces (NICs) on all of the deployed VMs. For details about the rules defined in those NSGs, see Default Network Security Group Rules for the VMs in a Horizon Cloud Pod Deployed in Microsoft Azure.

Ports and Protocols Required by Key Pod Components for Ongoing Operations

In addition to the DNS requirements, the following tables list ports and protocols that are required for the pod to operate properly for ongoing operations after deployment. Some of these tables also list ports and protocols that are required for specific scenarios or when you have enabled particular features on the pod.

In the tables below, the term manager VM refers to the pod's manager VM. In the Microsoft Azure portal, this VM has a name that contains a part like vmw-hcs-podID, where podID is the pod's UUID, and a node part.

Important: A pod that is enabled for high availability has two manager VMs. A pod that has high availability switched on has only one manager VM. In the tables below, wherever you see the term manager VM, it applies to all of the manager VMs in your high-availability-enabled pod unless otherwise indicated.

All pods at the September 2019 release's manifest version or later have a pod Microsoft Azure load balancer. The table rows that involve the pod's load balancer apply for all pods at the manifest level of 1600 or later.

Table 1. Pod Operations Ports and Protocols
Source Target Ports Protocol Purpose
Manager VM Pod's other manager VM 4101 TCP For a pod that is enabled with high availability, this traffic is JMS routing between the manager VMs.
Manager VM Unified Access Gateway VMs 9443 HTTPS This port is used by the pod manager VM over the management subnet to configure settings in the pod's Unified Access Gateway configuration. This port requirement applies when initially deploying a pod with a Unified Access Gateway configuration and when editing a pod to add a Unified Access Gateway configuration or update settings for that Unified Access Gateway configuration.
Pod's Microsoft Azure load balancer Manager VM 8080 HTTP Health checks of the VMs in the load balancer's backend pool. When a pod at this release's manifest version is not enabled with high availability, the load balancer has one manager VM is its backend pool to check.
Manager VM Domain controller 389 TCP

UDP

LDAP services. Server that contains a domain controller role in an Active Directory configuration. Registering the pod with an Active Directory is a requirement.
Manager VM Global catalog 3268 TCP LDAP services. Server that contains global catalog role in an Active Directory configuration. Registering the pod with an Active Directory is a requirement.
Manager VM Domain controller 88 TCP

UDP

Kerberos services. Server that contains a domain controller role in an Active Directory configuration. Registering the pod with an Active Directory is a requirement.
Manager VM DNS server 53 TCP

UDP

DNS services.
Manager VM NTP server 123 UDP NTP services. Server that provides NTP time synchronization.
Manager VM True SSO Enrollment Server 32111 TCP True SSO Enrollment Server. Optional if you are not using True SSO Enrollment Server capabilities with your pods.
Manager VM Workspace ONE Access service 443 HTTPS
Note: This row is applicable to environments with a single-pod-broker configuration. This information is not for environments with a Universal Broker configuration. In a single-pod-broker configured environment, the Workspace ONE Access Connector communicates with a pod to obtain the end-user entitlements (the assignments).
Optional if you are not integrating Workspace ONE Access with the pod. In a single-pod-broker configured environment, this connection is used to create a trust relationship between the pod and the Workspace ONE Access service, where the Workspace ONE Access Connector is synched with the pod. Ensure that the pod can reach the Workspace ONE Access environment you are using on port 443. When you are using the Workspace ONE Access cloud service, see also the list of Workspace ONE Access service IP addresses to which the Workspace ONE Access Connector and the pod must have access in the VMware Knowledge Base article 2149884.
Transient Jump box VM Manager VM 22 TCP As described above in Ports and Protocols Required by the Pod Jump Box During Pod Deployments and Pod Updates, a transient jump box is used during pod deployment and pod update processes. Even though ongoing processes do not require these ports, during pod deployment and pod update processes, this jump box VM must communicate with the manager VMs using SSH to the manager VMs' port 22. For details about the cases for which the jump box VM needs this communication, see Ports and Protocols Required by the Pod Jump Box During Pod Deployments and Pod Updates.
Note: A pod that is at manifest version 1600 or later and has the high availability feature enabled on it, will have two manager VMs. The preceding paragraph uses the plural word VMs to indicate the jump box VM must communicate with all of the pod's manager VMs, whether the pod has only one or has two.
Transient Jump box VM Unified Access Gateway VMs 9443 HTTPS This port is used by the jump box VM over the management subnet to configure settings in the pod's Unified Access Gateway configuration. This port requirement applies when initially deploying a pod with a Unified Access Gateway configuration and when editing a pod to add a Unified Access Gateway configuration to a pod.

Gateway Connector VM Ports and Protocols Requirements

This table applies to the gateway's connector VM that is used when you have deployed the external gateway in a separate VNet. In addition to the DNS requirements, the ports and protocols in the following table are required for the external gateway to operate properly for ongoing operations after deployment.

In the table below, the term connector VM refers to the gateway's connector VM which manages the connection between the cloud management plane and the external gateway. In the Microsoft Azure portal, this VM has a name that contains a part like vmw-hcs-ID, where ID is the gateway's deployer ID, and a node part.

Table 2. Pod Operations Ports and Protocols
Source Target Ports Protocol Purpose
Connector VM DNS server 53 TCP

UDP

DNS services.
Connector VM NTP server 123 UDP NTP services. Server that provides NTP time synchronization.
Transient Jump box VM Connector VM 22 TCP As described above in Ports and Protocols Required by the Pod Jump Box During Pod Deployments and Pod Updates, a transient jump box is used during deployment of the external gateway and during update processes. Even though ongoing processes do not require these ports, during deployment and update processes, this jump box VM must communicate with the connector VM using SSH to the connector VMs' port 22.

Unified Access Gateway VM Ports and Protocols Requirements

In addition to the DNS and above primary ports and protocols requirements, the ports and protocols in the following tables are related to the gateways that you have configured on the pod to operate properly for ongoing operations after deployment.

For connections using a high-availability-enabled pod configured with Unified Access Gateway instances, traffic must be allowed from the pod's Unified Access Gateway instances to targets as listed in the table below. During pod deployment, a Network Security Group (NSG) is created in your Microsoft Azure environment for use by the pod's Unified Access Gateway software.

Table 3. Port Requirements for Traffic from the Pod's Unified Access Gateway Instances
Source Target Port Protocol Purpose
Unified Access Gateway Pod's Microsoft Azure load balancer 8443 TCP Login authentication traffic. The traffic from the Unified Access Gateway instances reaches the pod's manager VM through the pod's load balancer.
Unified Access Gateway Horizon agent in the desktop or farm RDSH VMs 4172 TCP

UDP

PCoIP
Unified Access Gateway Horizon agent in the desktop or farm RDSH VMs 22443 TCP

UDP

Blast Extreme

By default, when using Blast Extreme, client-drive redirection (CDR) traffic and USB traffic is side-channeled in this port. If you prefer instead, the CDR traffic can be separated onto the TCP 9427 port and the USB redirection traffic can be separated onto the TCP 32111 port.

Unified Access Gateway Horizon agent in the desktop or farm RDSH VMs 9427 TCP Optional for client driver redirection (CDR) and multimedia redirection (MMR) traffic.
Unified Access Gateway Horizon agent in the desktop or farm RDSH VMs 32111 TCP Optional for USB redirection traffic.
Unified Access Gateway Your RADIUS instance 1812 UDP When using RADIUS two-factor authentication with that Unified Access Gateway configuration. The default value for RADIUS is shown here.

Ports and Protocols Required by Universal Broker

To support the use of Universal Broker for the brokering of end-user assignments from a pod, you must configure port 443 as described in the following table. The active pod manager establishes a persistent WebSocket connection with the Universal Broker service through port 443 and receives connection requests from the Universal Broker service through a randomly selected port.

Table 4. Port Requirements for Universal Broker
Source Source Port Target Target Port Protocol Purpose
Active pod manager Randomly selected from available ports Universal Broker service 443 HTTPS initially, then WebSocket Establishes a persistent WebSocket connection with the Universal Broker service

Ports and Protocols Required by the Horizon Edge Virtual Appliance

When you activate Horizon Infrastructure Monitoring for a pod, the Horizon Edge Virtual Appliance is deployed and configured in that pod's subscription. The appliance has a single NIC on the pod's management subnet and an NSG is automatically configured on that NIC. That NSG's rule specify the allowed traffic into the appliance and out from the appliance. The following table lists the ports and protocols from that NSG that are needed during the activation process, as the appliance is deployed and configures the pod manager VMs so that it can collect the monitoring data it is designed to collect from those components. This table also lists the ports and protocols that are needed during the appliance's steady-state operations of collecting the data it is designed to collect in this current service release.

Table 5. Port Requirements for the Horizon Edge Virtual Appliance
Source Target Ports Protocol Purpose
Horizon Edge Virtual Appliance DNS server 53 TCP DNS services
Horizon Edge Virtual Appliance Pod manager VMs 9172 Any In steady-state operations over the management subnet, for the appliance to collect the monitoring data that it is designed to collect.
Horizon Edge Virtual Appliance Cloud control plane 443 TCP In steady-state operations over the management subnet, for the appliance to communicate the monitoring data to the cloud control plane. Also, during deployment of the appliance, this port is used to download specific externally located software components, such as the Microsoft Azure CLI software, that are required for the appliance to perform its configuration of the pod manager VMs for collection of the monitoring data.
Horizon Edge Virtual Appliance Pod manager VMs 4002 TCP In steady-state operations over the management subnet, for the appliance to collect the monitoring data that it is designed to collect.

End-User Connection Traffic Ports and Protocols Requirements

For detailed information about the various Horizon Clients that your end users might use with your Horizon Cloud pod, see the Horizon Client documentation page at https://docs.vmware.com/en/VMware-Horizon-Client/index.html. Which ports must be opened for traffic from the end users' connections to reach their pod-provisioned virtual desktops and remote applications depends on the choice you make for how your end users will connect:

When you choose the deployer option for having an external gateway configuration in the pod's own VNet
The deployer deploys Unified Access Gateway instances in your Microsoft Azure environment, along with a Microsoft Azure load balancer resource to those instances in that load balancer's backend pool. That load balancer communicates with those instances' NICs on the DMZ subnet, and is configured as a public load balancer in Microsoft Azure. The diagram Illustration of the Horizon Cloud Pod Architecture for a Pod with High Availability Enabled and Configured with Both External and Internal Unified Access Gateway Configurations depicts the location of this public load balancer and the Unified Access Gateway instances. When your pod has this configuration, traffic from your end users on the Internet goes to that load balancer, which distributes the requests to the Unified Access Gateway instances. For this configuration, you must ensure that those end-user connections can reach that load balancer using the ports and protocols listed below. Post-deployment, the external gateway's load balancer is located in the resource group named vmw-hcs-podID-uag, where podID is the pod's UUID.
When you choose the deployer option for having an internal Unified Access Gateway configuration
An internal gateway configuration is deployed into the pod's own VNet by default. The deployer deploys Unified Access Gateway instances in your Microsoft Azure environment, along with a Microsoft Azure load balancer resource to those instances in its backend pool. That load balancer communicates with those instances' NICs on the tenant subnet, and is configured as an internal load balancer in Microsoft Azure. The diagram Illustration of the Horizon Cloud Pod Architecture for a Pod with High Availability Enabled and Configured with Both External and Internal Unified Access Gateway Configurations depicts the location of this internal load balancer and the Unified Access Gateway instances. When your pod has this configuration, traffic from your end users in your corporate network goes to that load balancer, which distributes the requests to the Unified Access Gateway instances. For this configuration, you must ensure that those end-user connections can reach that load balancer using the ports and protocols listed below. Post-deployment, the internal gateway's load balancer is located in the resource group named vmw-hcs-podID-uag-internal, where podID is the pod's UUID.
When you choose the deployer options either for having an external gateway configuration in its own VNet and not the pods, or the option to use its own subscription (which is a special sub-case of using its own VNet because VNets do not span subscriptions)
The deployer deploys Unified Access Gateway instances in your Microsoft Azure environment, along with a Microsoft Azure load balancer resource to those instances in that load balancer's backend pool. That load balancer communicates with those instances' NICs on the DMZ subnet, and is configured as a public load balancer in Microsoft Azure. The diagram Illustration of the External Gateway's Architecture Elements When the External Gateway is Deployed into Its Own VNet, Separate from the Pod's VNet depicts the location of this public load balancer and the Unified Access Gateway instances in the gateway's own VNet. When your pod has this configuration, traffic from your end users on the Internet goes to that load balancer, which distributes the requests to the Unified Access Gateway instances. For this configuration, you must ensure that those end-user connections can reach that load balancer using the ports and protocols listed below. Post-deployment, the external gateway's load balancer is located in the resource group named vmw-hcs-ID-uag, where ID is the value show in the Deployer ID field of the pod's details page. As described in the Administration Guide, you get to the pod's details page from the console's Capacity page.
Unsupported for pod manifests 2298 and later: When you have removed the Unified Access Gateway configurations and continue running with zero Unified Access Gateway configurations on the pod
A pod at manifest 2298 or later must have at least one gateway configuration to have supported operations. This scenario is only possible for manifests earlier than 2298.
Attention: In production systems, for internal-user access, the best practice is to use an internal Unified Access Gateway gateway configuration on the pod, and not direct connections to the pod.
In a configuration where you have single-pod brokering and Workspace ONE Access integrated with the pod, you typically have your end users connect through Workspace ONE Access. In this scenario, you must configure Workspace ONE Access and the Workspace ONE Access Connector pointing directly to the pod. Your end users are connecting to their pod-provisioned resources using Workspace ONE Access. For this configuration, you upload an SSL certificate to the pod's manager VMs using the pod's summary page in the console, as described in Configure SSL Certificates Directly on the Pod Manager VMs, Such as When Integrating the Workspace ONE Access Connector Appliance with the Horizon Cloud Pod in Microsoft Azure, So that Connector Can Trust Connections to the Pod Manager VMs. Then you complete the steps to integrate Workspace ONE Access with the pod.
Table 6. External End User Connections Ports and Protocols when the Pod Configuration has External Unified Access Gateway instances
Source Target Port Protocol Purpose
Horizon Client Microsoft Azure load balancer for these Unified Access Gateway instances 443 TCP Login authentication traffic. Can also carry client-drive redirection (CDR), multimedia redirection (MMR), USB redirection, and tunneled RDP traffic.

SSL (HTTPS access) is enabled by default for client connections. Port 80 (HTTP access) can be used in some cases. See Understanding What URL Content Redirection Is.

Horizon Client Microsoft Azure load balancer for these Unified Access Gateway instances 4172 TCP

UDP

PCoIP via PCoIP Secure Gateway on Unified Access Gateway
Horizon Client Microsoft Azure load balancer for these Unified Access Gateway instances 443 TCP Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic.
Horizon Client Microsoft Azure load balancer for these Unified Access Gateway instances 443 UDP Blast Extreme via the Unified Access Gateway for data traffic.
Horizon Client Microsoft Azure load balancer for these Unified Access Gateway instances 8443 UDP Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic (adaptive transport).
Browser Microsoft Azure load balancer for these Unified Access Gateway instances 443 TCP HTML Access
Table 7. Internal End User Connections Ports and Protocols when the Pod Configuration has Internal Unified Access Gateway instances
Source Target Port Protocol Purpose
Horizon Client Microsoft Azure load balancer for these Unified Access Gateway instances 443 TCP Login authentication traffic. Can also carry client-drive redirection (CDR), multimedia redirection (MMR), USB redirection, and tunneled RDP traffic.

SSL (HTTPS access) is enabled by default for client connections. Port 80 (HTTP access) can be used in some cases. See Understanding What URL Content Redirection Is.

Horizon Client Microsoft Azure load balancer for these Unified Access Gateway instances 4172 TCP

UDP

PCoIP via PCoIP Secure Gateway on Unified Access Gateway
Horizon Client Microsoft Azure load balancer for these Unified Access Gateway instances 443 TCP Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic.
Horizon Client Microsoft Azure load balancer for these Unified Access Gateway instances 443 UDP Blast Extreme via the Unified Access Gateway for data traffic.
Horizon Client Microsoft Azure load balancer for these Unified Access Gateway instances 8443 UDP Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic (adaptive transport).
Browser Microsoft Azure load balancer for these Unified Access Gateway instances 443 TCP HTML Access
Table 8. Internal End User Connections Ports and Protocols when using Direct Pod Connections, Such as Over VPN
Source Target Port Protocol Purpose
Horizon Client Pod's Microsoft Azure load balancer 443 TCP Login authentication traffic. The traffic from the clients reaches the pod's manager VMs through the pod's load balancer.
Horizon Client Horizon agent in the desktop or farm RDSH VMs 4172 TCP

UDP

PCoIP
Horizon Client Horizon agent in the desktop or farm RDSH VMs 22443 TCP

UDP

Blast Extreme
Horizon Client Horizon agent in the desktop or farm RDSH VMs 32111 TCP USB redirection
Horizon Client Horizon agent in the desktop or farm RDSH VMs 9427 TCP Client-drive redirection (CDR) and multimedia redirection (MMR)
Browser Horizon agent in the desktop or farm RDSH VMs 443 TCP HTML Access

Ports and Protocols Requirements for Traffic from the Horizon Agent in the Base VM, VDI Desktop VMs, and Farm RDSH VMs

The following ports must allow traffic between the Horizon agent-related software that is installed in the base VMs, desktop VMs, and farm RDSH VMs and the pod's manager VMs.

Source Target Port Protocol Purpose
Horizon agent in the base imported VM, golden images, desktop VMs, farm RDSH VMs Manager VM 4001 TCP Java Message Service (JMS, non-SSL), used by the agent in the VM to communicate with the pod as part of the certificate thumbprint verification and exchange to secure an SSL connection to the pod. After the keys are negotiated and exchanged between the VM and the pod manager, the agent uses port 4002 to create a secured SSL connection. For example, the Reset Agent Pairing action on the Imported VMs page requires communication over port 4001 for that agent pairing workflow between the base imported VM and the pod.
Note: Both ports 4001 and 4002 are required for steady-state operations. There are times when the agent might need to re-key with the pod, so port 4001 must be kept open.
Horizon agent in the base imported VM, the golden images, desktop VMs, farm RDSH VMs Manager VM 4002 TCP Java Message Service (JMS, SSL), used by the agent in these VMs to communicate with the pod using a secured SSL connection.
FlexEngine agent (the agent for VMware Dynamic Environment Manager) in the desktop or farm RDSH VMs Those file shares that you set up for use by the FlexEngine agent that runs in the desktop or farm RDSH VMs 445 TCP FlexEngine agent access to your SMB file shares, if you are using VMware Dynamic Environment Manager capabilities.
Note: Instead of listing DNS names, IP addresses, ports, and protocols in a Horizon Cloud Knowledge Base (KB) article, we have provided them here as part of the core Horizon Cloud documentation.