For ongoing Horizon Cloud operations, a pod that is either deployed new in Microsoft Azure starting with the September 2019 release and later, or which is updated to the September 2019 release level, has specific port and protocol requirements that are different from a pod that was deployed previously. Pods deployed new or updated to the September 2019 release have manifest versions of 1600 or later.
In addition to the ports and protocols described here, you must meet DNS requirements. For details, see DNS Requirements for a Horizon Cloud Pod in Microsoft and Related Service Features.
As part of the pod deployment process, the deployer creates network security groups (NSGs) on the network interfaces (NICs) on all of the deployed VMs. For details about the rules defined in those NSGs, see Default Network Security Group Rules for the VMs in a Horizon Cloud Pod Deployed in Microsoft Azure.
Ports and Protocols Required by Key Pod Components for Ongoing Operations
In addition to the DNS requirements, the following tables list ports and protocols that are required for the pod to operate properly for ongoing operations after deployment. Some of these tables also list ports and protocols that are required for specific scenarios or when you have enabled particular features on the pod.
In the tables below, the term manager VM refers to the pod's manager VM. In the Microsoft Azure portal, this VM has a name that contains a part like vmw-hcs-podID, where podID is the pod's UUID, and a node part.
All pods at the September 2019 release's manifest version or later have a pod Microsoft Azure load balancer. The table rows that involve the pod's load balancer apply for all pods at the manifest level of 1600 or later.
| Source | Target | Ports | Protocol | Purpose |
|---|---|---|---|---|
| Manager VM | Pod's other manager VM | 4101 | TCP | For a pod that is enabled with high availability, this traffic is JMS routing between the manager VMs. |
| Manager VM | Unified Access Gateway VMs | 9443 | HTTPS | This port is used by the pod manager VM over the management subnet to configure settings in the pod's Unified Access Gateway configuration. This port requirement applies when initially deploying a pod with a Unified Access Gateway configuration and when editing a pod to add a Unified Access Gateway configuration or update settings for that Unified Access Gateway configuration. |
| Pod's Microsoft Azure load balancer | Manager VM | 8080 | HTTP | Health checks of the VMs in the load balancer's backend pool. When a pod at this release's manifest version is not enabled with high availability, the load balancer has one manager VM is its backend pool to check. |
| Manager VM | Domain controller | 389 | TCP UDP |
LDAP services. Server that contains a domain controller role in an Active Directory configuration. Registering the pod with an Active Directory is a requirement. |
| Manager VM | Global catalog | 3268 | TCP | LDAP services. Server that contains global catalog role in an Active Directory configuration. Registering the pod with an Active Directory is a requirement. |
| Manager VM | Domain controller | 88 | TCP UDP |
Kerberos services. Server that contains a domain controller role in an Active Directory configuration. Registering the pod with an Active Directory is a requirement. |
| Manager VM | DNS server | 53 | TCP UDP |
DNS services. |
| Manager VM | NTP server | 123 | UDP | NTP services. Server that provides NTP time synchronization. |
| Manager VM | True SSO Enrollment Server | 32111 | TCP | True SSO Enrollment Server. Optional if you are not using True SSO Enrollment Server capabilities with your pods. |
| Manager VM | Workspace ONE Access service | 443 | HTTPS |
Note: This row is applicable to environments with a single-pod-broker configuration. This information is not for environments with a Universal Broker configuration. In a single-pod-broker configured environment, the
Workspace ONE Access Connector communicates with a pod to obtain the end-user entitlements (the assignments).
Optional if you are not integrating Workspace ONE Access with the pod. In a single-pod-broker configured environment, this connection is used to create a trust relationship between the pod and the Workspace ONE Access service, where the Workspace ONE Access Connector is synched with the pod. Ensure that the pod can reach the Workspace ONE Access environment you are using on port 443. When you are using the Workspace ONE Access cloud service, see also the list of Workspace ONE Access service IP addresses to which the Workspace ONE Access Connector and the pod must have access in the VMware Knowledge Base article 2149884. |
| Transient Jump box VM | Manager VM | 22 | TCP | As described above in Ports and Protocols Required by the Pod Jump Box During Pod Deployments and Pod Updates, a transient jump box is used during pod deployment and pod update processes. Even though ongoing processes do not require these ports, during pod deployment and pod update processes, this jump box VM must communicate with the manager VMs using SSH to the manager VMs' port 22. For details about the cases for which the jump box VM needs this communication, see Ports and Protocols Required by the Pod Jump Box During Pod Deployments and Pod Updates.
Note: A pod that is at manifest version 1600 or later and has the high availability feature enabled on it, will have two manager VMs. The preceding paragraph uses the plural word VMs to indicate the jump box VM must communicate with all of the pod's manager VMs, whether the pod has only one or has two.
|
| Transient Jump box VM | Unified Access Gateway VMs | 9443 | HTTPS | This port is used by the jump box VM over the management subnet to configure settings in the pod's Unified Access Gateway configuration. This port requirement applies when initially deploying a pod with a Unified Access Gateway configuration and when editing a pod to add a Unified Access Gateway configuration to a pod. |
Gateway Connector VM Ports and Protocols Requirements
This table applies to the gateway's connector VM that is used when you have deployed the external gateway in a separate VNet. In addition to the DNS requirements, the ports and protocols in the following table are required for the external gateway to operate properly for ongoing operations after deployment.
In the table below, the term connector VM refers to the gateway's connector VM which manages the connection between the cloud management plane and the external gateway. In the Microsoft Azure portal, this VM has a name that contains a part like vmw-hcs-ID, where ID is the gateway's deployer ID, and a node part.
| Source | Target | Ports | Protocol | Purpose |
|---|---|---|---|---|
| Connector VM | DNS server | 53 | TCP UDP |
DNS services. |
| Connector VM | NTP server | 123 | UDP | NTP services. Server that provides NTP time synchronization. |
| Transient Jump box VM | Connector VM | 22 | TCP | As described above in Ports and Protocols Required by the Pod Jump Box During Pod Deployments and Pod Updates, a transient jump box is used during deployment of the external gateway and during update processes. Even though ongoing processes do not require these ports, during deployment and update processes, this jump box VM must communicate with the connector VM using SSH to the connector VMs' port 22. |
Unified Access Gateway VM Ports and Protocols Requirements
In addition to the DNS and above primary ports and protocols requirements, the ports and protocols in the following tables are related to the gateways that you have configured on the pod to operate properly for ongoing operations after deployment.
For connections using a high-availability-enabled pod configured with Unified Access Gateway instances, traffic must be allowed from the pod's Unified Access Gateway instances to targets as listed in the table below. During pod deployment, a Network Security Group (NSG) is created in your Microsoft Azure environment for use by the pod's Unified Access Gateway software.
| Source | Target | Port | Protocol | Purpose |
|---|---|---|---|---|
| Unified Access Gateway | Pod's Microsoft Azure load balancer | 8443 | TCP | Login authentication traffic. The traffic from the Unified Access Gateway instances reaches the pod's manager VM through the pod's load balancer. |
| Unified Access Gateway | Horizon agent in the desktop or farm RDSH VMs | 4172 | TCP UDP |
PCoIP |
| Unified Access Gateway | Horizon agent in the desktop or farm RDSH VMs | 22443 | TCP UDP |
Blast Extreme By default, when using Blast Extreme, client-drive redirection (CDR) traffic and USB traffic is side-channeled in this port. If you prefer instead, the CDR traffic can be separated onto the TCP 9427 port and the USB redirection traffic can be separated onto the TCP 32111 port. |
| Unified Access Gateway | Horizon agent in the desktop or farm RDSH VMs | 9427 | TCP | Optional for client driver redirection (CDR) and multimedia redirection (MMR) traffic. |
| Unified Access Gateway | Horizon agent in the desktop or farm RDSH VMs | 32111 | TCP | Optional for USB redirection traffic. |
| Unified Access Gateway | Your RADIUS instance | 1812 | UDP | When using RADIUS two-factor authentication with that Unified Access Gateway configuration. The default value for RADIUS is shown here. |
Ports and Protocols Required by Universal Broker
To support the use of Universal Broker for the brokering of end-user assignments from a pod, you must configure port 443 as described in the following table. The active pod manager establishes a persistent WebSocket connection with the Universal Broker service through port 443 and receives connection requests from the Universal Broker service through a randomly selected port.
| Source | Source Port | Target | Target Port | Protocol | Purpose |
|---|---|---|---|---|---|
| Active pod manager | Randomly selected from available ports | Universal Broker service | 443 | HTTPS initially, then WebSocket | Establishes a persistent WebSocket connection with the Universal Broker service |
Ports and Protocols Required by the Horizon Edge Virtual Appliance
When you activate Horizon Infrastructure Monitoring for a pod, the Horizon Edge Virtual Appliance is deployed and configured in that pod's subscription. The appliance has a single NIC on the pod's management subnet and an NSG is automatically configured on that NIC. That NSG's rule specify the allowed traffic into the appliance and out from the appliance. The following table lists the ports and protocols from that NSG that are needed during the activation process, as the appliance is deployed and configures the pod manager VMs so that it can collect the monitoring data it is designed to collect from those components. This table also lists the ports and protocols that are needed during the appliance's steady-state operations of collecting the data it is designed to collect in this current service release.
| Source | Target | Ports | Protocol | Purpose |
|---|---|---|---|---|
| Horizon Edge Virtual Appliance | DNS server | 53 | TCP | DNS services |
| Horizon Edge Virtual Appliance | Pod manager VMs | 9172 | Any | In steady-state operations over the management subnet, for the appliance to collect the monitoring data that it is designed to collect. |
| Horizon Edge Virtual Appliance | Cloud control plane | 443 | TCP | In steady-state operations over the management subnet, for the appliance to communicate the monitoring data to the cloud control plane. Also, during deployment of the appliance, this port is used to download specific externally located software components, such as the Microsoft Azure CLI software, that are required for the appliance to perform its configuration of the pod manager VMs for collection of the monitoring data. |
| Horizon Edge Virtual Appliance | Pod manager VMs | 4002 | TCP | In steady-state operations over the management subnet, for the appliance to collect the monitoring data that it is designed to collect. |
End-User Connection Traffic Ports and Protocols Requirements
For detailed information about the various Horizon Clients that your end users might use with your Horizon Cloud pod, see the Horizon Client documentation page at https://docs.vmware.com/en/VMware-Horizon-Client/index.html. Which ports must be opened for traffic from the end users' connections to reach their pod-provisioned virtual desktops and remote applications depends on the choice you make for how your end users will connect:
- When you choose the deployer option for having an external gateway configuration in the pod's own VNet
-
The deployer deploys
Unified Access Gateway instances in your Microsoft Azure environment, along with a
Microsoft Azure load balancer resource to those instances in that load balancer's backend pool. That load balancer communicates with those instances' NICs on the DMZ subnet, and is configured as a
public load balancer in Microsoft Azure.
The diagram Illustration of the Horizon Cloud Pod Architecture for a Pod with High Availability Enabled and Configured with Both External and Internal Unified Access Gateway Configurations depicts the location of this public load balancer and the Unified Access Gateway instances. When your pod has this configuration, traffic from your end users on the Internet goes to that load balancer, which distributes the requests to the Unified Access Gateway instances. For this configuration, you must ensure that those end-user connections can reach that load balancer using the ports and protocols listed below. Post-deployment, the external gateway's load balancer is located in the resource group named
vmw-hcs-podID-uag, where podID is the pod's UUID. - When you choose the deployer option for having an internal Unified Access Gateway configuration
-
An internal gateway configuration is deployed into the pod's own VNet by default. The deployer deploys
Unified Access Gateway instances in your Microsoft Azure environment, along with a
Microsoft Azure load balancer resource to those instances in its backend pool. That load balancer communicates with those instances' NICs on the tenant subnet, and is configured as an
internal load balancer in Microsoft Azure.
The diagram Illustration of the Horizon Cloud Pod Architecture for a Pod with High Availability Enabled and Configured with Both External and Internal Unified Access Gateway Configurations depicts the location of this internal load balancer and the Unified Access Gateway instances. When your pod has this configuration, traffic from your end users in your corporate network goes to that load balancer, which distributes the requests to the Unified Access Gateway instances. For this configuration, you must ensure that those end-user connections can reach that load balancer using the ports and protocols listed below. Post-deployment, the internal gateway's load balancer is located in the resource group named
vmw-hcs-podID-uag-internal, where podID is the pod's UUID. - When you choose the deployer options either for having an external gateway configuration in its own VNet and not the pods, or the option to use its own subscription (which is a special sub-case of using its own VNet because VNets do not span subscriptions)
-
The deployer deploys
Unified Access Gateway instances in your Microsoft Azure environment, along with a
Microsoft Azure load balancer resource to those instances in that load balancer's backend pool. That load balancer communicates with those instances' NICs on the DMZ subnet, and is configured as a
public load balancer in Microsoft Azure.
The diagram Illustration of the External Gateway's Architecture Elements When the External Gateway is Deployed into Its Own VNet, Separate from the Pod's VNet depicts the location of this public load balancer and the Unified Access Gateway instances in the gateway's own VNet. When your pod has this configuration, traffic from your end users on the Internet goes to that load balancer, which distributes the requests to the Unified Access Gateway instances. For this configuration, you must ensure that those end-user connections can reach that load balancer using the ports and protocols listed below. Post-deployment, the external gateway's load balancer is located in the resource group named
vmw-hcs-ID-uag, where ID is the value show in the Deployer ID field of the pod's details page. As described in the Administration Guide, you get to the pod's details page from the console's Capacity page. - Unsupported for pod manifests 2298 and later: When you have removed the Unified Access Gateway configurations and continue running with zero Unified Access Gateway configurations on the pod
-
A pod at manifest 2298 or later must have at least one gateway configuration to have supported operations. This scenario is only possible for manifests earlier than 2298.
Attention: In production systems, for internal-user access, the best practice is to use an internal Unified Access Gateway gateway configuration on the pod, and not direct connections to the pod.In a configuration where you have single-pod brokering and Workspace ONE Access integrated with the pod, you typically have your end users connect through Workspace ONE Access. In this scenario, you must configure Workspace ONE Access and the Workspace ONE Access Connector pointing directly to the pod. Your end users are connecting to their pod-provisioned resources using Workspace ONE Access. For this configuration, you upload an SSL certificate to the pod's manager VMs using the pod's summary page in the console, as described in Configure SSL Certificates Directly on the Pod Manager VMs, Such as When Integrating the Workspace ONE Access Connector Appliance with the Horizon Cloud Pod in Microsoft Azure, So that Connector Can Trust Connections to the Pod Manager VMs. Then you complete the steps to integrate Workspace ONE Access with the pod.
| Source | Target | Port | Protocol | Purpose |
|---|---|---|---|---|
| Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 443 | TCP | Login authentication traffic. Can also carry client-drive redirection (CDR), multimedia redirection (MMR), USB redirection, and tunneled RDP traffic. SSL (HTTPS access) is enabled by default for client connections. Port 80 (HTTP access) can be used in some cases. See Understanding What URL Content Redirection Is. |
| Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 4172 | TCP UDP |
PCoIP via PCoIP Secure Gateway on Unified Access Gateway |
| Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 443 | TCP | Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic. |
| Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 443 | UDP | Blast Extreme via the Unified Access Gateway for data traffic. |
| Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 8443 | UDP | Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic (adaptive transport). |
| Browser | Microsoft Azure load balancer for these Unified Access Gateway instances | 443 | TCP | HTML Access |
| Source | Target | Port | Protocol | Purpose |
|---|---|---|---|---|
| Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 443 | TCP | Login authentication traffic. Can also carry client-drive redirection (CDR), multimedia redirection (MMR), USB redirection, and tunneled RDP traffic. SSL (HTTPS access) is enabled by default for client connections. Port 80 (HTTP access) can be used in some cases. See Understanding What URL Content Redirection Is. |
| Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 4172 | TCP UDP |
PCoIP via PCoIP Secure Gateway on Unified Access Gateway |
| Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 443 | TCP | Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic. |
| Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 443 | UDP | Blast Extreme via the Unified Access Gateway for data traffic. |
| Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 8443 | UDP | Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic (adaptive transport). |
| Browser | Microsoft Azure load balancer for these Unified Access Gateway instances | 443 | TCP | HTML Access |
| Source | Target | Port | Protocol | Purpose |
|---|---|---|---|---|
| Horizon Client | Pod's Microsoft Azure load balancer | 443 | TCP | Login authentication traffic. The traffic from the clients reaches the pod's manager VMs through the pod's load balancer. |
| Horizon Client | Horizon agent in the desktop or farm RDSH VMs | 4172 | TCP UDP |
PCoIP |
| Horizon Client | Horizon agent in the desktop or farm RDSH VMs | 22443 | TCP UDP |
Blast Extreme |
| Horizon Client | Horizon agent in the desktop or farm RDSH VMs | 32111 | TCP | USB redirection |
| Horizon Client | Horizon agent in the desktop or farm RDSH VMs | 9427 | TCP | Client-drive redirection (CDR) and multimedia redirection (MMR) |
| Browser | Horizon agent in the desktop or farm RDSH VMs | 443 | TCP | HTML Access |
Ports and Protocols Requirements for Traffic from the Horizon Agent in the Base VM, VDI Desktop VMs, and Farm RDSH VMs
The following ports must allow traffic between the Horizon agent-related software that is installed in the base VMs, desktop VMs, and farm RDSH VMs and the pod's manager VMs.
| Source | Target | Port | Protocol | Purpose |
|---|---|---|---|---|
| Horizon agent in the base imported VM, golden images, desktop VMs, farm RDSH VMs | Manager VM | 4001 | TCP | Java Message Service (JMS, non-SSL), used by the agent in the VM to communicate with the pod as part of the certificate thumbprint verification and exchange to secure an SSL connection to the pod. After the keys are negotiated and exchanged between the VM and the pod manager, the agent uses port 4002 to create a secured SSL connection. For example, the Reset Agent Pairing action on the Imported VMs page requires communication over port 4001 for that agent pairing workflow between the base imported VM and the pod.
Note: Both ports 4001 and 4002 are required for steady-state operations. There are times when the agent might need to re-key with the pod, so port 4001 must be kept open.
|
| Horizon agent in the base imported VM, the golden images, desktop VMs, farm RDSH VMs | Manager VM | 4002 | TCP | Java Message Service (JMS, SSL), used by the agent in these VMs to communicate with the pod using a secured SSL connection. |
| FlexEngine agent (the agent for VMware Dynamic Environment Manager) in the desktop or farm RDSH VMs | Those file shares that you set up for use by the FlexEngine agent that runs in the desktop or farm RDSH VMs | 445 | TCP | FlexEngine agent access to your SMB file shares, if you are using VMware Dynamic Environment Manager capabilities. |
