For ongoing Horizon Cloud operations, a pod that was deployed in Microsoft Azure before the September 2019 release has port and protocol requirements that differ from those of a pod deployed at, or upgraded to, the manifest version of the September 2019 release. A pod that was deployed before the September 2019 release has a manifest version of 1493.1 or earlier.

Important: In addition to the ports and protocols described here, you must meet DNS requirements. For details, see DNS Requirements for a Horizon Cloud Pod in Microsoft Azure.

Ports and Protocols Required for Ongoing Operations for a Pod of Manifest Version

In addition to the DNS requirements, the ports and protocols in the following tables are required for the pod to operate properly for ongoing operations after deployment.

Note: In this section's tables, the term manager VM refers to the pod's manager VM. In the Microsoft Azure portal, this VM has a name that contains a part like vmw-hcs-podID, where podID is the pod's UUID, and a node part.

Table 1. Pod Operations Ports and Protocols

| Source | Target | Ports | Protocol | Purpose |
|---|---|---|---|---|
| Manager VM | Domain controller | 389 | TCP, UDP | LDAP services. Server that contains a domain controller role in an Active Directory configuration. Registering the pod with an Active Directory is a requirement. |
| Manager VM | Global catalog | 3268 | TCP | LDAP services. Server that contains the global catalog role in an Active Directory configuration. Registering the pod with an Active Directory is a requirement. |
| Manager VM | Domain controller | 88 | TCP, UDP | Kerberos services. Server that contains a domain controller role in an Active Directory configuration. Registering the pod with an Active Directory is a requirement. |
| Manager VM | DNS server | 53 | TCP, UDP | DNS services. |
| Manager VM | NTP server | 123 | UDP | NTP services. Server that provides NTP time synchronization. |
| Manager VM | True SSO Enrollment Server | 32111 | TCP | True SSO Enrollment Server. Optional if you are not using True SSO Enrollment Server capabilities with your pods. |
| Manager VM | Workspace ONE Access service | 443 | HTTPS | Optional if you are not using Workspace ONE Access with the pod. Used to create a trust relationship between the pod and the Workspace ONE Access service. Ensure that the pod can reach the Workspace ONE Access environment you are using, either on-premises or the cloud service, on port 443. If you are using the Workspace ONE Access cloud service, see also the list of Workspace ONE Access service IP addresses to which the Workspace ONE Access Connector and the pod must have access in the VMware Knowledge Base article 2149884. |
| Transient jump box VM | Manager VM | 22 | TCP | As described in Ports and Protocols Required by the Pod Jump Box During Pod Deployments and Pod Updates, a transient jump box is used during pod deployment and pod update processes. Even though ongoing operations do not require this port, during pod deployment and pod update processes this jump box VM must communicate with the pod's manager VM using SSH to the manager VM's port 22. For details about the cases for which the jump box VM needs this communication, see Ports and Protocols Required by the Pod Jump Box During Pod Deployments and Pod Updates. |

Which ports must be opened for traffic from the end users' connections to reach their pod-provisioned virtual desktops and remote applications depends on the choice you make for how your end users will connect. The following tables cover each connection type.

For detailed information about the various Horizon Clients that your end users might use with your Horizon Cloud pod, see the Horizon Client documentation page at https://docs.vmware.com/en/VMware-Horizon-Client/index.html.

Table 2. External End User Connections Ports and Protocols when the Pod Configuration has External Unified Access Gateway instances

| Source | Target | Port | Protocol | Purpose |
|---|---|---|---|---|
| Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 443 | TCP | Login authentication traffic. Can also carry client-drive redirection (CDR), multimedia redirection (MMR), USB redirection, and tunneled RDP traffic. SSL (HTTPS access) is enabled by default for client connections. Port 80 (HTTP access) can be used in some cases. See the topic Understanding What URL Content Redirection Is in the VMware Horizon Cloud Service Administration Guide. |
| Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 4172 | TCP, UDP | PCoIP via PCoIP Secure Gateway on Unified Access Gateway |
| Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 443 | TCP | Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic. |
| Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 443 | UDP | Blast Extreme via the Unified Access Gateway for data traffic. |
| Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 8443 | UDP | Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic (adaptive transport). |
| Browser | Microsoft Azure load balancer for these Unified Access Gateway instances | 443 | TCP | HTML Access |

Table 3. Internal End User Connections Ports and Protocols when the Pod Configuration has Internal Unified Access Gateway instances

| Source | Target | Port | Protocol | Purpose |
|---|---|---|---|---|
| Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 443 | TCP | Login authentication traffic. Can also carry client-drive redirection (CDR), multimedia redirection (MMR), USB redirection, and tunneled RDP traffic. SSL (HTTPS access) is enabled by default for client connections. Port 80 (HTTP access) can be used in some cases. See the topic Understanding What URL Content Redirection Is in the VMware Horizon Cloud Service Administration Guide. |
| Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 4172 | TCP, UDP | PCoIP via PCoIP Secure Gateway on Unified Access Gateway |
| Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 443 | TCP | Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic. |
| Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 443 | UDP | Blast Extreme via the Unified Access Gateway for data traffic. |
| Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 8443 | UDP | Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic (adaptive transport). |
| Browser | Microsoft Azure load balancer for these Unified Access Gateway instances | 443 | TCP | HTML Access |

Table 4. Internal End User Connections Ports and Protocols when using Direct Pod Connections, Such as Over VPN

| Source | Target | Port | Protocol | Purpose |
|---|---|---|---|---|
| Horizon Client | Manager VM | 443 | TCP | Login authentication traffic |
| Horizon Client | Horizon agent in the desktop or farm server VMs | 4172 | TCP, UDP | PCoIP |
| Horizon Client | Horizon agent in the desktop or farm server VMs | 22443 | TCP, UDP | Blast Extreme |
| Horizon Client | Horizon agent in the desktop or farm server VMs | 32111 | TCP | USB redirection |
| Horizon Client | Horizon agent in the desktop or farm server VMs | 9427 | TCP | Client-drive redirection (CDR) and multimedia redirection (MMR) |
| Browser | Horizon agent in the desktop or farm server VMs | 443 | TCP | HTML Access |

For connections using a pod configured with Unified Access Gateway instances, traffic must be allowed from the pod's Unified Access Gateway instances to targets as listed in the table below. During pod deployment, a Network Security Group (NSG) is created in your Microsoft Azure environment for use by the pod's Unified Access Gateway software.

Table 5. Port Requirements for Traffic from the Pod's Unified Access Gateway Instances

| Source | Target | Port | Protocol | Purpose |
|---|---|---|---|---|
| Unified Access Gateway | Manager VM | 443 | TCP | Login authentication traffic |
| Unified Access Gateway | Horizon agent in the desktop or farm server VMs | 4172 | TCP, UDP | PCoIP |
| Unified Access Gateway | Horizon agent in the desktop or farm server VMs | 22443 | TCP, UDP | Blast Extreme. By default, when using Blast Extreme, client-drive redirection (CDR) traffic and USB traffic are side-channeled in this port. If you prefer, the CDR traffic can be separated onto TCP port 9427 and the USB redirection traffic onto TCP port 32111. |
| Unified Access Gateway | Horizon agent in the desktop or farm server VMs | 9427 | TCP | Optional for client-drive redirection (CDR) and multimedia redirection (MMR) traffic. |
| Unified Access Gateway | Horizon agent in the desktop or farm server VMs | 32111 | TCP | Optional for USB redirection traffic. |
| Unified Access Gateway | Your RADIUS instance | 1812 | UDP | When using RADIUS two-factor authentication with that Unified Access Gateway configuration. The default value for RADIUS is shown here. |

The following ports must allow traffic from the Horizon agent-related software that is installed in the desktop VMs and farm server VMs.

| Source | Target | Port | Protocol | Purpose |
|---|---|---|---|---|
| Horizon agent in the desktop or farm server VMs | Manager VM | 4001 | TCP | Java Message Service (JMS, non-SSL), used by the agent in the VM when the agent is not yet paired with the pod. The agent communicates with the pod to get the information it needs to pair with the pod. After the agent is paired, it uses port 4002 to communicate with the pod. |
| Horizon agent in the desktop or farm server VMs | Manager VM | 4002 | TCP | Java Message Service (JMS, SSL), used by the agent to communicate with the pod when the agent is already paired with the pod. |
| FlexEngine agent (the agent for VMware Dynamic Environment Manager) in the desktop or farm server VMs | The file shares that you set up for use by the FlexEngine agent that runs in the desktop or farm server VMs | 445 | TCP | FlexEngine agent access to your SMB file shares, if you are using VMware Dynamic Environment Manager capabilities. |

As part of the pod deployment process, the deployer creates network security groups (NSGs) on the network interfaces (NICs) on all of the deployed VMs. For details about the rules defined in those NSGs, see the Horizon Cloud Administration Guide.
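Because the NSG rules on the Unified Access Gateway NICs are what actually enforce Table 5, a practical check is to compare a rule set against the table's required flows before blaming the pod. The following is an added example, not VMware's code or the deployer's NSG format: sources and targets are modelled as simple labels ("uag", "manager-vm", "agent-vm", "radius"), and the rule semantics mimic Azure NSGs (lowest priority number evaluated first, first match decides, no match means denied). The sample rule set is constructed to show two common mistakes.

```python
# Added example (not VMware's code): check simplified NSG-style rules against the
# Table 5 flows (Unified Access Gateway instances -> pod targets). Sources and
# targets are modelled as labels; rule semantics follow Azure NSGs (lowest
# priority number first, first match decides, no match means denied).
from dataclasses import dataclass
from typing import List, Tuple

# Required flows from Table 5: (source, target, port, protocol).
UAG_FLOWS = [
    ("uag", "manager-vm", 443, "tcp"),                                     # login authentication
    ("uag", "agent-vm", 4172, "tcp"), ("uag", "agent-vm", 4172, "udp"),    # PCoIP
    ("uag", "agent-vm", 22443, "tcp"), ("uag", "agent-vm", 22443, "udp"),  # Blast Extreme
    ("uag", "radius", 1812, "udp"),                                        # RADIUS two-factor auth
]

@dataclass(frozen=True)
class Rule:
    priority: int           # lower number is evaluated first, as in Azure NSGs
    access: str             # "allow" or "deny"
    src: str                # label or "*"
    dst: str                # label or "*"
    ports: Tuple[int, int]  # inclusive destination port range
    proto: str              # "tcp", "udp" or "*"

def rule_matches(rule: Rule, src: str, dst: str, port: int, proto: str) -> bool:
    return (rule.src in ("*", src) and rule.dst in ("*", dst)
            and rule.ports[0] <= port <= rule.ports[1]
            and rule.proto in ("*", proto))

def flow_allowed(rules: List[Rule], src: str, dst: str, port: int, proto: str) -> bool:
    """First matching rule by priority decides; no match is treated as denied."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, src, dst, port, proto):
            return rule.access == "allow"
    return False

def missing_flows(rules: List[Rule], flows=UAG_FLOWS) -> List[tuple]:
    """Return the required flows that the rule set does not allow."""
    return [f for f in flows if not flow_allowed(rules, *f)]

# Constructed sample rule set with two common mistakes: PCoIP opened for TCP
# only, and the RADIUS allow rule shadowed by a higher-priority deny.
SAMPLE_RULES = [
    Rule(100, "allow", "uag", "manager-vm", (443, 443), "tcp"),
    Rule(110, "allow", "uag", "agent-vm", (4172, 4172), "tcp"),
    Rule(120, "allow", "uag", "agent-vm", (22443, 22443), "*"),
    Rule(200, "deny", "uag", "radius", (1, 65535), "*"),
    Rule(300, "allow", "uag", "radius", (1812, 1812), "udp"),
]
```

Calling missing_flows(SAMPLE_RULES) reports the 4172/UDP PCoIP flow and the 1812/UDP RADIUS flow as not allowed; the same flow lists can be built from Tables 1, 4 and 6 to check the manager VM and agent VM NSGs.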

Note: Instead of listing DNS names, IP addresses, ports, and protocols in a Horizon Cloud Knowledge Base (KB) article, we have provided them here as part of the core Horizon Cloud documentation.