When you are using the Horizon Cloud Connector virtual appliance with your Horizon pod, you must configure your firewalls to allow the appliance to access the Domain Name Service (DNS) addresses it needs. In addition, your proxy settings must allow the required ports and protocols, and DNS must resolve the specific names described in this topic. Then, after the Horizon Cloud Connector virtual appliance is deployed and you have completed the steps to successfully connect the pod to Horizon Cloud, specific ports and protocols are required for ongoing operations between Horizon Cloud and the virtual appliance.

As described in When Onboarding a Horizon Pod to Use Horizon Subscription Licenses or Cloud-Hosted Services with that Pod, the Horizon Cloud Connector virtual appliance is used with VMware Horizon deployments to activate subscription licenses on Horizon and enable use of cloud-hosted services with your Horizon deployments.

Connectivity and DNS Requirements

One of the steps for connecting Horizon Cloud with your Horizon pod using the Horizon Cloud Connector is to use a browser to navigate to the Horizon Cloud Connector appliance's IP address, where a login screen appears. Seeing that login screen requires Internet connectivity between the Horizon Cloud Connector appliance and the Horizon Cloud cloud control plane. The appliance first establishes a connection to the Horizon Cloud cloud control plane using HTTPS, and then opens a persistent WebSocket connection, using outbound Internet port 443. For ongoing operations, the connection between the Horizon Cloud Connector appliance and Horizon Cloud requires that the outbound Internet connection on port 443 stay open at all times. You must ensure that the following Domain Name Service (DNS) names are resolvable and reachable using the specific ports and protocols listed in the tables below.

Important: Horizon Cloud Connector uses SSL certificates signed by DigiCert, an industry-trusted certificate authority (CA). These certificates use CRL (Certificate Revocation Lists) and OCSP (Online Certificate Status Protocol) queries that refer to specific DNS names on the DigiCert domain. To ensure Horizon Cloud Connector connectivity, you must configure these DNS names to be resolvable and reachable by the virtual appliance. If these DNS names are not reachable, you will not be able to access the Horizon Cloud Connector configuration portal. The specific names are determined by DigiCert, and therefore are not in VMware's control.
Note: If you are going to enable use of Universal Broker with the pod, there might be additional connectivity requirements for that use case. For details, see System Requirements for Universal Broker and its related topics.

Your Welcome to Horizon Service email will indicate which regional control plane instance your tenant account was created in. Due to a known issue that existed when the welcome email was sent to you, the email you received might display the system string names used for the regions instead of human-friendly names. If you see a system string name in your welcome email, you can use the following table to relate what is shown in your email with the regional control plane DNS names.

Table 1. Regions in Your Welcome Email Mapped to Regional Control Plane DNS Names
| Your welcome email says | Regional DNS Name |
| --- | --- |
| USA | cloud.horizon.vmware.com |
| EU_CENTRAL_1 or Europe | cloud-eu-central-1.horizon.vmware.com |
| AP_SOUTHEAST_2 or Australia | cloud-ap-southeast-2.horizon.vmware.com |
| PROD1_NORTHCENTRALUS2_CP1 or USA-2 | cloud-us-2.horizon.vmware.com |
| PROD1_NORTHEUROPE_CP1 or Europe-2 | cloud-eu-2.horizon.vmware.com |
| PROD1_AUSTRALIAEAST_CP1 or Australia-2 | cloud-ap-2.horizon.vmware.com |
| Japan | cloud-jp.horizon.vmware.com |

Source: Horizon Cloud Connector
Destination (DNS name): One of the following names, depending on which regional Horizon Cloud control plane instance is specified in your Horizon Cloud tenant account. The regional instance is set when the account is created, as described in Onboarding to Horizon Cloud for Microsoft Azure, Horizon On-Premises, and Horizon on VMware Cloud on AWS.
  • cloud.horizon.vmware.com
  • cloud-us-2.horizon.vmware.com
  • cloud-eu-central-1.horizon.vmware.com
  • cloud-eu-2.horizon.vmware.com
  • cloud-ap-southeast-2.horizon.vmware.com
  • cloud-ap-2.horizon.vmware.com
  • cloud-jp.horizon.vmware.com
Port: 443
Protocol: TCP
Purpose: Regional Horizon Cloud control plane instance
  • United States: cloud.horizon.vmware.com, cloud-us-2.horizon.vmware.com
  • Europe: cloud-eu-central-1.horizon.vmware.com, cloud-eu-2.horizon.vmware.com
  • Asia Pacific: cloud-ap-southeast-2.horizon.vmware.com, cloud-ap-2.horizon.vmware.com
  • Japan: cloud-jp.horizon.vmware.com

Source: Horizon Cloud Connector
Destination (DNS name): Depending on which regional Horizon Cloud control plane is specified in your Horizon Cloud account:

North America:
  • kinesis.us-east-1.amazonaws.com
  • query-prod-us-east-1.cms.vmware.com

  • kinesis.eu-central-1.amazonaws.com
  • query-prod-eu-central-1.cms.vmware.com

  • kinesis.ap-southeast-2.amazonaws.com
  • query-prod-ap-southeast-2.cms.vmware.com

  • kinesis.ap-northeast-1.amazonaws.com
  • query-prod-ap-northeast-1.cms.vmware.com
Port: 443
Protocol: TCP
Purpose: Cloud Monitoring Service (CMS)

Source: Horizon Cloud Connector
Destination (DNS name):
Note: If your organization discourages the use of wildcards in allowable DNS names, you can allow specific names instead. For example, at the time of this writing, the specific DNS names required for certificate validation are:
  • ocsp.digicert.com
  • crl3.digicert.com
  • crl4.digicert.com
  • www.digicert.com/CPS

These DNS names are determined by DigiCert and subject to change. For instructions on how to obtain the specific names required by your certificates, refer to VMware Knowledge Base (KB) article 79859.
Port: 80, 443
Protocol: HTTP, HTTPS
Purpose: CRL or OCSP queries used to obtain validation from the certificate authority, DigiCert
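
The following preflight check is an added example, not VMware's code: it turns the region string from the welcome email into the list of names and ports from the tables above and probes each one for DNS resolution and TCP reachability. Function names are illustrative; the pairing of the Europe, Australia and Japan control planes with the eu-central-1, ap-southeast-2 and ap-northeast-1 CMS names is an assumption read from the host names, and www.digicert.com is probed as the host of www.digicert.com/CPS.

```python
import socket

# Table 1 on this page: welcome-email strings -> regional control plane DNS name.
# Third field: AWS region in the CMS names. Only the North America pairing is
# stated on the page; the other three are assumptions read from the host names.
TABLE1 = [
    (("USA",), "cloud.horizon.vmware.com", "us-east-1"),
    (("EU_CENTRAL_1", "Europe"), "cloud-eu-central-1.horizon.vmware.com", "eu-central-1"),
    (("AP_SOUTHEAST_2", "Australia"), "cloud-ap-southeast-2.horizon.vmware.com", "ap-southeast-2"),
    (("PROD1_NORTHCENTRALUS2_CP1", "USA-2"), "cloud-us-2.horizon.vmware.com", "us-east-1"),
    (("PROD1_NORTHEUROPE_CP1", "Europe-2"), "cloud-eu-2.horizon.vmware.com", "eu-central-1"),
    (("PROD1_AUSTRALIAEAST_CP1", "Australia-2"), "cloud-ap-2.horizon.vmware.com", "ap-southeast-2"),
    (("Japan",), "cloud-jp.horizon.vmware.com", "ap-northeast-1"),
]
# Hosts taken from the DigiCert names in the note; subject to change (see KB 79859).
DIGICERT_HOSTS = ["ocsp.digicert.com", "crl3.digicert.com", "crl4.digicert.com", "www.digicert.com"]

def required_endpoints(region):
    """Return the (host, port) pairs the appliance must reach for a tenant region."""
    wanted = region.strip().lower()
    for aliases, control_plane, aws in TABLE1:
        if wanted in (a.lower() for a in aliases):
            hosts = [control_plane, f"kinesis.{aws}.amazonaws.com",
                     f"query-prod-{aws}.cms.vmware.com"]
            return ([(h, 443) for h in hosts]
                    + [(h, p) for h in DIGICERT_HOSTS for p in (80, 443)])
    raise ValueError(f"unknown region string: {region!r}")

def tcp_probe(host, port, timeout=5.0):
    """Resolve the name, then attempt a direct TCP connect; return a status string."""
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-fail"
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "ok"
    except OSError:
        return "tcp-fail"

def preflight(region, probe=tcp_probe):
    """Probe every required endpoint; return only failures as {(host, port): status}."""
    results = {ep: probe(*ep) for ep in required_endpoints(region)}
    return {ep: status for ep, status in results.items() if status != "ok"}

if __name__ == "__main__":
    for (host, port), status in preflight("PROD1_NORTHEUROPE_CP1").items():
        print(f"{host}:{port} {status}")
```

Run it from a host that shares the appliance's network segment and egress path. When the appliance reaches the Internet through an HTTP proxy, a direct connect from this script does not exercise the proxy path.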

Ports and Protocols Required by the Horizon Cloud Connector Virtual Appliance

For ongoing operations between Horizon Cloud Connector and Horizon Cloud, the ports and protocols in the following table are required.

Table 2. Horizon Cloud Connector Ports
| Source | Target | Port | Protocol | Description |
| --- | --- | --- | --- | --- |
| Horizon Cloud Connector | Horizon Cloud | 443 | HTTPS | Used to pair the Horizon Cloud Connector with Horizon Cloud and transfer data. |
| Horizon Cloud Connector | Connection Server | 443 | HTTPS | API calls to Connection Server. |
| Horizon Cloud Connector | Connection Server | 4002 | TCP | Java Message Service (JMS) communication between the Cloud Connector and the Connection Server |
| New version of the Horizon Cloud Connector appliance | Existing version of the Horizon Cloud Connector appliance | 22 | SSH | Listen for requests to start the update process. |
| Web browser | Horizon Cloud Connector | 443 | HTTPS | Listen for the initiation of the pairing process. |
| Cloud Monitoring Service agent in the desktop or server VMs that are from the cloud-connected Horizon pod on your network | Horizon Cloud Connector appliance | 11002 | TCP | For the Cloud Monitoring Service agent on a server or desktop VM to send data to the Horizon Cloud Connector |