For ongoing Horizon Cloud operations, a pod that is either deployed new in Microsoft Azure starting with the September 2019 release, or which is upgraded to the September 2019 release level, has port and protocol requirements that differ from those of a pod deployed at an earlier release level. Pods deployed new or upgraded to the September 2019 release have manifest versions of 1600 or later.

Important: In addition to the ports and protocols described here, you must meet DNS requirements. For details, see DNS Requirements for a Horizon Cloud Pod in Microsoft Azure.

Ports and Protocols Required for Ongoing Operations

In addition to the DNS requirements, the ports and protocols in the following tables are required for the pod's ongoing operations after deployment.

In the tables below, the term manager VM refers to the pod's manager VM. In the Microsoft Azure portal, this VM has a name that contains a part like vmw-hcs-podID, where podID is the pod's UUID, and a node part.

Important: A pod that is enabled for high availability has two manager VMs. A pod that has high availability disabled has only one manager VM. In the tables below, wherever you see the term manager VM, it applies to all of the manager VMs in your high-availability-enabled pod unless otherwise indicated.

All pods at the September 2019 release's manifest version have a pod Microsoft Azure load balancer. The table rows that involve the pod's load balancer apply for all pods at the manifest level of 1600 or later.

Table 1. Pod Operations Ports and Protocols

| Source | Target | Ports | Protocol | Purpose |
|---|---|---|---|---|
| Manager VM | Pod's other manager VM | 4101 | TCP | For a pod that is enabled with high availability, this traffic is JMS routing between the manager VMs. |
| Pod's Microsoft Azure load balancer | Manager VM | 8080 | HTTP | Health checks of the VMs in the load balancer's backend pool. When a pod at this release's manifest version is not enabled with high availability, the load balancer has one manager VM in its backend pool to check. |
| Manager VM | Domain controller | 389 | TCP, UDP | LDAP services. Server that contains a domain controller role in an Active Directory configuration. Registering the pod with an Active Directory is a requirement. |
| Manager VM | Global catalog | 3268 | TCP | LDAP services. Server that contains the global catalog role in an Active Directory configuration. Registering the pod with an Active Directory is a requirement. |
| Manager VM | Domain controller | 88 | TCP, UDP | Kerberos services. Server that contains a domain controller role in an Active Directory configuration. Registering the pod with an Active Directory is a requirement. |
| Manager VM | DNS server | 53 | TCP, UDP | DNS services. |
| Manager VM | NTP server | 123 | UDP | NTP services. Server that provides NTP time synchronization. |
| Manager VM | True SSO Enrollment Server | 32111 | TCP | True SSO Enrollment Server. Optional if you are not using True SSO Enrollment Server capabilities with your pods. |
| Manager VM | VMware Identity Manager™ service | 443 | HTTPS | Optional if you are not using VMware Identity Manager™ with the pod. Used to create a trust relationship between the pod and the VMware Identity Manager™ service. Ensure that the pod can reach the VMware Identity Manager™ environment you are using, either on-premises or the cloud service, on port 443. If you are using the VMware Identity Manager™ cloud service, see also the list of VMware Identity Manager™ service IP addresses to which the VMware Identity Manager™ Connector and the pod must have access, in VMware Knowledge Base article 2149884. |
| Transient jump box VM | Manager VM | 22 | TCP | As described above in Ports and Protocols Required by the Jump Box During Pod Deployments and Pod Updates, a transient jump box is used during pod deployment and pod update processes. Even though ongoing operations do not require this port, during pod deployment and pod update processes the jump box VM must communicate with the manager VMs using SSH to the manager VMs' port 22. For details about the cases in which the jump box VM needs this communication, see Ports and Protocols Required by the Jump Box During Pod Deployments and Pod Updates. |

Note: A pod that is at manifest version 1600 or later and has the high availability feature enabled will have two manager VMs. The preceding row uses the plural word VMs to indicate that the jump box VM must communicate with all of the pod's manager VMs, whether the pod has one or two.

Which ports must be opened for traffic from the end users' connections to reach their pod-provisioned virtual desktops and remote applications depends on the choice you make for how your end users will connect:

  • When you choose the option for having an external gateway configuration, Unified Access Gateway instances are automatically deployed in your Microsoft Azure environment, along with a Microsoft Azure load balancer resource that has those instances in its backend pool. That load balancer communicates with those instances' NICs on the DMZ subnet, and is configured as a public load balancer in Microsoft Azure. Figure 1 depicts the location of this public load balancer and the Unified Access Gateway instances. When your pod has this configuration, traffic from your end users on the Internet goes to that load balancer, which distributes the requests to the Unified Access Gateway instances. For this configuration, you must ensure that those end-user connections can reach that load balancer using the ports and protocols listed below. For the deployed pod, the external gateway's load balancer is located in the resource group named vmw-hcs-podID-uag, where podID is the pod's UUID.
  • When you choose the option for having an internal Unified Access Gateway configuration, Unified Access Gateway instances are automatically deployed in your Microsoft Azure environment, along with a Microsoft Azure load balancer resource that has those instances in its backend pool. That load balancer communicates with those instances' NICs on the tenant subnet, and is configured as an internal load balancer in Microsoft Azure. Figure 1 depicts the location of this internal load balancer and the Unified Access Gateway instances. When your pod has this configuration, traffic from your end users in your corporate network goes to that load balancer, which distributes the requests to the Unified Access Gateway instances. For this configuration, you must ensure that those end-user connections can reach that load balancer using the ports and protocols listed below. For the deployed pod, the internal gateway's load balancer is located in the resource group named vmw-hcs-podID-uag-internal, where podID is the pod's UUID.
  • When you choose neither Unified Access Gateway configuration, you can instead have your end users connect directly to the pod, such as over a VPN. For this configuration, you upload an SSL certificate to the pod's manager VMs using the pod's summary page in the Administration Console, as described in the VMware Horizon Cloud Service Administration Guide.

    In general, uploading an SSL certificate to the pod directly is a recommended practice, because it ensures that Horizon Clients that might make direct connections to the pod environment can have trusted connections, and it is the supported configuration for using VMware Identity Manager™ with the pod. However, direct connections to the pod using HTML Access (Blast) appear as untrusted connections in the end user's browser: the browser displays the typical untrusted certificate error when it connects directly to the pod. To have connections using HTML Access (Blast) avoid that untrusted certificate error, you must have those connections use the load balancer and Unified Access Gateway instances from the pod's Unified Access Gateway configuration. If you do not want to expose your fully qualified domain name to the Internet, you can deploy an internal Unified Access Gateway configuration. That internal configuration uses a Microsoft Azure internal load balancer to which end users who are internal to your corporate network can point their connections.

For detailed information about the various Horizon Clients that your end users might use with your Horizon Cloud pod, see the Horizon Client documentation page at https://docs.vmware.com/en/VMware-Horizon-Client/index.html.

Table 2. External End User Connections Ports and Protocols when the Pod Configuration has External Unified Access Gateway instances

| Source | Target | Port | Protocol | Purpose |
|---|---|---|---|---|
| Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 443 | TCP | Login authentication traffic. Can also carry client-drive redirection (CDR), multimedia redirection (MMR), USB redirection, and tunneled RDP traffic. SSL (HTTPS access) is enabled by default for client connections. Port 80 (HTTP access) can be used in some cases. See the topic Understanding What URL Content Redirection Is in the VMware Horizon Cloud Service Administration Guide. |
| Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 4172 | TCP, UDP | PCoIP via PCoIP Secure Gateway on Unified Access Gateway |
| Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 443 | TCP | Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic. |
| Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 443 | UDP | Blast Extreme via the Unified Access Gateway for data traffic. |
| Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 8443 | UDP | Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic (adaptive transport). |
| Browser | Microsoft Azure load balancer for these Unified Access Gateway instances | 443 | TCP | HTML Access |

Table 3. Internal End User Connections Ports and Protocols when the Pod Configuration has Internal Unified Access Gateway instances

| Source | Target | Port | Protocol | Purpose |
|---|---|---|---|---|
| Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 443 | TCP | Login authentication traffic. Can also carry client-drive redirection (CDR), multimedia redirection (MMR), USB redirection, and tunneled RDP traffic. SSL (HTTPS access) is enabled by default for client connections. Port 80 (HTTP access) can be used in some cases. See the topic Understanding What URL Content Redirection Is in the VMware Horizon Cloud Service Administration Guide. |
| Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 4172 | TCP, UDP | PCoIP via PCoIP Secure Gateway on Unified Access Gateway |
| Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 443 | TCP | Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic. |
| Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 443 | UDP | Blast Extreme via the Unified Access Gateway for data traffic. |
| Horizon Client | Microsoft Azure load balancer for these Unified Access Gateway instances | 8443 | UDP | Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic (adaptive transport). |
| Browser | Microsoft Azure load balancer for these Unified Access Gateway instances | 443 | TCP | HTML Access |

Table 4. Internal End User Connections Ports and Protocols when using Direct Pod Connections, Such as Over VPN

| Source | Target | Port | Protocol | Purpose |
|---|---|---|---|---|
| Horizon Client | Pod's Microsoft Azure load balancer | 443 | TCP | Login authentication traffic. The traffic from the clients reaches the pod's manager VMs through the pod's load balancer. |
| Horizon Client | Horizon agent in the desktop or farm server VMs | 4172 | TCP, UDP | PCoIP |
| Horizon Client | Horizon agent in the desktop or farm server VMs | 22443 | TCP, UDP | Blast Extreme |
| Horizon Client | Horizon agent in the desktop or farm server VMs | 32111 | TCP | USB redirection |
| Horizon Client | Horizon agent in the desktop or farm server VMs | 9427 | TCP | Client-drive redirection (CDR) and multimedia redirection (MMR) |
| Browser | Horizon agent in the desktop or farm server VMs | 443 | TCP | HTML Access |

For connections using a high-availability-enabled pod configured with Unified Access Gateway instances, traffic must be allowed from the pod's Unified Access Gateway instances to targets as listed in the table below. During pod deployment, a Network Security Group (NSG) is created in your Microsoft Azure environment for use by the pod's Unified Access Gateway software.

Table 5. Port Requirements for Traffic from the Pod's Unified Access Gateway Instances

| Source | Target | Port | Protocol | Purpose |
|---|---|---|---|---|
| Unified Access Gateway | Pod's Microsoft Azure load balancer | 443 | TCP | Login authentication traffic. The traffic from the Unified Access Gateway instances reaches the pod's manager VM through the pod's load balancer. |
| Unified Access Gateway | Horizon agent in the desktop or farm server VMs | 4172 | TCP, UDP | PCoIP |
| Unified Access Gateway | Horizon agent in the desktop or farm server VMs | 22443 | TCP, UDP | Blast Extreme. By default, when using Blast Extreme, client-drive redirection (CDR) traffic and USB traffic are side-channeled on this port. If you prefer, the CDR traffic can instead be separated onto TCP port 9427 and the USB redirection traffic onto TCP port 32111. |
| Unified Access Gateway | Horizon agent in the desktop or farm server VMs | 9427 | TCP | Optional for client-drive redirection (CDR) and multimedia redirection (MMR) traffic. |
| Unified Access Gateway | Horizon agent in the desktop or farm server VMs | 32111 | TCP | Optional for USB redirection traffic. |
| Unified Access Gateway | Your RADIUS instance | 1812 | UDP | When using RADIUS two-factor authentication with that Unified Access Gateway configuration. The default RADIUS port value is shown here. |

The following ports must allow traffic from the Horizon agent-related software that is installed in the desktop VMs and farm server VMs to the high-availability pod's manager VMs.

| Source | Target | Port | Protocol | Purpose |
|---|---|---|---|---|
| Horizon agent in the desktop or farm server VMs | Manager VM | 4002 | TCP | Java Message Service (JMS) when using enhanced security (the default) |
| Horizon agent in the desktop or farm server VMs | Manager VM | 4001 | TCP | Java Message Service (JMS), legacy |
| Horizon agent in the desktop or farm server VMs | Manager VM | 3099 | TCP | Desktop message server |
| FlexEngine agent (the agent for VMware Dynamic Environment Manager) in the desktop or farm server VMs | The file shares that you set up for use by the FlexEngine agent that runs in the desktop or farm server VMs | 445 | TCP | FlexEngine agent access to your SMB file shares, if you are using VMware Dynamic Environment Manager capabilities. |

As part of the pod deployment process, the deployer creates network security groups (NSGs) on the network interfaces (NICs) on all of the deployed VMs. For details about the rules defined in those NSGs, see the Horizon Cloud Administration Guide.
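As an added example that is not part of the VMware documentation or the deployer's own code, the following Python models Azure NSG rule evaluation in simplified form (priority-ordered, first match wins, destination port and protocol only; source and destination addresses are not modelled) and checks a constructed rule set against a subset of the manager VM flows from Table 1 and the agent table above. The `Rule` type, the rule names and the `SAMPLE` rule set are constructed for illustration; the required flows are taken from the tables.

```python
from dataclasses import dataclass

@dataclass
class Rule:                 # one NSG security rule (simplified, constructed model)
    name: str
    priority: int           # lower number is evaluated first
    direction: str          # "Inbound" or "Outbound"
    access: str             # "Allow" or "Deny"
    protocol: str           # "Tcp", "Udp" or "*"
    dest_ports: str         # "443", "4001-4002" or "*"

def port_matches(port, spec):
    """Match a port against an NSG destination port spec: "*", "53" or "4001-4002"."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, direction, protocol, port):
    """First match in ascending priority wins; returns (rule name, access)."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction == direction and r.protocol in ("*", protocol) \
                and port_matches(port, r.dest_ports):
            return r.name, r.access
    return "ImplicitDeny", "Deny"     # no rule matched: treat as denied

# Required flows from the tables above, direction relative to the manager VM
REQUIRED = [
    ("Outbound", "Udp", 389, "LDAP to domain controller (UDP)"),
    ("Outbound", "Tcp", 88, "Kerberos to domain controller"),
    ("Outbound", "Udp", 123, "NTP"),
    ("Inbound", "Tcp", 8080, "Load balancer health check"),
    ("Inbound", "Tcp", 4002, "JMS from Horizon agents (enhanced security)"),
]

def blocked_flows(rules):
    """Required flows the rule set denies, with the rule responsible for each."""
    blocked = []
    for direction, proto, port, purpose in REQUIRED:
        name, access = evaluate(rules, direction, proto, port)
        if access == "Deny":
            blocked.append((purpose, proto, port, name))
    return blocked

# Constructed sample rule set: a broad outbound UDP deny outranks the default allow
SAMPLE = [
    Rule("AllowHealthProbe", 100, "Inbound", "Allow", "Tcp", "8080"),
    Rule("AllowAgentJms", 110, "Inbound", "Allow", "Tcp", "4001-4002"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*"),
    Rule("DenyUdpOutbound", 200, "Outbound", "Deny", "Udp", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "*"),
]
```

Running `blocked_flows(SAMPLE)` reports that the UDP deny at priority 200 blocks both the LDAP UDP 389 and NTP UDP 123 flows while the TCP flows pass; in a real tenant the same check would be fed the rules exported from the NSGs the deployer created.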

Note: Instead of listing DNS names, IP addresses, ports, and protocols in a Horizon Cloud Knowledge Base (KB) article, we have provided them here as part of the core Horizon Cloud documentation.