For ongoing Horizon Cloud operations, a pod that is either deployed new in Microsoft Azure starting with the September 2019 release and later, or which is upgraded to the September 2019 release level, has specific port and protocol requirements that are different from a pod that was deployed previously. Pods deployed new or upgraded to the September 2019 release have manifest versions of 1600 or later.

Important:

In addition to the ports and protocols described here, you must meet DNS requirements. For details, see DNS Requirements for a Horizon Cloud Pod in Microsoft Azure.

Ports and Protocols Required by Key Pod Components for Ongoing Operations

In addition to the DNS requirements, the ports and protocols in the following tables are required for the pod to operate properly for ongoing operations after deployment.

In the tables below, the term manager VM refers to the pod's manager VM. In the Microsoft Azure portal, this VM has a name that contains a part like vmw-hcs-podID, where podID is the pod's UUID, and a node part.

Important: A pod that is enabled for high availability has two manager VMs. A pod that has high availability disabled has only one manager VM. In the tables below, wherever you see the term manager VM, it applies to all of the manager VMs in your high-availability-enabled pod unless otherwise indicated.

All pods at the September 2019 release's manifest version or later have a pod Microsoft Azure load balancer. The table rows that involve the pod's load balancer apply for all pods at the manifest level of 1600 or later.

Table 1. Pod Operations Ports and Protocols
Source Target Ports Protocol Purpose
Manager VM Pod's other manager VM 4101 TCP For a pod that is enabled with high availability, this traffic is JMS routing between the manager VMs.
Manager VM Unified Access Gateway VMs 9443 HTTPS This port is used by the pod manager VM over the management subnet to configure settings in the pod's Unified Access Gateway configuration. This port requirement applies when initially deploying a pod with a Unified Access Gateway configuration and when editing a pod to add a Unified Access Gateway configuration or update settings for that Unified Access Gateway configuration.
Pod's Microsoft Azure load balancer Manager VM 8080 HTTP Health checks of the VMs in the load balancer's backend pool. When a pod at this release's manifest version is not enabled with high availability, the load balancer has one manager VM is its backend pool to check.
Manager VM Domain controller 389 TCP

UDP

LDAP services. Server that contains a domain controller role in an Active Directory configuration. Registering the pod with an Active Directory is a requirement.
Manager VM Global catalog 3268 TCP LDAP services. Server that contains global catalog role in an Active Directory configuration. Registering the pod with an Active Directory is a requirement.
Manager VM Domain controller 88 TCP

UDP

Kerberos services. Server that contains a domain controller role in an Active Directory configuration. Registering the pod with an Active Directory is a requirement.
Manager VM DNS server 53 TCP

UDP

DNS services.
Manager VM NTP server 123 UDP NTP services. Server that provides NTP time synchronization.
Manager VM True SSO Enrollment Server 32111 TCP True SSO Enrollment Server. Optional if you are not using True SSO Enrollment Server capabilities with your pods.
Manager VM Workspace ONE Access service 443 HTTPS Optional if you are not using Workspace ONE Access with the pod. Used to create a trust relationship between the pod and the Workspace ONE Access service. Ensure that the pod can reach the Workspace ONE Access environment you are using, either on-premises or the cloud service, on port 443. If you are using the Workspace ONE Access cloud service, see also the list of Workspace ONE Access service IP addresses to which the Workspace ONE Access Connector and the pod must have access in the VMware Knowledge Base article 2149884.
Transient Jump box VM Manager VM 22 TCP As described above in Ports and Protocols Required by the Pod Jump Box During Pod Deployments and Pod Updates, a transient jump box is used during pod deployment and pod update processes. Even though ongoing processes do not require these ports, during pod deployment and pod update processes, this jump box VM must communicate with the manager VMs using SSH to the manager VMs' port 22. For details about the cases for which the jump box VM needs this communication, see Ports and Protocols Required by the Pod Jump Box During Pod Deployments and Pod Updates.
Note: A pod that is at manifest version 1600 or later and has the high availability feature enabled on it, will have two manager VMs. The preceding paragraph uses the plural word VMs to indicate the jump box VM must communicate with all of the pod's manager VMs, whether the pod has only one or has two.
Transient Jump box VM Unified Access Gateway VMs 9443 HTTPS This port is used by the jump box VM over the management subnet to configure settings in the pod's Unified Access Gateway configuration. This port requirement applies when initially deploying a pod with a Unified Access Gateway configuration and when editing a pod to add a Unified Access Gateway configuration to a pod.

Gateway Connector VM Ports and Protocols Requirements

This table applies to the gateway's connector VM that is used when you have deployed the external gateway in a separate VNet. In addition to the DNS requirements, the ports and protocols in the following table are required for the external gateway to operate properly for ongoing operations after deployment.

In the table below, the term connector VM refers to the gateway's connector VM which manages the connection between the cloud management plane and the external gateway. In the Microsoft Azure portal, this VM has a name that contains a part like vmw-hcs-ID, where ID is the gateway's deployer ID, and a node part.

Table 2. Pod Operations Ports and Protocols
Source Target Ports Protocol Purpose
Connector VM DNS server 53 TCP

UDP

DNS services.
Connector VM NTP server 123 UDP NTP services. Server that provides NTP time synchronization.
Transient Jump box VM Connector VM 22 TCP As described above in Ports and Protocols Required by the Pod Jump Box During Pod Deployments and Pod Updates, a transient jump box is used during deployment of the external gateway and during update processes. Even though ongoing processes do not require these ports, during deployment and update processes, this jump box VM must communicate with the connector VM using SSH to the connector VMs' port 22.

Unified Access Gateway VM Ports and Protocols Requirements

In addition to the DNS and above primary ports and protocols requirements, the ports and protocols in the following tables are related to the gateways that you have configured on the pod to operate properly for ongoing operations after deployment.

For connections using a high-availability-enabled pod configured with Unified Access Gateway instances, traffic must be allowed from the pod's Unified Access Gateway instances to targets as listed in the table below. During pod deployment, a Network Security Group (NSG) is created in your Microsoft Azure environment for use by the pod's Unified Access Gateway software.

Table 3. Port Requirements for Traffic from the Pod's Unified Access Gateway Instances
Source Target Port Protocol Purpose
Unified Access Gateway Pod's Microsoft Azure load balancer 8443 TCP Login authentication traffic. The traffic from the Unified Access Gateway instances reaches the pod's manager VM through the pod's load balancer.
Unified Access Gateway Horizon agent in the desktop or farm RDSH VMs 4172 TCP

UDP

PCoIP
Unified Access Gateway Horizon agent in the desktop or farm RDSH VMs 22443 TCP

UDP

Blast Extreme

By default, when using Blast Extreme, client-drive redirection (CDR) traffic and USB traffic is side-channeled in this port. If you prefer instead, the CDR traffic can be separated onto the TCP 9427 port and the USB redirection traffic can be separated onto the TCP 32111 port.

Unified Access Gateway Horizon agent in the desktop or farm RDSH VMs 9427 TCP Optional for client driver redirection (CDR) and multimedia redirection (MMR) traffic.
Unified Access Gateway Horizon agent in the desktop or farm RDSH VMs 32111 TCP Optional for USB redirection traffic.
Unified Access Gateway Your RADIUS instance 1812 UDP When using RADIUS two-factor authentication with that Unified Access Gateway configuration. The default value for RADIUS is shown here.

End-User Connection Traffic Ports and Protocols Requirements

For detailed information about the various Horizon Clients that your end users might use with your Horizon Cloud pod, see the Horizon Client documentation page at https://docs.vmware.com/en/VMware-Horizon-Client/index.html. Which ports must be opened for traffic from the end users' connections to reach their pod-provisioned virtual desktops and remote applications depends on the choice you make for how your end users will connect:

When you choose the deployer option for having an external gateway configuration in the pod's own VNet
The deployer deploys Unified Access Gateway instances in your Microsoft Azure environment, along with a Microsoft Azure load balancer resource to those instances in that load balancer's backend pool. That load balancer communicates with those instances' NICs on the DMZ subnet, and is configured as a public load balancer in Microsoft Azure. The diagram Illustration of the Horizon Cloud Pod Architecture for a Pod with High Availability Enabled and Configured with Both External and Internal Gateway Configurations, the External Gateway Deployed into the Same VNet as the Pod, and a Public IP Enabled for the External Gateway's Load Balancer depicts the location of this public load balancer and the Unified Access Gateway instances. When your pod has this configuration, traffic from your end users on the Internet goes to that load balancer, which distributes the requests to the Unified Access Gateway instances. For this configuration, you must ensure that those end-user connections can reach that load balancer using the ports and protocols listed below. Post-deployment, the external gateway's load balancer is located in the resource group named vmw-hcs-podID-uag, where podID is the pod's UUID.
When you choose the deployer option for having an internal Unified Access Gateway configuration
An internal gateway configuration is deployed into the pod's own VNet by default. The deployer deploys Unified Access Gateway instances in your Microsoft Azure environment, along with a Microsoft Azure load balancer resource to those instances in its backend pool. That load balancer communicates with those instances' NICs on the tenant subnet, and is configured as an internal load balancer in Microsoft Azure. The diagram Illustration of the Horizon Cloud Pod Architecture for a Pod with High Availability Enabled and Configured with Both External and Internal Gateway Configurations, the External Gateway Deployed into the Same VNet as the Pod, and a Public IP Enabled for the External Gateway's Load Balancer depicts the location of this internal load balancer and the Unified Access Gateway instances. When your pod has this configuration, traffic from your end users in your corporate network goes to that load balancer, which distributes the requests to the Unified Access Gateway instances. For this configuration, you must ensure that those end-user connections can reach that load balancer using the ports and protocols listed below. Post-deployment, the internal gateway's load balancer is located in the resource group named vmw-hcs-podID-uag-internal, where podID is the pod's UUID.
When you choose the deployer options either for having an external gateway configuration in its own VNet and not the pods, or the option to use its own subscription (which is a special sub-case of using its own VNet because VNets do not span subscriptions)
The deployer deploys Unified Access Gateway instances in your Microsoft Azure environment, along with a Microsoft Azure load balancer resource to those instances in that load balancer's backend pool. That load balancer communicates with those instances' NICs on the DMZ subnet, and is configured as a public load balancer in Microsoft Azure. The diagram Illustration of the External Gateway's Architecture Elements When the External Gateway is Deployed into Its Own VNet, Separate from the Pod's VNet depicts the location of this public load balancer and the Unified Access Gateway instances in the gateway's own VNet. When your pod has this configuration, traffic from your end users on the Internet goes to that load balancer, which distributes the requests to the Unified Access Gateway instances. For this configuration, you must ensure that those end-user connections can reach that load balancer using the ports and protocols listed below. Post-deployment, the external gateway's load balancer is located in the resource group named vmw-hcs-ID-uag, where ID is the value show in the Deployer ID field of the pod's details page. As described in the Administration Guide, you get to the pod's details page from the Administration Console's Capacity page.
When you choose to have zero Unified Access Gateway configurations on the pod, such as when you are integrating Workspace ONE Access with the pod or are allowing internal users to connect directly over VPN
Attention: In production systems, for internal-user access, the best practice is to use an internal Unified Access Gateway gateway configuration on the pod, and not direct connections to the pod.
When Workspace ONE Access is integrated with the pod, you typically have your end users connect through Workspace ONE Access. When Workspace ONE Access is integrated with a Horizon Cloud pod in Microsoft Azure, you must configure it pointing directly to the pod. No Unified Access Gateway configuration is needed on the pod then, when your end users are connecting to their pod-provisioned resources using Workspace ONE Access. For this configuration, you upload an SSL certificate to the pod's manager VMs using the pod's summary page in the Administration Console, as described in the VMware Horizon Cloud Service Administration Guide. Then you complete the steps to integrate Workspace ONE Access with the pod.
Table 4. External End User Connections Ports and Protocols when the Pod Configuration has External Unified Access Gateway instances
Source Target Port Protocol Purpose
Horizon Client Microsoft Azure load balancer for these Unified Access Gateway instances 443 TCP Login authentication traffic. Can also carry client-drive redirection (CDR), multimedia redirection (MMR), USB redirection, and tunneled RDP traffic.

SSL (HTTPS access) is enabled by default for client connections. Port 80 (HTTP access) can be used in some cases. See the topic Understanding What URL Content Redirection Is in the VMware Horizon Cloud Service Administration Guide.

Horizon Client Microsoft Azure load balancer for these Unified Access Gateway instances 4172 TCP

UDP

PCoIP via PCoIP Secure Gateway on Unified Access Gateway
Horizon Client Microsoft Azure load balancer for these Unified Access Gateway instances 443 TCP Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic.
Horizon Client Microsoft Azure load balancer for these Unified Access Gateway instances 443 UDP Blast Extreme via the Unified Access Gateway for data traffic.
Horizon Client Microsoft Azure load balancer for these Unified Access Gateway instances 8443 UDP Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic (adaptive transport).
Browser Microsoft Azure load balancer for these Unified Access Gateway instances 443 TCP HTML Access
Table 5. Internal End User Connections Ports and Protocols when the Pod Configuration has Internal Unified Access Gateway instances
Source Target Port Protocol Purpose
Horizon Client Microsoft Azure load balancer for these Unified Access Gateway instances 443 TCP Login authentication traffic. Can also carry client-drive redirection (CDR), multimedia redirection (MMR), USB redirection, and tunneled RDP traffic.

SSL (HTTPS access) is enabled by default for client connections. Port 80 (HTTP access) can be used in some cases. See the topic Understanding What URL Content Redirection Is in the VMware Horizon Cloud Service Administration Guide.

Horizon Client Microsoft Azure load balancer for these Unified Access Gateway instances 4172 TCP

UDP

PCoIP via PCoIP Secure Gateway on Unified Access Gateway
Horizon Client Microsoft Azure load balancer for these Unified Access Gateway instances 443 TCP Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic.
Horizon Client Microsoft Azure load balancer for these Unified Access Gateway instances 443 UDP Blast Extreme via the Unified Access Gateway for data traffic.
Horizon Client Microsoft Azure load balancer for these Unified Access Gateway instances 8443 UDP Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic (adaptive transport).
Browser Microsoft Azure load balancer for these Unified Access Gateway instances 443 TCP HTML Access
Table 6. Internal End User Connections Ports and Protocols when using Direct Pod Connections, Such as Over VPN
Source Target Port Protocol Purpose
Horizon Client Pod's Microsoft Azure load balancer 443 TCP Login authentication traffic. The traffic from the clients reaches the pod's manager VMs through the pod's load balancer.
Horizon Client Horizon agent in the desktop or farm RDSH VMs 4172 TCP

UDP

PCoIP
Horizon Client Horizon agent in the desktop or farm RDSH VMs 22443 TCP

UDP

Blast Extreme
Horizon Client Horizon agent in the desktop or farm RDSH VMs 32111 TCP USB redirection
Horizon Client Horizon agent in the desktop or farm RDSH VMs 9427 TCP Client-drive redirection (CDR) and multimedia redirection (MMR)
Browser Horizon agent in the desktop or farm RDSH VMs 443 TCP HTML Access

Horizon Agent to VDI Desktops and Farms Requred Ports and Protocols

The following ports must allow traffic from the Horizon agent-related software that is installed in the desktop VMs and farm RDSH VMs to the high-availability pod's manager VMs.

Source Target Port Protocol Purpose
Horizon agent in the desktop or farm RDSH VMs Manager VM 4002 TCP Java Message Service (JMS) when using enhanced security (the default)
Horizon agent in the desktop or farm RDSH VMs Manager VM 4001 TCP Java Message Service (JMS), legacy
Horizon agent in the desktop or farm RDSH VMs Manager VM 3099 TCP Desktop message server
FlexEngine agent (the agent for VMware Dynamic Environment Manager) in the desktop or farm RDSH VMs Those file shares that you set up for use by the FlexEngine agent that runs in the desktop or farm RDSH VMs 445 TCP FlexEngine agent access to your SMB file shares, if you are using VMware Dynamic Environment Manager capabilities.

As part of the pod deployment process, the deployer creates network security groups (NSGs) on the network interfaces (NICs) on all of the deployed VMs. For details about the rules defined in those NSGs, see the Horizon Cloud Administration Guide.

Note: Instead of listing DNS names, IP addresses, ports, and protocols in a Horizon Cloud Knowledge Base (KB) article, we have provided them here as part of the core Horizon Cloud documentation.