The connection matrix shows details for connections, including ports used and connectivity type.

Abbreviations used in the connection matrix are as follows.

| Management Appliances | Networks | Other |
|---|---|---|
| SP - Service Provider | T - Tenant Network | HYP - Hypervisor |
| DM - Desktop Manager | SP - Service Provider Network | SS - Storage System |
| RM - Resource Manager | BB - Backbone Network | NFS - NFS Server |
| T - Tenant | I - Public Internet | VM - Virtual Desktop VM |
| UP - Upload Server | | EP - End Point Device |
| UAG - Unified Access Gateway | | AD - Active Directory |
| ES - Enrollment Server | | MON - Monitoring System |
| | | RSA - RSA Authentication Manager |
| | | WP - Web Proxy |

| Source | Destination | Ports In Use | Networks | Description | Connectivity Type |
|---|---|---|---|---|---|
| SP | SP | tcp/1098, tcp/1099, tcp/3873 | BB, SP | Used for invoking remote APIs via Java RMI. Ports 1098 and 1099 are used for the naming service lookup and port 3873 is used for the actual remote method invocation. Authentication is done via username/password. | Local and Remote |
| SP | SP | tcp/11211 | BB | Used for accessing memcached. | Local Only |
| SP | SP | udp/694 | SP | Periodic heartbeat between paired SP appliances (floating IP). | Local Only |
| SP | SP | tcp/5432 | SP | Used to access the DB from the application, and also for replication. | Local and Remote |
| SP | SP | tcp/22 | BB, SP | Provides SSH and SCP capabilities to management appliances for purposes of installation and configuration. Authentication is done using a private/public SSH key registered to the appliance at installation time. | Local and Remote |
| SP | SP | tcp/20677 | BB, SP | Used for proxying traffic between DCs. | Local and Remote |
| SP | RM | tcp/8443 | BB, SP | Used for invoking remote APIs via web services. Authentication is done via username/password and SSL certificate validation. | Local and Remote |
| SP | RM | tcp/22 | BB | Provides SSH and SCP capabilities to management appliances for purposes of installation and configuration. Authentication is done using a private/public SSH key registered to the appliance at installation time. | Local Only |
| SP | T | tcp/1098, tcp/1099, tcp/3873 | BB | Used for invoking remote APIs via Java RMI. Ports 1098 and 1099 are used for the naming service lookup and port 3873 is used for the actual remote method invocation. Authentication is done via username/password. | Local Only |
| SP | T | tcp/8443 | BB | Used for invoking remote APIs via web services. Authentication is done via username/password and SSL certificate validation. | Local Only |
| SP | T | tcp/22 | BB | Provides SSH and SCP capabilities to management appliances for purposes of installation and configuration. Authentication is done using a private/public SSH key registered to the appliance at installation time. | Local Only |
| SP | HYP | tcp/443 | SP | Needed for access to the hypervisor management APIs. Authentication is done via username/password. | Local Only |
| SP | SS | tcp/22, tcp/80, tcp/443 | SP | Used to invoke APIs on a storage system. The specific ports will vary depending on the type of storage system being used. Authentication is done via username/password. | Local Only |
| SP | NFS | tcp/2049 | SP | Used to communicate with the NFS server. The SP mounts the NFS shares used to store the appliance template VM images for purposes of manufacturing and configuration. Authentication is done via network identity. | Local Only |
| SP | AD | tcp/389 | SP | Used to authenticate users to the Service Center. | Local and Remote |
| SP | WP | tcp/443 | I | Used for Cloud Monitoring Service (CMS). If an SP appliance cannot access the internet directly, you can configure a proxy on the SP to access CMS services (in AWS). The proxy config is in the cloud_config table in the SP FDB. | Remote |
| RM | SP | tcp/8443 | BB | Used for invoking remote APIs via web services. Authentication is done via username/password and SSL certificate validation. | Local Only |
| RM | SP | tcp/20677 | BB | Used for proxying traffic between DCs. | Local Only |
| RM | RM | tcp/11211 | BB | Used for accessing memcached. | Local Only |
| RM | T | tcp/8443 | BB | Used for invoking remote APIs (state monitoring) via web services. Authentication is done via username/password. | Local Only |
| RM | HYP | tcp/443 | SP | Needed for access to the hypervisor management APIs. Authentication is done via username/password. | Local Only |
| RM | SS | tcp/22, tcp/80, tcp/443 | SP | Used to invoke APIs on a storage system. The specific ports will vary depending on the type of storage system being used. Authentication is done via username/password. | Local Only |
| RM | NFS | tcp/2049 | SP | Used to communicate with the NFS server. The RMgr mounts the NFS shares used to store the tenant VM images for purposes of manufacturing and configuration. Authentication is done via network identity. | Local Only |
| T/SP | AD | AD servers: tcp/3268 | T/SP | Global catalog port on AD servers for LDAP. | (Remote for T) and (Local or Remote for SP) |
| T/SP | AD | AD servers: tcp/88 | T/SP | Kerberos (for the newer, more secure LDAP communication and password change functionality). | (Remote for T) and (Local or Remote for SP) |
| T | RM | tcp/6443 | BB | Used for connection to the Resource Manager proxy (on the backbone network) to provide App Volumes with vCenter connectivity. | Local Only |
| T | T | tcp/4002 | T | Handles connections from agents. When agents start up they connect to the message bus on this port on one of the Desktop Managers so that they can receive messages from them. | Local Only |
| T | T | tcp/4101 | BB | Used for router clustering. JMS routers on HA pairs connect to each other on this port so that they can route messages between Desktop Managers and ensure messages reach the agent, regardless of which Desktop Manager the agent is connected to. | Local Only |
| T | T | tcp/6443 | Localhost only | Listens on localhost only for requests to vCenter from App Volumes. | Local Only |
| T | RM | tcp/6443 | BB | Listens on the backbone network only, to provide App Volumes on Tenant and Desktop Manager appliances with vCenter connectivity. | |
| T | T | tcp/4001 | Localhost only | Listens on localhost only for messages from Desktop Managers. | Local Only |
| T | T | tcp/6443 | Localhost only | Listens on localhost only for requests to vCenter from App Volumes. | Local Only |
| T | SP | tcp/1098, tcp/1099, tcp/3873 | BB | Used for invoking remote APIs via Java RMI. Ports 1098 and 1099 are used for the naming service lookup and port 3873 is used for the actual remote method invocation. Authentication is done via username/password. | Local Only |
| T | SP | tcp/8443 | BB | Used for invoking remote APIs via web services. Authentication is done via username/password and SSL certificate validation. | Local Only |
| T | SP | tcp/20677 | BB | Used for proxying traffic between DCs. | Local Only |
| T | RM | tcp/1098, tcp/1099, tcp/3873 | BB | Used for invoking remote APIs via Java RMI. Ports 1098 and 1099 are used for the naming service lookup and port 3873 is used for the actual remote method invocation. | Local Only |
| T | RM | tcp/8443 | BB | Used for invoking remote APIs via web services. Authentication is done via username/password and SSL certificate validation. | Local Only |
| T | T | udp/694 | BB | Periodic heartbeat between paired tenant appliances (floating IP). | Local Only |
| T | T | tcp/5432 | BB | Used to access the DB from the application, and also for replication. | Local Only |
| T | T | tcp/11211 | BB | Used for accessing memcached. | Local Only |
| T | VM | tcp/49152-65535 | T | Used for downstream communication between the DaaS Agent (on a Windows 7 and later virtual desktop) and the tenant appliance. A port in the range 49152-65535 is determined dynamically at the time the agent logs on. Authentication is done via a session key exchange between the agent and tenant appliance. | Local Only |
| T | VM | tcp/1025-5000 | T | Used for downstream communication between the DaaS Agent (on a Windows XP virtual desktop) and the tenant appliance. A port in the range 1025-5000 is determined dynamically at the time the agent logs on. Authentication is done via a session key exchange between the agent and tenant appliance. | Local Only |
| T | VM | tcp/22 | T | Required in the customization process for Linux virtual desktop provisioning (not required if not using Linux as a desktop O/S). | Local Only |
| T | VM | tcp/3389 | T | The tenant appliance tests that the desktop is listening on port 3389 for RDP connections. | Local Only |
| T | VM | tcp/8443, tcp/443 | T | For the connection between the DaaS tenant appliance and the VMware View connection agent that runs in the desktop. | Local Only |
| T | AD | tcp/389 | T | Used to authenticate users to the User Portal. Additionally, the configured user groups and their members are cached in the tenant fabric for performance purposes. | Local and Remote |
| T | RSA | udp/5500 | T | Used for communicating with the RSA Authentication Manager when SecurID is in use by the tenant. | Local and Remote |
| T | UAG | tcp/443 | T | Used for Blast. | Remote |
| T | UAG | tcp/8443 | T | Used for Blast. | Remote |
| T | UAG | tcp/4172, udp/4172 | T | Used for PCoIP. | Remote |
| T | UAG | tcp/80 | T | Redirects to 443. | Remote |
| T | WP | tcp/443 | I | Used for Cloud Monitoring Service (CMS). | Remote |
| VM | T | tcp/3443 | T | Listen port for App Volumes Agents. | Local Only |
| VM | T | tcp/3443 | T | Listen port for App Volumes Agents. | Local Only |
| VM | T | tcp/8443, tcp/443 | T | Used for upstream web services communication between the DaaS Agent and the tenant appliance. Authentication is done via username/password and SSL certificate validation. | Local Only |
| VM | T | udp/5678 | T | Used for upstream communication between the DaaS Agent and the tenant appliance. Authentication is done via a session key exchange between the agent and tenant appliance. | Local Only |
| VM | KMS | tcp/1688 | T | Access to the KMS server for purposes of licensing the version of Windows on the virtual desktop. | Local Only |
| UP | NFS | tcp/2049 | SP | Used for storing the desktop images uploaded from tenants to NAS. Authentication is done via network identity. | Local Only |
| ES | T | tcp/32111 | T | Used for True SSO. | Remote Only |
| MON | SP | tcp/5989 | BB | Provides access to monitoring information via CIM-XML over HTTPS. This is available on all appliances and binds to all network interfaces. Best practice is to limit access to the backbone only. The interface is unauthenticated. | Local Only |
| MON | RM | tcp/5989 | BB | Provides access to monitoring information via CIM-XML over HTTPS. This is available on all appliances and binds to all network interfaces. Best practice is to limit access to the backbone only. The interface is unauthenticated. | Local Only |
| MON | T | tcp/5989 | BB | Provides access to monitoring information via CIM-XML over HTTPS. This is available on all appliances and binds to all network interfaces. Best practice is to limit access to the backbone only. The interface is unauthenticated. | Local Only |
| EP | VM | tcp/3389, udp/3389 | T | Provides access to the virtual desktop via RDP. | Local Only |
| EP | VM | tcp/1494 | T | Provides access to the virtual desktop via HDX. | Local Only |
| EP | VM | tcp/22 | T | Provides access to the virtual desktop via NX. | Local Only |
| EP | VM | tcp/4172, udp/4172, tcp/32111 | T | Provides access to the virtual desktop via PCoIP. | Local Only |
| EP | VM | tcp/22443 | T | Provides access to the virtual desktop via HTML Access (Blast). | Local Only |
| EP | VM | tcp/42966 | T | Provides access to the virtual desktop via RGS. | Local Only |
| EP | VM | tcp/5900 | T | Provides access to the virtual desktop via VNC. | Local Only |
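An added example, not part of the original documentation, that treats rows of this matrix as an allow-list and flags observed flows the matrix does not document, such as the unauthenticated tcp/5989 CIM-XML interface being reached over a network other than the backbone. The `MATRIX` rows and `SAMPLE_FLOWS` are constructed subsets; a real audit would load the full table and real flow logs.

```python
import re
from typing import NamedTuple

# Parser for the port notation used in the matrix: "tcp/1098, tcp/1099, tcp/3873",
# "tcp/49152-65535", "tcp/4172 udp/4172" and "AD servers: tcp/3268" all yield
# (protocol, low, high) tuples; prefixes such as "AD servers:" are ignored.
PORT_RE = re.compile(r"\b(tcp|udp)/(\d+)(?:-(\d+))?")

def parse_ports(spec):
    return [(p, int(lo), int(hi or lo)) for p, lo, hi in PORT_RE.findall(spec)]

class Rule(NamedTuple):
    src: str       # source abbreviation, e.g. "T"
    dst: str       # destination abbreviation, e.g. "VM"
    ports: str     # port spec exactly as written in the matrix
    networks: str  # comma-separated network list as written in the matrix

# Constructed subset of the matrix rows above; a real audit would load all of them.
MATRIX = [
    Rule("T", "VM", "tcp/49152-65535", "T"),
    Rule("T", "UAG", "tcp/4172 udp/4172", "T"),
    Rule("T", "SP", "tcp/1098, tcp/1099, tcp/3873", "BB"),
    Rule("SP", "SP", "tcp/22", "BB, SP"),
    Rule("MON", "T", "tcp/5989", "BB"),  # unauthenticated CIM-XML, backbone only
]

def allowed(src, dst, proto, port, network):
    """True if some matrix row documents this flow on this network."""
    for r in MATRIX:
        if r.src != src or r.dst != dst:
            continue
        if network not in [n.strip() for n in r.networks.split(",")]:
            continue
        if any(p == proto and lo <= port <= hi for p, lo, hi in parse_ports(r.ports)):
            return True
    return False

def audit(flows):
    """Return the observed flows (src, dst, proto, port, network) not covered by the matrix."""
    return [f for f in flows if not allowed(*f)]

# Constructed sample of observed flows, as they might be derived from appliance flow logs.
SAMPLE_FLOWS = [
    ("T", "VM", "tcp", 50000, "T"),   # DaaS Agent downstream port: documented
    ("T", "UAG", "udp", 4172, "T"),   # PCoIP: documented
    ("MON", "T", "tcp", 5989, "T"),   # CIM-XML reached over the tenant network: not documented
    ("T", "SP", "tcp", 3873, "SP"),   # tenant RMI must use the backbone: not documented
]

if __name__ == "__main__":
    for flow in audit(SAMPLE_FLOWS):
        print("undocumented flow:", flow)
```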