To allow client web browsers to make connections to Connection Server instances, remote desktops, and published applications, your firewalls must allow inbound traffic on certain TCP ports.
HTML Access connections must use HTTPS. HTTP connections are not allowed.
By default, when you install a Connection Server instance, the VMware Horizon View Connection Server (Blast-In) rule is enabled in the Windows Firewall and the firewall is configured to allow inbound traffic to TCP port 8443.
Source | Default Source Port | Protocol | Target | Default Target Port | Notes |
---|---|---|---|---|---|
Client web browser | TCP Any | HTTPS | Connection Server instance | TCP 443 | To make the initial connection, the web browser on a client device connects to a Connection Server instance on TCP port 443. |
Client web browser | TCP Any | HTTPS | Blast Secure Gateway | TCP 8443 | After the initial connection is made, the web browser on a client device connects to the Blast Secure Gateway on TCP port 8443. The Blast Secure Gateway must be enabled on a Connection Server instance to allow this second connection to take place. |
Blast Secure Gateway | TCP Any | HTTPS | HTML Access Agent | TCP 22443 | If the Blast Secure Gateway is enabled, after the user selects a remote desktop or published application, the Blast Secure Gateway connects to the HTML Access Agent on TCP port 22443 on the remote desktop virtual machine or RDS host. This agent component is included when you install Horizon Agent. |
Client web browser | TCP Any | HTTPS | HTML Access Agent | TCP 22443 | If the Blast Secure Gateway is not enabled, after the user selects a remote desktop or published application, the web browser on a client device makes a direct connection to the HTML Access Agent on TCP port 22443 on the remote desktop virtual machine or RDS host. This agent component is included when you install Horizon Agent. |
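
The table above can be checked from each vantage point with a short script; this is an added example, not VMware's own tooling. It confirms the Blast-In rule on a Connection Server and probes each flow from the table. Assumptions: the host names are placeholders, the rule display name is copied from this page, and the "REVIEW" status for a reachable port that the selected mode does not use is this example's convention.

```powershell
# Added example. Host names are placeholders; replace them before running.
param(
    [string]$ConnectionServer = 'cs01.example.internal',    # placeholder
    [string]$AgentHost        = 'vdi-01.example.internal',  # placeholder: desktop VM or RDS host
    [ValidateSet('Client', 'ConnectionServer')]
    [string]$RunFrom = 'Client',                            # where this script is executed
    [bool]$BlastSecureGatewayEnabled = $true
)

# The four flows from the table. Needed = the flow is used in the selected mode.
$flows = @(
    [pscustomobject]@{ From = 'Client';           Target = $ConnectionServer; Port = 443;   Needed = $true }
    [pscustomobject]@{ From = 'Client';           Target = $ConnectionServer; Port = 8443;  Needed = $BlastSecureGatewayEnabled }
    [pscustomobject]@{ From = 'ConnectionServer'; Target = $AgentHost;        Port = 22443; Needed = $BlastSecureGatewayEnabled }
    [pscustomobject]@{ From = 'Client';           Target = $AgentHost;        Port = 22443; Needed = (-not $BlastSecureGatewayEnabled) }
)

# On the Connection Server, confirm the inbound rule named on this page exists and is enabled.
if ($RunFrom -eq 'ConnectionServer') {
    $rules = Get-NetFirewallRule -DisplayName 'VMware Horizon View Connection Server (Blast-In)' -ErrorAction SilentlyContinue
    if (-not $rules) { Write-Warning 'Blast-In firewall rule not found under the display name used on this page.' }
    foreach ($r in $rules) {
        $filter = $r | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule      = $r.DisplayName
            Enabled   = $r.Enabled
            Direction = $r.Direction
            Action    = $r.Action
            Protocol  = $filter.Protocol
            LocalPort = $filter.LocalPort   # the page states TCP 8443
        }
    }
}

# Probe only the flows that originate from this vantage point.
foreach ($f in ($flows | Where-Object { $_.From -eq $RunFrom })) {
    $probe = Test-NetConnection -ComputerName $f.Target -Port $f.Port -WarningAction SilentlyContinue
    $open  = [bool]$probe.TcpTestSucceeded
    if ($f.Needed -and -not $open)     { $status = 'BLOCKED: required flow fails' }
    elseif (-not $f.Needed -and $open) { $status = 'REVIEW: reachable but unused in this mode' }
    else                               { $status = 'OK' }
    [pscustomobject]@{ Target = $f.Target; Port = $f.Port; Needed = $f.Needed; Reachable = $open; Status = $status }
}
```

A successful probe only shows that the TCP port accepts connections; it does not validate the HTTPS certificate or the service behind it.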