To allow client Web browsers to use HTML Access to make connections to security servers, View Connection Server instances, and remote desktops, your firewalls must allow inbound traffic on certain TCP ports.

HTML Access connections must use HTTPS. HTTP connections are not allowed.

By default, when you install a View Connection Server instance or security server, the VMware Horizon View Connection Server (Blast-In) rule is enabled in the Windows Firewall, so that the firewall is automatically configured to allow inbound traffic to TCP port 8443.

Table 1. Firewall Rules for HTML Access

Source

Default Source Port

Protocol

Target

Default Target Port

Notes

Client Web browser

TCP Any

HTTPS

Security server or View Connection Server instance

TCP 443

To make the initial connection to Horizon, the Web browser on a client device connects to a security server or Horizon Connection Server instance on TCP port 443.

Client Web browser

TCP Any

HTTPS

Blast Secure Gateway

TCP 8443

After the initial connection to Horizon is made, the Web browser on a client device connects to the Blast Secure Gateway on TCP port 8443. The Blast Secure Gateway must be enabled on a security server or Horizon Connection Server instance to allow this second connection to take place.

Blast Secure Gateway

TCP Any

HTTPS

HTML Access agent

TCP 22443

If the Blast Secure Gateway is enabled, after the user selects a remote desktop, the Blast Secure Gateway connects to the HTML Access agent on TCP port 22443 on the desktop. This agent component is included when you install Horizon Agent.

Client Web browser

TCP Any

HTTPS

HTML Access agent

TCP 22443

If the Blast Secure Gateway is not enabled, after the user selects a View desktop, the Web browser on a client device makes a direct connection to the HTML Access agent on TCP port 22443 on the desktop. This agent component is included when you install Horizon Agent.