To open the default network ports, the Horizon Agent installer optionally configures Windows firewall rules on virtual desktops and RDS hosts.
The Horizon Agent installer configures the local firewall rule for inbound RDP connections to match the current RDP port of the host operating system, which is typically 3389.
If you instruct the Horizon Agent installer not to enable Remote Desktop support, it does not open ports 3389 and 32111 and you must open these ports manually.
If you change the RDP port number after installation, you must change the associated firewall rules. If you change a default port after installation, you must manually reconfigure the firewall rules to allow access on the updated port. For more information, see the Horizon Installation and Upgrade document.
On RDS hosts, the Windows firewall rules for Horizon Agent show a block of 256 contiguous UDP ports as open for inbound traffic. This block of ports is for VMware Blast internal use in Horizon Agent. A special Microsoft-signed driver on RDS hosts blocks inbound traffic to these ports from external sources. This driver causes the Windows firewall to treat the ports as closed.
If you use a virtual machine template as a desktop source, firewall exceptions carry over to deployed desktops only if the template is a member of the desktop domain. You can use Microsoft group policy settings to manage local firewall exceptions. For more information, see Microsoft Knowledge Base (KB) article 875357.
The following table lists the TCP and UDP ports that are opened during Horizon Agent installation. Ports are incoming unless otherwise noted.
Protocol | Ports |
---|---|
RDP | TCP port 3389 |
USB redirection and time zone synchronization | TCP port 32111 |
Multimedia redirection (MMR) and client drive redirection (CDR) | TCP port 9427
The following features use this port:
|
PCoIP | For RDS hosts, PCoIP uses TCP port 4172 and UDP port 4172 (bidirectional). For virtual desktops, PCoIP uses port numbers selected from a configurable range. By default, PCoIP uses TCP ports 4172 to 4173 and UDP ports 4172 to 4182. The firewall rules do not specify port numbers. Instead, they dynamically follow the ports opened by each PCoIP server. The selected port numbers are communicated to the client through the connection broker instance. |
VMware Blast | TCP port 22443 UDP port 22443 (bidirectional)
Note: UDP is not used on Linux desktops.
|
HTML Access | TCP port 22443 |
XDMCP | UDP 177
Note: This port is opened for XDMCP access only on Linux desktops running Ubuntu 18.04. Firewall rules block all external host access to this port.
|
X11 | TCP 6100
Note: This port is opened for XServer access only on Linux desktops running Ubuntu 18.04. Firewall rules block all external host access to this port.
|