VMware Horizon uses TrueSSO ports for the communications pathway (port and protocol) and security controls used for the certificate to pass between the connection broker and the virtual desktop or published application for a certificate login associated with the TrueSSO solution.
| Source | Target | Port | Protocol | Description |
|---|---|---|---|---|
| Horizon Client | VMware Identity Manager appliance | TCP 443 | HTTPS | Launch VMware Horizon from VMware Identity Manager appliance which generates SAML assertion and artifact. |
| Horizon Client | Connection broker | TCP 443 | HTTPS | Launch Horizon Client. |
| Connection broker | VMware Identity Manager appliance | TCP 443 | HTTPS | Connection broker performs SAML resolve against VMware Identity Manager. VMware Identity Manager validates artifact and returns assertion. |
| Connection broker | Horizon Enrollment Server | TCP 32111 | Use the Enrollment Server. | |
| Enrollment Server | ADCS | Enrollment Server requests certificate from Microsoft Certificate Authority (CA) to generate a temporary, short-lived certificate. The enrollment service uses TCP 135 RPC for the initial communication with the CA, then a random port from 1024 - 5000 and 49152 -65535. See Certificate Services in https://support.microsoft.com/en-us/help/832017#method4. Enrollment Server also communicates with domain controllers, using all relevant ports to discover a DC and bind to and query the Active Directory. See https://support.microsoft.com/en-us/help/832017#method1 and https://support.microsoft.com/en-us/help/832017#method12. |
||
| Horizon Agent | Connection broker | TCP 4002 | JMS over TLS | Horizon Agent requests and receives a certificate for logon. |
| Virtual desktop or published application | AD DC | Windows validates the authenticity of the certificate with Active Directory. See Microsoft documentation for a list of ports and protocols, as numerous ports might be required. | ||
| Horizon Client | Horizon Agent (protocol session) | TCP/UDP 22443 | Blast | Log on to the Windows desktop or application and a remote session is initiated on Horizon Client. |
| Horizon Client | Horizon Agent (protocol session) | UDP 4172 | PCoIP | Log in to the Windows desktop or application and a remote session is initiated on Horizon Client. |
