VMware Horizon uses TCP and UDP ports for network access between its components.
During installation, VMware Horizon can optionally configure Windows firewall rules to open the ports that are used by default. If you change the default ports after installation, you must manually reconfigure Windows firewall rules to allow access on the updated ports. See "Replacing Default Ports for VMware Horizon Services" in the Horizon Installation and Upgrade document.
For a list of ports that VMware Horizon uses for a certificate login associated with the TrueSSO solution, see VMware Horizon TrueSSO Ports.
| Source | Port | Target | Port | Protocol | Description |
|---|---|---|---|---|---|
| Connection broker or Unified Access Gateway appliance | 55000 | Horizon Agent | 4172 | UDP | PCoIP (not SALSA20) if PCoIP Secure Gateway is used. |
| Connection broker or Unified Access Gateway appliance | 4172 | Horizon Client | * | UDP | PCoIP (not SALSA20) if PCoIP Secure Gateway is used.
Note: Because the target port varies, see the note following this table.
|
| Connection broker or Unified Access Gateway appliance | * | Horizon Agent | 3389 | TCP | Microsoft RDP traffic to VMware Horizon desktops when tunnel connections are used. |
| Connection broker or Unified Access Gateway appliance | * | Horizon Agent | 9427 | TCP | Windows multimedia redirection, client drive redirection, Microsoft Teams optimization, HTML5 multimedia redirection, VMware printer redirection, and USB redirection when tunnel connections are used. |
| Connection broker or Unified Access Gateway appliance | * | Horizon Agent | 32111 | TCP | USB redirection and time zone synchronization when tunnel connections are used. |
| Connection broker or Unified Access Gateway appliance | * | Horizon Agent | 4172 | TCP | PCoIP if PCoIP Secure Gateway is used. |
| Connection broker or Unified Access Gateway appliance | * | Horizon Agent | 22443 | TCP | VMware Blast Extreme if Blast Secure Gateway is used. |
| Connection broker or Unified Access Gateway appliance | * | Horizon Agent | 22443 | TCP | HTML Access if Blast Secure Gateway is used. |
| Horizon Agent | 4172 | Horizon Client | * | UDP | PCoIP, if PCoIP Secure Gateway is not used.
Note: Because the target port varies, see the note following this table.
|
| Horizon Agent | 4172 | Connection broker or Unified Access Gateway appliance | 55000 | UDP | PCoIP (not SALSA20) if PCoIP Secure Gateway is used. |
| Horizon Agent | 4172 | Unified Access Gateway appliance | * | UDP | PCoIP. VMware Horizon desktops and applications send PCoIP data back to an Unified Access Gateway appliance from UDP port 4172 . The destination UDP port will be the source port from the received UDP packets and so as this is reply data, it is normally unnecessary to add an explicit firewall rule for this. |
| Horizon Agent (unmanaged) | * | Connection broker instance | 389 | TCP | AD LDS access during unmanaged agent installation.
Note: For other uses of this port, see the note following this table.
|
| Horizon Client | * | Connection broker or Unified Access Gateway appliance | 80 | TCP | TLS (HTTPS access) is enabled by default for client connections, but port 80 (HTTP access) can be used in certain cases. See HTTP Redirection in VMware Horizon. |
| Horizon Client | * | Connection broker or Unified Access Gateway appliance | 443 | TCP | HTTPS for logging in to VMware Horizon. (This port is also used for tunneling when tunnel connections are used.) |
| Horizon Client | * | Connection broker or Unified Access Gateway appliance | 4172 | TCP and UDP | PCoIP if PCoIP Secure Gateway is used. |
| Horizon Client | * | Horizon Agent | 3389 | TCP | Microsoft RDP traffic to VMware Horizon desktops if direct connections are used instead of tunnel connections. |
| Horizon Client | * | Horizon Agent | 9427 | TCP | Windows multimedia redirection, client drive redirection, Microsoft Teams optimization, HTML5 multimedia redirection, VMware printer redirection, and USB redirection, if direct connections are used instead of tunnel connections. |
| Horizon Client | * | Horizon Agent | 32111 | TCP | USB redirection and time zone synchronization if direct connections are used instead of tunnel connections. |
| Horizon Client | * | Horizon Agent | 4172 | TCP and UDP | PCoIP if PCoIP Secure Gateway is not used.
Note: Because the source port varies, see the note following this table.
|
| Horizon Client | * | Horizon Agent | 22443 | TCP and UDP | VMware Blast |
| Horizon Client | * | Connection broker or Unified Access Gateway appliance | 4172 | TCP and UDP | PCoIP (not SALSA20) if PCoIP Secure Gateway is used.
Note: Because the source port varies, see the note below this table.
|
| Web Browser | * | Unified Access Gateway appliance | 8443 | TCP | HTML Access. |
| Connection broker | * | Connection broker | 48080 | TCP | For internal communication between Connection broker components. |
| Connection broker | * | vCenter Server | 80 | TCP | SOAP messages if TLS is disabled for access to vCenter Servers. |
| Connection broker | * | vCenter Server | 443 | TCP | SOAP messages if TLS is enabled for access to vCenter Servers. |
| Connection broker | * | Connection broker | 4100 | TCP | JMS inter-router traffic. |
| Connection broker | * | Connection broker | 4101 | TCP | JMS TLS inter-router traffic. |
| Connection broker | * | Connection broker | 8472 | TCP | For inter-pod communication in Cloud Pod Architecture. |
| Connection broker | * | Connection broker | 22389 | TCP | For global LDAP replication in Cloud Pod Architecture. |
| Connection broker | * | Connection broker | 22636 | TCP | For secure global LDAP replication in Cloud Pod Architecture. |
| Connection broker | * | Connection broker | 32111 | TCP | Key sharing traffic. |
| Connection broker | * | Certificate Authority | * | HTTP, HTTPS | CRL or OCSP queries |
| Unified Access Gateway appliance | * | Connection broker or load balancer | 443 | TCP | HTTPS access. Unified Access Gateway appliances connect on TCP port 443 to communicate with a Connection broker instance or load balancer in front of multiple connection broker instances. |
| Horizon Help Desk Tool | * | Horizon Agent | 3389 | TCP | Microsoft RDP traffic to Horizon desktops for Remote Assistance. |
Note: The UDP port number that clients use for PCoIP might change. If port 50002 is in use, the client will pick 50003. If port 50003 is in use, the client will pick port 50004, and so on. You must configure firewalls with
ANY where an asterisk (*) is listed in the table.
Note: Microsoft Windows Server requires a dynamic range of ports to be open between all connection brokers in the
VMware Horizon environment. These ports are required by Microsoft Windows for the normal operation of Remote Procedure Call (RPC) and Active Directory replication. For more information about the dynamic range of ports, see the Microsoft Windows Server documentation.
Note: On a connection broker instance, port 389 is accessible for infrequent, ad hoc connections. It is accessed when installing an unmanaged agent as shown in the table, and also when using an LDAP editor to directly edit the database, and when issuing commands using a tool such as repadmin. A firewall rule is created for these purposes when AD LDS is installed, but it can be disabled if access to the port is not required.
Note: VMware Blast Extreme Adaptive Transport reserves some ports starting from ephemeral port range 49152-65535, by default. See the Knowledge Base article
52558.
