DMZ-based security servers require certain firewall rules on the front-end and back-end firewalls. During installation, View services are set up to listen on certain network ports by default. If necessary, to comply with organization policies or to avoid contention, you can change which port numbers are used.

Important: For additional details and security recommendations, see the View Security document.

To allow external client devices to connect to a security server within the DMZ, the front-end firewall must allow traffic on certain TCP and UDP ports. Front-End Firewall Rules summarizes the front-end firewall rules.

Front-End Firewall Rules

| Source | Default Port | Protocol | Destination | Default Port | Notes |
|---|---|---|---|---|---|
| Horizon Client | TCP Any | HTTP | Security server | TCP 80 | (Optional) External client devices connect to a security server within the DMZ on TCP port 80 and are automatically directed to HTTPS. For information about the security considerations related to letting users connect with HTTP rather than HTTPS, see the View Security guide. |
| Horizon Client | TCP Any | HTTPS | Security server | TCP 443 | External client devices connect to a security server within the DMZ on TCP port 443 to communicate with a Connection Server instance and remote desktops and applications. |
| Horizon Client | TCP Any, UDP Any | PCoIP | Security server | TCP 4172, UDP 4172 | External client devices connect to a security server within the DMZ on TCP port 4172 and UDP port 4172 to communicate with a remote desktop or application over PCoIP. |
| Security server | UDP 4172 | PCoIP | Horizon Client | UDP Any | Security servers send PCoIP data back to an external client device from UDP port 4172. The destination UDP port is the source port from the received UDP packets. Because these packets contain reply data, it is normally unnecessary to add an explicit firewall rule for this traffic. |
| Horizon Client or Client Web browser | TCP Any | HTTPS | Security server | TCP 8443, UDP 8443 | External client devices and external Web clients (HTML Access) connect to a security server within the DMZ on HTTPS port 8443 to communicate with remote desktops. |

To allow a security server to communicate with each View Connection Server instance that resides within the internal network, the back-end firewall must allow inbound traffic on certain TCP ports. Behind the back-end firewall, internal firewalls must be similarly configured to allow remote desktops, applications, and View Connection Server instances to communicate with each other. Back-End Firewall Rules summarizes the back-end firewall rules.

Back-End Firewall Rules

| Source | Default Port | Protocol | Destination | Default Port | Notes |
|---|---|---|---|---|---|
| Security server | UDP 500 | IPSec | Connection Server | UDP 500 | Security servers negotiate IPSec with View Connection Server instances on UDP port 500. |
| Connection Server | UDP 500 | IPSec | Security server | UDP 500 | View Connection Server instances respond to security servers on UDP port 500. |
| Security server | UDP 4500 | NAT-T ISAKMP | Connection Server | UDP 4500 | Required if NAT is used between a security server and its paired View Connection Server instance. Security servers use UDP port 4500 to traverse NATs and negotiate IPsec security. |
| Connection Server | UDP 4500 | NAT-T ISAKMP | Security server | UDP 4500 | View Connection Server instances respond to security servers on UDP port 4500 if NAT is used. |
| Security server | TCP Any | AJP13 | Connection Server | TCP 8009 | Security servers connect to View Connection Server instances on TCP port 8009 to forward Web traffic from external client devices. If you enable IPSec, AJP13 traffic does not use TCP port 8009 after pairing; instead it flows over either NAT-T (UDP port 4500) or ESP. |
| Security server | TCP Any | JMS | Connection Server | TCP 4001 | Security servers connect to View Connection Server instances on TCP port 4001 to exchange Java Message Service (JMS) traffic. |
| Security server | TCP Any | JMS | Connection Server | TCP 4002 | Security servers connect to View Connection Server instances on TCP port 4002 to exchange secure Java Message Service (JMS) traffic. |
| Security server | TCP Any | RDP | Remote desktop | TCP 3389 | Security servers connect to remote desktops on TCP port 3389 to exchange RDP traffic. |
| Security server | TCP Any | MMR | Remote desktop | TCP 9427 | Security servers connect to remote desktops on TCP port 9427 to receive traffic relating to multimedia redirection (MMR) and client drive redirection. |
| Security server | TCP Any, UDP 55000 | PCoIP | Remote desktop or application | TCP 4172, UDP 4172 | Security servers connect to remote desktops and applications on TCP port 4172 and UDP port 4172 to exchange PCoIP traffic. |
| Remote desktop or application | UDP 4172 | PCoIP | Security server | UDP 55000 | Remote desktops and applications send PCoIP data back to a security server from UDP port 4172. The destination UDP port is the source port from the received UDP packets. Because this is reply data, it is normally unnecessary to add an explicit firewall rule for this traffic. |
| Security server | TCP Any | USB-R | Remote desktop | TCP 32111 | Security servers connect to remote desktops on TCP port 32111 to exchange USB redirection traffic between an external client device and the remote desktop. |
| Security server | TCP or UDP Any | Blast Extreme | Remote desktop or application | TCP or UDP 22443 | Security servers connect to remote desktops and applications on TCP and UDP port 22443 to exchange Blast Extreme traffic. |
| Security server | TCP Any | HTTPS | Remote desktop | TCP 22443 | If you use HTML Access, security servers connect to remote desktops on HTTPS port 22443 to communicate with the Blast Extreme agent. |
| Security server | | ESP | Connection Server | | Encapsulated AJP13 traffic when NAT traversal is not required. ESP is IP protocol 50. Port numbers are not specified. |
| Connection Server | | ESP | Security server | | Encapsulated AJP13 traffic when NAT traversal is not required. ESP is IP protocol 50. Port numbers are not specified. |
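The two tables above are easiest to audit when they are data rather than prose. The following Python script is an added example, not VMware's code: it encodes the Front-End and Back-End Firewall Rules as rule objects and classifies firewall log lines as ALLOWED (an explicit rule matches), REPLY (the flow answers a flow the firewall already admitted, which is why the tables say PCoIP data returning from UDP 4172 needs no explicit rule) or DENIED. The role names (`horizon-client`, `security-server`, `connection-server`, `remote-desktop`), the `fw=... src=role:port proto=... dst=role:port` log format and every sample flow are assumptions constructed for this example; the "Horizon Client or Client Web browser" row is folded into the `horizon-client` role, and the two PCoIP reply rows are modelled by state tracking rather than as rules, as their notes describe.

```python
"""Added example (not VMware's code): audit constructed firewall log lines
against the Front-End and Back-End Firewall Rules tables on this page."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    firewall: str                    # "front-end" or "back-end"
    src: str                         # assumed role name of the sender
    proto: str                       # "tcp", "udp" or "esp"
    dst: str                         # assumed role name of the receiver
    dst_port: Optional[int]          # None for ESP, which carries no ports
    src_port: Optional[int] = None   # fixed source port where the table pins one

# Front-End Firewall Rules: external clients to the security server in the DMZ.
FRONT_END = [
    Rule("front-end", "horizon-client", "tcp", "security-server", 80),
    Rule("front-end", "horizon-client", "tcp", "security-server", 443),
    Rule("front-end", "horizon-client", "tcp", "security-server", 4172),
    Rule("front-end", "horizon-client", "udp", "security-server", 4172),
    Rule("front-end", "horizon-client", "tcp", "security-server", 8443),
    Rule("front-end", "horizon-client", "udp", "security-server", 8443),
]

# Back-End Firewall Rules: security server to Connection Server and desktops.
BACK_END = [
    Rule("back-end", "security-server", "udp", "connection-server", 500, 500),
    Rule("back-end", "connection-server", "udp", "security-server", 500, 500),
    Rule("back-end", "security-server", "udp", "connection-server", 4500, 4500),
    Rule("back-end", "connection-server", "udp", "security-server", 4500, 4500),
    Rule("back-end", "security-server", "tcp", "connection-server", 8009),
    Rule("back-end", "security-server", "tcp", "connection-server", 4001),
    Rule("back-end", "security-server", "tcp", "connection-server", 4002),
    Rule("back-end", "security-server", "tcp", "remote-desktop", 3389),
    Rule("back-end", "security-server", "tcp", "remote-desktop", 9427),
    Rule("back-end", "security-server", "tcp", "remote-desktop", 4172),
    Rule("back-end", "security-server", "udp", "remote-desktop", 4172, 55000),
    Rule("back-end", "security-server", "tcp", "remote-desktop", 32111),
    Rule("back-end", "security-server", "tcp", "remote-desktop", 22443),
    Rule("back-end", "security-server", "udp", "remote-desktop", 22443),
    Rule("back-end", "security-server", "esp", "connection-server", None),
    Rule("back-end", "connection-server", "esp", "security-server", None),
]

# Constructed log format for this example; "-" means no port (ESP).
LOG_RE = re.compile(
    r"fw=(?P<fw>\S+) src=(?P<src>\S+):(?P<sport>\S+) proto=(?P<proto>\S+) "
    r"dst=(?P<dst>\S+):(?P<dport>\S+)"
)

def _port(text: str) -> Optional[int]:
    return None if text == "-" else int(text)

class PolicyChecker:
    """Classify flows as ALLOWED, REPLY or DENIED. REPLY models the stateful
    behaviour the tables rely on: an answer to an admitted flow (reversed
    roles and ports) passes without an explicit rule."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.admitted = set()  # (fw, src, sport, proto, dst, dport)

    def classify(self, line: str) -> str:
        m = LOG_RE.search(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        fw, src, proto, dst = m["fw"], m["src"], m["proto"], m["dst"]
        sport, dport = _port(m["sport"]), _port(m["dport"])
        for r in self.rules:
            if ((r.firewall, r.src, r.proto, r.dst) == (fw, src, proto, dst)
                    and r.dst_port == dport
                    and (r.src_port is None or r.src_port == sport)):
                self.admitted.add((fw, src, sport, proto, dst, dport))
                return "ALLOWED"
        # Reverse the tuple: is this the answer to a flow already admitted?
        if (fw, dst, dport, proto, src, sport) in self.admitted:
            return "REPLY"
        return "DENIED"

def audit(lines: List[str]) -> List[Tuple[str, str]]:
    checker = PolicyChecker(FRONT_END + BACK_END)
    return [(checker.classify(ln), ln) for ln in lines]

SAMPLE_LOG = [  # constructed for this example, not captured from a deployment
    "fw=front-end src=horizon-client:51234 proto=udp dst=security-server:4172",
    "fw=front-end src=security-server:4172 proto=udp dst=horizon-client:51234",
    "fw=front-end src=horizon-client:51235 proto=tcp dst=security-server:3389",
    "fw=back-end src=security-server:55000 proto=udp dst=remote-desktop:4172",
    "fw=back-end src=remote-desktop:4172 proto=udp dst=security-server:55000",
    "fw=back-end src=security-server:40001 proto=udp dst=remote-desktop:4172",
    "fw=back-end src=security-server:- proto=esp dst=connection-server:-",
]

if __name__ == "__main__":
    for verdict, line in audit(SAMPLE_LOG):
        print(f"{verdict:8} {line}")
```

Running the script shows the three outcomes the tables imply: the client's PCoIP flow to UDP 4172 and the security server's flow from UDP 55000 are ALLOWED, the data returning from UDP 4172 to each source port is REPLY, an external client reaching for TCP 3389 on the security server is DENIED because no front-end row permits it, and a back-end PCoIP flow sent from any source port other than the pinned UDP 55000 is also DENIED. Order matters: the checker only recognises a reply after it has seen the admitted flow, which is the same dependency a stateful firewall has.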