DMZ-based Access Point appliances require certain firewall rules on the front-end and back-end firewalls. During installation, Access Point services are set up to listen on certain network ports by default.

A DMZ-based Access Point appliance deployment usually includes two firewalls.

An external network-facing, front-end firewall is required to protect both the DMZ and the internal network. You configure this firewall to allow external network traffic to reach the DMZ.

A back-end firewall, between the DMZ and the internal network, is required to provide a second tier of security. You configure this firewall to accept only traffic that originates from the services within the DMZ.

As an example, the following figure illustrates the protocols that each View component uses for communication. This configuration might be used in a typical WAN deployment if you are using Access Point appliances with the View component of VMware Horizon.

[Figure: View Components and Protocols with Access Point. Several protocols are used in a View setup.]

Firewall policy strictly controls inbound communications from DMZ services, which greatly reduces the risk of compromising your internal network.

The following figure shows an example of a configuration that includes front-end and back-end firewalls.

[Figure: Dual Firewall Topology. In the DMZ, use front-end and back-end firewalls.]

To allow external client devices to connect to an Access Point appliance within the DMZ, the front-end firewall must allow traffic on certain TCP and UDP ports.

Front-End Firewall Rules

| Source | Default Source Port | Protocol | Destination | Destination Port | Notes |
|---|---|---|---|---|---|
| Horizon Client | TCP Any | HTTP | Access Point appliance | TCP 80 | (Optional) External client devices connect to an Access Point appliance within the DMZ on TCP port 80 and are automatically directed to HTTPS. |
| Horizon Client or Client Web browser | TCP Any | HTTPS | Access Point appliance | TCP 443; UDP 443 (for Blast) | External client devices and external Web clients (HTML Access) connect to an Access Point appliance within the DMZ on TCP port 443. |
| Horizon Client | TCP Any; UDP Any | PCoIP | Access Point appliance | TCP 4172; UDP 4172 | External client devices connect to an Access Point appliance within the DMZ on TCP port 4172 and UDP port 4172 to communicate with a remote desktop or application over PCoIP. |
| Access Point appliance | UDP 4172 | PCoIP | Horizon Client | UDP Any | Access Point appliances send PCoIP data back to an external client device from UDP port 4172. The destination UDP port is the source port from the received UDP packets. Because these packets contain reply data, it is normally unnecessary to add an explicit firewall rule for this traffic. |
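The following is an added example, not part of the VMware documentation: a minimal model of a stateful front-end firewall loaded with the inbound rules from the table above. It shows why the last row (Access Point UDP 4172 back to the Horizon Client) needs no explicit rule: a stateful firewall admits it as reply data for a flow it has already recorded, and drops the same packet when no such flow exists. The addresses are constructed sample values.

```python
from dataclasses import dataclass, field

# Inbound rules from the Front-End Firewall Rules table: (protocol, destination
# port) toward the Access Point appliance. The source port is "Any" in each rule.
FRONT_END_INBOUND = {
    ("tcp", 80),    # HTTP (optional, redirected to HTTPS)
    ("tcp", 443),   # HTTPS for Horizon Client and HTML Access
    ("udp", 443),   # HTTPS over UDP for Blast
    ("tcp", 4172),  # PCoIP
    ("udp", 4172),  # PCoIP
}

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str    # addresses used below are constructed sample values
    sport: int
    dst: str
    dport: int

@dataclass
class StatefulFirewall:
    inbound_rules: set
    dmz_hosts: set
    flows: set = field(default_factory=set)  # (proto, client, cport, dmz, dport)

    def check(self, pkt: Packet) -> str:
        """Return 'allow-rule', 'allow-reply' or 'deny' for one packet."""
        if pkt.dst in self.dmz_hosts:
            # Inbound to the DMZ: must match an explicit rule; record the flow.
            if (pkt.proto, pkt.dport) in self.inbound_rules:
                self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return "allow-rule"
            return "deny"
        if pkt.src in self.dmz_hosts:
            # Outbound from the DMZ: only reply data for a recorded flow passes,
            # so no explicit "Access Point UDP 4172 -> client UDP Any" rule is needed.
            if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
                return "allow-reply"
        return "deny"

def demo() -> list:
    # Walk the PCoIP rows of the table with constructed client and appliance addresses.
    client, ap = "203.0.113.5", "10.0.1.10"
    fw = StatefulFirewall(FRONT_END_INBOUND, {ap})
    return [
        fw.check(Packet("udp", client, 50000, ap, 4172)),  # PCoIP request
        fw.check(Packet("udp", ap, 4172, client, 50000)),  # matching reply
        fw.check(Packet("udp", ap, 4172, client, 50001)),  # unsolicited, no flow
        fw.check(Packet("tcp", client, 50002, ap, 22)),    # not in the table
    ]
```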

To allow an Access Point appliance to communicate with a Horizon server or load balancer that resides within the internal network, the back-end firewall must allow inbound traffic on certain TCP ports. Behind the back-end firewall, internal firewalls must be similarly configured to allow remote desktops, applications and Horizon servers to communicate with each other.

Back-End Firewall Rules

| Source | Default Source Port | Protocol | Destination | Destination Port | Notes |
|---|---|---|---|---|---|
| Access Point appliance | TCP Any | HTTPS | Horizon server or load balancer | TCP 443 | Access Point appliances connect on TCP port 443 to communicate with a Horizon server or load balancer in front of multiple Horizon server instances. |
| Access Point appliance | TCP Any | RDP | Remote desktop | TCP 3389 | Access Point appliances connect to remote desktops on TCP port 3389 to exchange RDP traffic. |
| Access Point appliance | TCP Any | MMR or CDR | Remote desktop | TCP 9427 | Access Point appliances connect to remote desktops on TCP port 9427 to receive MMR (multimedia redirection) or CDR (client drive redirection) traffic. |
| Access Point appliance | TCP Any; UDP Any | PCoIP | Remote desktop or application | TCP 4172; UDP 4172 | Access Point appliances connect to remote desktops and applications on TCP port 4172 and UDP port 4172 to exchange PCoIP traffic. |
| Remote desktop or application | UDP 4172 | PCoIP | Access Point appliance | UDP Any | Remote desktops and applications send PCoIP data back to an Access Point appliance from UDP port 4172. The destination UDP port is the source port from the received UDP packets. Because these packets contain reply data, it is normally unnecessary to add an explicit firewall rule for this traffic. |
| Access Point appliance | TCP Any | USB-R | Remote desktop | TCP 32111 | Access Point appliances connect to remote desktops on TCP port 32111 to exchange USB redirection traffic between an external client device and the remote desktop. |
| Access Point appliance | TCP or UDP Any | Blast Extreme | Remote desktop or application | TCP or UDP 22443 | Access Point appliances connect to remote desktops and applications on TCP and UDP port 22443 to exchange Blast Extreme traffic. |
| Access Point appliance | TCP Any | HTTPS | Remote desktop | TCP 22443 | If you use HTML Access, Access Point appliances connect to remote desktops on HTTPS port 22443 to communicate with the VMware Blast agent. |

Note

Access Point optionally listens on TCP port 9443 for the admin REST API traffic and optionally sends Syslog events on a default UDP port of 514. If there is a firewall in place for this communication, these ports must not be blocked.