DMZ-based security servers require certain firewall rules on the front-end and back-end firewalls.

To allow external client devices to connect to a security server within the DMZ, the front-end firewall must allow traffic on certain TCP and UDP ports. The Front-End Firewall Rules table summarizes the front-end firewall rules.

Front-End Firewall Rules

| Source | Protocol | Port | Destination | Notes |
|---|---|---|---|---|
| Any | HTTP | 80 | Security server | External client devices use port 80 to connect to a security server within the DMZ when SSL is disabled. |
| Any | HTTPS | 443 | Security server | External client devices use port 443 to connect to a security server within the DMZ when SSL is enabled (the default). |
| Any | PCoIP | TCP 4172, UDP 4172 | Security server | External client devices use TCP port 4172 to connect to a security server within the DMZ when SSL is enabled and also use UDP port 4172 in both directions. |

To allow a security server to communicate with each View Connection Server instance that resides within the internal network, the back-end firewall must allow inbound traffic on certain TCP ports. Behind the back-end firewall, internal firewalls must be similarly configured to allow View desktops and View Connection Server instances to communicate with each other. The Back-End Firewall Rules table summarizes the back-end firewall rules.

Back-End Firewall Rules

| Source | Protocol | Port | Destination | Notes |
|---|---|---|---|---|
| Security server | HTTP | 80 | Transfer Server | Security servers can use port 80 to download View desktop data to local mode desktops from the Transfer Server and to replicate data to the Transfer Server. |
| Security server | HTTPS | 443 | Transfer Server | If you configure View Connection Server to use SSL for local mode operations and desktop provisioning, security servers use port 443 for downloads and replication between local mode desktops and the Transfer Server. |
| Security server | AJP13 | 8009 | View Connection Server | Security servers use port 8009 to transmit AJP13-forwarded Web traffic to View Connection Server instances. |
| Security server | JMS | 4001 | View Connection Server | Security servers use port 4001 to transmit Java Message Service (JMS) traffic to View Connection Server instances. |
| Security server | RDP | 3389 | View desktop | Security servers use port 3389 to transmit RDP traffic to View desktops. Note: For MMR, TCP port 9427 is used alongside RDP. |
| Security server | PCoIP | TCP 4172, UDP 4172 | View desktop | Security servers use TCP port 4172 to transmit PCoIP traffic to View desktops, and security servers use UDP port 4172 to transmit PCoIP traffic in both directions. |
| Security server | PCoIP or RDP | TCP 32111 | View desktop | For USB redirection, TCP port 32111 is used alongside PCoIP or RDP from the client to the View desktop. |

Groups of View Connection Server instances use additional TCP ports to communicate with each other. For example, View Connection Server instances use port 4100 to transmit JMS inter-router (JMSIR) traffic to each other. Firewalls are generally not used between the View Connection Server instances in a group.
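
The following is an added example, not VMware code: a Python check that compares a back-end firewall rule export against the Back-End Firewall Rules table and reports rules that permit more than the table lists, plus table flows that no rule covers. The rule tuple format, the role names and the sample rules are assumptions made for illustration.

```python
# Added example: audit back-end firewall rules against the documented matrix.
# The Rule format and role names are assumptions, not a VMware export format.
from collections import namedtuple

# src/dst are role names ("any" = unrestricted source); lo..hi is the inclusive port range.
Rule = namedtuple("Rule", "src proto lo hi dst")

# Flows from the Back-End Firewall Rules table: (source, transport, port, destination).
DOCUMENTED = {
    ("security-server", "tcp", 80, "transfer-server"),
    ("security-server", "tcp", 443, "transfer-server"),
    ("security-server", "tcp", 8009, "connection-server"),  # AJP13
    ("security-server", "tcp", 4001, "connection-server"),  # JMS
    ("security-server", "tcp", 3389, "view-desktop"),       # RDP
    ("security-server", "tcp", 9427, "view-desktop"),       # MMR alongside RDP
    ("security-server", "tcp", 4172, "view-desktop"),       # PCoIP
    ("security-server", "udp", 4172, "view-desktop"),       # PCoIP
    ("security-server", "tcp", 32111, "view-desktop"),      # USB redirection
}

def audit(rules):
    """Return (excess, missing): rules wider than the table, and table flows no rule covers."""
    excess, covered = [], set()
    for r in rules:
        hits = {f for f in DOCUMENTED if r.src in (f[0], "any")
                and f[1] == r.proto and f[3] == r.dst and r.lo <= f[2] <= r.hi}
        covered |= hits
        width = r.hi - r.lo + 1
        if r.src != "security-server":
            excess.append((r, "source is not the security server"))
        elif not hits:
            excess.append((r, "no documented flow matches"))
        elif width > len(hits):
            excess.append((r, f"range opens {width - len(hits)} undocumented port(s)"))
    return excess, sorted(DOCUMENTED - covered)

# Constructed sample rule set, not taken from a real firewall.
SAMPLE = [
    Rule("security-server", "tcp", 8009, 8009, "connection-server"),
    Rule("security-server", "tcp", 4001, 4100, "connection-server"),  # over-broad range
    Rule("security-server", "tcp", 3389, 3389, "view-desktop"),
    Rule("security-server", "tcp", 4172, 4172, "view-desktop"),
    Rule("any", "tcp", 443, 443, "transfer-server"),                  # source too wide
    Rule("security-server", "tcp", 22, 22, "connection-server"),      # not in the table
]

if __name__ == "__main__":
    excess, missing = audit(SAMPLE)
    print(*excess, *missing, sep="\n")
```

A flow reported as missing is not necessarily an error: whether port 80 or 443 to the Transfer Server is needed depends on the SSL setting, and ports 9427 and 32111 apply to MMR and USB redirection.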