DMZ-based security servers require certain firewall rules on the front-end and back-end firewalls. During installation, Horizon View services are set up to listen on certain network ports by default. If necessary, to comply with organization policies or to avoid contention, you can change which port numbers are used.

Important

For additional details and security recommendations, see the VMware Horizon View Security document.

To allow external client devices to connect to a security server within the DMZ, the front-end firewall must allow traffic on certain TCP and UDP ports. Front-End Firewall Rules summarizes the front-end firewall rules.

Front-End Firewall Rules

| Source | Default Port | Protocol | Destination | Default Port | Notes |
| --- | --- | --- | --- | --- | --- |
| View Client | TCP Any | HTTP | Security server | TCP 80 | (Optional) External client devices connect to a security server within the DMZ on TCP port 80 and are automatically directed to HTTPS. For information about the security considerations related to letting users connect with HTTP rather than HTTPS, see the VMware Horizon View Security guide. |
| View Client | TCP Any | HTTPS | Security server | TCP 443 | External client devices connect to a security server within the DMZ on TCP port 443 to communicate with a Connection Server instance and View desktops. |
| View Client | TCP Any, UDP Any | PCoIP | Security server | TCP 4172, UDP 4172 | External client devices connect to a security server within the DMZ on TCP port 4172 and UDP port 4172 to communicate with a View desktop over PCoIP. |
| Security server | UDP 4172 | PCoIP | View Client | UDP Any | Security servers send PCoIP data back to an external client device from UDP port 4172. The destination UDP port is the source port of the received UDP packets; because this is reply data, an explicit firewall rule is normally unnecessary. |
| Client Web browser | TCP Any | HTTPS | Security server | TCP 8443 | If you use VMware Horizon View HTML Access, the external Web client connects to a security server within the DMZ on HTTPS port 8443 to communicate with View desktops. |

To allow a security server to communicate with each View Connection Server instance that resides within the internal network, the back-end firewall must allow inbound traffic on certain TCP ports. Behind the back-end firewall, internal firewalls must be similarly configured to allow View desktops and View Connection Server instances to communicate with each other. Back-End Firewall Rules summarizes the back-end firewall rules.

Back-End Firewall Rules

| Source | Default Port | Protocol | Destination | Default Port | Notes |
| --- | --- | --- | --- | --- | --- |
| Security server | UDP 500 | IPsec | Connection Server | UDP 500 | Security servers negotiate IPsec with View Connection Server instances on UDP port 500. |
| Connection Server | UDP 500 | IPsec | Security server | UDP 500 | View Connection Server instances respond to security servers on UDP port 500. |
| Security server | UDP 4500 | NAT-T ISAKMP | Connection Server | UDP 4500 | Required if NAT is used between a security server and its paired View Connection Server instance. Security servers use UDP port 4500 to traverse NATs and negotiate IPsec security. |
| Connection Server | UDP 4500 | NAT-T ISAKMP | Security server | UDP 4500 | View Connection Server instances respond to security servers on UDP port 4500 if NAT is used. |
| Security server | TCP Any | AJP13 | Connection Server | TCP 8009 | Security servers connect to View Connection Server instances on TCP port 8009 to forward Web traffic from external client devices. If you enable IPsec and one-way or two-way NAT is configured on the back-end firewall, UDP port 4500 must be allowed in each direction between the security server and the View Connection Server instance; it is then used instead of TCP port 8009 for AJP13 traffic. |
| Security server | TCP Any | JMS | Connection Server | TCP 4001 | Security servers connect to View Connection Server instances on TCP port 4001 to exchange Java Message Service (JMS) traffic. |
| Security server | TCP Any | RDP | View desktop | TCP 3389 | Security servers connect to View desktops on TCP port 3389 to exchange RDP traffic. |
| Security server | TCP Any | MMR | View desktop | TCP 9427 | Security servers connect to View desktops on TCP port 9427 to receive MMR traffic. |
| Security server | TCP Any, UDP Any | PCoIP | View desktop | TCP 4172, UDP 4172 | Security servers connect to View desktops on TCP port 4172 and UDP port 4172 to exchange PCoIP traffic. |
| View desktop | UDP 4172 | PCoIP | Security server | UDP Any | View desktops send PCoIP data back to a security server from UDP port 4172. The destination UDP port is the source port of the received UDP packets; because this is reply data, an explicit firewall rule is normally unnecessary. |
| Security server | TCP Any | USB-R | View desktop | TCP 32111 | Security servers connect to View desktops on TCP port 32111 to exchange USB redirection traffic between an external client device and the View desktop. |
| Security server | TCP Any | HTTP | Transfer Server | TCP 80 | Security servers connect to View Transfer Servers on TCP port 80 to download View desktop data to external local mode clients and to exchange replication data. |
| Security server | TCP Any | HTTPS | Transfer Server | TCP 443 | If you configure View Transfer Server to use SSL for local mode operations and desktop provisioning, security servers connect to View Transfer Servers on TCP port 443 instead of TCP port 80 to download View desktop data to external local mode clients and to exchange replication data. |
| Security server | TCP Any | HTTPS | View desktop | TCP 22443 | If you use VMware Horizon View HTML Access, security servers connect to View desktops on HTTPS port 22443 to communicate with the Blast agent. |
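As an added example (not from the VMware documentation), the two rule tables above expressed as data, with a helper that derives the back-end rule set for a given deployment (NAT between security server and Connection Server, HTML Access, SSL on the Transfer Server) and an audit that diffs a candidate firewall policy against it. The reply-direction UDP 4172 rows are left out because, as their notes say, they need no explicit rule; the `Rule` type, function names and parameters are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str
    proto: str   # "tcp" or "udp"
    dst: str
    dport: int   # destination port; source ports are "Any" for every row kept here

# Front-end firewall rules from the table above (constructed data for this example).
FRONT_END = {
    Rule("View Client", "tcp", "Security server", 443),    # HTTPS
    Rule("View Client", "tcp", "Security server", 4172),   # PCoIP
    Rule("View Client", "udp", "Security server", 4172),   # PCoIP
}
FRONT_END_OPTIONAL = {Rule("View Client", "tcp", "Security server", 80)}       # HTTP redirect
FRONT_END_HTML_ACCESS = {Rule("Client Web browser", "tcp", "Security server", 8443)}

def back_end_rules(nat: bool, html_access: bool, transfer_ssl: bool) -> set:
    """Back-end rules the table requires for the given deployment options."""
    rules = {
        Rule("Security server", "udp", "Connection Server", 500),    # IPsec
        Rule("Connection Server", "udp", "Security server", 500),    # IPsec reply
        Rule("Security server", "tcp", "Connection Server", 4001),   # JMS
        Rule("Security server", "tcp", "View desktop", 3389),        # RDP
        Rule("Security server", "tcp", "View desktop", 9427),        # MMR
        Rule("Security server", "tcp", "View desktop", 4172),        # PCoIP
        Rule("Security server", "udp", "View desktop", 4172),        # PCoIP
        Rule("Security server", "tcp", "View desktop", 32111),       # USB-R
        Rule("Security server", "tcp", "Transfer Server", 443 if transfer_ssl else 80),
    }
    if nat:
        # With IPsec and NAT, NAT-T on UDP 4500 in each direction replaces AJP13 on TCP 8009.
        rules |= {Rule("Security server", "udp", "Connection Server", 4500),
                  Rule("Connection Server", "udp", "Security server", 4500)}
    else:
        rules.add(Rule("Security server", "tcp", "Connection Server", 8009))  # AJP13
    if html_access:
        rules.add(Rule("Security server", "tcp", "View desktop", 22443))      # Blast agent
    return rules

def audit(policy, required, optional=frozenset()):
    """Return (missing, unexpected): required rules the policy lacks, and
    allowed rules that are neither required nor optional (candidates for removal)."""
    policy = set(policy)
    return required - policy, policy - required - set(optional)

if __name__ == "__main__":
    # Constructed sample policy: the HTML Access rule was forgotten and TCP 22 was opened by mistake.
    policy = FRONT_END | {Rule("View Client", "tcp", "Security server", 22)}
    missing, unexpected = audit(policy, FRONT_END | FRONT_END_HTML_ACCESS, FRONT_END_OPTIONAL)
    print("missing:", sorted(r.dport for r in missing), "unexpected:", sorted(r.dport for r in unexpected))
```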

Groups of View Connection Server instances use additional TCP ports to communicate with each other. For example, View Connection Server instances use port 4100 to transmit JMS inter-router (JMSIR) traffic to each other. Firewalls are generally not used between the View Connection Server instances in a group.