
TECHNICAL WHITE PAPER – SEPTEMBER 2017

NETWORK PORTS IN VMWARE HORIZON 7
VMware Horizon 7 version 7.2


Table of Contents
About This Guide
Client Connections
    Internal Connection
    External Connection
    Tunneled Connection
Virtual Desktop or RDS Host
View Connection Server
vCenter Server and View Composer
Unified Access Gateway
Security Server
VMware Identity Manager
App Volumes Manager
vRealize Operations for Horizon
Management
Display-Protocol-Specific Diagram Views
About the Author and Contributors


About This Guide


This document lists port requirements for connectivity between the various components and servers in a
VMware Horizon® 7 deployment.

Figure 1: Horizon 7 Network Ports with All Connection Types and All Display Protocols

Figure 1 shows three different client connection types and also includes all display protocols. Different
subsets of this diagram are displayed throughout this document and linked to larger PDF layouts. To
view these larger PDF diagram layouts, access the Attachments panel in this file or click on the diagram
images in the layout. You might need to download this PDF and view it locally (rather than in a browser)
for full interactive functionality.

Each subset of Figure 1 focuses on a particular connection type and display protocol use. The PDF
diagrams are high-resolution graphics and in a format suitable for printing as posters.

This document also contains tables that list all possible ports from a source component to destination
components. This does not mean that all of these ports necessarily need to be open. If a component or
display protocol is not in use, then the ports associated with it can be omitted. For example:
• If Blast Extreme is the only display protocol used, the PCoIP ports need not be opened.
• If VMware vRealize® Operations for Horizon is not deployed, ports to and from it can be ignored.

Ports shown are destination ports.


The Horizon 7 tables and diagrams include connections to the following products, product families, and
components:
• vRealize Operations for Horizon
• VMware Horizon Client™
• VMware Identity Manager™
• VMware Unified Access Gateway™
• VMware App Volumes™
• VMware User Environment Manager™
• VMware vCenter Server®
• VMware ESXi™
• VMware AirWatch®


Client Connections
Network ports for connections between a client (either Horizon Client or a browser) and the various
Horizon 7 components vary by whether the connections are internal, external, or tunneled.

Internal Connection
An internal connection is typically used within the internal network. Initial authentication is performed to
the View Connection Server, and then the Horizon Client connects directly to the Horizon Agent running
in the virtual desktop or RDS host.

The following table lists network ports for internal connections from a client device to Horizon 7
components. The diagrams following the table show network ports for internal connections, by display
protocol.

| Source | Destination | Network protocol | Destination port | Details |
|---|---|---|---|---|
| Horizon Client | View Connection Server | TCP | 443 | Login traffic. SSL (HTTPS access) is enabled by default for client connections, but port 80 (HTTP access) can be used in some cases. See HTTP Redirection in View in View Security. |
| Horizon Client | Horizon Agent | TCP | 22443 | Blast Extreme. Excellent or typical network condition is selected on client. |
| Horizon Client | Horizon Agent | UDP | 22443 | Blast Extreme. Typical network condition is selected on client. |
| Horizon Client | Horizon Agent | TCP | 4172 | PCoIP. |
| Horizon Client | Horizon Agent | UDP | 4172 | PCoIP. |
| Horizon Client | Horizon Agent | TCP | 3389 | RDP. |
| Horizon Client | Horizon Agent | TCP | 9427 | Optional for client drive redirection (CDR) and multimedia redirection (MMR). By default, when using Blast Extreme, CDR traffic is side-channeled in the Blast Extreme ports indicated previously. If you prefer, this traffic can be separated onto the port indicated here. |
| Horizon Client | Horizon Agent | TCP | 32111 | Optional for USB redirection. By default, USB traffic is side-channeled in the Blast Extreme or PCoIP ports indicated previously. If desired, this traffic can be separated onto the port indicated here. |
| Browser | View Connection Server | TCP | 443 | HTML Access. |
| Browser | VMware Identity Manager | TCP | 443 | VMware Identity Manager. |


Figure 2: Internal Connection Showing All Display Protocols

Figure 3: Blast Extreme Internal Connection


Figure 4: PCoIP Internal Connection

Figure 5: HTML Access Internal Connection


External Connection
An external connection provides secure access into Horizon 7 resources from an external network.
A Unified Access Gateway or a security server provides the secure edge services. All communication from
the client will be to that edge device, which then communicates to the internal resources.

The following table lists network ports for external connections from a client device to Horizon 7
components. The diagrams following the table show network ports for external connections, by display
protocol, all with Unified Access Gateway.

| Source | Destination | Network protocol | Destination port | Details |
|---|---|---|---|---|
| Horizon Client | Unified Access Gateway or security server | TCP | 443 | Login traffic. SSL (HTTPS access) is enabled by default for client connections, but port 80 (HTTP access) can be used in some cases. See HTTP Redirection in View in View Security. Can also carry tunneled RDP, client drive redirection, and USB redirection traffic. |
| Horizon Client | Unified Access Gateway or security server | TCP | 4172 | PCoIP via PCoIP Secure Gateway on Unified Access Gateway or security server. |
| Horizon Client | Unified Access Gateway or security server | UDP | 4172 | PCoIP via PCoIP Secure Gateway on Unified Access Gateway or security server. |
| Horizon Client | Unified Access Gateway | TCP | 443 | Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic where port sharing is used. Excellent or typical network condition is selected on client. |
| Horizon Client | Unified Access Gateway | TCP | 8443 | Optional for Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic (performant channel). Excellent or typical network condition is selected on client. |
| Horizon Client | Unified Access Gateway | UDP | 443 | Blast Extreme via the Unified Access Gateway for data traffic where port sharing is used. Also used for login traffic when poor network condition is selected on client. |
| Horizon Client | Unified Access Gateway | UDP | 8443 | Optional for Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic (adaptive transport). Typical or poor network condition is selected on client. |
| Horizon Client | Security server | TCP | 8443 | Blast Extreme via Blast Secure Gateway on security server. |
| Browser | Unified Access Gateway or security server | TCP | 443 | HTML Access. |
| Browser | Unified Access Gateway | TCP | 443 | VMware Identity Manager login and data traffic. |


Figure 6: External Connection Showing All Display Protocols (Using Unified Access Gateway)


Figure 7: Blast Extreme External Connection (Using Unified Access Gateway)


Figure 8: PCoIP External Connection (Using Unified Access Gateway)

Figure 9: HTML Access External Connection (Using Unified Access Gateway)


Tunneled Connection
A tunneled connection uses the View Connection Server to provide gateway services. Authentication
and session traffic is routed through the View Connection Server. This approach is less frequently used
because Unified Access Gateway can provide the same and more functionality.

The following table lists network ports for tunneled connections from a client device to the Horizon 7
components. The diagrams following the table show network ports for tunneled connections, by display
protocol.

| Source | Destination | Network protocol | Destination port | Details |
|---|---|---|---|---|
| Horizon Client | View Connection Server | TCP | 443 | Login. SSL (HTTPS access) is enabled by default for client connections, but port 80 (HTTP access) can be used in certain cases. See HTTP Redirection in View in View Security. Can also carry tunneled RDP, client drive redirection, and USB redirection traffic. |
| Horizon Client | View Connection Server | TCP | 8443 | Blast Extreme to Blast Secure Gateway. Excellent or typical network condition is selected on client. |
| Horizon Client | View Connection Server | TCP | 4172 | PCoIP to PCoIP Secure Gateway. |
| Horizon Client | View Connection Server | UDP | 4172 | PCoIP to PCoIP Secure Gateway. |
| Browser | View Connection Server | TCP | 443 | HTML Access. |
| Browser | VMware Identity Manager | TCP | 443 | VMware Identity Manager. |


Figure 10: Tunneled Connection Showing All Display Protocols

Figure 11: Blast Extreme Tunneled Connection


Figure 12: PCoIP Tunneled Connection

Figure 13: HTML Access Tunneled Connection


Virtual Desktop or RDS Host


The following table lists network ports for connections from a virtual desktop or RDS host, to other
Horizon 7 components.

| Source | Destination | Network protocol | Destination port | Details |
|---|---|---|---|---|
| Horizon Agent | View Connection Server | TCP | 4002 | Java Message Service (JMS) when using enhanced security (default). |
| Horizon Agent | View Connection Server | TCP | 4001 | JMS (legacy). |
| Horizon Agent | View Connection Server | TCP | 389 | Only required when doing an unmanaged agent registration, for example, RDSH agent install without linked-clone or instant-clone component. |
| Horizon Agent | vRealize Operations for Horizon * | TCP | 3091 | Remote Method Invocation (RMI) registry lookup. |
| Horizon Agent | vRealize Operations for Horizon * | TCP | 3099 | Desktop message server. |
| App Volumes Agent | App Volumes Manager | TCP | 443 | Can use port 80 if not using SSL certificates to secure communication. |
| App Volumes Agent | App Volumes Manager | TCP | 5895 | PowerShell web services. |
| User Environment Manager FlexEngine | File shares | TCP | 445 | User Environment Manager agent access to SMB file shares. |

* VMware vRealize Operations for Horizon ports shown are for version 6.2. See the vRealize Operations
for Horizon Documentation for earlier versions.


View Connection Server


The following table lists network ports for connections from a View Connection Server to other Horizon
7 components.

| Source | Destination | Network protocol | Destination port | Details |
|---|---|---|---|---|
| View Connection Server | Horizon Agent | TCP | 22443 | Blast Extreme for a tunneled connection. |
| View Connection Server | Horizon Agent | TCP | 4172 | PCoIP for a tunneled connection. |
| View Connection Server | Horizon Agent | UDP | 4172 | PCoIP for a tunneled connection. |
| View Connection Server | Horizon Agent | TCP | 3389 | RDP for a tunneled connection. |
| View Connection Server | Horizon Agent | TCP | 9427 | Optional for client drive redirection (CDR) and multimedia redirection (MMR) for a tunneled connection. By default, when using Blast Extreme, CDR traffic is side-channeled in the Blast Extreme ports indicated previously. If you prefer, this traffic can be separated onto the port indicated here. |
| View Connection Server | Horizon Agent | TCP | 32111 | Optional for USB redirection for a tunneled connection. By default, USB traffic is side-channeled in the Blast Extreme or PCoIP ports indicated previously. If you prefer, this traffic can be separated onto the port indicated here. |
| View Connection Server | vCenter Server | TCP | 443 | SOAP messages. |
| View Connection Server | View Composer | TCP | 18443 | SOAP messages. |
| View Connection Server | View Connection Server | TCP | 4100 | JMS to replica View Connection Server for redundancy and scale. |
| View Connection Server | View Connection Server | TCP | 4101 | JMS SSL to replica View Connection Server for redundancy and scale. |
| View Connection Server | View Connection Server | TCP | 22389 | Cloud Pod Architecture ADLDS – Global LDAP replication. |
| View Connection Server | View Connection Server | TCP | 22636 | Cloud Pod Architecture ADLDS – Secure global LDAP replication. |
| View Connection Server | View Connection Server | TCP | 8472 | Cloud Pod Architecture inter-pod VIPA. |
| View Connection Server | View Connection Server | TCP | 32111 | Only used during installation of a replica View Connection Server. |
| View Connection Server | Enrollment server | TCP | 32111 | View Framework. |
| View Connection Server | Security server | UDP | 500 | IPsec negotiation traffic. |
| View Connection Server | Security server | UDP | 4500 | NAT-T ISAKMP. |
| View Connection Server | VMware Identity Manager | TCP | 443 | Message bus. |
| View Connection Server | vRealize Operations for Horizon | TCP | 3901 | Remote Method Invocation (RMI) registry lookup. |
| View Connection Server | vRealize Operations for Horizon | TCP | 3101 | Broker message server – Send topology data. |
| View Connection Server | vRealize Operations for Horizon | TCP | 3100 | Certificate management server – Pair. |
| View Connection Server | RSA SecurID Authentication Manager | UDP | 5500 | Two-factor authentication. Default value is shown. This port is configurable. |

vCenter Server and View Composer


The following table lists network ports for connections from a vCenter Server and a View Composer
server, to other Horizon 7 components.

| Source | Destination | Network protocol | Destination port | Details |
|---|---|---|---|---|
| vCenter Server | ESXi | TCP | 902 | SOAP. |
| View Composer | vCenter Server | TCP | 443 | SOAP. |
| View Composer | ESXi | TCP | 902 | SOAP. |


Unified Access Gateway


The following table lists network ports for connections from a Unified Access Gateway to other
Horizon 7 components.

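| Source | Destination | Network protocol | Destination port | Details |
|---|---|---|---|---|
| Unified Access Gateway | View Connection Server | TCP | 443 | Login. |
| Unified Access Gateway | Horizon Agent | TCP | 22443 | Blast Extreme. |
| Unified Access Gateway | Horizon Agent | UDP | 22443 | Blast Extreme. |
| Unified Access Gateway | Horizon Agent | TCP | 4172 | PCoIP. |
| Unified Access Gateway | Horizon Agent | UDP | 4172 | PCoIP. |
| Unified Access Gateway | Horizon Agent | TCP | 3389 | RDP. |
| Unified Access Gateway | Horizon Agent | TCP | 9427 | Optional for client drive redirection (CDR) and multimedia redirection (MMR). By default, when using Blast Extreme, CDR traffic is side-channeled in the Blast Extreme ports indicated previously. If you prefer, this traffic can be separated onto the port indicated here. |
| Unified Access Gateway | Horizon Agent | TCP | 32111 | Optional for USB redirection. By default, USB traffic is side-channeled in the Blast Extreme or PCoIP ports indicated previously. If you prefer, this traffic can be separated onto the port indicated here. |
| Unified Access Gateway | VMware Identity Manager | TCP | 443 | |
| Unified Access Gateway | RADIUS,… | UDP | 5500 | Other authentication sources such as RADIUS. Default value for RADIUS is shown but is configurable. |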
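
Added example (not part of the VMware paper): the rule from About This Guide, that ports for unused display protocols can be omitted, applied to a Unified Access Gateway. The rows are transcribed from the external-connection table and the Unified Access Gateway table; the feature tags, zone names and sample firewall rules are assumptions constructed for this example.

```python
from typing import NamedTuple


class Rule(NamedTuple):
    src: str
    dst: str
    proto: str
    port: int


# Rows transcribed from the paper's external-connection and Unified Access
# Gateway tables. The feature tag on each row and the zone names are this
# example's own grouping (assumptions), not VMware terminology.
PORT_TABLE = [
    (Rule("client", "uag", "TCP", 443), "login"),
    (Rule("client", "uag", "TCP", 443), "blast"),
    (Rule("client", "uag", "UDP", 443), "blast"),
    (Rule("client", "uag", "TCP", 8443), "blast-8443"),   # optional
    (Rule("client", "uag", "UDP", 8443), "blast-8443"),   # optional
    (Rule("client", "uag", "TCP", 4172), "pcoip"),
    (Rule("client", "uag", "UDP", 4172), "pcoip"),
    (Rule("uag", "connection-server", "TCP", 443), "login"),
    (Rule("uag", "agent", "TCP", 22443), "blast"),
    (Rule("uag", "agent", "UDP", 22443), "blast"),
    (Rule("uag", "agent", "TCP", 4172), "pcoip"),
    (Rule("uag", "agent", "UDP", 4172), "pcoip"),
    (Rule("uag", "agent", "TCP", 3389), "rdp"),
    (Rule("uag", "agent", "TCP", 9427), "cdr-mmr-port"),  # optional
    (Rule("uag", "agent", "TCP", 32111), "usb-port"),     # optional
]
KNOWN_FEATURES = {feature for _, feature in PORT_TABLE}


def required_rules(features):
    """Rules needed for the features in use; login is always required."""
    active = set(features) | {"login"}
    unknown = active - KNOWN_FEATURES
    if unknown:
        raise ValueError(f"unknown feature(s): {sorted(unknown)}")
    return {rule for rule, feature in PORT_TABLE if feature in active}


def audit(existing, features):
    """Return (excess, missing): rules to close and rules still to open."""
    needed = required_rules(features)
    existing = {Rule(*r) for r in existing}
    return sorted(existing - needed), sorted(needed - existing)


# Constructed sample: firewall rules of a Blast-only deployment that still
# carries PCoIP and RDP openings from an earlier configuration.
SAMPLE_FIREWALL = [
    ("client", "uag", "TCP", 443),
    ("client", "uag", "UDP", 443),
    ("client", "uag", "TCP", 4172),
    ("client", "uag", "UDP", 4172),
    ("uag", "connection-server", "TCP", 443),
    ("uag", "agent", "TCP", 22443),
    ("uag", "agent", "TCP", 4172),
    ("uag", "agent", "UDP", 4172),
    ("uag", "agent", "TCP", 3389),
]

if __name__ == "__main__":
    excess, missing = audit(SAMPLE_FIREWALL, {"blast"})
    for rule in excess:
        print("not needed, close:", rule)
    for rule in missing:
        print("needed, not open: ", rule)
```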


Security Server
The following table lists network ports for connections from a security server to other Horizon 7
components. The diagrams following the table show network ports for external connections when using
a security server, by display protocol.

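| Source | Destination | Network protocol | Destination port | Details |
|---|---|---|---|---|
| Security server | View Connection Server | UDP | 500 | IPsec negotiation traffic. |
| Security server | View Connection Server | ESP | IP Protocol 50 | AJP13-forwarded web traffic, when using IPsec without a NAT device. |
| Security server | View Connection Server | UDP | 4500 | AJP13-forwarded web traffic, when using IPsec through a NAT device. |
| Security server | View Connection Server | TCP | 8009 | AJP13-forwarded web traffic, if not using IPsec. |
| Security server | View Connection Server | TCP | 4001 | JMS traffic. |
| Security server | View Connection Server | TCP | 4002 | JMS SSL traffic. |
| Security server | Horizon Agent | TCP | 22443 | Blast Extreme. |
| Security server | Horizon Agent | TCP | 4172 | PCoIP. |
| Security server | Horizon Agent | UDP | 4172 | PCoIP. |
| Security server | Horizon Agent | TCP | 3389 | RDP. |
| Security server | Horizon Agent | TCP | 9427 | Optional for client drive redirection (CDR) and multimedia redirection (MMR). By default, when using Blast Extreme, CDR traffic is side-channeled in the Blast Extreme ports indicated above. If you prefer, this traffic can be separated onto the port indicated here. |
| Security server | Horizon Agent | TCP | 32111 | Optional for USB redirection. By default, USB traffic is side-channeled in the Blast Extreme or PCoIP ports indicated previously. If you prefer, this traffic can be separated onto the port indicated here. |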


Figure 14: External Connection Showing All Display Protocols (Using Security Server)

Figure 15: Blast Extreme External Connection (Using Security Server)


Figure 16: PCoIP External Connection (Using Security Server)

Figure 17: HTML Access External Connection (Using Security Server)


VMware Identity Manager


The following table lists the network ports for connections from VMware Identity Manager to other
Horizon 7 components.

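| Source | Destination | Network protocol | Destination port | Details |
|---|---|---|---|---|
| VMware Identity Manager | View Connection Server | TCP | 389 | |
| VMware Identity Manager | View Connection Server | TCP | 443 | |
| VMware Identity Manager | VMware Identity Manager | TCP | 443 | |
| VMware Identity Manager | VMware Identity Manager | TCP | 9300-9400 | Audit needs. |
| VMware Identity Manager | SMTP server | TCP | 25 | SMTP port to relay outbound mail. |
| VMware Identity Manager | Domain controllers | TCP | 389 | LDAP to Active Directory. Default, but is configurable. |
| VMware Identity Manager | Domain controllers | Both | 88 | Kerberos authentication. |
| VMware Identity Manager | Domain controllers | Both | 464 | Kerberos password change. |
| VMware Identity Manager | Domain controllers | TCP | 135 | RPC. |
| VMware Identity Manager | DNS servers | Both | 53 | DNS lookup. |
| VMware Identity Manager | Citrix Integration Broker server | TCP | 80, 443 | Connection to the Citrix Integration Broker. Port option depends on whether a certificate is installed on the Integration Broker server. |
| VMware Identity Manager | File servers | TCP | 445 | Access to the VMware ThinApp® repository on SMB share. |
| VMware Identity Manager | vapp-updates.vmware.com | TCP | 443 | Access to the upgrade server. |
| VMware Identity Manager | RSA SecurID system | UDP | 5500 | Default value is shown. This port is configurable. |
| VMware Identity Manager | VMware AirWatch REST API | TCP | 443 | For device compliance-checking, and for the VMware AirWatch Cloud Connector password authentication method, if that is used. |
| VMware Identity Manager | Database | TCP | 1433 | If using an external Microsoft SQL database (default port is 1443). |
| VMware Identity Manager | Database | TCP | 5432 | If using an external PostgreSQL database. |
| VMware Identity Manager | Database | TCP | 1521 | If using an external Oracle database. |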


App Volumes Manager


The following table lists network ports for connections from App Volumes Manager to other Horizon 7
components.

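| Source | Destination | Network protocol | Destination port | Details |
|---|---|---|---|---|
| App Volumes Manager | vCenter Server | TCP | 443 | SOAP. |
| App Volumes Manager | ESXi | TCP | 443 | Hostd. |
| App Volumes Manager | Database | TCP | 1433 | Default port for Microsoft SQL. |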

vRealize Operations for Horizon


The following table lists network ports for connections from vRealize Operations for Horizon, to other
Horizon 7 components.

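| Source | Destination | Network protocol | Destination port | Details |
|---|---|---|---|---|
| vRealize Operations for Horizon | View Connection Server | TCP | 3091 | Remote Method Invocation (RMI) registry lookup. |
| vRealize Operations for Horizon | View Connection Server | TCP | 3101 | Broker message server – Send topology data. |
| vRealize Operations for Horizon | View Connection Server | TCP | 3100 | Certificate management server – Pair. |
| vRealize Operations for Horizon | Horizon Agent | TCP | 3901 | Remote Method Invocation (RMI) registry lookup. |
| vRealize Operations for Horizon | Horizon Agent | TCP | 3909 | Desktop message server. |
| vRealize Operations for Horizon | Unified Access Gateway | TCP | 9443 | Monitoring of Unified Access Gateway appliances. |
| vRealize Operations for Horizon | App Volumes Manager | TCP | 443 | Monitoring of App Volumes Managers. |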


Management
The following table lists network ports for the administrative consoles in Horizon 7.

| Source | Destination | Network protocol | Destination port | Details |
|---|---|---|---|---|
| Administrative console in browser | View Connection Server | TCP | 443 | https://<Connection Server FQDN>/admin |
| Administrative console in browser | vCenter Server | TCP | 443 | https://<vCenter Server FQDN>/vsphere-client and https://<vCenter Server FQDN>/ui |
| Administrative console in browser | App Volumes Manager | TCP | 443 | https://<App Volumes Manager Server FQDN>/ |
| Administrative console in browser | VMware Identity Manager | TCP | 8443 | https://<Identity Manager Instance FQDN> and https://<Identity Manager Appliance FQDN>:8443/cfg/login |
| Administrative console in browser | vRealize Operations for Horizon | TCP | 443 | https://<vRealize Manager FQDN or IP Address>/admin |
| Administrative console in browser | Unified Access Gateway | TCP | 9443 | https://<Unified Access Gateway FQDN or IP Address>:9443/admin/ |


Display-Protocol-Specific Diagram Views


The following diagrams display network ports for connections, by display protocol (Blast Extreme or
PCoIP), and for HTML Access client connections.

Figure 18: Blast Extreme Connections

Figure 19: PCoIP Connections


Figure 20: HTML Access Connections


About the Author and Contributors


Graeme Gordon, Senior Staff End-User-Computing Architect, EUC Technical Marketing, VMware,
created these network-port diagrams and wrote the accompanying document.

The following people contributed their knowledge and assisted with reviewing:
• Frank Anderson, EUC Technical Marketing Architect, EUC Technical Marketing, VMware
• Mark Benson, Sr. Staff Engineer, EUC CTO Office, VMware
• Paul Green, Staff Engineer, Enterprise Desktop, VMware
• Andrew Jewitt, Staff Engineer, Enterprise Desktop, VMware
• Ramu Panayappan, Director, R&D, Enterprise Desktop, VMware
• Rick Terlep, EUC Architect, EUC Technical Marketing, VMware
• Jim Yanik, Senior Manager, EUC Technical Marketing, VMware

To comment on this paper, contact VMware End-User-Computing Technical Marketing at
euc_tech_content_feedback@vmware.com.

VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com
Copyright © 2017 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed
at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be
trademarks of their respective companies. Item No: VMW-TWP-NETWKPORTSHORIZ7-USLTR-20170908-WEB
9/17
