Network Ports in VMware Horizon | VMware

Network Ports in VMware Horizon

Client Connections

Network ports for connections between a client (either Horizon Client or a browser) and the various Horizon components vary by whether the connections are internal, external, or tunneled.

Internal Connection

An internal connection is typically used within the internal network. Initial authentication is performed to the Horizon Connection Server, and then the Horizon Client connects directly to the Horizon Agent running in the virtual desktop or RDS Host.

The following table lists network ports for internal connections from a client device to Horizon components. The diagrams following the table show network ports for internal connections, by display protocol.

Source | Destination | Network Protocol | Destination Port | Details
Horizon Client | Horizon Connection Server | TCP | 443 | Login traffic. SSL (HTTPS access) is enabled by default for client connections, but port 80 (HTTP access) can be used in some cases. See HTTP Redirection in VMware Horizon in Horizon Security.
Horizon Client | Horizon Agent | TCP | 22443 | Blast Extreme.
Horizon Client | Horizon Agent | UDP | 22443 | Blast Extreme.
Horizon Client | Horizon Agent | TCP | 4172 | PCoIP.
Horizon Client | Horizon Agent | UDP | 4172 | PCoIP.
Horizon Client | Horizon Agent | TCP | 3389 | RDP.
Horizon Client | Horizon Agent | TCP | 9427 | Windows multimedia redirection, client drive redirection, HTML5 multimedia redirection, Microsoft Teams optimization, VMware printer redirection, and USB redirection. By default, when using Blast Extreme, client drive redirection traffic is side-channeled over the Blast Extreme ports listed above.
Horizon Client | Horizon Agent | TCP | 32111 | USB redirection and time synchronization. When using Blast Extreme, USB redirection traffic can also be side-channeled over the Blast Extreme ports listed above. See the note below.
Browser | Horizon Connection Server | TCP | 8443 | Horizon HTML Access.
Horizon Client or browser | Workspace ONE Access Appliance | TCP | 443 | Workspace ONE Access login and data traffic.
Horizon Client or browser | Workspace ONE Access Appliance | TCP and UDP | 88 | iOS single sign-on (SSO).
Horizon Client or browser | Workspace ONE Access Appliance | TCP | 5262 | Android single sign-on (SSO).
Horizon Client or browser | Workspace ONE Access Appliance | TCP | 7443 | SSL certificate authentication.
Horizon Client or browser | Workspace ONE Access Connector | TCP | 443 | Required only for a connector running in inbound mode (outbound mode is recommended), or when Kerberos authentication is configured on the connector.

Notes:

With the VMware Blast display protocol, you can configure features such as USB redirection and client drive redirection to send their side-channel traffic over the Blast Extreme ports (TCP and UDP 22443) rather than over the dedicated TCP 32111 and TCP 9427 ports, which reduces the set of ports that must be open between clients and desktops.

External Connection

An external connection provides secure access to Horizon resources from an external network. A Unified Access Gateway (UAG) provides the secure edge services. All communication from the client goes to that edge device, which then communicates with the internal resources; no Connection Server or agent port should be reachable directly from the external network.

The following table lists network ports for external connections from a client device to Horizon components. The diagrams following the table show network ports for external connections, by display protocol, all with Unified Access Gateway.

Source | Destination | Network Protocol | Destination Port | Details
Horizon Client | Unified Access Gateway | TCP | 443 | Login traffic. SSL (HTTPS access) is enabled by default for client connections, but port 80 (HTTP access) can be used in some cases. See HTTP Redirection in VMware Horizon in Horizon Security. Can also carry tunneled RDP, client drive redirection, and USB redirection traffic.
Horizon Client | Unified Access Gateway | TCP | 4172 | PCoIP via the PCoIP Secure Gateway on Unified Access Gateway.
Horizon Client | Unified Access Gateway | UDP | 4172 | PCoIP via the PCoIP Secure Gateway on Unified Access Gateway.
Horizon Client | Unified Access Gateway | TCP | 8443 | Blast Extreme via the Blast Secure Gateway on Unified Access Gateway for data traffic (performant channel).
Horizon Client | Unified Access Gateway | UDP | 8443 | Blast Extreme via the Blast Secure Gateway on Unified Access Gateway for data traffic (adaptive transport).
Horizon Client | Unified Access Gateway | TCP | 443 | Blast Extreme via the Blast Secure Gateway on Unified Access Gateway for data traffic where port sharing is used. This replaces TCP 8443.
Browser | Unified Access Gateway | TCP | 8443 or 443 | Horizon HTML Access. 8443 is the default but can be changed to 443 on Unified Access Gateway.
Horizon Client or browser | Workspace ONE Access Appliance | TCP | 443 | Workspace ONE Access login and data traffic.
Horizon Client or browser | Workspace ONE Access Appliance | TCP and UDP | 88 | iOS single sign-on (SSO).
Horizon Client or browser | Workspace ONE Access Appliance | TCP | 5262 | Android single sign-on (SSO).
Horizon Client or browser | Workspace ONE Access Appliance | TCP | 7443 | SSL certificate authentication.
Horizon Client or browser | Workspace ONE Access Connector | TCP | 443 | Required only for a connector running in inbound mode (outbound mode is recommended), or when Kerberos authentication is configured on the connector.

Notes:

The Blast Secure Gateway on Unified Access Gateway can dynamically adjust to network conditions such as varying speeds and packet loss. On Unified Access Gateway, you can configure the ports used by the Blast protocol:

  • By default, Blast Extreme uses the standard ports TCP 8443 and UDP 8443.

  • Port 443 can also be configured for Blast TCP, so that Blast shares the port already open for login traffic.

  • The port configuration is set through the Unified Access Gateway Blast External URL property.

If you configure Unified Access Gateway to use both IPv4 and IPv6 (dual mode), then Blast TCP and UDP must be set to port 443. You can enable Unified Access Gateway to act as a bridge for IPv6 Horizon clients connecting to an IPv4 back-end Connection Server or agent environment. See Unified Access Gateway Support for IPv4 and IPv6 Dual Mode for Horizon Infrastructure.

Tunneled Connection

A tunneled connection uses the Horizon Connection Server to provide gateway services. Authentication and session traffic is routed through the Horizon Connection Server. This approach is less frequently used because Unified Access Gateway can provide the same and more functionality.

The following table lists network ports for tunneled connections from a client device to the Horizon components. The diagrams following the table show network ports for tunneled connections, by display protocol.

Source | Destination | Network Protocol | Destination Port | Details
Horizon Client | Horizon Connection Server | TCP | 443 | Login. SSL (HTTPS access) is enabled by default for client connections, but port 80 (HTTP access) can be used in certain cases. See HTTP Redirection in VMware Horizon in Horizon Security. Can also carry tunneled RDP, client drive redirection, and USB redirection traffic.
Horizon Client | Horizon Connection Server | TCP | 8443 | Blast Extreme to the Blast Secure Gateway.
Horizon Client | Horizon Connection Server | TCP | 4172 | PCoIP to the PCoIP Secure Gateway.
Horizon Client | Horizon Connection Server | UDP | 4172 | PCoIP to the PCoIP Secure Gateway.
Browser | Horizon Connection Server | TCP | 8443 | Horizon HTML Access.
Horizon Client or browser | Workspace ONE Access Appliance | TCP | 443 | Workspace ONE Access login and data traffic.
Horizon Client or browser | Workspace ONE Access Appliance | TCP and UDP | 88 | iOS single sign-on (SSO).
Horizon Client or browser | Workspace ONE Access Appliance | TCP | 5262 | Android single sign-on (SSO).
Horizon Client or browser | Workspace ONE Access Appliance | TCP | 7443 | SSL certificate authentication.
Horizon Client or browser | Workspace ONE Access Connector | TCP | 443 | Required only for a connector running in inbound mode (outbound mode is recommended), or when Kerberos authentication is configured on the connector.
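
The three client tables above (internal, external and tunneled) say which flows a client must be able to open and, for the external case, that only the Unified Access Gateway should answer. The following Python is an added example, not code from VMware or from this page: it encodes that port matrix and probes it from the client-side network. Required TCP flows that do not answer are reported as blocked; from an external network, any Connection Server or agent port that answers directly is reported as exposed, because such a path lets clients bypass the gateway. The role names ("connection_server", "uag", "agent"), the placeholder addresses and the probe's open/closed/filtered classification are assumptions of the example; UDP flows (Blast and PCoIP adaptive transports) are listed as unverified because a TCP connect cannot test them.

```python
"""Expected client flows for Horizon, plus a TCP exposure probe.

Added example, not VMware code. The port matrix is transcribed from the
Internal, External and Tunneled tables on this page; the role names
("connection_server", "uag", "agent") and any addresses passed in are the
caller's assumptions.
"""
from __future__ import annotations

import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    dst: str      # role of the destination host
    proto: str    # "tcp" or "udp"
    port: int
    purpose: str


def required_flows(mode: str, display: str) -> set[Flow]:
    """Flows a client needs for a connection mode and display protocol."""
    if mode not in ("internal", "external", "tunneled"):
        raise ValueError(f"unknown mode {mode!r}")
    if display not in ("blast", "pcoip", "rdp"):
        raise ValueError(f"unknown display protocol {display!r}")
    if mode == "internal":
        # Authenticate to the Connection Server, then talk to the agent directly.
        flows = {Flow("connection_server", "tcp", 443, "login")}
        session = {
            "blast": {Flow("agent", "tcp", 22443, "Blast Extreme"),
                      Flow("agent", "udp", 22443, "Blast Extreme")},
            "pcoip": {Flow("agent", "tcp", 4172, "PCoIP"),
                      Flow("agent", "udp", 4172, "PCoIP")},
            "rdp": {Flow("agent", "tcp", 3389, "RDP")},
        }[display]
        # Dedicated side-channel ports; with Blast these can instead ride in 22443.
        session |= {Flow("agent", "tcp", 9427, "MMR, CDR, printer redirection"),
                    Flow("agent", "tcp", 32111, "USB redirection, time sync")}
        return flows | session
    # External and tunneled: every flow terminates on the edge (UAG or
    # Connection Server); RDP, CDR and USB ride inside the TCP 443 tunnel.
    edge = "uag" if mode == "external" else "connection_server"
    flows = {Flow(edge, "tcp", 443, "login; tunneled RDP, CDR, USB")}
    if display == "blast":
        flows.add(Flow(edge, "tcp", 8443, "Blast via Blast Secure Gateway"))
        if mode == "external":
            flows.add(Flow(edge, "udp", 8443, "Blast adaptive transport"))
    elif display == "pcoip":
        flows |= {Flow(edge, "tcp", 4172, "PCoIP via PCoIP Secure Gateway"),
                  Flow(edge, "udp", 4172, "PCoIP via PCoIP Secure Gateway")}
    return flows


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify a TCP port: open (handshake), closed (RST) or filtered (silence)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:          # timeouts and unreachable networks land here
        return "filtered"


def _order(f: Flow):
    return (f.dst, f.proto, f.port)


def check_exposure(mode: str, display: str, hosts: dict[str, str],
                   probe=probe_tcp) -> dict[str, list[str]]:
    """Compare what the network allows with what the flow model expects.

    hosts maps a role to an address. Returns three lists:
      blocked    - required TCP flows that are not open (the session will fail)
      exposed    - external mode only: internal-only destinations that answer
                   from this network, which the UAG edge design forbids
      unverified - UDP flows a TCP probe cannot test
    """
    out = {"blocked": [], "exposed": [], "unverified": []}
    for f in sorted(required_flows(mode, display), key=_order):
        label = f"{f.dst} {f.proto}/{f.port} ({f.purpose})"
        if f.proto == "udp":
            out["unverified"].append(label)
        elif probe(hosts[f.dst], f.port) != "open":
            out["blocked"].append(label)
    if mode == "external":
        for f in sorted(required_flows("internal", display), key=_order):
            if f.proto == "tcp" and f.dst in hosts and probe(hosts[f.dst], f.port) == "open":
                out["exposed"].append(f"{f.dst} {f.proto}/{f.port} ({f.purpose})")
    return out


if __name__ == "__main__":
    # Placeholder addresses for the example, not a real deployment.
    hosts = {"uag": "203.0.113.10", "connection_server": "10.0.0.2", "agent": "10.0.0.50"}
    for kind, items in check_exposure("external", "blast", hosts).items():
        print(kind, items)
```

Run it from the network segment you want to validate. A clean external result has empty blocked and exposed lists and only the UDP entries under unverified; anything in exposed means the perimeter lets clients reach the Connection Server or desktops without going through the Unified Access Gateway.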

Virtual Desktop or RDS Host

The following table lists network ports for connections from a virtual desktop or RDS host, to other Horizon components.

Source | Destination | Network Protocol | Destination Port | Details
Horizon Agent | Horizon Connection Server | TCP | 4001 | Java Message Service (JMS).
Horizon Agent | Horizon Connection Server | TCP | 4002 | Java Message Service (JMS) when using enhanced security (default).
Horizon Agent | Horizon Connection Server | TCP | 389 | Only required when doing an unmanaged agent registration, for example an RDSH agent install without a linked-clone or instant-clone component.
Horizon Agent | Horizon Cloud Connector | TCP | 11002 | Agent data collection.
App Volumes Agent | App Volumes Manager | TCP | 443 | Can use port 80 if not using SSL certificates to secure communication.
Dynamic Environment Manager FlexEngine | File shares | TCP | 445 | Dynamic Environment Manager agent access to SMB file shares.

Horizon Connection Server

The following table lists network ports for connections from a Horizon Connection Server to other Horizon components.

Source | Destination | Network Protocol | Destination Port | Details
Horizon Connection Server | Horizon Agent | TCP | 22443 | Blast Extreme for a tunneled connection.
Horizon Connection Server | Horizon Agent | TCP | 4172 | PCoIP for a tunneled connection.
Horizon Connection Server | Horizon Agent | UDP | 4172 | PCoIP for a tunneled connection.
Horizon Connection Server | Horizon Agent | TCP | 3389 | RDP for a tunneled connection.
Horizon Connection Server | Horizon Agent | TCP | 9427 | Optional for client drive redirection (CDR) and multimedia redirection (MMR) for a tunneled connection. By default, when using Blast Extreme, CDR traffic is side-channeled over the Blast Extreme ports listed above. If desired, this traffic can be separated onto the port indicated here.
Horizon Connection Server | Horizon Agent | TCP | 32111 | Framework channel, used by ws_admin. One use is for vdmadmin to configure or read from the agent, for example when creating a Data Collection Tool (DCT) log bundle (vdmadmin -A -getDCT…).
Horizon Connection Server | Horizon Agent | TCP | 32111 | USB redirection for a tunneled connection.
Horizon Connection Server | vCenter Server | TCP | 443 | SOAP messages.
Horizon Connection Server | Horizon Connection Server (replica) | TCP | 4100 | JMS to a replica Horizon Connection Server for redundancy and scale.
Horizon Connection Server | Horizon Connection Server (replica) | TCP | 4101 | JMS SSL to a replica Horizon Connection Server for redundancy and scale.
Horizon Connection Server | Horizon Connection Server (replica) | TCP | 32111 | Used during installation of a replica Horizon Connection Server and when rekeying the cluster master secret.
Horizon Connection Server | Horizon Connection Server (replica) | TCP | 135 | MS-RPC endpoint mapper. Required for Connection Server replication.
Horizon Connection Server | Horizon Connection Server (replica) | TCP | 49152-65535 | MS-RPC dynamic client port range. Microsoft Windows Server requires a dynamic range of ports to be open between all Connection Server instances. These ports are required by Microsoft Windows for the normal operation of Remote Procedure Call (RPC) and Active Directory replication. See the note below.
Horizon Connection Server | Horizon Connection Server (replica) | TCP | 389 | Only used during installation of a replica Horizon Connection Server.
Horizon Connection Server | Horizon Connection Server (replica) | TCP | 22389 | Cloud Pod Architecture AD LDS global LDAP replication.
Horizon Connection Server | Horizon Connection Server (replica) | TCP | 22636 | Cloud Pod Architecture AD LDS secure global LDAPS replication.
Horizon Connection Server | Horizon Connection Server (replica) | TCP | 8472 | Cloud Pod Architecture inter-pod VIPA.
Horizon Connection Server | Database (Events) | TCP | 1433 | If using a Microsoft SQL database (1433 is the default port).
Horizon Connection Server | Database (Events) | TCP | 5432 | If using a PostgreSQL database.
Horizon Connection Server | Database (Events) | TCP | 1521 | If using an Oracle database.
Horizon Connection Server | Enrollment Server | TCP | 32111 | Framework channel.
Horizon Connection Server | App Volumes Manager | TCP | 443 | Monitoring and Apps on Demand calls.
Horizon Connection Server | Workspace ONE Access Appliance | TCP | 443 | Message bus.
Horizon Connection Server | AD Domain Controllers | Various | Various | The Connection Server also communicates with domain controllers, using all relevant ports to discover a DC and to bind to and query Active Directory. See https://docs.microsoft.com/en-US/troubleshoot/windows-server/networking/service-overview-and-network-port-requirements
Horizon Connection Server | RSA SecurID Authentication Manager | UDP | 5500 | Two-factor authentication. Default value shown; this port is configurable.

Notes:

Replication requires RPC ports between Connection Servers, both within a pod and between pods with Cloud Pod Architecture (CPA). The RPC port numbers are dynamically allocated after initial communication with the RPC endpoint mapper over TCP port 135, so a firewall between Connection Servers must allow TCP 135 plus the dynamic range in use on each server. Review the RPC port requirements for your Microsoft Windows Server version and the Microsoft documentation on RPC dynamic ports. The dynamic range can be restricted on each Connection Server so that fewer ports need to be opened, provided every instance is configured with a range the firewall allows; an instance left at the Windows default will hand out ports the firewall rules for the restricted range do not cover.
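
Because the RPC port is chosen after the TCP 135 exchange, a blocked replication attempt shows up as a drop on some port inside the dynamic range, and a server whose range differs from its peers produces drops outside the range the firewall was built for. The following Python is an added example, not VMware or Microsoft code: it parses the Windows Defender Firewall pfirewall.log (the W3C layout written when logging of dropped packets is enabled) and classifies TCP drops arriving at Connection Servers against the ports in the table above. The server addresses, the restricted range 49152-49407 (what the Windows command netsh int ipv4 set dynamicport tcp start=49152 num=256 would configure) and the log lines in SAMPLE_LOG are constructed for the example.

```python
"""Triage of Windows Firewall drops between Horizon Connection Servers.

Added example, not VMware or Microsoft code. It reads the W3C-style
pfirewall.log that Windows Defender Firewall writes when logging of dropped
packets is enabled, and relates each drop to the replication ports in the
table above. The Connection Server addresses, the restricted dynamic range
and the log lines in SAMPLE_LOG are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterator

# Fixed TCP ports between Connection Server instances (from the table above).
REPLICATION_TCP = {
    135: "MS-RPC endpoint mapper", 4100: "JMS", 4101: "JMS SSL",
    32111: "replica install / master-secret rekey", 389: "replica install (LDAP)",
    22389: "CPA global LDAP replication", 22636: "CPA global LDAPS replication",
    8472: "CPA inter-pod VIPA",
}


@dataclass(frozen=True)
class Finding:
    when: str
    src: str
    dst: str
    port: int
    kind: str
    note: str


def dynamic_range(start: int = 49152, num: int = 16384) -> range:
    """TCP dynamic range of a server, as 'netsh int ipv4 show dynamicport tcp' reports it.

    Windows defaults to 49152-65535 (num=16384). A smaller num set with
    'netsh int ipv4 set dynamicport tcp start=49152 num=256' lets the firewall
    allow 256 ports instead of 16384, but every Connection Server must match.
    """
    return range(start, start + num)


def parse_pfirewall(text: str) -> Iterator[dict[str, str]]:
    """Yield one dict per log row, using the column names from the #Fields: header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("pfirewall.log has no #Fields: header")
        parts = line.split()
        if len(parts) == len(fields):          # skip truncated rows, never misalign
            yield dict(zip(fields, parts))


def triage(text: str, cs_ips: set[str], dyn: range) -> list[Finding]:
    """Classify TCP drops whose destination is a Connection Server."""
    out = []
    for r in parse_pfirewall(text):
        if r["action"] != "DROP" or r["protocol"] != "TCP" or r["dst-ip"] not in cs_ips:
            continue
        src, dst, port = r["src-ip"], r["dst-ip"], int(r["dst-port"])
        when = f"{r['date']} {r['time']}"
        if src not in cs_ips:
            if port in REPLICATION_TCP or port in dyn:
                out.append(Finding(when, src, dst, port, "non_cs_source",
                                   "correct drop: replication ports should only be "
                                   "reachable from other Connection Servers"))
            continue
        if port in REPLICATION_TCP:
            kind = "replication_port_blocked"
            note = f"allow TCP {port} ({REPLICATION_TCP[port]}) between Connection Servers"
        elif port in dyn:
            kind = "rpc_dynamic_blocked"
            note = f"allow TCP {dyn.start}-{dyn.stop - 1} (RPC dynamic range) between Connection Servers"
        elif port > 1023:
            # The RPC server (dst) handed out a port outside the expected range:
            # its dynamic range is not restricted the same way as its peers.
            kind = "outside_dynamic_range"
            note = f"check 'netsh int ipv4 show dynamicport tcp' on {dst}; it differs from {dyn.start}-{dyn.stop - 1}"
        else:
            continue
        out.append(Finding(when, src, dst, port, kind, note))
    return out


# Constructed sample in the pfirewall.log layout; not from a real server.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2023-01-23 09:14:02 ALLOW TCP 10.0.1.11 10.0.1.12 53412 135 0 - 0 0 0 - - - SEND
2023-01-23 09:14:02 DROP TCP 10.0.1.11 10.0.1.12 53413 49321 52 S 2931811321 0 8192 - - - RECEIVE
2023-01-23 09:14:05 DROP TCP 10.0.1.12 10.0.1.11 61002 4101 52 S 1193821 0 8192 - - - RECEIVE
2023-01-23 09:14:07 DROP TCP 10.0.1.13 10.0.1.11 50001 62001 52 S 77 0 8192 - - - RECEIVE
2023-01-23 09:14:09 DROP TCP 198.51.100.7 10.0.1.11 44444 135 52 S 5 0 8192 - - - RECEIVE
2023-01-23 09:14:11 DROP UDP 10.0.1.11 10.0.1.12 137 137 78 - - - - - - - RECEIVE
"""

if __name__ == "__main__":
    servers = {"10.0.1.11", "10.0.1.12", "10.0.1.13"}
    for f in triage(SAMPLE_LOG, servers, dynamic_range(49152, 256)):
        print(f"{f.when} {f.src} -> {f.dst}:{f.port} {f.kind}: {f.note}")
```

The drop to 62001 is the case the note warns about: with the restricted range it is classified as outside_dynamic_range, pointing at the server that is still using the Windows default, while with dynamic_range() left at the default it is simply another blocked RPC port. The drop from 198.51.100.7 to 135 is reported as a correct drop, since only Connection Servers should reach the endpoint mapper.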

Unified Access Gateway

The following table lists network ports for connections from a Unified Access Gateway to other Horizon components.

Source | Destination | Network Protocol | Destination Port | Details
Unified Access Gateway | Horizon Connection Server | TCP | 443 | Login.
Unified Access Gateway | Horizon Agent | TCP | 22443 | Blast Extreme.
Unified Access Gateway | Horizon Agent | UDP | 22443 | Blast Extreme.
Unified Access Gateway | Horizon Agent | TCP | 4172 | PCoIP.
Unified Access Gateway | Horizon Agent | UDP | 4172 | PCoIP.
Unified Access Gateway | Horizon Agent | TCP | 3389 | RDP.
Unified Access Gateway | Horizon Agent | TCP | 9427 | Windows multimedia redirection, client drive redirection, HTML5 multimedia redirection, Microsoft Teams optimization, VMware printer redirection, and USB redirection. By default, when using Blast Extreme, client drive redirection traffic is side-channeled over the Blast Extreme ports listed above.
Unified Access Gateway | Horizon Agent | TCP | 32111 | USB redirection and time synchronization. When using Blast Extreme, USB traffic can also be side-channeled over the Blast Extreme ports listed above. See the note below.
Unified Access Gateway | RADIUS, RSA SecurID, and other authentication sources | UDP | 5500 | Other authentication sources configured on Unified Access Gateway. UDP 5500 is the RSA SecurID default; RADIUS uses UDP 1812 (authentication) and 1813 (accounting) by default. All of these ports are configurable.

Notes:

With the VMware Blast display protocol, you can configure features such as USB redirection and client drive redirection to send their side-channel traffic over the Blast Extreme ports (TCP and UDP 22443) rather than over the dedicated TCP 32111 and TCP 9427 ports, which reduces the set of ports that must be open from Unified Access Gateway to the desktops.

Enrollment Server

The following table lists network ports for connections from a Horizon Enrollment Server.

Source | Destination | Network Protocol | Destination Port | Details
Enrollment Server | AD Certificate Services | TCP | 135 | The Enrollment Server requests a certificate from the Microsoft Certificate Authority (CA) to generate a temporary, short-lived certificate. The enrollment service uses TCP 135 (RPC endpoint mapper) for the initial communication with the CA, then a dynamically assigned port from 1024-5000 or 49152-65535, depending on the Windows Server version of the CA. See Certificate Services in https://support.microsoft.com/en-us/help/832017#method4.
Enrollment Server | AD Domain Controllers | Various | Various | The Enrollment Server also communicates with domain controllers, using all relevant ports to discover a DC and to bind to and query Active Directory. See https://docs.microsoft.com/en-US/troubleshoot/windows-server/networking/service-overview-and-network-port-requirements

Horizon Cloud Connector

The Horizon Cloud Connector is a virtual appliance that connects a Connection Server in a pod with the VMware Cloud Service. The Horizon Cloud Connector is required when using Horizon subscription licenses. The following table lists network ports for connections from a Horizon Cloud Connector.

Source | Destination | Network Protocol | Destination Port | Details
Horizon Cloud Connector | Horizon Connection Server | TCP | 443 | Horizon pod integration.
Horizon Cloud Connector | Horizon Connection Server | TCP | 4002 | Java Message Service (JMS).
Horizon Cloud Connector | Horizon Connection Server | TCP | 33443 | Universal Broker client on the Horizon Cloud Connector to the Universal Broker plugin on the Connection Server. The port can be specified during installation of the Universal Broker plugin.
Horizon Cloud Connector | vCenter Server | TCP | 443 | Used by the Image Management Service and during automatic upgrade of the connector.
Horizon Cloud Connector | Horizon Cloud Service Control Plane | TCP | 443 | https://cloud.horizon.vmware.com, plus one of the following regional control plane instances, depending on which is specified in your Horizon Cloud tenant account: cloud-us-2.horizon.vmware.com, cloud-eu-central-1.horizon.vmware.com, cloud-eu-2.horizon.vmware.com, cloud-ap-southeast-2.horizon.vmware.com, cloud-ap-2.horizon.vmware.com, cloud-jp.horizon.vmware.com, cloud-uk.horizon.vmware.com.
Horizon Cloud Connector | Horizon Cloud Monitoring Service (CMS) | TCP | 443 | Depends on which regional control plane is specified in your Horizon Cloud account. North America: kinesis.us-east-1.amazonaws.com, query-prod-us-east-1.cms.vmware.com. Europe: kinesis.eu-central-1.amazonaws.com, query-prod-eu-central-1.cms.vmware.com. Australia: kinesis.ap-southeast-2.amazonaws.com, query-prod-ap-southeast-2.cms.vmware.com. Japan: kinesis.ap-northeast-1.amazonaws.com, query-prod-ap-northeast-1.cms.vmware.com. United Kingdom: kinesis.eu-west-2.amazonaws.com, query-prod-eu-west-2.cms.vmware.com.
Horizon Cloud Connector | Certificate Authority | TCP | 443 | CRL or OCSP queries used to validate certificates issued by the certificate authority, DigiCert: *.digicert.com. See the note below for the specific names if wildcards are not permitted.
Horizon Cloud Connector | Universal Broker | TCP | 443 | Regional instance of the Universal Broker service, depending on which regional control plane instance is specified in your Horizon Cloud tenant account. United States: connector-azure-us.vmwarehorizon.com. Europe: connector-azure-eu.vmwarehorizon.com. Australia: connector-azure-aus.vmwarehorizon.com. Japan: connector-azure-jp.vmwarehorizon.com. United Kingdom: connector-azure-uk.vmwarehorizon.com. Germany: connector-azure-de.vmwarehorizon.com.
Horizon Cloud Connector | Horizon Cloud Connector | TCP | 22 | Used during upgrades. Listens for requests to start the upgrade process.

Notes:

The regional instance is set when the account is created, as described in Deployments and Onboarding to Horizon Cloud for Microsoft Azure and Horizon Pods.

Certificate Authority: If your organization discourages the use of wildcards in allowable DNS names, you can specify the individual DigiCert names used for the Certificate Authority CRL or OCSP queries. At the time of this writing, the specific DNS names required for certificate validation are:

  • ocsp.digicert.com

  • crl3.digicert.com

  • crl4.digicert.com

  • www.digicert.com/CPS (for a hostname-based allowlist, www.digicert.com)

These DNS names are determined by DigiCert and are subject to change. For instructions on how to obtain the specific names required by your certificates, refer to VMware Knowledge Base (KB) article 79859.
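
The table and note above give the hostnames a Horizon Cloud Connector needs to reach and the choice between a wildcard and explicit DigiCert names. The following Python is an added example, not VMware code, that turns those names into an egress policy and audits an explicit proxy's log against it: it flags connector traffic to hosts outside the list, traffic to an allowed host on an unexpected port, and required destinations that the proxy denied. The US-region tenant, the connector address 10.0.2.20, allowing port 80 as well as 443 for CRL and OCSP fetches, and the Squid-format log lines in SAMPLE_LOG are assumptions constructed for the example. Host matching is anchored at a label boundary so that a wildcard entry cannot be satisfied by a look-alike domain.

```python
"""Egress audit for a Horizon Cloud Connector behind an explicit proxy.

Added example, not VMware code. The destination names come from the Horizon
Cloud Connector table on this page. The US-region tenant, the connector
address 10.0.2.20, the allow-port-80-for-CRL/OCSP rule and the Squid-format
proxy log lines in SAMPLE_LOG are constructed for this example.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Names the page lists for DigiCert revocation checks, for a no-wildcard policy.
DIGICERT_SPECIFIC = ("ocsp.digicert.com", "crl3.digicert.com",
                     "crl4.digicert.com", "www.digicert.com")


def egress_allowlist(control_plane: str, cms: tuple[str, str], broker: str,
                     allow_wildcards: bool = True) -> dict[str, set[int]]:
    """Map each permitted destination to the ports it may be reached on.

    Everything the connector talks to is TCP 443 per the table; CRL and OCSP
    fetches are additionally allowed on 80 here (assumption for the example).
    """
    allow = {"cloud.horizon.vmware.com": {443}, control_plane: {443},
             cms[0]: {443}, cms[1]: {443}, broker: {443}}
    for name in (("*.digicert.com",) if allow_wildcards else DIGICERT_SPECIFIC):
        allow[name] = {80, 443}
    return allow


def host_matches(host: str, pattern: str) -> bool:
    """Exact match, or '*.example.com' matching any name below example.com.

    Anchored at a label boundary: 'evil-example.com' and
    'example.com.attacker.test' never match '*.example.com'.
    """
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith("." + pattern[2:])
    return host == pattern


def permitted(host: str, port: int, allow: dict[str, set[int]]) -> str:
    """Return 'ok', 'unexpected_port' or 'not_in_allowlist'."""
    for pattern, ports in allow.items():
        if host_matches(host, pattern):
            return "ok" if port in ports else "unexpected_port"
    return "not_in_allowlist"


def parse_squid(line: str):
    """Parse Squid's native access.log layout:
    time elapsed client code/status bytes method url ident hierarchy/peer type"""
    parts = line.split()
    if len(parts) < 10:
        return None
    client, status, method, url = parts[2], parts[3], parts[5], parts[6]
    if method == "CONNECT":                 # url is host:port
        host, _, port_text = url.rpartition(":")
        port = int(port_text)
    else:
        u = urlsplit(url)
        host = u.hostname or ""
        port = u.port or (443 if u.scheme == "https" else 80)
    return {"client": client, "denied": status.startswith("TCP_DENIED"),
            "host": host, "port": port}


def audit(log: str, connector_ip: str, allow: dict[str, set[int]]):
    """Report (host, port, reason) for connector traffic that contradicts the policy."""
    findings = []
    for line in log.splitlines():
        r = parse_squid(line)
        if not r or r["client"] != connector_ip:
            continue
        verdict = permitted(r["host"], r["port"], allow)
        if verdict == "ok":
            if r["denied"]:                 # a required destination is being blocked
                findings.append((r["host"], r["port"], "required_but_denied"))
        elif not r["denied"]:               # the proxy let through something off-policy
            findings.append((r["host"], r["port"], verdict))
    return findings


# Constructed Squid access.log lines; 10.0.2.20 is the connector, 10.0.2.31 is another host.
SAMPLE_LOG = """\
1674466800.001    210 10.0.2.20 TCP_TUNNEL/200 9120 CONNECT cloud.horizon.vmware.com:443 - HIER_DIRECT/192.0.2.10 -
1674466801.002    180 10.0.2.20 TCP_TUNNEL/200 4410 CONNECT cloud-us-2.horizon.vmware.com:443 - HIER_DIRECT/192.0.2.11 -
1674466802.003     90 10.0.2.20 TCP_MISS/200 1290 GET http://ocsp.digicert.com/ - HIER_DIRECT/192.0.2.12 application/ocsp-response
1674466803.004    130 10.0.2.20 TCP_TUNNEL/200 2201 CONNECT kinesis.us-east-1.amazonaws.com:443 - HIER_DIRECT/192.0.2.13 -
1674466804.005      5 10.0.2.20 TCP_DENIED/403 3821 CONNECT connector-azure-us.vmwarehorizon.com:443 - HIER_NONE/- text/html
1674466805.006    240 10.0.2.20 TCP_TUNNEL/200 8800 CONNECT updates.example.net:443 - HIER_DIRECT/192.0.2.14 -
1674466806.007     60 10.0.2.20 TCP_TUNNEL/200 1200 CONNECT cloud-us-2.horizon.vmware.com:8443 - HIER_DIRECT/192.0.2.11 -
1674466807.008    300 10.0.2.31 TCP_TUNNEL/200 5000 CONNECT www.example.org:443 - HIER_DIRECT/192.0.2.15 -
"""

# Assumed US-region tenant, with the no-wildcard DigiCert policy.
US_TENANT = egress_allowlist("cloud-us-2.horizon.vmware.com",
                             ("kinesis.us-east-1.amazonaws.com",
                              "query-prod-us-east-1.cms.vmware.com"),
                             "connector-azure-us.vmwarehorizon.com",
                             allow_wildcards=False)

if __name__ == "__main__":
    for host, port, reason in audit(SAMPLE_LOG, "10.0.2.20", US_TENANT):
        print(f"{reason}: {host}:{port}")
```

With the explicit-name policy, a DigiCert host that is not one of the four listed names is reported as not_in_allowlist, whereas the wildcard policy accepts it; that is the trade-off the note describes, and the reason KB 79859 should be consulted when the names DigiCert uses change.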

vCenter Server

The following table lists network ports for connections from a vCenter Server to other Horizon components.

Source | Destination | Network Protocol | Destination Port | Details
vCenter Server | ESXi | TCP | 902 | SOAP.

Workspace ONE Access

The following table lists the network ports for connections from Workspace ONE Access (formerly VMware Identity Manager) to other Horizon components.

Source | Destination | Network Protocol | Destination Port | Details
Workspace ONE Access Appliance | Workspace ONE Access Appliance | TCP | 443 | Appliance-to-appliance cluster communication.
Workspace ONE Access Appliance | Workspace ONE Access Appliance | TCP | 8443 | Appliance-to-appliance cluster communication.
Workspace ONE Access Appliance | Workspace ONE Access Appliance | TCP | 8200 | ElasticSearch.
Workspace ONE Access Appliance | Workspace ONE Access Appliance | TCP | 5701 | Hazelcast cache.
Workspace ONE Access Appliance | Workspace ONE Access Appliance | TCP | 40002, 40003 | EHCache.
Workspace ONE Access Appliance | Workspace ONE Access Appliance | TCP | 9300 | Audit needs.
Workspace ONE Access Appliance | Workspace ONE Access Appliance | UDP | 54328 | Audit needs.
Workspace ONE Access Appliance | Workspace ONE Access Appliance | TCP | 9400 | vPostgres.
Workspace ONE Access Appliance | DNS servers | TCP and UDP | 53 | DNS lookup.
Workspace ONE Access Appliance | NTP | UDP | 123 | Time sync.
Workspace ONE Access Appliance | SMTP server | TCP | 25 | SMTP port to relay outbound mail.
Workspace ONE Access Appliance | Syslog | UDP | 514 | External syslog server, if configured.
Workspace ONE Access Appliance | Log Insight | TCP | 9543 | vRealize Log Insight ingestion, if configured.
Workspace ONE Access Appliance | OCSP | TCP | 80 | Online Certificate Status Protocol.
Workspace ONE Access Appliance | KDC | UDP | 88 | Hybrid KDC.
Workspace ONE Access Appliance | VMware Verify | TCP | 443 | VMware Verify two-factor authentication service.
Workspace ONE Access Appliance | Database | TCP | 1433 | If using an external Microsoft SQL database (1433 is the default port).
Workspace ONE Access Appliance | Database | TCP | 5432 | If using an external PostgreSQL database.
Workspace ONE Access Appliance | Database | TCP | 1521 | If using an external Oracle database.
Workspace ONE Access Appliance | Workspace ONE UEM (AirWatch) REST API | TCP | 443 | For device compliance checking, and for the AirWatch Cloud Connector password authentication method, if used.
Workspace ONE Access Appliance | vapp-updates.vmware.com | TCP | 443 | Access to the upgrade server.

The following table lists network ports for connections from the Workspace ONE Access Connector.

Source | Destination | Network Protocol | Destination Port | Details
Workspace ONE Access Connector | Workspace ONE Access Appliance | TCP | 443 | Connector-to-appliance communication.
Workspace ONE Access Connector | Horizon Connection Server | TCP | 443 | Horizon integration.
Workspace ONE Access Connector | Horizon Connection Server | TCP | 389 | Communication to Lightweight Directory Services (LDS) to sync entitlements.
Workspace ONE Access Connector | Domain controllers | TCP | 389 | LDAP to Active Directory. Default, but configurable.
Workspace ONE Access Connector | Domain controllers | TCP | 636 | LDAPS to Active Directory.
Workspace ONE Access Connector | Domain controllers | TCP | 3268 | AD Global Catalog.
Workspace ONE Access Connector | Domain controllers | TCP | 3269 | AD Global Catalog over SSL.
Workspace ONE Access Connector | Domain controllers | TCP and UDP | 88 | Kerberos authentication.
Workspace ONE Access Connector | Domain controllers | TCP and UDP | 464 | Kerberos password change.
Workspace ONE Access Connector | Domain controllers | TCP | 135 | RPC.
Workspace ONE Access Connector | DNS servers | TCP and UDP | 53 | DNS lookup.
Workspace ONE Access Connector | NTP | UDP | 123 | Time sync.
Workspace ONE Access Connector | Syslog | UDP | 514 | External syslog server, if configured.
Workspace ONE Access Connector | Log Insight | TCP | 9543 | vRealize Log Insight ingestion, if configured.
Workspace ONE Access Connector | OCSP | TCP | 80 | Online Certificate Status Protocol.
Workspace ONE Access Connector | File servers | TCP | 445 | Access to the ThinApp repository on an SMB share.
Workspace ONE Access Connector | RADIUS server | UDP | 1812 | RADIUS authentication.
Workspace ONE Access Connector | RADIUS server | UDP | 1813 | RADIUS accounting.
Workspace ONE Access Connector | RSA SecurID system | UDP | 5500 | RSA SecurID authentication. Default value shown; this port is configurable.
Workspace ONE Access Connector | Citrix Integration Broker server | TCP | 80, 443 | Connection to the Citrix Integration Broker. The port depends on whether a certificate is installed on the Integration Broker server (443 with a certificate, 80 without).
Workspace ONE Access Connector | vapp-updates.vmware.com | TCP | 443 | Access to the upgrade server.

App Volumes Manager

The following table lists network ports for connections from App Volumes Manager to other Horizon components.

Source | Destination | Network Protocol | Destination Port | Details
App Volumes Manager | App Volumes Manager | TCP | 3001 | HTTP.
App Volumes Manager | App Volumes Manager | TCP | 3002 | HTTP.
App Volumes Manager | App Volumes Manager | TCP | 3003 | HTTP.
App Volumes Manager | App Volumes Manager | TCP | 3004 | HTTP.
App Volumes Manager | App Volumes Manager | TCP | 54311 | HTTPS.
App Volumes Manager | vCenter Server | TCP | 443 | SOAP.
App Volumes Man­ager | ESXi | TCP | 443 | Hostd.
App Volumes Manager | Database | TCP | 1433 | Default port for Microsoft SQL.
App Volumes Manager | Active Directory | TCP | 389 | LDAP.
App Volumes Manager | Active Directory | TCP | 636 | LDAPS (optional).

Management

The following table lists network ports for the administrative consoles used in Horizon.

Source | Destination | Network Protocol | Destination Port | Details
Admin browser | Horizon Connection Server | TCP | 443 | https://<Connection Server FQDN>/admin
Admin browser | vCenter Server | TCP | 443 | https://<vCenter Server FQDN>/
Admin browser | Horizon Cloud Connector | TCP | 443 | Horizon Cloud Connector web interface.
Admin browser | App Volumes Manager | TCP | 443 | https://<App Volumes Manager Server FQDN>/
Admin browser | Workspace ONE Access Appliance | TCP | 443 | https://<W1 Access Instance FQDN>
Admin browser | Workspace ONE Access Appliance | TCP | 8443 | https://<W1 Access Appliance FQDN>:8443/cfg/login
Admin workstation (SSH client) | Workspace ONE Access Appliance | TCP | 22 | SSH.
Admin browser | Workspace ONE Access Connector | TCP | 8443 | Connector configuration interface.
Admin workstation (SSH client) | Workspace ONE Access Connector | TCP | 22 | SSH.
Admin browser | Unified Access Gateway | TCP | 9443 | https://<UAG FQDN or IP Address>:9443/admin/
Microsoft Remote Assistance | Virtual Desktop or RDS Host | TCP | 3389 | RDP traffic for remote assistance sessions.

Display Protocol-Specific Diagram Views

The following diagrams display network ports for connections, by display protocol (Blast Extreme, PCoIP, or RDP), and for HTML Access client connections.

Summary and Additional Resources

For Horizon 7, see Network Ports in VMware Horizon 7.

Changelog

The following updates were made to this guide.

Date | Changes
2023-01-23 | Added new port from Connection Server to App Volumes Manager to facilitate monitoring of App Volumes Managers in the Connection Server console and Apps on Demand calls.
2022-03-01 | Added row to Connection Server table with link to port requirements for AD domain controllers.
2021-11-09 | Added port for Horizon Cloud Connector to Universal Broker plugin on Connection Server.
2021-10-06 | Updated diagrams to label new uses of TCP 9427.
2021-06-28 | Diagrams updated to add in connection from Horizon Cloud Connector to vCenter Server.
2021-06-25 | Additional port information for Horizon Cloud Connector to cover the new services. Updated the information on the services that use ports TCP 9427 and 32111 from the Client (Internal Connection) and Unified Access Gateway.
2021-05-17 | Added port if using a PostgreSQL database for Horizon Connection Server events. Updated links to Horizon 2103 and Unified Access Gateway 2103 documentation.
2021-05-14 | Additional port information for the Horizon Cloud Connector required for various control plane services: vCenter Server for Image Management Service, Horizon Cloud Service Control Plane, Horizon Cloud Monitoring Service (CMS) URLs, Certificate Authority URLs, and Universal Broker URLs.
2021-04-12 | Removed the word legacy from JMS TCP 4001 as this described it incorrectly.
2020-10-15 | First version for Horizon 8. Removed deprecated features: Composer, security server, JMP server, vRealize Operations for Horizon. Recolored.

About the Author and Contributors

Graeme Gordon, Senior Staff End-User-Computing Architect, EUC Technical Marketing, VMware, wrote this document and created the accompanying network-port diagrams.

The following people contributed their knowledge and assisted with reviewing:

  • Mark Benson, VMware Alumni

  • Paul Green, Staff Engineer, Virtual Workspace R&D, VMware

  • Ramu Panayappan, Director, Virtual Workspace R&D, VMware

  • Mike Oliver, Staff Engineer, Virtual Workspace R&D, VMware

  • Andrew Jewitt, Staff Engineer, Virtual Workspace R&D, VMware

  • Rick Terlep, Senior EUC Architect, EUC Technical Marketing, VMware

  • Jim Yanik, Senior Manager, EUC Technical Marketing, VMware

  • Frank Anderson, VMware Alumni

To comment on this paper, contact VMware End-User-Computing Technical Marketing at [email protected].
