
TECHNICAL WHITE PAPER – FEBRUARY 2018

NETWORK PORTS IN VMWARE HORIZON CLOUD SERVICE

VMware Horizon Cloud Service

VMware Horizon Cloud Service with Hosted Infrastructure

VMware Horizon Cloud Service on Microsoft Azure

For full interactive PDF ability to display high-resolution diagrams, download this file and view it locally.


Table of Contents

About This Guide

Client Connections for Horizon Cloud with Hosted Infrastructure, with an External Connection

External Client Connections to the Horizon Cloud with Hosted Infrastructure Tenant

Internal Client Connections to the Horizon Cloud with Hosted Infrastructure Tenant

Client Connections for Horizon Cloud with Hosted Infrastructure, with an Internal Connection

Client Connections for Horizon Cloud on Microsoft Azure

Virtual Desktop or RDS Host

Unified Access Gateway

VMware Identity Manager

Node Appliance, Tenant Appliance, and Tenant Resources

Management

About the Author and Contributors


About This Guide

This document lists port requirements for connectivity between the various components and servers in a VMware Horizon® Cloud Service™ deployment. Two deployment models for the Horizon Cloud Service are covered: VMware Horizon Cloud Service with Hosted Infrastructure, and VMware Horizon Cloud Service on Microsoft Azure. This document is intended as a companion to the VMware Horizon Cloud Service Network Ports diagrams.

The first set of diagrams covers Horizon Cloud with Hosted Infrastructure with external connectivity. The second set covers Horizon Cloud with Hosted Infrastructure with internal connectivity. The final set covers connectivity for Horizon Cloud on Microsoft Azure.

Figure 1 shows the possible client connection types for Horizon Cloud with Hosted Infrastructure and also includes all display protocols. Different versions of this diagram are displayed in this document and linked to larger PDF layouts. They show a subset of this diagram and focus on a particular connection type and protocol use. To view these larger PDF diagram layouts, access the Attachments panel in the PDF file or click the diagram images in the layout. You might need to download the PDF and view it locally (rather than in a browser) for full interactive functionality.

This document also provides tables listing all possible ports from a source component to destination components within a typical Horizon Cloud deployment. This does not mean that all of these ports necessarily need to be open. If a component or protocol is not in use, then the ports associated with it can be omitted. For example:

• If Blast Extreme is the only display protocol used, the PCoIP ports need not be opened.

• If VMware User Environment Manager™ is not deployed, ports to and from it can be ignored.

Furthermore, this document does not list all possible ports for all possible integrations with third-party services. The document lists ports to third-party services that are critical to a functioning deployment.

Ports shown are destination ports. In the diagrams, arrows depict the direction of communication from source to destination.

The Horizon Cloud tables and diagrams include connections to the following products, product families, and components:

• VMware Horizon Client™

• VMware Unified Access Gateway™

• VMware Identity Manager™

• VMware App Volumes™

• VMware User Environment Manager

• VMware ThinApp®

• VMware AirWatch®


Client Connections for Horizon Cloud with Hosted Infrastructure, with an External Connection

There are two basic configurations for Horizon Cloud with Hosted Infrastructure. One assumes client connections from an external network. The other configuration assumes connection from a trusted, or “internal,” network. Network ports for connections between a client (either Horizon Client or a browser) and the various Horizon Cloud components are similar in both cases.

External Client Connections to the Horizon Cloud with Hosted Infrastructure Tenant

An external connection provides secure access into Horizon Cloud resources from an external network. A Unified Access Gateway provides the secure edge services for the Horizon Cloud tenant. All communication from the client will be to that edge device, which then communicates to the internal resources.

| Source | Destination | Network protocol | Destination port | Details |
|---|---|---|---|---|
| Horizon Client | Unified Access Gateway | TCP | 443 | Login traffic. SSL (HTTPS access) is enabled by default for client connections, but port 80 (HTTP access) can be used in some cases. See Understanding What URL Content Redirection Is in Horizon Cloud with Hosted Infrastructure Administration. Can also carry tunneled RDP, client drive redirection, and USB redirection traffic. |
| Horizon Client | Unified Access Gateway | TCP | 4172 | PCoIP via PCoIP Secure Gateway on Unified Access Gateway. |
| Horizon Client | Unified Access Gateway | UDP | 4172 | PCoIP via PCoIP Secure Gateway on Unified Access Gateway. |
| Horizon Client | Unified Access Gateway | TCP | 443 | Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic where port sharing is used. Excellent or typical network condition is selected on client. |
| Horizon Client | Unified Access Gateway | TCP | 8443 | Optional for Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic (performant channel). Excellent or typical network condition is selected on client. |
| Horizon Client | Unified Access Gateway | UDP | 443 | Blast Extreme via the Unified Access Gateway for data traffic where port sharing is used. Also used for login traffic when poor network condition is selected on client. |
| Horizon Client | Unified Access Gateway | UDP | 8443 | Optional for Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic (adaptive transport). Typical or poor network condition is selected on client. |
| Browser | Unified Access Gateway | TCP | 443 | HTML Access. |
| Browser | Unified Access Gateway | TCP | 443 | VMware Identity Manager login and data traffic. |

Figure 1: Horizon Cloud with Hosted Infrastructure, External Connection with All Display Protocols


Figure 2: Horizon Cloud with Hosted Infrastructure, External Connection with Blast Extreme

Figure 3: Horizon Cloud with Hosted Infrastructure, External Connection with PCoIP


Figure 4: Horizon Cloud with Hosted Infrastructure, External Connection with HTML Access

Internal Client Connections to the Horizon Cloud with Hosted Infrastructure Tenant

An internal connection is typically used within the internal network. Initial authentication is performed to the tenant appliance or node appliance, and then the Horizon Client connects directly to the Horizon Agent running in the virtual desktop or RDS host.

The following table lists network ports for internal connections from a client device to Horizon Cloud components. The diagrams following the table show network ports for internal connections by protocol.

| Source | Destination | Network protocol | Destination port | Details |
|---|---|---|---|---|
| Horizon Client | Unified Access Gateway | TCP | 443 | Login traffic. SSL (HTTPS access) is enabled by default for client connections, but port 80 (HTTP access) can be used in some cases. See Understanding What URL Content Redirection Is in Horizon Cloud with Hosted Infrastructure Administration. Can also carry tunneled RDP, client drive redirection, and USB-redirection traffic. |
| Horizon Client | Unified Access Gateway | TCP | 4172 | PCoIP via PCoIP Secure Gateway on Unified Access Gateway. |
| Horizon Client | Unified Access Gateway | UDP | 4172 | PCoIP via PCoIP Secure Gateway on Unified Access Gateway. |
| Horizon Client | Unified Access Gateway | TCP | 443 | Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic where port sharing is used. Excellent or typical network condition is selected on client. |
| Horizon Client | Unified Access Gateway | TCP | 8443 | Optional for Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic (performant channel). Excellent or typical network condition is selected on client. |
| Horizon Client | Unified Access Gateway | UDP | 443 | Blast Extreme via the Unified Access Gateway for data traffic where port sharing is used. Also used for login traffic when poor network condition is selected on client. |
| Horizon Client | Unified Access Gateway | UDP | 8443 | Optional for Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic (adaptive transport). Typical or poor network condition is selected on client. |


Client Connections for Horizon Cloud with Hosted Infrastructure, with an Internal Connection

An internal connection is typically used when an organization would like to have greater control over end-user communications between the organization’s data center and Horizon Cloud with Hosted Infrastructure. An internal connection to Horizon Cloud assumes that all end-user traffic comes from a trusted source (organization’s data center) and is configured like a branch office. A Unified Access Gateway provides the secure edge services for the Horizon Cloud tenant. In these cases, the Unified Access Gateway is deployed to the Services Zone instead of to the Security Zone in Horizon Cloud with Hosted Infrastructure. All communication from the client will be to that edge device, which then communicates to the internal resources.

With these diagrams, the only thing that changes is the way that the network zones are defined. All communication flows are similar to those in Horizon Cloud with Hosted Infrastructure with an external connection.

Figure 5: Horizon Cloud with Hosted Infrastructure, Internal Connection with All Display Protocols


Figure 6: Horizon Cloud with Hosted Infrastructure, Internal Connection with Blast Extreme

Figure 7: Horizon Cloud with Hosted Infrastructure, Internal Connection with PCoIP


Figure 8: Horizon Cloud with Hosted Infrastructure, Internal Connection with HTML Access


Client Connections for Horizon Cloud on Microsoft Azure

Horizon Cloud on Microsoft Azure differs from Horizon Cloud with Hosted Infrastructure in one critical way: with these solutions, you provide your own infrastructure via Microsoft Azure or a hyperconverged appliance to run the service on. These implementations require specific configurations of the basic infrastructure with the intent of providing an equivalent connection topography to a Horizon Cloud with Hosted Infrastructure deployment. Therefore, while the deployment models are different, they are purposefully very similar from a network connectivity point of view.

A Unified Access Gateway provides the secure edge services for the Horizon Cloud tenant. All communication from the client will be to that edge device, which then communicates to the internal resources.

| Source | Destination | Network protocol | Destination port | Details |
|---|---|---|---|---|
| Horizon Client | Unified Access Gateway or security server | TCP | 443 | Login traffic. SSL (HTTPS access) is enabled by default for client connections, but port 80 (HTTP access) can be used in some cases. See Understanding What URL Content Redirection Is in VMware Horizon Cloud Service on Microsoft Azure Administration Guide. Can also carry tunneled RDP, client drive redirection, and USB-redirection traffic. |
| Horizon Client | Unified Access Gateway or security server | TCP | 4172 | PCoIP via PCoIP Secure Gateway on Unified Access Gateway. |
| Horizon Client | Unified Access Gateway or security server | UDP | 4172 | PCoIP via PCoIP Secure Gateway on Unified Access Gateway. |
| Horizon Client | Unified Access Gateway | TCP | 443 | Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic where port sharing is used. Excellent or typical network condition is selected on client. |
| Horizon Client | Unified Access Gateway | TCP | 443 | Optional for Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic (performant channel). Excellent or typical network condition is selected on client. |
| Horizon Client | Unified Access Gateway | UDP | 443 | Blast Extreme via the Unified Access Gateway for data traffic where port sharing is used. Also used for login traffic when poor network condition is selected on client. |
| Horizon Client | Unified Access Gateway | UDP | 8443 | Optional for Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic (adaptive transport). Typical or poor network condition is selected on client. |
| Browser | Unified Access Gateway | TCP | 443 | HTML Access. |
| Browser | Unified Access Gateway | TCP | 443 | VMware Identity Manager login and data traffic. |

Figure 9: Horizon Cloud on Microsoft Azure, External Connection with All Display Protocols


Figure 10: Horizon Cloud on Microsoft Azure, External Connection with Blast Extreme

Figure 11: Horizon Cloud on Microsoft Azure, External Connection with PCoIP


Figure 12: Horizon Cloud on Microsoft Azure, External Connection with HTML Access


Virtual Desktop or RDS Host

| Source | Destination | Network protocol | Destination port | Details |
|---|---|---|---|---|
| Horizon Agent | Tenant / node appliance | TCP | 4002 | Java Message Service (JMS) when using enhanced security – default. |
| Horizon Agent | Tenant / node appliance | TCP | 4001 | Java Message Service (JMS) – legacy. |
| Horizon Agent | Tenant / node appliance | TCP | 3099 | Desktop message server. |
| App Volumes Agent | App Volumes Manager | TCP | 3443 | Not currently used for Horizon Cloud on Microsoft Azure. Can use port 80 if not using SSL certificates to secure communication. |
| User Environment Manager FlexEngine | File shares | TCP | 445 | User Environment Manager agent access to SMB file shares. |

Unified Access Gateway

| Source | Destination | Network protocol | Destination port | Details |
|---|---|---|---|---|
| Unified Access Gateway | Tenant / node appliance | TCP | 443 | Login. |
| Unified Access Gateway | Horizon Agent | TCP | 22443 | Blast Extreme. |
| Unified Access Gateway | Horizon Agent | UDP | 22443 | Blast Extreme. |
| Unified Access Gateway | Horizon Agent | TCP | 4172 | PCoIP. |
| Unified Access Gateway | Horizon Agent | UDP | 4172 | PCoIP. |
| Unified Access Gateway | Horizon Agent | TCP | 3389 | RDP. |
| Unified Access Gateway | Horizon Agent | TCP | 9427 | Optional for client drive redirection (CDR) and multi-media redirection (MMR). By default, when using Blast Extreme, CDR traffic is side-channeled in the Blast Extreme ports indicated previously. If you prefer, this traffic can be separated onto the port indicated here. |
| Unified Access Gateway | Horizon Agent | TCP | 32111 | Optional for USB redirection. By default, USB traffic is side-channeled in the Blast Extreme or PCoIP ports indicated previously. If you prefer, this traffic can be separated onto the port indicated here. |
| Unified Access Gateway | VMware Identity Manager | TCP | 443 | |
| Unified Access Gateway | RADIUS | UDP | 5500 | Other authentication sources such as RADIUS. Default value for RADIUS is shown but is configurable. |
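The guide's earlier point that ports for unused protocols need not be opened, applied to the Horizon Client and Unified Access Gateway rows: this added example (not from the white paper or VMware) builds the allowlist for the features actually in use and flags flow records that fall outside it. The feature tags, subnets, and flow lines are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple


class Rule(NamedTuple):
    src: str
    dst: str
    proto: str    # "TCP" or "UDP"
    port: int     # destination port, as listed in the tables
    feature: str  # this example's own tag (assumption), not a VMware term


CLIENT, UAG = "Horizon Client", "Unified Access Gateway"
AGENT, APPLIANCE = "Horizon Agent", "Tenant / node appliance"

# Rows transcribed from the Horizon Client and Unified Access Gateway tables
# (Horizon Cloud with Hosted Infrastructure, external connection).
MATRIX = [
    Rule(CLIENT, UAG, "TCP", 443, "login"),
    Rule(CLIENT, UAG, "TCP", 4172, "pcoip"),
    Rule(CLIENT, UAG, "UDP", 4172, "pcoip"),
    Rule(CLIENT, UAG, "TCP", 443, "blast"),           # port sharing with login
    Rule(CLIENT, UAG, "TCP", 8443, "blast-optional"),
    Rule(CLIENT, UAG, "UDP", 443, "blast"),
    Rule(CLIENT, UAG, "UDP", 8443, "blast-optional"),
    Rule(UAG, APPLIANCE, "TCP", 443, "login"),
    Rule(UAG, AGENT, "TCP", 22443, "blast"),
    Rule(UAG, AGENT, "UDP", 22443, "blast"),
    Rule(UAG, AGENT, "TCP", 4172, "pcoip"),
    Rule(UAG, AGENT, "UDP", 4172, "pcoip"),
    Rule(UAG, AGENT, "TCP", 3389, "rdp"),
    Rule(UAG, AGENT, "TCP", 9427, "cdr-mmr-split"),
    Rule(UAG, AGENT, "TCP", 32111, "usb-split"),
    Rule(UAG, "VMware Identity Manager", "TCP", 443, "identity-manager"),
    Rule(UAG, "RADIUS", "UDP", 5500, "radius"),       # default, configurable
]

# Constructed addressing plan (assumption): component role -> subnet.
ROLE_NETS = {
    UAG: ipaddress.ip_network("10.0.1.0/28"),
    APPLIANCE: ipaddress.ip_network("10.0.10.0/28"),
    AGENT: ipaddress.ip_network("10.0.20.0/24"),
}

# Constructed flow records: "src_ip dst_ip proto dst_port".
SAMPLE_FLOWS = """\
203.0.113.7 10.0.1.4 TCP 443
203.0.113.7 10.0.1.4 UDP 4172
10.0.1.4 10.0.20.31 TCP 22443
10.0.1.4 10.0.20.31 TCP 3389
10.0.1.4 10.0.20.31 TCP 445
203.0.113.7 10.0.20.31 TCP 22443
"""


def role_of(ip):
    """Map an address to a component; anything outside the plan is a client."""
    addr = ipaddress.ip_address(ip)
    for role, net in ROLE_NETS.items():
        if addr in net:
            return role
    return CLIENT


def allowlist(features):
    """Rows needed for the enabled features; login rows are always needed."""
    enabled = set(features) | {"login"}
    return {r[:4] for r in MATRIX if r.feature in enabled}


def audit(flow_text, features):
    """Return (flow line, reason) for every flow outside the allowlist."""
    allowed = allowlist(features)
    documented = {}
    for r in MATRIX:
        documented.setdefault(r[:4], set()).add(r.feature)
    findings = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src_ip, dst_ip, proto, port = line.split()
        key = (role_of(src_ip), role_of(dst_ip), proto.upper(), int(port))
        if key in allowed:
            continue
        if key in documented:
            tags = ", ".join(sorted(documented[key]))
            reason = "port belongs to unused feature: " + tags
        else:
            reason = "no such row in the port tables"
        findings.append((line, reason))
    return findings


if __name__ == "__main__":
    # Blast Extreme is the only display protocol in this constructed deployment.
    for line, reason in audit(SAMPLE_FLOWS, {"blast"}):
        print(f"{line:34} {reason}")
```

The last finding is a client reaching a Horizon Agent directly, which the external connection model routes through the Unified Access Gateway.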

VMware Identity Manager

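| Source | Destination | Network protocol | Destination port | Details |
|---|---|---|---|---|
| VMware Identity Manager | VMware Identity Manager | TCP | 443 | |
| VMware Identity Manager | VMware Identity Manager | TCP | 9300-9400 | Audit needs. |
| VMware Identity Manager | SMTP server | TCP | 25 | SMTP port to relay outbound mail. |
| VMware Identity Manager | Domain controllers | TCP | 389 | LDAP to Active Directory. Default but is configurable. |
| VMware Identity Manager | Domain controllers | Both | 88 | Kerberos authentication. |
| VMware Identity Manager | Domain controllers | Both | 464 | Kerberos password change. |
| VMware Identity Manager | Domain controllers | TCP | 135 | RPC. |
| VMware Identity Manager | DNS servers | Both | 53 | DNS lookup. |
| VMware Identity Manager | Citrix Integration Broker server | TCP | 80, 443 | Connection to the Citrix Integration Broker. Port option depends on whether a certificate is installed on the Integration Broker server. |
| VMware Identity Manager | File servers | TCP | 445 | Access to the ThinApp repository on SMB share. |
| VMware Identity Manager | vapp-updates.vmware.com | TCP | 443 | Access to the upgrade server. |
| VMware Identity Manager | RSA SecurID system | UDP | 5500 | Default value is shown. This port is configurable. |
| VMware Identity Manager | AirWatch REST API | TCP | 443 | For device compliance-checking, and for the AirWatch Cloud Connector password authentication method, if that is used. |
| VMware Identity Manager | Database | TCP | 1433 | If using an external Microsoft SQL database (default port is 1443). |
| VMware Identity Manager | Database | TCP | 5432 | If using an external PostgreSQL database. |
| VMware Identity Manager | Database | TCP | 1521 | If using an external Oracle database. |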


Node Appliance, Tenant Appliance, and Tenant Resources

| Source | Destination | Network protocol | Destination port | Details |
|---|---|---|---|---|
| Tenant appliance / node appliance / tenant desktops | Global catalog | TCP | 3268 | Server that contains global catalog role in an Active Directory configuration. This is a necessary resource for Domain Bind and Domain Join steps of deploying a Horizon Cloud tenant. |
| Tenant appliance / node appliance / tenant desktops | Domain controller | TCP | 389 | LDAP services. Server that contains a domain controller role in an Active Directory configuration. This is a necessary resource for Domain Bind and Domain Join steps of deploying a Horizon Cloud tenant. |
| Tenant appliance / node appliance / tenant desktops | Domain controller | TCP | 88 | Kerberos services. Server that contains a domain controller role in an Active Directory configuration. This is a necessary resource for Domain Bind and Domain Join steps of deploying a Horizon Cloud tenant. |
| Tenant appliance / node appliance / tenant desktops | DNS server | TCP | 53 | DNS services. DNS name resolution is required between the AD and Horizon Cloud, for Domain Bind and Domain Join steps of deploying a Horizon Cloud tenant. |
| Tenant appliance / node appliance / tenant desktops | File shares | TCP | 445 | User Environment Manager agent access to SMB file shares. |
| Tenant appliance / node appliance | CMS | TCP | 443 | VMware cloud monitoring service. |
| Tenant appliance / node appliance | RADIUS | UDP | 5500 | Other authentication sources such as RADIUS. Default value for RADIUS is shown but is configurable. Applies only to Horizon Cloud with Hosted Infrastructure. |
| Tenant appliance / node appliance | RSA SecurID system | UDP | 5500 | Default value is shown. This port is configurable. Applies only to Horizon Cloud with Hosted Infrastructure. |


Management

| Source | Destination | Network protocol | Destination port | Details |
|---|---|---|---|---|
| Admin browser | Horizon Cloud Service | TCP | 443 | https://cloud.horizon.vmware.com/horizonadmin |
| Admin browser | VMware Identity Manager | TCP | 8443 | https://<VMware Identity Manager instance FQDN>; https://<VMware Identity Manager appliance FQDN>:8443/cfg/login |
| Admin PC with RDP client | Utility server* | TCP | 3389 | For console access of Utility servers housed in a given Horizon Cloud with Hosted Infrastructure tenant. |

*Relevant only in Horizon Cloud with Hosted Infrastructure tenant deployments.


About the Author and Contributors

Rick Terlep, End-User-Computing Architect, EUC Technical Marketing, VMware, wrote this document and created the diagrams.

The following people contributed considerable knowledge and assisted with reviewing:

• Daniel Berkowicz, Architect, EUC Cloud Services, VMware

• Jerrid Cunniff, Senior Architect, EUC Cloud Services, VMware

• Graeme Gordon, Senior Staff End-User-Computing Architect, EUC Technical Marketing, VMware

• Frank Taylor, Principal Engineer, EUC, VMware

• Griff James, Staff Engineer, EUC, VMware

The following people contributed their knowledge to the VMware Horizon 7 document and diagrams that this document and diagrams were based on:

• Mark Benson, Sr. Staff Engineer, EUC CTO Office, VMware

• Paul Green, Staff Engineer, Enterprise Desktop, VMware

• Ramu Panayappan, Director, R&D, Enterprise Desktop, VMware

• Andrew Jewitt, Staff Engineer, Enterprise Desktop, VMware

• Jim Yanik, Senior Manager, EUC Technical Marketing, VMware

• Frank Anderson, EUC Technical Marketing Architect, EUC Technical Marketing, VMware

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.


VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com

Copyright © 2018 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: VMW-TWP-NETWKPORTSHORIZCLDSVSHI_17_2_HCSMA_1_4-USLTR-20180212-WEB 2/18

[Diagram: VMware Horizon Cloud with Hosted Infrastructure - Internal Connection, HTML Access]

Diagram notes: All network ports are shown, but only a subset are normally required depending on the components deployed and protocols in use. See the companion VMware Horizon Cloud Network Ports document for more detail and information on ports. Arrows indicate direction of traffic (source and destination). Ports shown are destination ports. Note: Network ports shown for supporting infrastructure are not exhaustive. This diagram primarily illustrates connectivity between VMware components.

[Diagram: VMware Horizon Cloud on Microsoft Azure – External Connection, All Display Protocols]

[Diagram: VMware Horizon Cloud with Hosted Infrastructure - External Connection, PCoIP]

[Figure: VMware Horizon Cloud on Microsoft Azure – External Connection, HTML Access. Connection labels: HTTPS (TCP 443); HTML Access (TCP 443); Blast Extreme (TCP/UDP 22443); CDR/MMR (TCP 9427); JMS (TCP 4001); JMS SSL (TCP 4002); HTTPS (TCP 3443); dtREST API -- HTTPS (TCP 443); XML API -- HTTPS (TCP 443); UDP 5678; HTTPS (TCP 8443); TCP 49152-65535; TCP 32111; Global Catalog (TCP 3268); LDAP (TCP 389); Kerberos (TCP 88); DNS (TCP 53); File Shares SMB (TCP 445); RADIUS / RSA / OCSP.]

[Figure: VMware Horizon Cloud with Hosted Infrastructure ‐ Internal Connection, All Display Protocols. Connection labels: HTTPS (TCP 443); HTML Access (TCP 443); PCoIP (TCP/UDP 4172); Blast Extreme (TCP/UDP 22443); Blast Extreme (UDP): Poor (UDP 443); Blast Extreme (TCP): Excellent (TCP 8443), Typical (TCP 8443); Blast Extreme (UDP): Typical (UDP 8443), Poor (UDP 8443); RDP (TCP 3389); USB (TCP 32111); CDR/MMR (TCP 9427); JMS (TCP 4001); JMS SSL (TCP 4002); HTTPS (TCP 3443); HTTPS (TCP 8443); dtREST API -- HTTPS (TCP 443); XML API -- HTTPS (TCP 443); UDP 5678; TCP 49152-65535; TCP 32111; Utility Servers SMB (TCP / UDP 445); File Shares SMB (TCP 445); Global Catalog (TCP 3268); LDAP (TCP 389); Kerberos (TCP 88); DNS (TCP 53); RADIUS / RSA / OCSP.]

[Figure: VMware Horizon Cloud on Microsoft Azure – External Connection, Blast Extreme. Connection labels: HTTPS (TCP 443); Blast Extreme (TCP/UDP 22443); Blast Extreme (UDP): Poor (UDP 443); Blast Extreme (TCP): Excellent (TCP 443), Typical (TCP 443); Blast Extreme (UDP): Typical (UDP 8443), Poor (UDP 8443); USB (TCP 32111); CDR/MMR (TCP 9427); JMS (TCP 4001); JMS SSL (TCP 4002); HTTPS (TCP 3443); dtREST API -- HTTPS (TCP 443); XML API -- HTTPS (TCP 443); UDP 5678; HTTPS (TCP 8443); TCP 49152-65535; TCP 32111; Global Catalog (TCP 3268); LDAP (TCP 389); Kerberos (TCP 88); DNS (TCP 53); RADIUS / RSA / OCSP.]

[Figure: VMware Horizon Cloud with Hosted Infrastructure ‐ External Connection, HTML Access. Connection labels: HTTPS (TCP 443); HTML Access (TCP 443); Blast Extreme (TCP/UDP 22443); CDR/MMR (TCP 9427); JMS (TCP 4001); JMS SSL (TCP 4002); HTTPS (TCP 3443); dtREST API -- HTTPS (TCP 443); XML API -- HTTPS (TCP 443); UDP 5678; HTTPS (TCP 8443); TCP 49152-65535; TCP 32111; Utility Servers SMB (TCP / UDP 445); File Shares SMB (TCP 445); RDP (TCP 3389); Global Catalog (TCP 3268); LDAP (TCP 389); Kerberos (TCP 88); DNS (TCP 53); RADIUS / RSA / OCSP.]

[Figure: VMware Horizon Cloud with Hosted Infrastructure ‐ Internal Connection, PCoIP. Connection labels: HTTPS (TCP 443); PCoIP (TCP/UDP 4172); USB (TCP 32111); CDR/MMR (TCP 9427); JMS (TCP 4001); JMS SSL (TCP 4002); HTTPS (TCP 3443); dtREST API -- HTTPS (TCP 443); XML API -- HTTPS (TCP 443); UDP 5678; HTTPS (TCP 8443); TCP 49152-65535; TCP 32111; Utility Servers SMB (TCP / UDP 445); File Shares SMB (TCP 445); RDP (TCP 3389); Global Catalog (TCP 3268); LDAP (TCP 389); Kerberos (TCP 88); DNS (TCP 53); RADIUS / RSA / OCSP.]

[Figure: VMware Horizon Cloud on Microsoft Azure – External Connection, PCoIP. Connection labels: HTTPS (TCP 443); PCoIP (TCP/UDP 4172); USB (TCP 32111); CDR/MMR (TCP 9427); JMS (TCP 4001); JMS SSL (TCP 4002); HTTPS (TCP 3443); dtREST API -- HTTPS (TCP 443); XML API -- HTTPS (TCP 443); UDP 5678; HTTPS (TCP 8443); TCP 49152-65535; TCP 32111; Global Catalog (TCP 3268); LDAP (TCP 389); Kerberos (TCP 88); DNS (TCP 53); File Shares SMB (TCP 445); RADIUS / RSA / OCSP.]

[Figure: VMware Horizon Cloud with Hosted Infrastructure ‐ External Connection, Blast Extreme. Connection labels: HTTPS (TCP 443); Blast Extreme (TCP/UDP 22443); Blast Extreme (UDP): Poor (UDP 443); Blast Extreme (TCP): Excellent (TCP 8443), Typical (TCP 8443); Blast Extreme (UDP): Typical (UDP 8443), Poor (UDP 8443); USB (TCP 32111); CDR/MMR (TCP 9427); JMS (TCP 4001); JMS SSL (TCP 4002); HTTPS (TCP 3443); dtREST API -- HTTPS (TCP 443); XML API -- HTTPS (TCP 443); UDP 5678; HTTPS (TCP 8443); TCP 49152-65535; TCP 32111; Utility Servers SMB (TCP / UDP 445); File Shares SMB (TCP 445); RDP (TCP 3389); Global Catalog (TCP 3268); LDAP (TCP 389); Kerberos (TCP 88); DNS (TCP 53); RADIUS / RSA / OCSP.]

[Figure: VMware Horizon Cloud with Hosted Infrastructure ‐ External Connection, All Display Protocols. Connection labels: HTTPS (TCP 443); HTML Access (TCP 443); PCoIP (TCP/UDP 4172); Blast Extreme (TCP/UDP 22443); Blast Extreme (UDP): Poor (UDP 443); Blast Extreme (TCP): Excellent (TCP 8443), Typical (TCP 8443); Blast Extreme (UDP): Typical (UDP 8443), Poor (UDP 8443); RDP (TCP 3389); USB (TCP 32111); CDR/MMR (TCP 9427); JMS (TCP 4001); JMS SSL (TCP 4002); HTTPS (TCP 3443); HTTPS (TCP 8443); dtREST API -- HTTPS (TCP 443); XML API -- HTTPS (TCP 443); UDP 5678; TCP 49152-65535; TCP 32111; Utility Servers SMB (TCP / UDP 445); File Shares SMB (TCP 445); Global Catalog (TCP 3268); LDAP (TCP 389); Kerberos (TCP 88); DNS (TCP 53); RADIUS / RSA / OCSP.]

[Figure: VMware Horizon Cloud with Hosted Infrastructure ‐ Internal Connection, Blast Extreme. Connection labels: HTTPS (TCP 443); Blast Extreme (TCP/UDP 22443); Blast Extreme (UDP): Poor (UDP 443); Blast Extreme (TCP): Excellent (TCP 8443), Typical (TCP 8443); Blast Extreme (UDP): Typical (UDP 8443), Poor (UDP 8443); USB (TCP 32111); CDR/MMR (TCP 9427); JMS (TCP 4001); JMS SSL (TCP 4002); HTTPS (TCP 3443); dtREST API -- HTTPS (TCP 443); XML API -- HTTPS (TCP 443); UDP 5678; HTTPS (TCP 8443); TCP 49152-65535; TCP 32111; Utility Servers SMB (TCP / UDP 445); File Shares SMB (TCP 445); RDP (TCP 3389); Global Catalog (TCP 3268); LDAP (TCP 389); Kerberos (TCP 88); DNS (TCP 53); RADIUS / RSA / OCSP.]