This post was written on the 5th May 2015. Hopefully sometime in the near future it is no longer relevant, but until then, be aware of an error in a KB article (2085383) for Horizon View 6.x network ports.
I’m compelled to write this post as I’ve just encountered a 2nd partner who got misled by this erroneous article.
For the proper reference, the Horizon View 6.x documentation lists the ports that are required. The direct link to the web-based documentation is here. I recommend using this.
If you want to see a correct diagram of how the ports should look, you can refer to the slightly older KB article (2061913) for View 5.x. The key differences between View 5.x and 6.x are the following:
- View 6.x no longer supports Local Mode – but since it shares ports 80 & 443 for other purposes, you’ve got to keep them.
- View 6.x adds Cloud Pod Architecture – so this is a new port for View Pod to View Pod communication.
- View 6.x adds Enhanced Message Security mode – and this also adds a new port between View Connection Servers only.
Back to the erroneous article.
The part that needs to be fixed is the set of ports depicted for the Horizon View Client to communicate with a View Security Server. This is typical of a situation where an end device sits in an untrusted network (e.g. the Internet) and the connection has to be tunnelled through a View Security Server in the corporate DMZ. In such a situation, only 3, at most 4, ports are required:
- 80 TCP (HTTP) – for users who use a web browser and simply hit the access URL without prefixing HTTPS:// in the address bar. This simply allows the Security Server to redirect to the same URL, but with HTTPS.
- 443 TCP (HTTPS) – all non-desktop traffic goes through this HTTPS encrypted connection. So right from the start, all communications between a View Client and the Security Server are fully encrypted; additionally, if RDP is the chosen protocol, it will be embedded within this HTTPS communication. So, there is no need for 3389 TCP to be opened between the View Client and Security Server.
- 4172 TCP & 4172 UDP (PCoIP) – all PCoIP based desktop traffic will use these 2 ports. The TCP port is only used for the initial setup of the PCoIP connection. Once it’s up, all desktop activities will be just 4172 UDP.
The diagram below was cut out of the KB article. You’ll see 3 additional ports which I’ve crossed out in red:
- 9472 TCP (MMR) – this is the Multimedia Redirection port. It is not used between the View Client and Security Server. The View Client will only use it when it does a direct connection with the Virtual Desktop.
- 3389 TCP (RDP) – this is the well known RDP port. As mentioned above, when the session is tunnelled, RDP is embedded within the 443 TCP traffic, and does not use 3389 TCP. Again, the View Client will only use this port if it is to do a direct connection with the Virtual Desktop.
- 32111 TCP (USB) – this port is used for USB redirection. When tunnelled through a Security Server, the View Client will not use this port; instead it will send the traffic via 4172 UDP. When the View Client is to have a direct connection to the Virtual Desktop, it will then use 32111 TCP.
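
The port list above can be turned into a quick audit of the Internet-facing rules in front of a Security Server. This is an added example, not code from the original post or from VMware; the one-rule-per-line syntax (`allow <proto> <port>[-<port>]`), the function names and the sample ruleset are assumptions made for illustration.

```python
import re

# Ports the post lists for View Client -> Security Server (tunnelled access).
REQUIRED = {("tcp", 80), ("tcp", 443), ("tcp", 4172), ("udp", 4172)}
# Ports the post says are only used for direct client-to-desktop connections.
DIRECT_ONLY = {("tcp", 9472): "MMR", ("tcp", 3389): "RDP", ("tcp", 32111): "USB"}

# Assumed rule syntax (hypothetical): allow <tcp|udp|any> <port>[-<port>]
RULE = re.compile(r"allow\s+(tcp|udp|any)\s+(\d+)(?:-(\d+))?")

def opened_ports(ruleset):
    """Expand every allow rule into the set of (protocol, port) pairs it opens."""
    opened = set()
    for lineno, raw in enumerate(ruleset.splitlines(), 1):
        line = raw.split("#", 1)[0].strip().lower()  # drop comments and padding
        if not line:
            continue
        m = RULE.fullmatch(line)
        if m is None:
            raise ValueError(f"line {lineno}: unrecognised rule {raw.strip()!r}")
        low = int(m.group(2))
        high = int(m.group(3) or low)
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"line {lineno}: bad port range {low}-{high}")
        protos = ("tcp", "udp") if m.group(1) == "any" else (m.group(1),)
        opened.update((p, port) for p in protos for port in range(low, high + 1))
    return opened

def audit(ruleset):
    """Compare an Internet-facing ruleset with the port list from the post."""
    opened = opened_ports(ruleset)
    extras = sorted(opened & set(DIRECT_ONLY), key=lambda k: k[1])
    return {
        "missing": sorted(REQUIRED - opened),
        "direct_only": [f"{port}/{proto} ({DIRECT_ONLY[proto, port]})"
                        for proto, port in extras],
        "other_open": len(opened - REQUIRED - set(DIRECT_ONLY)),
    }

# Constructed ruleset that copies the ports drawn in the erroneous diagram.
KB_STYLE = """
allow tcp 80
allow tcp 443
allow any 4172      # PCoIP setup (TCP) and session (UDP)
allow tcp 3389
allow tcp 9472
allow tcp 32111
"""

if __name__ == "__main__":
    for key, value in audit(KB_STYLE).items():
        print(f"{key}: {value}")
```

Because rules are expanded to individual ports, a wide range such as `allow tcp 3000-5000` is reported as exposing 3389 even though the rule never names it.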