The following diagram illustrates how the primary protocols used by the Horizon Security Server work with other components of the Horizon infrastructure. The diagram shows the following components of a Horizon infrastructure:
- Communication between the Horizon Security Server and the Horizon Desktop or Application
- Communication between the Horizon Security Server and the Horizon Connection Server
The arrows indicate the direction in which each protocol travels, assuming that the default settings are used:
This list of ports used by the core components is outlined in the following table. Additionally, consult the Firewall Rules for DMS-Based Security Servers in the VMware document Horizon Architecture Planning (https://docs.vmware.com/en/VMware-Horizon-7/7.6/horizon-architecture-planning.pdf) for additional information concerning the function of each component, and when the associated port is actually required to be opened in the firewall:
| Protocol or Service | Port | Notes |
| AJP13 (Apache Tomcat Connector) | TCP 8009 | Not used if IPsec is enabled and the DMZ backend firewall uses one-way or two-way NAT. |
| Blast Agent | TCP/UDP 22443 | Used to connect to the Blast (HTML Access) Agent on the desktop or application host |
| HTTP/HTTPS | TCP 80/443/8443 | Port TCP 8443 is only used for HTML Access (web) clients. |
| JMS (Java Messaging Service) | TCP 4001-4002 | If upgrading existing Horizon Security Servers, port TCP 4002 might not be open as it was not previously required. |
| MMR (Multimedia redirection) | TCP 9427 | Used alongside RDP; uses client rather than server resources to render DirectShow-based media and codecs. |
| NAT-T ISAKMP | UDP 4500 | Used to negotiate IPsec security; if the DMZ backend firewall uses one-way or two-way NAT, and IPsec is enabled, UDP port 4500 must be allowed in each direction between the Security Server and the Horizon Connection Server. |
| PCoIP | TCP/UDP 4172, UDP 55000 | |
| RDP | TCP 3389 | |
| IPsec | UDP 500 | |
| USB Redirection for PCoIP, Blast, and RDP | TCP 32111 | TCP 32111 is used to support USB redirection to Horizon clients. |