VMware Horizon Community
henrylaw
Enthusiast

VMware Horizon Client: do inbound ports need to be opened?

I'm trying to diagnose and fix a total failure of Client Drive Redirection to work on the client, version 4.6.0, 64-bit. I set up the sharing on the connection properties, but it's not there in the "Computer" display on the remote Windows 7 image.

I've read some articles about ports needing to be opened to new inbound traffic (9427, 32111 for example) but I'm not clear whether that's a requirement on the machine which runs the client.

My (Linux) client sits on a 10.n.n.n network behind a NAT router (with a firewall which I control), onto a 192.168.n.n network which has another NAT firewall router connection to the public internet.  Both firewalls are set up fairly conventionally, to allow established traffic in but basically nothing else.  I can't see a way of doing port forwarding on both of those routers so that an unsolicited inbound connection would work on such ports (even if I was happy to do so from a security point of view, which I'm doubtful about).

Have I got this wrong?  Does the VMware server open new (that is, not already established) connections on inbound ports?  If so, how do others configure their firewalls to allow it?

0 Kudos
3 Replies
pengwang
VMware Employee

Hi henrylaw,

The View server needs the inbound TCP/UDP traffic that is mentioned in the doc. Can both PCoIP and Blast protocol connections repro it, or only one of them? And does it only repro in the Linux client? Thanks.

0 Kudos
ggordon
VMware Employee

I'd have a read through of the Horizon Network Ports Document and the embedded diagrams. Best to download this as a pdf as you can then click on the embedded diagrams and get a hi-res version.

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/vmware-horizon-7-end-use...

From a firewall perspective, most are in one direction with one side being the initiator. E.g. the client is the initiator so the rules should allow inbound traffic from the client.

For an internal connection (not going through a Unified Access Gateway or tunneled through a Connection Server), firewall rules will need to allow:

  • Client to Connection Server (TCP 443)
  • Client to Agent (virtual desktop or RDSH) - Protocol ports (e.g. Blast Extreme TCP 22443 at a minimum).

With later versions of Horizon (7.2 and later I think) CDR is side-channeled on the protocol by default. You can override that but that is only necessary if you want to separate the traffic out onto individual ports to perform some type of control.

0 Kudos
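An added example, not part of the thread and not VMware code: a Python check, run from the client machine, that attempts the two client-initiated connections listed in the reply above and classifies each outcome. The ports are the ones quoted in the reply; the hostnames are placeholders to replace with the real Connection Server and desktop addresses.

```python
import errno
import socket

# Ports come from the reply above; hostnames are placeholders (assumptions).
HORIZON_TARGETS = [
    ("connection-server.example", 443, "Client to Connection Server"),
    ("desktop-agent.example", 22443, "Client to Agent (Blast Extreme)"),
]

def probe(host, port, timeout=3.0):
    """Attempt one client-initiated TCP connection and classify the result."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-failure"
    family, socktype, proto, _, addr = infos[0]
    with socket.socket(family, socktype, proto) as s:
        s.settimeout(timeout)
        try:
            s.connect(addr)
            return "open"          # handshake completed: the path allows this flow
        except socket.timeout:
            return "filtered"      # SYN got no answer: typically dropped by a firewall
        except ConnectionRefusedError:
            return "refused"       # host answered with RST: reachable, port not accepting
        except OSError as exc:
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "unreachable"
            return "error"

def check_targets(targets, timeout=3.0):
    """Return {(host, port): status} for every (host, port, label) target."""
    return {(h, p): probe(h, p, timeout) for h, p, _label in targets}

if __name__ == "__main__":
    labels = {(h, p): label for h, p, label in HORIZON_TARGETS}
    for (host, port), status in check_targets(HORIZON_TARGETS).items():
        print(f"{labels[(host, port)]:35} {host}:{port:<6} {status}")
```

Every probe here is an outbound connection from the client, so an "open" result is obtained without any inbound port being opened on the client-side firewalls.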
henrylaw
Enthusiast

That's a really helpful document, ggordon; thank you.

I think what it tells me is that the server needs certain ports open but my local client configuration doesn't.  The server belongs to a local college and is in widespread use across the local area, so I think I can assume that the admins there have configured their firewall correctly; therefore I don't think there's anything for me to do.  It would seem that CDR on the Linux client doesn't work, here at least.

0 Kudos