VMware Horizon Community
EricNichols
Hot Shot

What are the appropriate firewall/VLAN ACL rules for this situation?

Does this all look correct? The Connection Server is on VLAN 6 (172.16.6.166) with the Windows firewall on with the default rules. The Virtual Desktops are on VLAN 4; the Windows firewall is off. The client access devices running the Horizon View client are on VLAN 2 and VLAN 4 without local firewalls. We don't use MMR or RDP. When a connection is being negotiated, doesn't the agent need to talk back to the client on random ports? Is there a way to configure a range for the PCoIP and USB agents to use?


Outgoing traffic ACLs:

VLAN 6 ACLs:

permit all

VLAN 4 ACLs:

permit tcp 0.0.0.0 255.255.255.255 172.16.6.166 0.0.0.0 eq 443
permit tcp 0.0.0.0 255.255.255.255 172.16.6.166 0.0.0.0 eq 4172
permit udp 0.0.0.0 255.255.255.255 172.16.6.166 0.0.0.0 eq 4172
permit tcp 0.0.0.0 255.255.255.255 172.16.2.0 0.0.3.255 eq 4172
permit udp 0.0.0.0 255.255.255.255 172.16.2.0 0.0.3.255 eq 4172
permit tcp 0.0.0.0 255.255.255.255 172.16.2.0 0.0.3.255 eq 32111
permit tcp 0.0.0.0 255.255.255.255 172.16.6.166 0.0.0.0 range 4001 4002

VLAN 2 ACLs:

permit tcp 0.0.0.0 255.255.255.255 172.16.6.166 0.0.0.0 eq 443
permit tcp 0.0.0.0 255.255.255.255 172.16.6.166 0.0.0.0 eq 4172
permit udp 0.0.0.0 255.255.255.255 172.16.6.166 0.0.0.0 eq 4172
permit tcp 0.0.0.0 255.255.255.255 172.16.4.0 0.0.3.255 eq 4172
permit udp 0.0.0.0 255.255.255.255 172.16.4.0 0.0.3.255 eq 4172
permit tcp 0.0.0.0 255.255.255.255 172.16.4.0 0.0.3.255 eq 32111
permit udp 0.0.0.0 255.255.255.255 172.16.4.0 0.0.3.255 eq 50002

mittim12
Immortal

This KB gives you all the ports plus source and destination.

VMware KB: VMware View ports and network connectivity requirements

EricNichols
Hot Shot

The KB you linked is what we used to come up with the above ACLs. We are using an HP ProCurve core switch. Its firewall and ACLs are not stateful. It appears that the USB and some other traffic that returns from the initial connection is on random ports using RPC. Are these RPC port ranges configurable or even documented?

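The two posts above boil down to one check: on a non-stateful switch ACL, every session has to be permitted in both directions, and the reply direction (from the service port back to the client's ephemeral port) is the one that looks like "random ports". The script below is an added example, not code from the poster or from VMware. It parses the ACL lines exactly as posted in the first message (ProCurve-style wildcard masks, eq/range port matches) and evaluates each client-to-server session twice: the request against the client VLAN's outbound ACL and the reply against the server VLAN's outbound ACL. The per-VLAN /24 subnets, the client and desktop addresses, the ephemeral client port and the session list are constructed for the example; only the ports and ACL lines come from the thread.

```python
"""Stateless ACL walk-through for the Horizon View rules in this thread.

Added example, not part of the original post. It parses the poster's
HP ProCurve-style "permit <proto> <src> <wildcard> <dst> <wildcard> eq|range"
lines and checks each session in BOTH directions, since a non-stateful ACL
sees the reply (service port -> client's ephemeral port) as a new packet.
VLAN subnets, host addresses and the ephemeral client port are constructed
for this example; only the ports and ACL lines come from the thread.
"""
import ipaddress
import re
from dataclasses import dataclass

RULE_RE = re.compile(
    r"permit (tcp|udp) (\S+) (\S+) (\S+) (\S+) (?:eq (\d+)|range (\d+) (\d+))$"
)
ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    proto: str  # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport_lo: int
    dport_hi: int


def wildcard_to_net(addr, wildcard):
    """ProCurve ACLs use wildcard masks: a 0 bit must match, a 1 bit is ignored.
    For the contiguous masks in the thread that is the inverted netmask
    (0.0.3.255 -> /22); strict=False zeroes host bits the way the switch does,
    so "172.16.2.0 0.0.3.255" becomes 172.16.0.0/22."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def parse_acl(text):
    """Parse one VLAN's outbound ACL into an ordered rule list."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line == "permit all":
            rules.append(Rule("any", ANY, ANY, 0, 65535))
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        proto, s, sw, d, dw, eq, lo, hi = m.groups()
        lo, hi = (int(eq), int(eq)) if eq else (int(lo), int(hi))
        rules.append(Rule(proto, wildcard_to_net(s, sw), wildcard_to_net(d, dw), lo, hi))
    return rules


def permitted(rules, proto, src_ip, dst_ip, dport):
    """A packet passes if any rule matches; no match is the implicit deny."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return any(r.proto in ("any", proto) and src in r.src and dst in r.dst
               and r.dport_lo <= dport <= r.dport_hi for r in rules)


# Outbound ACLs exactly as posted in the thread, keyed by VLAN number.
OUTBOUND_ACL = {
    6: parse_acl("permit all"),
    4: parse_acl("""
        permit tcp 0.0.0.0 255.255.255.255 172.16.6.166 0.0.0.0 eq 443
        permit tcp 0.0.0.0 255.255.255.255 172.16.6.166 0.0.0.0 eq 4172
        permit udp 0.0.0.0 255.255.255.255 172.16.6.166 0.0.0.0 eq 4172
        permit tcp 0.0.0.0 255.255.255.255 172.16.2.0 0.0.3.255 eq 4172
        permit udp 0.0.0.0 255.255.255.255 172.16.2.0 0.0.3.255 eq 4172
        permit tcp 0.0.0.0 255.255.255.255 172.16.2.0 0.0.3.255 eq 32111
        permit tcp 0.0.0.0 255.255.255.255 172.16.6.166 0.0.0.0 range 4001 4002
    """),
    2: parse_acl("""
        permit tcp 0.0.0.0 255.255.255.255 172.16.6.166 0.0.0.0 eq 443
        permit tcp 0.0.0.0 255.255.255.255 172.16.6.166 0.0.0.0 eq 4172
        permit udp 0.0.0.0 255.255.255.255 172.16.6.166 0.0.0.0 eq 4172
        permit tcp 0.0.0.0 255.255.255.255 172.16.4.0 0.0.3.255 eq 4172
        permit udp 0.0.0.0 255.255.255.255 172.16.4.0 0.0.3.255 eq 4172
        permit tcp 0.0.0.0 255.255.255.255 172.16.4.0 0.0.3.255 eq 32111
        permit udp 0.0.0.0 255.255.255.255 172.16.4.0 0.0.3.255 eq 50002
    """),
}

# Constructed assumption: one /24 per VLAN, numbered like the thread.
VLAN_SUBNETS = {
    2: ipaddress.IPv4Network("172.16.2.0/24"),
    4: ipaddress.IPv4Network("172.16.4.0/24"),
    6: ipaddress.IPv4Network("172.16.6.0/24"),
}


def vlan_of(ip):
    addr = ipaddress.IPv4Address(ip)
    return next(v for v, net in VLAN_SUBNETS.items() if addr in net)


def check_session(proto, client_ip, server_ip, service_port, client_port=51234):
    """Evaluate one client->server session on the stateless ACLs and return
    (request_permitted, reply_permitted). The request is filtered by the client
    VLAN's outbound ACL; the reply, sourced from the service port towards the
    client's ephemeral port (constructed default 51234), by the server VLAN's."""
    fwd = permitted(OUTBOUND_ACL[vlan_of(client_ip)], proto, client_ip, server_ip, service_port)
    rev = permitted(OUTBOUND_ACL[vlan_of(server_ip)], proto, server_ip, client_ip, client_port)
    return fwd, rev


# Constructed hosts: a View client on VLAN 2, a desktop on VLAN 4, the posted Connection Server.
CLIENT, DESKTOP, CONN_SERVER = "172.16.2.50", "172.16.4.20", "172.16.6.166"

SESSIONS = [
    ("client -> Connection Server TCP 443", "tcp", CLIENT, CONN_SERVER, 443),
    ("client -> desktop PCoIP TCP 4172", "tcp", CLIENT, DESKTOP, 4172),
    ("client -> desktop USB TCP 32111", "tcp", CLIENT, DESKTOP, 32111),
    ("desktop -> Connection Server TCP 4001", "tcp", DESKTOP, CONN_SERVER, 4001),
]

if __name__ == "__main__":
    for name, proto, c, s, port in SESSIONS:
        fwd, rev = check_session(proto, c, s, port)
        print(f"{name:40} request {'ok' if fwd else 'DENIED':6} reply {'ok' if rev else 'DENIED'}")
```

Run as-is, the sessions towards the Connection Server pass both ways only because VLAN 6 is "permit all"; the client-to-desktop PCoIP and USB sessions are permitted on the request but denied on the reply, because the VLAN 4 outbound ACL only matches destination ports 4172 and 32111 towards the client subnet and the reply is addressed to whatever ephemeral port the client chose. That is the traffic the follow-up post sees as random ports: on a stateless filter the reply direction has to be permitted explicitly (the desktop's known source port towards the client subnet), or the filtering has to move to a stateful device. Note also that the wildcard "172.16.2.0 0.0.3.255" evaluates to 172.16.0.0/22 and "172.16.4.0 0.0.3.255" to 172.16.4.0/22, which the parser reproduces so the check matches what the switch will actually do.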