Security
Table Of Contents
- View Security
- Contents
- View Security
- Horizon 7 Accounts, Resources, and Log Files
- View Security Settings
- Ports and Services
- Configuring Security Protocols and Cipher Suites on a View Connection Server Instance or on a Security Server
- Configuring Security Protocols and Cipher Suites for Blast Secure Gateway
- Deploying USB Devices in a Secure Horizon 7 Environment
- HTTP Protection Measures on Connection Servers and Security Servers
Table 3‑1. TCP and UDP Ports Used by View (Continued)
Source Port Target Port
Protoco
l Description
Unified Access
Gateway
appliance
* View Connection
Server or load
balancer
443 TCP HTTPS access. Unified Access Gateway appliances
connect on TCP port 443 to communicate with a View
Connection Server instance or load balancer in front of
multiple View Connection Server instances.
View Composer
service
* ESXi host 902 TCP Used when View Composer customizes linked-clone
disks, including View Composer internal disks and, if
they are specified, persistent disks and system
disposable disks.
Note The UDP port number that clients use for PCoIP might change. If port 50002 is in use, the client
will pick 50003. If port 50003 is in use, the client will pick port 50004, and so on. You must configure
firewalls with ANY where an asterisk (*) is listed in the table.
Note Microsoft Windows Server requires a dynamic range of ports to be open between all Connection
Servers in the Horizon 7 environment. These ports are required by Microsoft Windows for the normal
operation of Remote Procedure Call (RPC) and Active Directory replication. For more information about
the dynamic range of ports, see the Microsoft Windows Server documentation.
HTTP Redirection in View
Connection attempts over HTTP are silently redirected to HTTPS, except for connection attempts to View
Administrator. HTTP redirection is not needed with more recent Horizon clients because they default to
HTTPS, but it is useful when your users connect with a Web browser, for example to download Horizon
Client.
The problem with HTTP redirection is that it is a non-secure protocol. If a user does not form the habit of
entering https:// in the address bar, an attacker can compromise the Web browser, install malware, or
steal credentials, even when the expected page is correctly displayed.
Note HTTP redirection for external connections can take place only if you configure your external
firewall to allow inbound traffic to TCP port 80.
Connection attempts over HTTP to View Administrator are not redirected. Instead, an error message is
returned indicating that you must use HTTPS.
To prevent redirection for all HTTP connection attempts, see "Prevent HTTP Redirection for Client
Connections to Connection Server" in the View Installation document.
Connections to port 80 of a View Connection Server instance or security server can also take place if you
off-load SSL client connections to an intermediate device. See "Off-load SSL Connections to Intermediate
Servers" in the View Administration document.
To allow HTTP redirection when the SSL port number was changed, see "Change the Port Number for
HTTP Redirection to Connection Server" in the View Installation document.
View Security
VMware, Inc. 17