Table 5-1. Front-End Firewall Rules

| Source | Default Port | Protocol | Destination | Default Port | Notes |
|---|---|---|---|---|---|
| View Client | TCP Any | HTTP | Security server | TCP 80 | (Optional) External client devices connect to a security server within the DMZ on TCP port 80 and are automatically directed to HTTPS. For information about the security considerations related to letting users connect with HTTP rather than HTTPS, see the VMware Horizon View Security guide. |
| View Client | TCP Any | HTTPS | Security server | TCP 443 | External client devices connect to a security server within the DMZ on TCP port 443 to communicate with a Connection Server instance and View desktops. |
| View Client | TCP Any, UDP Any | PCoIP | Security server | TCP 4172, UDP 4172 | External client devices connect to a security server within the DMZ on TCP port 4172 and UDP port 4172 to communicate with a View desktop over PCoIP. |
| Security server | UDP 4172 | PCoIP | View Client | UDP Any | Security servers send PCoIP data back to an external client device from UDP port 4172. The destination UDP port is the source port of the received UDP packets; because this is reply data, it is normally unnecessary to add an explicit firewall rule for it. |
| Client Web browser | TCP Any | HTTPS | Security server | TCP 8443 | If you use VMware Horizon View HTML Access, the external Web client connects to a security server within the DMZ on HTTPS port 8443 to communicate with View desktops. |
Back-End Firewall Rules
To allow a security server to communicate with each View Connection Server instance that resides within the
internal network, the back-end firewall must allow inbound traffic on certain TCP ports. Behind the back-end
firewall, internal firewalls must be similarly configured to allow View desktops and View Connection Server
instances to communicate with each other. Table 5-2 summarizes the back-end firewall rules.
Table 5-2. Back-End Firewall Rules

| Source | Default Port | Protocol | Destination | Default Port | Notes |
|---|---|---|---|---|---|
| Security server | UDP 500 | IPsec | Connection Server | UDP 500 | Security servers negotiate IPsec with View Connection Server instances on UDP port 500. |
| Connection Server | UDP 500 | IPsec | Security server | UDP 500 | View Connection Server instances respond to security servers on UDP port 500. |
| Security server | UDP 4500 | NAT-T ISAKMP | Connection Server | UDP 4500 | Required if NAT is used between a security server and its paired View Connection Server instance. Security servers use UDP port 4500 to traverse NATs and negotiate IPsec security. |
| Connection Server | UDP 4500 | NAT-T ISAKMP | Security server | UDP 4500 | View Connection Server instances respond to security servers on UDP port 4500 if NAT is used. |
| Security server | TCP Any | AJP13 | Connection Server | TCP 8009 | Security servers connect to View Connection Server instances on TCP port 8009 to forward Web traffic from external client devices. If you enable IPsec, and one-way or two-way NAT is configured on the back-end firewall, UDP port 4500 must be allowed in each direction between the security server and the View Connection Server instance; it is then used instead of TCP port 8009 for AJP13 traffic. |
| Security server | TCP Any | JMS | Connection Server | TCP 4001 | Security servers connect to View Connection Server instances on TCP port 4001 to exchange Java Message Service (JMS) traffic. |
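The two tables above, encoded as a small policy model so that a proposed flow can be checked against them and the front-end rule set rendered for a stateful firewall. This is an added example, not code from the VMware guide; the role names (view-client, security-server, connection-server, web-browser), the `nat` switch that turns the NAT-T rows on, and the iptables rendering with its constructed addresses are assumptions of this example.

```python
from collections import namedtuple

ANY = None  # the tables' "Any" port
# reply_only marks return traffic that a stateful firewall already tracks (no explicit rule needed)
Rule = namedtuple("Rule", "src proto src_port dst dst_port reply_only", defaults=[False])

# Table 5-1: external client -> security server in the DMZ
FRONT_END = [
    Rule("view-client", "tcp", ANY, "security-server", 80),    # optional HTTP, redirected to HTTPS
    Rule("view-client", "tcp", ANY, "security-server", 443),
    Rule("view-client", "tcp", ANY, "security-server", 4172),  # PCoIP
    Rule("view-client", "udp", ANY, "security-server", 4172),  # PCoIP
    Rule("security-server", "udp", 4172, "view-client", ANY, reply_only=True),  # PCoIP reply
    Rule("web-browser", "tcp", ANY, "security-server", 8443),  # HTML Access
]

def back_end(nat: bool) -> list:
    """Table 5-2: security server <-> Connection Server. NAT-T rows apply only when NAT is in the path."""
    rules = [
        Rule("security-server", "udp", 500, "connection-server", 500),   # IPsec (ISAKMP)
        Rule("connection-server", "udp", 500, "security-server", 500),
        Rule("security-server", "tcp", ANY, "connection-server", 8009),  # AJP13
        Rule("security-server", "tcp", ANY, "connection-server", 4001),  # JMS
    ]
    if nat:  # with IPsec and NAT, AJP13 is carried over NAT-T on UDP 4500 in both directions
        rules += [Rule("security-server", "udp", 4500, "connection-server", 4500),
                  Rule("connection-server", "udp", 4500, "security-server", 4500)]
    return rules

def is_allowed(rules, src, proto, dst, dst_port, src_port=ANY):
    """True if some row permits the flow; ANY in a rule matches any port."""
    return any(r.src == src and r.proto == proto and r.dst == dst
               and r.dst_port in (ANY, dst_port) and r.src_port in (ANY, src_port)
               for r in rules)

def iptables_forward(rules, addr):
    """Render explicit FORWARD rules (constructed iptables syntax); addr maps role -> IP/CIDR or 'any'."""
    lines = ["iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for r in rules:
        if r.reply_only:
            continue  # the conntrack rule above accepts the PCoIP reply from UDP 4172
        line = f"iptables -A FORWARD -p {r.proto}"
        if addr[r.src] != "any":
            line += f" -s {addr[r.src]}"
        if addr[r.dst] != "any":
            line += f" -d {addr[r.dst]}"
        lines.append(f"{line} --dport {r.dst_port} -j ACCEPT")
    return lines
```

Querying `is_allowed(FRONT_END, "view-client", "tcp", "security-server", 8009)` returns False, which is the check to run before anyone opens a back-end port on the front-end firewall.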
Chapter 5 Planning for Security Features
VMware, Inc. 73