VMware View Architecture Planning (View 5.1)
Back-End Firewall Rules
To allow a security server to communicate with each View Connection Server instance that resides within the
internal network, the back-end firewall must allow inbound traffic on certain TCP ports. Behind the back-end
firewall, internal firewalls must be similarly configured to allow View desktops and View Connection Server
instances to communicate with each other. Table 5-2 summarizes the back-end firewall rules.
Table 5-2. Back-End Firewall Rules

| Source | Port | Protocol | Destination | Port | Notes |
|---|---|---|---|---|---|
| Security server | UDP 500 | IPSec | Connection Server | UDP 500 | Security servers negotiate IPSec with View Connection Server instances on UDP port 500. |
| Connection Server | UDP 500 | IPSec | Security server | UDP 500 | View Connection Server instances respond to security servers on UDP port 500. |
| Security server | TCP Any | AJP13 | Connection Server | TCP 8009 | Security servers connect to View Connection Server instances on TCP port 8009 to forward Web traffic from external client devices. If you enable IPSec, and one-way or two-way NAT is configured on the back-end firewall, UDP port 4500 must be allowed in each direction between the security server and the View Connection Server instance; it is then used instead of TCP port 8009 for AJP13 traffic. |
| Security server | TCP Any | JMS | Connection Server | TCP 4001 | Security servers connect to View Connection Server instances on TCP port 4001 to exchange Java Message Service (JMS) traffic. |
| Security server | TCP Any | RDP | View desktop | TCP 3389 | Security servers connect to View desktops on TCP port 3389 to exchange RDP traffic. |
| Security server | TCP Any | MMR | View desktop | TCP 4927 | Security servers connect to View desktops on TCP port 9427 to receive MMR traffic. |
| Security server | TCP Any; UDP Any | PCoIP | View desktop | TCP 4172; UDP 4172 | Security servers connect to View desktops on TCP port 4172 and UDP port 4172 to exchange PCoIP traffic. |
| View desktop | UDP 4172 | PCoIP | Security server | UDP Any | View desktops send PCoIP data back to a security server from UDP port 4172. The destination UDP port is the source port of the received UDP packets; because this is reply data, it is normally unnecessary to add an explicit firewall rule for it. |
| Security server | TCP 32111 | USB-R | View desktop | TCP 4172 | Security servers connect to View desktops on TCP port 32111 to exchange USB redirection traffic between an external client device and the View desktop. |
| Security server | TCP Any | HTTP | Transfer Server | TCP 80 | Security servers connect to View Transfer Servers on TCP port 80 to download View desktop data to external local mode clients and to exchange replication data. |
| Security server | TCP Any | HTTPS | Transfer Server | TCP 443 | If you configure View Transfer Server to use SSL for local mode operations and desktop provisioning, security servers connect to View Transfer Servers on TCP port 443 instead of TCP port 80 to download View desktop data to external local mode clients and to exchange replication data. |
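The conditional rows of Table 5-2 (UDP 4500 replacing TCP 8009 when IPSec runs through NAT, TCP 443 replacing TCP 80 when the Transfer Server uses SSL, and the PCoIP reply row that a stateful firewall admits without a rule) are easy to get wrong when a policy is written by hand. The following is an added Python example, not VMware code, that expands the table for one deployment's options and reports which required flows a proposed allow-list lacks; the host labels and the Rule format are assumptions of the script, and port numbers are transcribed from the table's Notes column.

```python
"""Audit a back-end firewall policy against the rules of Table 5-2.

Added example, not VMware code. Ports are transcribed from the table's Notes
column; the Rule format and host labels are assumptions of this script.
"""
from typing import NamedTuple


class Rule(NamedTuple):
    src: str    # security_server, connection_server, view_desktop, transfer_server
    proto: str  # "tcp" or "udp"
    dst: str
    dport: str  # destination port, or "any"


# Rows that apply regardless of the IPSec/NAT and Transfer Server SSL options.
BASE_RULES = [
    Rule("security_server", "udp", "connection_server", "500"),   # IPSec negotiation
    Rule("connection_server", "udp", "security_server", "500"),   # IPSec response
    Rule("security_server", "tcp", "connection_server", "4001"),  # JMS
    Rule("security_server", "tcp", "view_desktop", "3389"),       # RDP
    Rule("security_server", "tcp", "view_desktop", "9427"),       # MMR
    Rule("security_server", "tcp", "view_desktop", "4172"),       # PCoIP
    Rule("security_server", "udp", "view_desktop", "4172"),       # PCoIP
    Rule("security_server", "tcp", "view_desktop", "32111"),      # USB redirection
]
# PCoIP replies from the desktop: a stateful firewall admits these without a rule.
PCOIP_REPLY = Rule("view_desktop", "udp", "security_server", "any")


def required_rules(ipsec_nat=False, transfer_ssl=False, stateful=True):
    """Expand Table 5-2 for one deployment's options."""
    rules = list(BASE_RULES)
    if ipsec_nat:  # IPSec with NAT on the back-end firewall: UDP 4500 both ways replaces TCP 8009
        rules.append(Rule("security_server", "udp", "connection_server", "4500"))
        rules.append(Rule("connection_server", "udp", "security_server", "4500"))
    else:
        rules.append(Rule("security_server", "tcp", "connection_server", "8009"))  # AJP13
    # View Transfer Server: TCP 443 when it is configured for SSL, otherwise TCP 80.
    rules.append(Rule("security_server", "tcp", "transfer_server", "443" if transfer_ssl else "80"))
    if not stateful:
        rules.append(PCOIP_REPLY)
    return rules


def allows(entry, rule):
    """A policy entry covers a rule when hosts and protocol match and its port is "any" or equal."""
    return (entry.src, entry.proto, entry.dst) == (rule.src, rule.proto, rule.dst) \
        and entry.dport in ("any", rule.dport)


def missing_rules(policy, **options):
    """Return the required rules that no entry of the policy allows."""
    return [r for r in required_rules(**options) if not any(allows(e, r) for e in policy)]
```

Feed it the allow-list you intend to deploy as a list of Rule entries; an empty result means every flow in the table for those options is covered.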
TCP Ports for View Connection Server Intercommunication
Groups of View Connection Server instances use additional TCP ports to communicate with each other. For
example, View Connection Server instances use port 4100 to transmit JMS inter-router (JMSIR) traffic to each
other. Firewalls are generally not used between the View Connection Server instances in a group.
Chapter 5 Planning for Security Features
VMware, Inc. 67