When you have to configure firewall policies for a VMware View environment, it is sometimes hard to find a simple overview of all the necessary ports and firewall settings.
To help you with that job, here is a comprehensive overview of all important communication flows of such an implementation.
This document is a consolidated aggregation of the information you can find in the following documents:
Perimeter Firewall Rules

| Source IP | Source Port | Direction | Destination IP | Transport Protocol | Dest. Port | Application Protocol | Comment | Type |
|---|---|---|---|---|---|---|---|---|
| <EXTERNALCLIENT> | <CLIENTPORT> | Inbound | <SECURITYSERVER> | TCP | 80 | HTTP | Used if SSL/HTTPS is not used on the Security Server | Optional |
| <EXTERNALCLIENT> | <CLIENTPORT> | Inbound | <SECURITYSERVER> | TCP | 443 | HTTPS | Communication between View Client and View Security Server. Authentication etc. | Mandatory |
| <EXTERNALCLIENT> | <CLIENTPORT> | Inbound | <SECURITYSERVER> | TCP | 4172 | PCoIP | PCoIP Connection Establishment | Mandatory |
| <EXTERNALCLIENT> | <CLIENTPORT> | Both | <SECURITYSERVER> | UDP | 4172 | PCoIP | PCoIP Data Transmission | Mandatory |
DMZ Firewall Rules

| Source IP | Source Port | Direction | Destination IP | Transport Protocol | Dest. Port | Application Protocol | Comment | Type |
|---|---|---|---|---|---|---|---|---|
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <CONNECTIONSERVER> | TCP | 8009 | AJP13 | AJP Data Traffic | Mandatory |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <CONNECTIONSERVER> | TCP | 4001 | JMS | Java Messaging | Mandatory |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 80 | HTTP | Used if SSL/HTTPS is not used on the Transfer Server | HTTPS preferred |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 443 | HTTPS | Communication with Transfer Server for the Offline Usage of VDIs | |
| <SECURITYSERVER> | <CLIENTPORT> | Both | <VIEWAGENT> | UDP | 4172 | PCoIP | PCoIP Data Transmission | Mandatory |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 3389 | RDP | Remote Desktop Protocol | Optional |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 4172 | PCoIP | PCoIP Connection Establishment | Mandatory |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 32111 | | USB Redirection | Optional |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 9427 | | Multimedia Redirection, RDP connections only | Optional |
Connection Server Rules

| Source IP | Source Port | Direction | Destination IP | Transport Protocol | Dest. Port | Application Protocol | Comment | Type |
|---|---|---|---|---|---|---|---|---|
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <ACTIVEDIRECTORYSERVER> | TCP | 389 | LDAP | Active Directory Authentication | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <ACTIVEDIRECTORYSERVER> | UDP | 389 | LDAP | Active Directory Authentication | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Both | <CONNECTIONSERVER> | TCP | 4100 | JMSIR | Inter-Server Communication | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Both | <CONNECTIONSERVER> | TCP | 389 | LDAP | ADAM | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Both | <CONNECTIONSERVER> | TCP | 636 | LDAPS | AD LDS | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Both | <CONNECTIONSERVER> | TCP | 1515 | | Microsoft Endpoint Mapper | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Both | <CONNECTIONSERVER> | TCP | 4001 | JMS | Java Messaging | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Both | <CONNECTIONSERVER> | TCP | 8009 | AJP13 | AJP Data Traffic | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Both | <TRANSFERSERVER> | TCP | 8009 | AJP13 | AJP Data Traffic | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <TRANSFERSERVER> | TCP | 80 | HTTP | Used if SSL/HTTPS is not used on the Transfer Server | HTTPS preferred |
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <TRANSFERSERVER> | TCP | 443 | HTTPS | Communication with Transfer Server for the Offline Usage of VDIs | |
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <TRANSFERSERVER> | TCP | 4001 | JMS | Java Messaging | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <TRANSFERSERVER> | TCP | 4100 | JMSIR | Inter-Server Communication | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <TRANSFERSERVER> | TCP | 8009 | AJP13 | AJP Data Traffic | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <VCENTERSERVER> | TCP | 18443 | SOAP | View Composer Communication | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <VCENTERSERVER> | TCP | 443 | HTTPS | vCenter Communication | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Both | <VIEWAGENT> | TCP | 4001 | JMS | Java Messaging | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <RSASERVER> | UDP | 5500 | | RSA SecurID Authentication | Optional |
| <INTERNALCLIENT> | <CLIENTPORT> | Outbound | <CONNECTIONSERVER> | TCP | 80 | HTTP | Used if SSL/HTTPS is not used on the Connection Server | HTTPS preferred |
| <INTERNALCLIENT> | <CLIENTPORT> | Outbound | <CONNECTIONSERVER> | TCP | 443 | SSL | Communication between View Client and View Connection Server. Authentication etc. | |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <CONNECTIONSERVER> | TCP | 8009 | AJP13 | AJP Data Traffic | Mandatory |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <CONNECTIONSERVER> | TCP | 4001 | JMS | Java Messaging | Mandatory |
Transfer Server Rules

| Source IP | Source Port | Direction | Destination IP | Transport Protocol | Dest. Port | Application Protocol | Comment | Type |
|---|---|---|---|---|---|---|---|---|
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 80 | HTTP | Used if SSL/HTTPS is not used on the Transfer Server | HTTPS preferred |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 443 | HTTPS | Communication with Transfer Server for the Offline Usage of VDIs | |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 80 | HTTP | Used if SSL/HTTPS is not used on the Transfer Server | HTTPS preferred |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 443 | HTTPS | Communication with Transfer Server for the Offline Usage of VDIs | |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 8009 | AJP13 | AJP Data Traffic | Mandatory |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 4100 | JMSIR | Inter-Server Communication | Mandatory |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 4001 | JMS | Java Messaging | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 4001 | JMS | Java Messaging | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 4100 | JMSIR | Inter-Server Communication | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 8009 | AJP13 | AJP Data Traffic | Mandatory |
| <TRANSFERSERVER> | <CLIENTPORT> | Outbound | <VSPHEREHOST> | TCP | 902 | | Used if SSL/HTTPS is not used on the Connection Server | Mandatory |
View Agent Rules

| Source IP | Source Port | Direction | Destination IP | Transport Protocol | Dest. Port | Application Protocol | Comment | Type |
|---|---|---|---|---|---|---|---|---|
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 3389 | RDP | Remote Desktop Protocol | Optional |
| <INTERNALCLIENT> | <CLIENTPORT> | Both | <VIEWAGENT> | UDP | 4172 | PCoIP | PCoIP Data Transmission | Mandatory |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 4172 | PCoIP | PCoIP Connection Establishment | Mandatory |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 9472 | | Multimedia Redirection, RDP connections only | Optional |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 32111 | | USB Redirection | Optional |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 42966 | HP RGS | HP Remote Graphics Server | Optional |
| <VIEWAGENT> | <CLIENTPORT> | Outbound | <CONNECTIONSERVER> | TCP | 4001 | JMS | Java Messaging | Mandatory |
View Client Rules (internal / without using Security Server)

| Source IP | Source Port | Direction | Destination IP | Transport Protocol | Dest. Port | Application Protocol | Comment | Type |
|---|---|---|---|---|---|---|---|---|
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 3389 | RDP | Remote Desktop Protocol | Optional |
| <INTERNALCLIENT> | <CLIENTPORT> | Both | <VIEWAGENT> | UDP | 4172 | PCoIP | PCoIP Data Transmission | Mandatory |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 4172 | PCoIP | PCoIP Connection Establishment | Mandatory |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 9472 | | Multimedia Redirection, RDP connections only | Optional |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 32111 | | USB Redirection | Optional |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 42966 | HP RGS | HP Remote Graphics Server | Optional |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <CONNECTIONSERVER> | TCP | 80 | HTTP | | HTTPS preferred |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <CONNECTIONSERVER> | TCP | 443 | HTTPS | | |
View Client Rules (external / using Security Server)

| Source IP | Source Port | Direction | Destination IP | Transport Protocol | Dest. Port | Application Protocol | Comment | Type |
|---|---|---|---|---|---|---|---|---|
| <EXTERNALCLIENT> | <CLIENTPORT> | Inbound | <CONNECTIONSERVER> | TCP | 80 | HTTP | | HTTPS preferred |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <CONNECTIONSERVER> | TCP | 443 | HTTPS | | |
| <INTERNALCLIENT> | <CLIENTPORT> | Both | <CONNECTIONSERVER> | UDP | 4172 | PCoIP | PCoIP Data Transmission | Mandatory |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <CONNECTIONSERVER> | TCP | 4172 | PCoIP | PCoIP Connection Establishment | Mandatory |
HTTP and HTTPS traffic can be proxied at the application layer.
Every other protocol should only be proxied with a transparent TCP/UDP proxy.
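As an added example (not part of the original post and not VMware's code), the following Python script encodes a subset of the Perimeter and DMZ rules from the tables above as data, renders them as stateful iptables rules for a FORWARD chain, and checks constructed flow-log lines against the policy. It handles the one edge case the tables express with "Both": the UDP PCoIP flows, where the server side answers from port 4172 to the client's ephemeral port, so a stateless check must also accept the reverse direction keyed on the source port. The zone-to-address mapping, the FORWARD chain, the `src=… dst=… proto=… sport=… dport=…` log format and the sample log lines are all assumptions constructed for the example.

```python
"""Turn the VMware View port tables into a checkable policy (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str        # source zone, as named in the tables (<SECURITYSERVER> etc.)
    direction: str  # "Inbound", "Outbound" or "Both"
    dst: str        # destination zone
    proto: str      # "TCP" or "UDP"
    dport: int      # destination port
    app: str        # application protocol label from the table
    kind: str       # "Mandatory" or "Optional"


# Subset of the Perimeter and DMZ rules above; the values are the page's own.
RULES = [
    Rule("EXTERNALCLIENT", "Inbound", "SECURITYSERVER", "TCP", 443, "HTTPS", "Mandatory"),
    Rule("EXTERNALCLIENT", "Inbound", "SECURITYSERVER", "TCP", 4172, "PCoIP", "Mandatory"),
    Rule("EXTERNALCLIENT", "Both", "SECURITYSERVER", "UDP", 4172, "PCoIP", "Mandatory"),
    Rule("SECURITYSERVER", "Inbound", "CONNECTIONSERVER", "TCP", 8009, "AJP13", "Mandatory"),
    Rule("SECURITYSERVER", "Inbound", "CONNECTIONSERVER", "TCP", 4001, "JMS", "Mandatory"),
    Rule("SECURITYSERVER", "Inbound", "VIEWAGENT", "TCP", 4172, "PCoIP", "Mandatory"),
    Rule("SECURITYSERVER", "Both", "VIEWAGENT", "UDP", 4172, "PCoIP", "Mandatory"),
    Rule("SECURITYSERVER", "Inbound", "VIEWAGENT", "TCP", 3389, "RDP", "Optional"),
]

# Constructed, hypothetical zone-to-address mapping (documentation/private ranges).
ZONES = {
    "EXTERNALCLIENT": "0.0.0.0/0",
    "SECURITYSERVER": "192.0.2.10/32",
    "CONNECTIONSERVER": "10.0.10.20/32",
    "VIEWAGENT": "10.0.20.0/24",
}


def is_allowed(src, dst, proto, sport, dport, include_optional=True):
    """True if a flow between two zones is covered by one of RULES."""
    for r in RULES:
        if r.proto != proto or (r.kind == "Optional" and not include_optional):
            continue
        # Normal case: the flow is initiated towards the rule's destination port.
        if (src, dst, dport) == (r.src, r.dst, r.dport):
            return True
        # "Both" rows (UDP PCoIP): the server answers from 4172, so the reverse
        # direction is matched on the source port instead.
        if r.direction == "Both" and (src, dst, sport) == (r.dst, r.src, r.dport):
            return True
    return False


def render_iptables(rules=RULES, zones=ZONES, include_optional=True):
    """Render the rules as iptables commands for a default-drop FORWARD chain."""
    lines = ["iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for r in rules:
        if r.kind == "Optional" and not include_optional:
            continue
        p = r.proto.lower()
        lines.append(f"iptables -A FORWARD -s {zones[r.src]} -d {zones[r.dst]} "
                     f"-p {p} --dport {r.dport} -m comment --comment {r.app} -j ACCEPT")
        if r.direction == "Both":  # explicit reverse rule for the UDP PCoIP data path
            lines.append(f"iptables -A FORWARD -s {zones[r.dst]} -d {zones[r.src]} "
                         f"-p {p} --sport {r.dport} -m comment --comment {r.app} -j ACCEPT")
    lines.append("iptables -A FORWARD -j DROP")
    return lines


def audit(log_lines, include_optional=True):
    """Return the constructed-format log lines that the policy does not permit."""
    violations = []
    for line in log_lines:
        f = dict(kv.split("=", 1) for kv in line.split())
        if not is_allowed(f["src"], f["dst"], f["proto"], int(f["sport"]),
                          int(f["dport"]), include_optional):
            violations.append(line)
    return violations


# Constructed sample flow log (zone names instead of addresses for readability).
SAMPLE_LOG = [
    "src=EXTERNALCLIENT dst=SECURITYSERVER proto=TCP sport=51000 dport=443",   # allowed
    "src=VIEWAGENT dst=SECURITYSERVER proto=UDP sport=4172 dport=50001",        # reverse PCoIP, allowed
    "src=EXTERNALCLIENT dst=CONNECTIONSERVER proto=TCP sport=51002 dport=8009",  # bypasses the Security Server
    "src=SECURITYSERVER dst=VIEWAGENT proto=TCP sport=51003 dport=3389",        # only if optional RDP is enabled
]

if __name__ == "__main__":
    print("\n".join(render_iptables()))
    print("violations (optional rules enabled):", audit(SAMPLE_LOG))
    print("violations (mandatory only):", audit(SAMPLE_LOG, include_optional=False))
```

Running the script prints the rendered chain followed by the third sample line as the only violation when optional rules count, and the third and fourth lines when only mandatory rules are enforced. The rendering relies on the conntrack ESTABLISHED,RELATED rule for TCP return traffic, so only the "Both" UDP rows get an explicit reverse rule.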
Maybe you have already seen it, but I just noticed it now. If you open the Windows Start menu and click on the little arrow on the right side of the View Client entry, you can easily access the last used servers and desktops. I really like that!
