Architecture Planning
Table Of Contents
- View Architecture Planning
- Introduction to View
- Planning a Rich User Experience
- Feature Support Matrix for View Agent
- Choosing a Display Protocol
- Using Hosted Applications
- Using View Persona Management to Retain User Data and Settings
- Using USB Devices with Remote Desktops and Applications
- Using the Real-Time Audio-Video Feature for Webcams and Microphones
- Using 3D Graphics Applications
- Streaming Multimedia to a Remote Desktop
- Printing from a Remote Desktop
- Using Single Sign-On for Logging In to a Remote Desktop
- Using Multiple Monitors
- Managing Desktop and Application Pools from a Central Location
- Architecture Design Elements and Planning Guidelines for Remote Desktop Deployments
- Virtual Machine Requirements for Remote Desktops
- View ESXi Node
- Desktop Pools for Specific Types of Workers
- Desktop Virtual Machine Configuration
- RDS Host Virtual Machine Configuration
- vCenter Server and View Composer Virtual Machine Configuration
- View Connection Server Maximums and Virtual Machine Configuration
- vSphere Clusters
- Storage and Bandwidth Requirements
- View Building Blocks
- View Pods
- Advantages of Using Multiple vCenter Servers in a Pod
- Planning for Security Features
- Understanding Client Connections
- Choosing a User Authentication Method
- Restricting Remote Desktop Access
- Using Group Policy Settings to Secure Remote Desktops and Applications
- Implementing Best Practices to Secure Client Systems
- Assigning Administrator Roles
- Preparing to Use a Security Server
- Understanding View Communications Protocols
- Overview of Steps to Setting Up a View Environment
- Index
Table 5‑1. Front-End Firewall Rules (Continued)

| Source | Default Port | Protocol | Destination | Default Port | Notes |
|---|---|---|---|---|---|
| Horizon Client | TCP Any, UDP Any | PCoIP | Security server | TCP 4172, UDP 4172 | External client devices connect to a security server within the DMZ on TCP port 4172 and UDP port 4172 to communicate with a remote desktop or application over PCoIP. |
| Security server | UDP 4172 | PCoIP | Horizon Client | UDP Any | Security servers send PCoIP data back to an external client device from UDP port 4172. The destination UDP port is the source port from the received UDP packets. Because these packets contain reply data, it is normally unnecessary to add an explicit firewall rule for this traffic. |
| Client Web browser | TCP Any | HTTPS | Security server | TCP 8443 | If you use HTML Access, the external Web client connects to a security server within the DMZ on HTTPS port 8443 to communicate with remote desktops. |
Back-End Firewall Rules

To allow a security server to communicate with each View Connection Server instance that resides within the internal network, the back-end firewall must allow inbound traffic on certain TCP ports. Behind the back-end firewall, internal firewalls must be similarly configured to allow remote desktops, applications, and View Connection Server instances to communicate with each other. Table 5-2 summarizes the back-end firewall rules.
Table 5‑2. Back-End Firewall Rules

| Source | Default Port | Protocol | Destination | Default Port | Notes |
|---|---|---|---|---|---|
| Security server | UDP 500 | IPSec | Connection Server | UDP 500 | Security servers negotiate IPSec with View Connection Server instances on UDP port 500. |
| Connection Server | UDP 500 | IPSec | Security server | UDP 500 | View Connection Server instances respond to security servers on UDP port 500. |
| Security server | UDP 4500 | NAT-T ISAKMP | Connection Server | UDP 4500 | Required if NAT is used between a security server and its paired View Connection Server instance. Security servers use UDP port 4500 to traverse NATs and negotiate IPsec security. |
| Connection Server | UDP 4500 | NAT-T ISAKMP | Security server | UDP 4500 | View Connection Server instances respond to security servers on UDP port 4500 if NAT is used. |
| Security server | TCP Any | AJP13 | Connection Server | TCP 8009 | Security servers connect to View Connection Server instances on TCP port 8009 to forward Web traffic from external client devices. If you enable IPSec, AJP13 traffic does not use TCP port 8009 after pairing. Instead it flows over either NAT-T (UDP port 4500) or ESP. |
| Security server | TCP Any | JMS | Connection Server | TCP 4001 | Security servers connect to View Connection Server instances on TCP port 4001 to exchange Java Message Service (JMS) traffic. |
| Security server | TCP Any | JMS | Connection Server | TCP 4002 | Security servers connect to View Connection Server instances on TCP port 4002 to exchange secure Java Message Service (JMS) traffic. |
| Security server | TCP Any | RDP | Remote desktop | TCP 3389 | Security servers connect to remote desktops on TCP port 3389 to exchange RDP traffic. |
| Security server | TCP Any | MMR | Remote desktop | TCP 9427 | Security servers connect to remote desktops on TCP port 9427 to receive traffic relating to multimedia redirection (MMR) and client drive redirection. |
Chapter 5 Planning for Security Features
VMware, Inc. 85