Horizon Cloud network ports diagrams

Overview

These diagrams are a visual companion to the port and protocol requirements in the Horizon Cloud Service product documentation, which is the canonical reference for ports and protocols prerequisites. Not all ports shown are required for every deployment — only those relevant to your chosen components and protocols apply. See: Getting Started with Horizon Cloud

This document provides network port and protocol diagrams for Omnissa® Horizon Cloud deployments across three infrastructure scenarios:

Cloud-based capacity providers
Microsoft Azure with Private Link Service
Private data center / on-premises infrastructure providers

All three scenarios share the same Horizon Cloud architecture: a UAG in the DMZ proxy’s client sessions to Horizon Agents over Blast Extreme, and the Edge Gateway connects outbound to the Horizon Control Plane on TCP 443. Each section below covers one scenario standalone and notes provider-specific connections.

Note: Always verify requirements against the product documentation for your specific release. When diagrams and documentation differ, the product documentation prevails.

Cloud-Based Infrastructure

This section shows ports and protocols for a standard Horizon Cloud deployment on a cloud-based capacity provider.

Refer to the product documentation for the complete port list, required reachable URLs, and details on supporting infrastructure connections (Active Directory, DNS, NTP, file shares).

Select the page for your cloud-based capacity provider:

Microsoft Azure: Port and Protocol Requirements for Your Horizon Cloud Deployment in Microsoft Azure
Other supported cloud-based providers, see Getting started with Horizon Cloud and open the port-and-protocol page for your provider.

Figure 1: All network ports — standard Horizon Edge Gateway deployment, Cloud-Based Provider

Microsoft Azure with Private Link Service

With Microsoft Azure Private Link Service enabled, MQTT SSL traffic from the Horizon Agent to the Horizon Control Plane routes through an Azure Private Link Endpoint (TCP 443) in the Desktop Network Zone instead of the public internet. All other ports and flows match the Cloud-Based Infrastructure section.

The Private Link Endpoint is provisioned in the customer’s Azure subscription during Horizon Edge deployment. See: Port and Protocol Requirements for Your Horizon Cloud Deployment in Microsoft Azure

Figure 2: All network ports — Horizon Edge Gateway deployment, Microsoft Azure with Private Link Service

Private Data Center / On-premises infrastructure providers

This section covers Horizon Cloud deployments on customer-owned, on-premises infrastructure. On-premises deployments add a direct hypervisor management connection: the Edge Gateway connects to the hypervisor's management API for VM lifecycle operations. The diagram below shows a VMware vSphere example, with the Edge Gateway calling vCenter Server over TCP 443; the same pattern applies to other supported hypervisor management APIs.

Note: Refer to the product documentation for the authoritative port list for your hypervisor platform, including required reachable URLs and supported load balancer options.

For VMware vSphere, see: Port and Protocol Requirements for Deploying a vSphere Edge.

Figure 3: All network ports — Horizon Edge Gateway deployment, Private Data Center / on-premises hypervisor

Additional Resources

For more information about Horizon Cloud:

Changelog

The following updates were made to this guide:

Date	Description of Changes
2026/05	Refreshed document for three deployment scenarios. Figure 1 retitled to Cloud-Based Provider (provider-agnostic). Figure 2 Azure Private Link retained with minor cleanup. Figure 3 added for Private Data Center / on-premises infrastructure providers, introducing the vCenter API (TCP 443) connection to Hypervisor Management. Overview and all supporting text updated. Inline links added to product documentation.
2024/05/21	First pass rebranding, URL Updates.
2023/06/29	Updated to add TrueSSO details Updated to add DNS over TLS (TCP 853) Diagram reorganization for future considerations Document reorganization for future considerations
2023/01/26	Updated thumbnail graphic for Azure Private Link
2022/09/19	Added section on the use of Microsoft Azure Private Link Added NAT Gateway for outbound communications to Horizon Service from Horizon Edge Gateway Service Added NTP to Desktop Zone Added SSO (TCP 443) from Edge Gateway to Desktop Zone Corrected direction of MQTT between Horizon Agent and Horizon Edge Gateway Service
2022/09/15	Initial Release

About the Author and Contributors

This guide was written by Rick Terlep, Staff Technical Marketing Architect, Omnissa, with support and contributions from:

Graeme Gordon, Senior Staff Architect, Omnissa
John Kramer, Senior Staff Product Specialist, Omnissa

Feedback

Your feedback is valuable.

To comment on this paper, contact End-User-Computing Technical Marketing at tech_content_feedback@omnissa.com.