3.12. Firewall Ports and Protocols

3.12.1. Firewalls Between Clients and Oracle VDI
3.12.2. Firewalls Between Oracle VDI and User Directories
3.12.3. Firewalls Between Oracle VDI and Desktop Providers
3.12.4. Firewalls Between the Hosts in an Oracle VDI Center

Firewalls can be used to protect various parts of a network and must be configured to permit the connections required by Oracle VDI.

3.12.1. Firewalls Between Clients and Oracle VDI

Clients must be able to connect to any host in an Oracle VDI Center.

The following table lists the ports you might need to open to permit these connections.

| Source | Destination | Port | Protocol | Purpose |
| --- | --- | --- | --- | --- |
| Client | Oracle VDI web server | 1800 | TCP | HTTP connections to Oracle VDI Manager. These connections are redirected to port 1801. |
| Client | Oracle VDI web server | 1801 | TCP | HTTPS connections to Oracle VDI Manager. |
| Client | Oracle VDI web server | 1802 | TCP | HTTPS connections to the VDI Client web services API. |
| Client | Oracle VDI host | 3389 | TCP | RDP connections to the Oracle VDI RDP Broker. |
| Sun Ray Clients | Oracle VDI host | Various | Various | See Chapter 2 of the Sun Ray Software 5.2 Installation and Configuration Guide for details. |

3.12.2. Firewalls Between Oracle VDI and User Directories

All hosts in an Oracle VDI Center need to be able to make connections to any of the configured user directories.

The following table lists the ports you might need to open to permit these connections.

| Source | Destination | Port | Protocol | Purpose |
| --- | --- | --- | --- | --- |
| Oracle VDI host | Windows server | 53 | UDP | DNS lookups on Active Directory. |
| Oracle VDI host | Windows server | 88 | TCP or UDP | Authenticate users in Active Directory. |
| Oracle VDI host | LDAP directory | 389 | TCP | Authenticate users in an LDAP directory. |
| Oracle VDI host | Windows server | 464 | TCP or UDP | Enable users to change their password if it has expired. |
| Oracle VDI host | LDAP directory server | 636 | TCP | Authenticate users using a secure connection to an LDAP directory. |
| Oracle VDI host | Windows server | 3268 | TCP | Authenticate users in Active Directory. |

Ports Required for Active Directory Type Directories

Each Oracle VDI host must be able to make connections to Active Directory on the following ports:

  • Port 53 for DNS lookups on Active Directory

  • Ports 88 and 464 for Kerberos authentication to a Key Distribution Center (KDC)

  • Port 389 for the secure LDAP connection to a domain controller

  • Port 3268 for the secure LDAP connection to a global catalog server

Oracle VDI performs several DNS lookups to discover LDAP information. For these lookups to work, it is essential that your DNS is configured correctly to enable the required information to be returned from Active Directory.

Ports 88 and 464 are the standard ports used for Kerberos authentication to a Key Distribution Center (KDC). These ports are configurable. Connections to these ports can use either the TCP or UDP protocol depending on the packet size and your Kerberos configuration. Port 464 is only required for password change operations.

Ports Required for LDAP Type Directories

The standard ports used for connections to LDAP directories are port 389 for standard connections (simple authentication) and port 636 for secure connections (secure authentication). These ports are configurable.

3.12.3. Firewalls Between Oracle VDI and Desktop Providers

In order to run desktops, all hosts in an Oracle VDI Center must be able to connect to any of the configured desktop provider hosts, and their associated storage hosts.

The ports used for connections depend on the desktop provider type and on whether the storage is managed by Oracle VDI.

The following table lists the ports you might need to open to permit these connections.

| Source | Destination | Port | Protocol | Purpose |
| --- | --- | --- | --- | --- |
| Oracle VDI host | Storage host | 22 | TCP | Storage management using SSH. Required only for Oracle VDI and Hyper-V desktop providers. |
| Oracle VDI host | Oracle VM VirtualBox host | 22 | TCP | Used to run some Oracle VM VirtualBox commands over SSH. Required only for the Oracle VDI desktop provider. |
| Oracle VDI host | Desktop provider host | 443 | TCP | HTTPS connections to web services for provisioning and managing virtual desktops, or HTTPS connections for Windows Remote Management (WinRM). Required only for Oracle VDI, Microsoft Hyper-V, VMware vCenter, and Microsoft Remote Desktop desktop providers. |
| Oracle VDI host | Storage host | 3260 | TCP | iSCSI connections when virtual disks are copied for management reasons, for example when desktops are imported or copied to a storage host for cloning. Required only for Oracle VDI and Hyper-V desktop providers. |
| Oracle VM VirtualBox host or Microsoft Hyper-V host | Storage host | 3260 | TCP | iSCSI connections to connect virtual machines to their virtual disks. Required only for Oracle VDI and Hyper-V desktop providers. |
| Oracle VDI host | Desktop provider host | 3389 | TCP | Microsoft RDP connections to virtual desktops. |
| Oracle VDI host | Oracle VM VirtualBox host | 49152-65534 | TCP | Oracle VM VirtualBox RDP (VRDP) connections to virtual desktops. Required only for the Oracle VDI desktop provider if VRDP is selected as the desktop protocol. |

Ports 22, 443, 3389, and 49152-65534 are configurable.

On Oracle VM VirtualBox hosts, port 18083 is also used for HTTP connections to the Oracle VM VirtualBox web service. This port is bound to localhost.

3.12.4. Firewalls Between the Hosts in an Oracle VDI Center

A network might contain firewalls between the hosts in an Oracle VDI Center, for example if you have multiple offices each containing an Oracle VDI host. The Oracle VDI hosts must be able to connect to any other member of the Oracle VDI Center.

The following table lists the ports you might need to open to permit these connections.

| Source | Destination | Port | Protocol | Purpose |
| --- | --- | --- | --- | --- |
| Oracle VDI host | Another Oracle VDI host | 3307 | TCP | Connections to the Oracle VDI embedded MySQL Server database. |
| Oracle VDI host | Remote MySQL database host | Configurable | Configurable | Connection to a remote MySQL database. Required only if a remote MySQL database is selected when you configure an Oracle VDI Center. |
| Oracle VDI host | Another Oracle VDI host | 11172 | TCP | Used for the JMX-MP connector to Cacao. Used by the cacaoadm command. |
| Oracle VDI host | Another Oracle VDI host | 11173 | TCP | Used for the command stream connector to Cacao. Used by the vda and vda-center commands. |
| Oracle VDI host | Another Oracle VDI host | 11174 | TCP | Used for the JMX RMI connector to Cacao. Used by the Oracle VDI Manager and for the communication between Oracle VDI Center Agents. |
| Sun Ray Software | Sun Ray Software | Various | Various | See Chapter 2 of the Sun Ray Software 5.2 Installation and Configuration Guide for details. |

On Oracle VDI hosts, port 3303 is also used for the connection between the vda client command and the Oracle VDI host. This port is bound to localhost and is configurable.
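A preflight check for the port requirements in sections 3.12.2 through 3.12.4, written here as an added example (not Oracle's code): it encodes the TCP rows of those tables and reports which destinations are reachable from the host it runs on. The role names, the placeholder hostname dc1.example.com, and the choice to probe only the two ends of the VRDP range are assumptions; the UDP row (port 53) and the Sun Ray rows are left out.

```python
import socket

# TCP rows from this section's tables (subset: 53/UDP and Sun Ray rows omitted).
REQUIRED_TCP = [  # (source role, destination role, port spec, purpose)
    ("vdi-host", "ad",       "88",          "Kerberos authentication to KDC"),
    ("vdi-host", "ad",       "464",         "Kerberos password change"),
    ("vdi-host", "ad",       "389",         "LDAP to domain controller"),
    ("vdi-host", "ad",       "3268",        "LDAP to global catalog"),
    ("vdi-host", "storage",  "22",          "Storage management over SSH"),
    ("vdi-host", "storage",  "3260",        "iSCSI for disk copies"),
    ("vdi-host", "provider", "443",         "Provider web services / WinRM"),
    ("vdi-host", "provider", "3389",        "RDP to virtual desktops"),
    ("vdi-host", "vbox",     "49152-65534", "VRDP to virtual desktops"),
    ("vdi-host", "vdi-host", "3307",        "Embedded MySQL"),
    ("vdi-host", "vdi-host", "11172",       "Cacao JMX-MP connector"),
    ("vdi-host", "vdi-host", "11173",       "Cacao command stream connector"),
    ("vdi-host", "vdi-host", "11174",       "Cacao JMX RMI connector"),
]

def parse_port_spec(spec):
    """'3389' -> (3389, 3389); '49152-65534' -> (49152, 65534)."""
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 < lo <= hi <= 65535:
        raise ValueError("bad port spec: " + spec)
    return lo, hi

def tcp_reachable(host, port, timeout=3.0):
    """True when a TCP connect completes; False on refusal, timeout or DNS failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_role(src_role, dst_role, dst_host, timeout=3.0):
    """Probe every requirement src_role -> dst_role against dst_host.
    For a range only its two ends are probed (assumption). Returns [(port, ok, purpose)]."""
    out = []
    for src, dst, spec, purpose in REQUIRED_TCP:
        if (src, dst) != (src_role, dst_role):
            continue
        lo, hi = parse_port_spec(spec)
        for port in sorted({lo, hi}):
            out.append((port, tcp_reachable(dst_host, port, timeout), purpose))
    return out

if __name__ == "__main__":  # dc1.example.com is a placeholder hostname
    for port, ok, purpose in check_role("vdi-host", "ad", "dc1.example.com"):
        print(("OK     " if ok else "BLOCKED"), port, purpose)
```

A connect that succeeds only proves the path is open at the firewall; the service behind it still has to be verified separately, and a BLOCKED result on a host that is up usually points at a missing rule for that row of the table.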