Communication Port Requirements

Summary

ProfileUnity with FlexApp provides User Environment Management and Application Layering for both virtual desktop deployments and physical PCs. ProfileUnity decouples user profiles, settings, and data from the operating system on Windows desktops, including RDSH, Citrix Virtual Apps and Desktops (CVAD), and VMware Horizon. ProfileUnity’s ongoing User Environment Management features centralized user and policy management with context aware settings.

The ProfileUnity solution consists of three parts: the Management Console, the FlexApp Packaging Console, and the Client. The ProfileUnity Management Console provides one central location where administrators can configure persona management and user and machine policies. The FlexApp Packaging Console allows administrators to configure and prepare any applications that needs to be configured for users and made available as a department installed application. The Client manages each user’s settings and persona during their session.

In addition, ProfileUnity can be configured in a clustered mode to provide multiple nodes for scaling additional resources and to protect against a single point of failure offering high availability. ProfileUnity Clustering is comprised of the following parts that communicate with each other: the license service, the FlexDisk Service, the ProfileUnity database, and ProfileUnity itself.

The goal of this document is to provide a summary of the types of communication that are taking place while providing user services and to enumerate which ports are being used.

Core ProfileUnity UEM, FlexApp with VHDX, and ProfileDisk with VHDX

Source	Target	Target TCP Port	Target Port Direction	Description
Admin PC	ProfileUnity Server	8000	Inbound	Admin PC access to the ProfileUnity Management Console
Desktops	All domain controllers with read access to NETLOGON	SMB 445 (TCP & UDP)	Inbound	The ProfileUnity Installer and Client access this path.
	Home share for user profile	SMB 445 (TCP & UDP)	Inbound	The ProfileUnity client reads the user’s profile from this path.
	VHDX file share	SMB 445 (TCP & UDP)	Inbound	The ProfileUnity Client layers in applications located on this file share.
	ProfileUnity Server	443 (Optional 8000)	Inbound	Desktops communicating with ProfileUnity to request licensing (Optional 8000 for Inventory Module support)
ProfileUnity Server	All domain controllers in the site	389, 636	Inbound	The default port for LDAP traffic is on TCP and UDP 389. If LDAP traffic is tunneled through SSL/TLS encrypted connections, then TCP port 636 is used for SSL and TCP port 389 is used for TLS.
ProfileUnity Server	All domain controllers with write access to NETLOGON	SMB 445 (TCP & UDP)	Inbound	Allows ProfileUnity Management Console to auto deploy tools and write configurations to domain controller.
All clustered ProfileUnity Servers (optional for license redundancy)	All clustered ProfileUnity Servers	8000	Inbound	ProfileUnity Management Console cluster communications
	All clustered ProfileUnity Servers	443	Inbound	ProfileUnity License Service communications
	All clustered ProfileUnity Servers	27017	Inbound	ProfileUnity Database cluster communications

Citrix Virtual Apps and Desktops VMDK ProfileDisk Ports

Source	Target	Target TCP Port	Target Port Direction	Description
Admin PC	All clustered ProfileUnity Servers	8000	Inbound	Admin PC access to the ProfileUnity Management Console
Desktops	All domain controllers with read access to NETLOGON	SMB 445 (TCP & UDP)	Inbound	The ProfileUnity Installer and Client access this path.
	Home share for user profile	SMB 445 (TCP & UDP)	Inbound	The ProfileUnity Client reads the user’s profile from this path.
	All clustered ProfileUnity Servers	443, 4443 (Optional 8000)	Inbound	Desktops communicating with ProfileUnity to request FlexDisk VMDKs and licensing (Optional 8000 for Inventory Module support)
All clustered ProfileUnity Servers	All clustered ProfileUnity Servers	4443, 8000	Inbound	ProfileUnity Management Console cluster communications
	All clustered ProfileUnity Servers	443	Inbound	ProfileUnity License Service communications
	All clustered ProfileUnity Servers	27017	Inbound	ProfileUnity Database cluster communications
	VMware Virtual Center	443	Inbound	FlexDisk VMDK provisioning and management
	All ESXi Hosts	443, 902	Inbound (443), Bidirectional (902)	FlexDisk VMDK provisioning and management
	All domain controllers in the site	389, 636	Inbound	The default port for LDAP traffic is on TCP and UDP 389. If LDAP traffic is tunneled through SSL/TLS encrypted connections, then TCP port 636 is used for SSL and TCP port 389 is used for TLS.
	All domain controllers with write access to NETLOGON	SMB 445 (TCP & UDP)	Inbound	Allows ProfileUnity Management Console to auto deploy tools and write configurations to domain controller.

VMware Horizon VMDK ProfileDisk Ports

Source	Target	Target TCP Port	Target Port Direction	Description
Admin PC	All clustered ProfileUnity Servers	8000	Inbound	Admin PC access to the ProfileUnity Management Console
Desktops	All domain controllers with read access to NETLOGON	SMB 445 (TCP & UDP)	Inbound	The ProfileUnity Installer and Client access this path.
	Home share for user profile	SMB 445 (TCP & UDP)	Inbound	The ProfileUnity Client reads the user’s profile from this path.
	All clustered ProfileUnity Servers	443, 4443 (Optional 8000)	Inbound	Desktops communicating with ProfileUnity to request FlexDisk VMDKs and licensing (Optional 8000 for Inventory Module support)
All clustered ProfileUnity Servers	All clustered ProfileUnity Servers	4443, 8000	Inbound	ProfileUnity Management Console cluster communications
	All clustered ProfileUnity Servers	443	Inbound	ProfileUnity License Service communications
	All clustered ProfileUnity Servers	27017	Inbound	ProfileUnity Database cluster communications
	VMware Virtual Center	443	Inbound	FlexDisk VMDK provisioning and management
	VMware Horizon Connection Server	443	Inbound	FlexDisk VMDK provisioning and management
	All ESXi Hosts	443, 902	Inbound (443), Bidirectional (902)	FlexDisk VMDK provisioning and management
	All domain controllers in the site	389, 636	Inbound	The default port for LDAP traffic is on TCP and UDP 389. If LDAP traffic is tunneled through SSL/TLS encrypted connections, then TCP port 636 is used for SSL and TCP port 389 is used for TLS.
	All domain controllers with write access to NETLOGON	SMB 445 (TCP & UDP)	Inbound	Allows ProfileUnity Management Console to auto deploy tools and write configurations to domain controller.

Citrix Virtual Apps and Desktops VMDK FlexApp Ports

Source	Target	Target TCP Port	Target Port Direction	Description
Admin PC	All clustered ProfileUnity Servers	8000	Inbound	Admin PC access to the ProfileUnity Management Console
Desktops	All domain controllers with read access to NETLOGON	SMB 445 (TCP & UDP)	Inbound	The ProfileUnity Installer and Client access this path.
	Home share for user profile	SMB 445 (TCP & UDP)	Inbound	The ProfileUnity Client reads the user’s profile from this path.
	All clustered ProfileUnity Servers	443, 4443 (Optional 8000)	Inbound	Desktops communicating with ProfileUnity to request FlexDisk VMDKs and licensing (Optional 8000 for Inventory Module support)
All clustered ProfileUnity Servers	All clustered ProfileUnity Servers	4443, 8000	Inbound	ProfileUnity Management Console cluster communications
	All clustered ProfileUnity Servers	443	Inbound	ProfileUnity License Service communications
	All clustered ProfileUnity Servers	27017	Inbound	ProfileUnity Database cluster communications
	VMware Virtual Center	443	Inbound	FlexDisk VMDK provisioning and management
	All ESXi Hosts	443, 902	Inbound (443), Bidirectional (902)	FlexDisk VMDK provisioning and management
	All domain controllers in the site	389, 636	Inbound	The default port for LDAP traffic is on TCP and UDP 389. If LDAP traffic is tunneled through SSL/TLS encrypted connections, then TCP port 636 is used for SSL and TCP port 389 is used for TLS.
	All domain controllers with write access to NETLOGON	SMB 445 (TCP & UDP)	Inbound	Allows ProfileUnity Management Console to auto deploy tools and write configurations to domain controller.
FlexApp Packaging Console	ProfileUnity Service, FlexDisk Service	8000	Inbound	FlexApp Packaging Console access to check FlexApp packages into inventory, FlexApp Packaging Console VMDK provisioning
FlexApp Packaging Console	VMware Virtual Center	443	Inbound	FlexDisk VMDK provisioning and management

VMware Horizon and RDSH VMDK FlexApp Ports

Source	Target	Target TCP Port	Target Port Direction	Description
Admin PC	All clustered ProfileUnity Servers	8000	Inbound	Admin PC access to the ProfileUnity Management Console
Desktops	All domain controllers with read access to NETLOGON	SMB 445 (TCP & UDP)	Inbound	The ProfileUnity Installer and Client access this path.
	Home share for user profile	SMB 445 (TCP & UDP)	Inbound	The ProfileUnity Client reads the user’s profile from this path.
	All clustered ProfileUnity Servers	443, 4443 (Optional 8000)	Inbound	Desktops communicating with ProfileUnity to request FlexDisk VMDKs and licensing (Optional 8000 for Inventory Module support)
All clustered ProfileUnity Servers	All clustered ProfileUnity Servers	4443, 8000	Inbound	ProfileUnity Management Console cluster communications
	All clustered ProfileUnity Servers	443	Inbound	ProfileUnity License Service communications
	All clustered ProfileUnity Servers	27017	Inbound	ProfileUnity Database cluster communications
	VMware Virtual Center	443	Inbound	FlexDisk VMDK provisioning and management
	VMware Horizon Connection Server	443	Inbound	FlexDisk VMDK provisioning and management
	All ESXi Hosts	443, 902	Inbound (443), Bidirectional (902)	FlexDisk VMDK provisioning and management
	All domain controllers in the site	389, 636	Inbound	The default port for LDAP traffic is on TCP and UDP 389. If LDAP traffic is tunneled through SSL/TLS encrypted connections, then TCP port 636 is used for SSL and TCP port 389 is used for TLS.
	All domain controllers with write access to NETLOGON	SMB 445 (TCP & UDP)	Inbound	Allows ProfileUnity Management Console to auto deploy tools and write configurations to domain controller.
FlexApp Packaging Console	ProfileUnity Service, FlexDisk Service	8000	Inbound	FlexApp Packaging Console access to check FlexApp packages into inventory, FlexApp Packaging Console VMDK provisioning
FlexApp Packaging Console	VMware Virtual Center	443	Inbound	FlexDisk VMDK provisioning and management