VMware Horizon Client Architecture : 4.3 Blast Extreme Protocol
   
4.3 Blast Extreme Protocol
Blast Extreme is an enhanced remote session protocol introduced with Horizon for Linux desktops, Horizon 7 and Horizon DaaS. One of the benefits of Blast Extreme is that it can be used with the Horizon Client, in addition to HTML Access using HTML5. One of the other significant features of Blast Extreme is the ability to offload the CPU cycles used for decoding by using H.264 hardware decoding.
Blast Extreme is a TCP-based protocol, but it can also be configured to use UDP, unlike PCoIP, which is UDP only. TCP is the most versatile because it is unlikely to be blocked on customer firewalls, whereas UDP is sometimes filtered in some locations (for example, public WiFi or guest networks). See Figure 21 for a full list of TCP/UDP ports.
Note: Zero-client support might be limited, and older zero-clients might only support PCoIP. If zero-clients are to be used, tenants must be sure that the Blast Extreme protocol is supported.
Figure 4. Horizon Client Blast Extreme Connection Flow
 
 
1. The Horizon Client sends authentication credentials using XML-API over HTTPS to the external URL on the Access Point appliance (or Security Server). This is typically via a load-balancer VIP (Virtual IP).
a. HTTPS authentication data is passed through from Access Point to the Connection Server. Any entitled desktop pools are then returned to the client.
Note: If Security Servers are used, they must be paired with a Connection Server. Access Point does not require pairing with Connection Servers, which provides greater flexibility without the need to dedicate Connection Servers for external or internal access.
2. The user selects a desktop or application pool entitlement, and a session handshake occurs over HTTPS (TCP 443) to Access Point / Security Server. A secure WebSocket is then established (TCP 443) for the session data between the Horizon Client and the Access Point / Security Server.
3. If configured to use UDP, the Blast Secure Gateway service attempts to establish a UDP WebSocket connection on port 8443. If this fails because a firewall is blocking the UDP port, the initial WebSocket TCP 443 connection is used instead.
Client Drive Redirection (CDR) and Multimedia Redirection (MMR) are encapsulated using HTTPS (TCP 443) from the Horizon Client to Access Point or Security Server. The HTTPS Secure Tunnel connects to the Horizon Agent on TCP 9427 for MMR and CDR traffic.
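Added example (not part of the VMware documentation): a Python check that a first-match firewall policy permits the flows described in steps 1 to 3 and the CDR/MMR tunnel to the agent. The zone names, rule format and sample policy are constructed for illustration, and it assumes "client" is the external zone, so direct client access to the agent on TCP 9427 is reported as an exposure.

```python
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    src: str              # zone name, or "any"
    dst: str              # zone name, or "any"
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # None matches every port
    action: str           # "allow" or "deny"

# Flows taken from the connection-flow text above: (src, dst, proto, port, required)
BLAST_FLOWS = [
    ("client", "access_point", "tcp", 443, True),    # XML-API, handshake, WebSocket, CDR/MMR
    ("client", "access_point", "udp", 8443, False),  # optional UDP, falls back to TCP 443
    ("access_point", "agent", "tcp", 9427, True),    # MMR and CDR to the Horizon Agent
]

# Constructed sample policy (hypothetical zones), evaluated top to bottom.
SAMPLE_POLICY = [
    Rule("client", "access_point", "tcp", 443, "allow"),
    Rule("access_point", "agent", "tcp", 9427, "allow"),
    Rule("any", "any", "any", None, "deny"),
]

def decide(rules, src, dst, proto, port):
    """Return the action of the first matching rule; default is deny."""
    for r in rules:
        if (r.src in (src, "any") and r.dst in (dst, "any")
                and r.proto in (proto, "any") and r.port in (port, None)):
            return r.action
    return "deny"

def audit(rules):
    """List blocked required flows, UDP fallback, and gateway bypass."""
    findings = []
    for src, dst, proto, port, required in BLAST_FLOWS:
        if decide(rules, src, dst, proto, port) == "allow":
            continue
        if required:
            findings.append(f"BLOCKED {src}->{dst} {proto}/{port}")
        else:
            findings.append(f"FALLBACK {src}->{dst} {proto}/{port} blocked, session stays on tcp/443")
    # CDR/MMR is tunnelled through the gateway, so clients need no direct path to 9427.
    if decide(rules, "client", "agent", "tcp", 9427) == "allow":
        findings.append("EXPOSED client->agent tcp/9427 bypasses the gateway")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_POLICY):
        print(line)
```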
The client to server port can be configured to use a side channel by configuring the following registry key on the guest OS: HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware TSDR\tcpSidechannel
tcp - CDR over TCP Sidechannel
vvc - CDR over VVC sidechannel in Blast & PCoIP – Default (Horizon Agent 7.0.2)
PCoIP - CDR over TCP sidechannel in Blast & PCoIP
vchan - CDR over VVC/PCoIP sidechannel.
none - CDR over main channel