Prerequisites

WinHorizon should be installed using WinHorizon installation guide;
An account with Full Control permissions on Public Key Services (Sites and Services > Services > Public Key Services).
This account must be able to open sessions on WinHorizon’s server. An enterprise administrator account can be used;
Access to WinHorizon server;
WinHorizon certificate (PKCS12, PFX format) with proper permissions on WCCE profiles on Horizon side;
The following flaws should be opened:

Source	Destination	Port	Description
CLIENTS_IP	WINHORIZON_IP	1024-65535/TCP, 1024-65535/UDP, 135/TCP	Clients using DCOM to retrieve certificates through WinHorizon
WINHORIZON_IP	AD_IP	3269/TCP, 3268/TCP, 389/TCP, 389/UDP, 636/TCP, 88/TCP and 88/UDP	WinHorizon connects to Active Directory component
WINHORIZON_IP	HORIZON_IP	443/TCP	WinHorizon connects to Horizon instance using mutual SSL authentication
WINHORIZON_IP	CRLDP_IP or OCSP_IP	80/TCP	WinHorizon retrieves CRL or perform OCSP request

Source

Destination

Port

Description

CLIENTS_IP

WINHORIZON_IP

1024-65535/TCP, 1024-65535/UDP, 135/TCP

Clients using DCOM to retrieve certificates through WinHorizon

WINHORIZON_IP

AD_IP

3269/TCP, 3268/TCP, 389/TCP, 389/UDP, 636/TCP, 88/TCP and 88/UDP

WinHorizon connects to Active Directory component

WINHORIZON_IP

HORIZON_IP

443/TCP

WinHorizon connects to Horizon instance using mutual SSL authentication

WINHORIZON_IP

CRLDP_IP or OCSP_IP

80/TCP

WinHorizon retrieves CRL or perform OCSP request