Internet-Facing Server Scenarios for Perimeter Networks

App-V 4.5 supports Internet-facing server scenarios, in which users who are not connected to the corporate network or who disconnect from the network can still use App-V. As shown in the following illustration, only the use of secure protocols on the Internet (RTSPS and HTTPS) is supported.

app-v firewall positioning diagram

You can set up an Internet-facing solution, using an ISA Server, where the App-V infrastructure is on the internal network in the following ways:

As shown in the following illustration, if the infrastructure has implemented other firewalls between the client and the ISA Server or between the ISA Server and the internal network, both RTSPS (TCP 322) and HTTPS (TCP 443) firewall rules must be created to support the flow of traffic. Also, if firewalls have been implemented between the ISA Server and the internal network, the default traffic required for domain members must be permitted to tunnel through the firewall (DNS, LDAP, Kerberos, SMB/CIFS).

app-v perimeter network firewall diagram

Because the firewall solutions vary from environment to environment, the guidance provided in this topic describes the traffic that would be required to configure an Internet-facing App-V environment in the perimeter network. This information also includes the recommended internal network servers.

Place the following servers in the perimeter network:

  • App-V Management Server

  • IIS server for publishing and streaming

It is a best practice to place the Management Server and IIS server on separate computers.

Place the following servers in the internal network:

  • Content server

  • Data store (SQL Server)

  • Active Directory Domain Controller

Traffic Requirements

The following tables list the traffic requirements for communication from the Internet and the perimeter network and from the perimeter network to the internal network.

Traffic Requirements from Internet to Perimeter Network Details

RTSPS (publishing refresh and streaming packages)

TCP 322 by default; this can be changed in App-V Management Server.

HTTPS (publishing ICO and OSD files and streaming packages)

TCP 443 by default; this can be changed in the IIS configuration.

Traffic Requirements from Perimeter Network to Internal Network Details

SQL Server

TCP 1433 is the default but can be configured in SQL Server.


If the content directory is located remotely from the Management Server(s) or IIS server (recommended).


TCP and UDP 88


TCP and UDP 389


For name resolution of internal resources (can be eliminated with the use of host’s file on perimeter network servers)