5.1. Security Groups Requirements

Before creating your Connection Broker and Leostream Gateway instances, ensure that you have the appropriate security groups configured in Virtuozzo Hybrid Infrastructure. Leostream requires the following ports be open for incoming traffic to the specified component. Consider three separate security groups:

  • Connection Broker

  • Leostream Gateway

  • VDI instances


Required By



Connection Broker, Leostream Gateway

For SSH access to the Connection Broker or Leostream Gateway, if required.


Connection Broker, Leostream Gateway

For access to the Connection Broker Web interface, and communications from the Leostream Agents and Leostream Connect.

On the Leostream Gateway, for communication from Leostream Connect and to use the Leostream HTML5 viewer.


Leostream Gateway

The Leostream Gateway uses this default port range to forward display protocol traffic from the user’s client device to an instance isolated in a private VHI network. You may optionally change this port range using the Leostream Gateway CLI.

NOTE: You do not need to open this range if you use the display protocol port for forwarding desktop connection traffic. For that scenario, open the display protocol port in the Leostream Gateway security group, instead.


VDI instances

Port for communications from the Connection Broker to the Leostream Agent.

* The Leostream Agent port may be changed using the Leostream Agent Control Panel dialog. If you change the default Leostream Agent port, ensure that you open the associated port in the security group


VDI instances, Leostream Gateway

For RDP access to the VDI/DaaS instances

** This port is dependent on the display protocol you plan to use. If you use a display protocol other than RDP, ensure that you open the ports required by that display protocol.