Which ports are used by a RDS 2012 deployment?
To configure Remote Desktop Services correctly for internet access or any time where firewalls are used, it is useful to know what ports are required. A detailed guide for perimeter networks is here. 
The information / taxonomy is broken down by role service/component, and lists all inbound/outbound ports used.
The information / taxonomy is broken down by role service/component, and lists all inbound/outbound ports used.
- From Client to RD Resource
- If using RDWeb
- TCP 443 (HTTPS)
- TCP|UDP 3389: Standard RDP port. Can be configured on host and client to a different port number.
- If using RDWeb
- Remote Desktop Connection Broker (RDCB)
- TCP 5504: connection to RD Web Access
- TCP 3389: connection to RD Session Host
- TCP 3389: connection to non-managed VM pools, managed machines use VMBus to open port.
- TCP 3389: client port for clients not using RD Gateway
- TCP 445|RPC: connection to RD Virtualization Host
- TCP 445|RPC: connection to RD Session Host
- TCP 5985: WMI and PowerShell Remoting for administration
- Remote Desktop Gateway
- For inbound external internet based traffic from RD Clients to the Gateway:
- TCP 443: HTTP (includes RPC over HTTP) over SSL - (configurable using RD Gateway Management console)
- UDP 3391: RDP/UDP (configurable using RD Gateway Management console) (NOTE: Firewalls that have directional UDP analysis, such as TMG, require UDP "Send Receive" configured)
- For internal traffic between the Gateway and the required User AD, Resource AD, DNS, NPS etc:
- TCP 88: Kerberos for user authentication
- TCP 135: RPC Endpoint Mapper
- TCP: <>, Port on which NTDS RPC services listens on AD
- TCP|UDP 389: LDAP for user authentication
- TCP|UDP 53: Internal resource name resolution, DNS
- TCP|UDP 389: If using LDAP for Certificate Revocation List (CRL)
- TCP 80: If using HTTP for Certificate Revocation List (CRL)
- TCP 21: If using FTP for Certificate Revocation List (CRL)
- UDP 1812, 1813: If NPS Server is being used
- TCP 5985: WMI and PowerShell Remoting for administration
- For internal traffic from the Gateway and the Internal Remote Desktop resources
- TCP|UDP 3389: RDP (NOTE: Firewalls that have directional UDP analysis, such as TMG, require UDP "Send Receive" configured in the UDP protocol)
- For inbound external internet based traffic from RD Clients to the Gateway:
- Remote Desktop Web Access
- If RD Web Access is on perimeter network
- TCP: <WMI Fixed Port>
- TCP 5504: connection to RD Connection Broker for centralized publishing
- TCP 5985: WMI and PowerShell Remoting for administration
- If RD Web Access is on perimeter network
- If ISA is used, please refer to: http://www.isaserver.org/articles/2004perimeterdomain.html
- Remote Desktop Session Host
- RD License Server Port RPC
- TCP 389|636: Active Directory communication
- TCP 5985: WMI and PowerShell Remoting for administration
- Remote Desktop Virtualization Host
- RD License Server Port RPC
- TCP 389|636: Active Directory communication
- TCP 5985: WMI and PowerShell Remoting for administration
- Remote Desktop Licensing Server
- Information for Terminal Server in Windows Server 2008 is at:http://support.microsoft.com/KB/832017#method26
• TCP 135 - RPC for License Server communication and RDSH
• TCP 1024-65535 (randomly allocated) Used for RPC For Windows Server pre-2008 (see next line).
• TCP 49152 - 65535 (randomly allocated) - This is the range in Windows Server 2012, Windows Server 2008 R2, Windows Server 2008
• How to configure which ports (if need to set to specifics) : http://support.microsoft.com/kb/154596/
• UDP 137 - NetBIOS Name resolution
• UDP 138 - NetBIOS datagram
• TCP 139 - NetBIOS session service
• UDP|TCP 389 LDAP - Used with per user CALs against Active Directory
• TCP 445 - SMB
• TCP 443: Communication over the internet to the Microsoft Clearing House
• TCP 5985: WMI and PowerShell Remoting for administration - From a proxy standpoint, the regkey HKLM\Software\Microsoft\TermServLicensing\lrwiz\Params shows the Microsoft service that the RD LS communicates with. e.g. clearinghouse.one.microsoft.com
- Information for Terminal Server in Windows Server 2008 is at:http://support.microsoft.com/KB/832017#method26
Is there a method to limit the range of ports required for RDS Licensing; I'm searching for a method to understand if that is possible and how to carry it out.
ReplyDelete