By default, Remote Application Server will install with a Secure Client Gateway and a Publishing Agent. There can only be one master Publishing Agent in a farm; however, multiple Secure Client Gateway access points and resource publishing agents (RDSH Agent) can be deployed where needed.
Below are the firewall requirements for each of the separate Remote Application Server functions:
All Components TCP 135, 445 - remote agent push.
Relating to components tables below:
- External Ports should be enabled and allow incoming traffic from all network nodes.
- Internal Ports need not be enabled for access from the WAN or Internet since they are communication ports for Remote Application Server functions and modules.
SECURE CLIENT GATEWAY
Type | Protocol | Port | Commentary |
External | TCP | 80 | |
External | UDP | 80 | If RDP-UDP is enabled |
External | TCP | 443 | If SSL is enabled |
External | UDP | 443 | If SSL and RDP-UDP is enabled |
External | TCP | 3389 | If RDP load balancing is enabled |
External | TCP | 20009 | If Client Manager is enabled |
External | UDP | 20009 | If Client Manager is enabled |
Internal | UDP | 20000 | Gateway Lookup |
Internal | TCP | 49179 | Remote Install Push/Takeover of Software |
Localhost | TCP | 20020 | Communication with NodeJS web server |
NOTE: By default, RDP load balancing is not enabled on the RAS Secure Client Gateway, so the Gateway does not listen on port 3389.
The feature can be enabled, but connections on this port will not support published items, as the port is then used strictly for RDP load balancing.
By default, port 3389 is used only on RD Session Hosts (see Remote Desktop Session Host Agent below).
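The External/Internal rule above, applied to the Secure Client Gateway table as Windows Firewall rules. This is an added example, not Parallels' own tooling; the subnet, the feature switches and the rule group name are assumptions to adapt to your farm.

```powershell
#Requires -RunAsAdministrator
# Added example: inbound Windows Firewall rules for a Secure Client Gateway host.
# Assumed values (not from the article): the subnet, feature switches and group name.
$InternalSubnet = '10.0.10.0/24'   # hypothetical subnet of the other RAS components
$Features = @{ SSL = $true; RdpUdp = $false; RdpLoadBalancing = $false; ClientManager = $true }
$Group = 'Parallels RAS Gateway (example)'

# Rows of the Secure Client Gateway table; When = the condition from the Commentary column.
# The Localhost row (TCP 20020) is left out; no inbound rule is created for it.
$GatewayPorts = @(
    @{ Type = 'External'; Protocol = 'TCP'; Port = 80;    When = { $true } }
    @{ Type = 'External'; Protocol = 'UDP'; Port = 80;    When = { $Features.RdpUdp } }
    @{ Type = 'External'; Protocol = 'TCP'; Port = 443;   When = { $Features.SSL } }
    @{ Type = 'External'; Protocol = 'UDP'; Port = 443;   When = { $Features.SSL -and $Features.RdpUdp } }
    @{ Type = 'External'; Protocol = 'TCP'; Port = 3389;  When = { $Features.RdpLoadBalancing } }
    @{ Type = 'External'; Protocol = 'TCP'; Port = 20009; When = { $Features.ClientManager } }
    @{ Type = 'External'; Protocol = 'UDP'; Port = 20009; When = { $Features.ClientManager } }
    @{ Type = 'Internal'; Protocol = 'UDP'; Port = 20000; When = { $true } }
    @{ Type = 'Internal'; Protocol = 'TCP'; Port = 49179; When = { $true } }
)

foreach ($row in $GatewayPorts) {
    if (-not (& $row.When)) { continue }   # feature off: leave the port closed
    # External ports accept any source; internal ports only the RAS subnet.
    $remote = if ($row.Type -eq 'External') { 'Any' } else { $InternalSubnet }
    New-NetFirewallRule -Group $Group -Direction Inbound -Action Allow `
        -DisplayName "RAS Gateway $($row.Type) $($row.Protocol) $($row.Port)" `
        -Protocol $row.Protocol -LocalPort $row.Port -RemoteAddress $remote | Out-Null
}

# Review what was created: each rule with its port and permitted source.
Get-NetFirewallRule -Group $Group | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule     = $_.DisplayName
        Protocol = $port.Protocol
        Port     = $port.LocalPort
        Source   = $addr.RemoteAddress
    }
} | Format-Table -AutoSize
```

Because every rule carries the same group, the set can be removed in one step with Remove-NetFirewallRule -Group before re-running with different feature switches.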
HALB APPLIANCE
Type | Protocol | Port | Commentary |
External | TCP | 80 | |
External | TCP | 443 | If SSL is enabled |
External | TCP | 20009 | If Client Manager is enabled |
External | UDP | 20009 | If Client Manager is enabled |
Internal | TCP | 31006 | Configuration |
Internal | UDP | 31006 | Configuration |
Internal | RAW | 112 | Virtual Router Redundancy Protocol |
PUBLISHING AGENT
Type | Protocol | Port | Commentary |
Internal | TCP | 20001 | Publishing Agent Service Port - Communication with other Publishing Agents |
Internal | TCP | 20002 | Publishing Agent Service Port – Communications with Secure Client Gateway and UI Console |
Internal | TCP | 20003 | RDSH Agent Port – Communications with Terminal RDSH agents and RemotePC Agents |
Internal | TCP | 20030 | Communication between multiple Publishing Agents |
Internal | TCP | 49179 | Remote Install Push/Takeover of Software |
Outbound TCP, UDP 80, 8080, 1812, 1813 – Communication with Second Level Authentication server:
2FA Server
Outbound TCP 443 – Communication with Parallels Licensing Server:
Version 14 and earlier:
erp.2x.com
prm.2x.com
Version 15 and later:
account.parallels.com
license.parallels.com
ras.parallels.com
s.parallels.com
CONSOLE
Outbound TCP 80 – Update checking:
download.parallels.com
Outbound TCP, UDP 80, 8080, 1812, 1813 – Communication with Second Level Authentication server:
2FA Server/s
Outbound TCP 80, 443:
www.turbo.net
Outbound UDP 1234 - Discovery of the Wyse brokers.
REMOTE DESKTOP SESSION HOST AGENT
Type | Protocol | Port | Commentary |
Internal | TCP | 3389 | Standard RDP Connections |
Internal | UDP | 3389 | Standard RDP Connections |
Internal | TCP | 30004 | Terminal Server Agent Communication Port |
Internal | UDP | 30004 | Used for "Check Agent" task |
Internal | TCP | 30005 | RDSH Agent internal components communication |
Internal | TCP | 49179 | Remote Install Push/Takeover of Software |
VDI AGENT
Type | Protocol | Port | Commentary |
Internal | TCP | 30006 | VDI Agent Communication Port |
Internal | UDP | 30006 | VDI Agent Communication Port |
Internal | TCP | 30007 | VDI Agent Communication Port |
Internal | TCP | 30009 | VDI Agent Communication Port |
REMOTE PC AGENT
Type | Protocol | Port | Commentary |
Internal | TCP | 3389 | Standard RDP Connections |
Internal | UDP | 3389 | Standard RDP Connections |
Internal | UDP | 30004 | Used to check agent status |
Internal | TCP | 30005 | Remote PC Agent internal components communication |
Internal | TCP | 49179 | Remote Install Push/Takeover of Software |
REMOTE APPLICATION SERVER REPORTING
Type | Protocol | Port | Commentary |
Internal | TCP | 30008 | Connection between PA and Remote Application Server Reporting service |
GUEST AGENT
Type | Protocol | Port | Commentary |
Internal | TCP | 3389 | Standard RDP Connections |
Internal | UDP | 3389 | Standard RDP Connections |
Internal | UDP | 30004 | Used to check agent status |
Internal | TCP | 30005 | Guest Agent internal components communication |
Internal | TCP | 49179 | Remote Install Push/Takeover of Software |
CLIENT
Type | Protocol | Port | Commentary |
Internal | TCP | 50005 | Shadowing from RAS Console in case of direct network connection |
PERFORMANCE MONITOR (Applicable for version 16.1 onwards)
Type | Protocol | Port | Commentary |
Internal | TCP | 3000 | Grafana (dashboard service) |
Internal | UDP | 8086 | Agent (Telegraf service) sends collected performance data to InfluxDB |
ENROLLMENT SERVER (Applicable for version 17.1 onwards)
Type | Protocol | Port | Commentary |
Internal | TCP | 30030 | RAS Publishing Agent Sends RAS Enrollment Server connection request |
Internal | UDP | 30030 | Used for the "Check Agent" task. Used to manage components and for troubleshooting. |