By default, Remote Application Server will install with a Secure Gateway and a Connection Broker. There can only be one master Connection Broker in a farm; however, multiple Secure Gateway access points and resource Connection Brokers (RDSH Agent) can be deployed where needed.
Below are the firewall requirements for each of the separate Remote Application Server functions:

All Components TCP 135, 445 - remote agent push.

Relating to components tables below:

• External Ports should be enabled and allow incoming traffic from all network nodes.
• Internal Ports need not be enabled for access from the WAN or Internet since they are communication ports for Remote Application Server functions and modules.

 

SECURE GATEWAY

Type	Protocol	Port	Commentary
External	TCP	80
External	UDP	80	If RDP-UDP is enabled
External	TCP	443	If SSL is enabled
External	UDP	443	If SSL and RDP-UDP is enabled
External	TCP	3389	If RDP load balancing is enabled
External	TCP	20009	If Client Manager is enabled
External	UDP	20009	If Client Manager is enabled
Internal	UDP	20000	Gateway Lookup
Internal	TCP	30020	Remote agent pushing
Internal	TCP	49179	Remote Install Push/Takeover of Software
Localhost	TCP	20020	Communication with NodeJS web server

 

NOTE: By default, RDP load balancing is not available on 3389 port for RAS Secure Client Gateway as this feature is not enabled and thus Gateway is not listening for it.

However, there is a possibility to enable it. Connections on this port will not support published items as it's strictly for RDP load balancing.

By default, this port is used only on RD Session Hosts. (see below - Remote Desktop Session Host Agent)

HALB APPLIANCE

Type	Protocol	Port	Commentary
External	TCP	80
External	TCP	443	If SSL is enabled
External	TCP	20009	If Client Manager is enabled
External	UDP	20009	If Client Manager is enabled
Internal	TCP	31006	Configuration
Internal	UDP	31006	Configuration
Internal	RAW	112	Virtual Router Redundancy Protocol

 

CONNECTION BROKER

Type	Protocol	Port	Commentary
Internal	TCP	20001	Connection Broker Service Port - Communication with other Publishing Agent including Tenant's RAS Publishing Agent communication
Internal	TCP	20002	Connection Broker Service Port – Communications with SecureClientGateway and UI Console
Internal	TCP	20003	Communications with RDSH agents, RemotePC and Provider Agents. Connection Broker Service Port - Communication with other Publishing Agent including Tenant's RAS Publishing Agent communication
Internal	TCP	20030	Communication between multiple Connection Brokers
Internal	TCP	30020	Remote agent pushing
Internal	TCP	49179	Remote Install Push/Takeover of Software

Outbound TCP, UDP 80, 8080, 1812, 1813 – Communication with Second Level Authentication server:

2FA Server

Outbound TCP 443 – Communication with Parallels Licensing Server:

account.parallels.com
license.parallels.com
ras.parallels.com
s.parallels.com

CONSOLE

Outbound TCP 80 – Update checking:

download.parallels.com

Outbound TCP, UDP 80, 8080, 1812, 1813 – Communication with Second Level Authentication server:

2FA Server/s 

Outbound TCP 80, 443:

• Microsoft resources for downloading FSLogix / Windows Virtual Desktop installers

Outbound UDP 1234 - Discovery of the Wyse brokers.

 

REMOTE DESKTOP SESSION HOST AGENT

Type	Protocol	Port	Commentary
Internal	TCP	3389	Standard RDP Connections
Internal	UDP	3389	Standard RDP Connections
Internal	TCP	30004	Terminal Server Agent Communication Port
Internal	UDP	30004	Used for "Check Agent" task and log retrieval
Internal	TCP	30005	RDSH Agent internal components communication
Internal	TCP	30020	Remote agent pushing
Internal	TCP	49179	Remote Install Push/Takeover of Software

 

PROVIDER AGENT

Type	Protocol	Port	Commentary
Internal	TCP	30006	Provider Agent Communication Port
Internal	UDP	30006	Provider Agent Communication Port
Internal	TCP	30007	Provider Agent Communication Port
Internal	TCP	30009	Provider Agent Communication Port
Internal	TCP	30020	Remote agent pushing

 

REMOTE PC AGENT

Type	Protocol	Port	Commentary
Internal	TCP	3389	Standard RDP Connections
Internal	UDP	3389	Standard RDP Connections
Internal	UDP	30004	Used for "Check Agent" task and log retrieval
Internal	TCP	30005	Remote PC Agent internal components communication
Internal	TCP	30020	Remote agent pushing
Internal	TCP	49179	Remote Install Push/Takeover of Software

 

REMOTE APPLICATION SERVER REPORTING

Type	Protocol	Port	Commentary
Internal	TCP	30008	Connection between Connection Broker and Remote Application Server Reporting service

 

GUEST AGENT

Type	Protocol	Port	Commentary
Internal	TCP	135, 49152-65535	For RemotePC over VDI. DCOM/RPC ports used to check if the guest is powered on and send shutdown, restart or suspend commands.
Internal	TCP	3389	Standard RDP Connections
Internal	UDP	3389	Standard RDP Connections
Internal	UDP	30004	Used to check agent status
Internal	TCP	30005	Guest Agent internal components communication
Internal	UDP	30009	Used to manage components.
Internal	TCP	30010	Used for "Check Agent" task and log retrieval
Internal	TCP	30020	Remote agent pushing
Internal	TCP	49179	Remote Install Push/Takeover of Software

 

CLIENT

Type	Protocol	Port	Commentary
Internal	TCP	50005	Shadowing from RAS Console in case of direct network connection

 

PERFORMANCE MONITOR (Applicable for version 16.1 onwards)

Type	Protocol	Port	Commentary
Internal	TCP	3000	Grafana (dashboard service)
Internal	UDP	8086	Agent (Telegraf service) sends collected performance data to InfluxDB

 

ENROLLMENT SERVER (Applicable for version 17.1 onwards)

Type	Protocol	Port	Commentary
Internal	TCP	30030	RAS Publishing Agent Sends RAS Enrollment Server connection request
Internal	UDP	30030	Used for the "Check Agent" task. Used to manage components and for troubleshooting.