By default, Remote Application Server will install with a Secure Gateway and a Connection Broker. There can only be one master Connection Broker in a farm; however, multiple Secure Gateway access points and resource Connection Brokers (RDSH Agent) can be deployed where needed.
Below are the firewall requirements for each of the separate Remote Application Server functions:
All Components TCP 135, 445 - remote agent push.
For the component tables below:
- External Ports should be enabled and allow incoming traffic from all network nodes.
- Internal Ports need not be enabled for access from the WAN or Internet since they are communication ports for Remote Application Server functions and modules.
SECURE GATEWAY
Type | Protocol | Port | Commentary |
External | TCP | 80 | |
External | UDP | 80 | If RDP-UDP is enabled |
External | TCP | 443 | If SSL is enabled |
External | UDP | 443 | If SSL and RDP-UDP is enabled |
External | TCP | 3389 | If RDP load balancing is enabled |
External | TCP | 20009 | If Client Manager is enabled |
External | UDP | 20009 | If Client Manager is enabled |
Internal | UDP | 20000 | Gateway Lookup |
Internal | TCP | 30020 | Remote agent pushing |
Internal | TCP | 49179 | Remote Install Push/Takeover of Software |
Localhost | TCP | 20020 | Communication with NodeJS web server |
NOTE: By default, RDP load balancing is not enabled on the RAS Secure Client Gateway, so the Gateway does not listen on port 3389.
The feature can be enabled, but connections on this port will not support published items, as the port is strictly for RDP load balancing.
By default, this port is used only on RD Session Hosts (see Remote Desktop Session Host Agent below).
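The Secure Gateway table makes several external ports conditional on features, so a port that answers from the WAN is only correct if the matching feature is on. The following is an added example (not Parallels code) that checks a list of externally reachable ports against that table; the feature labels (ssl, rdp_udp, rdp_lb, client_manager) and the sample input are assumptions made for illustration.

```python
# Added example: audit ports reachable from the WAN on a Secure Gateway
# against the SECURE GATEWAY table. Feature names are hypothetical labels.

# (protocol, port) -> features that must all be enabled for the port to be
# expected externally; an empty set means it is always expected.
EXTERNAL = {
    ("tcp", 80): set(),
    ("udp", 80): {"rdp_udp"},
    ("tcp", 443): {"ssl"},
    ("udp", 443): {"ssl", "rdp_udp"},
    ("tcp", 3389): {"rdp_lb"},
    ("tcp", 20009): {"client_manager"},
    ("udp", 20009): {"client_manager"},
}

# Rows typed Internal or Localhost: never expected to answer from the WAN.
INTERNAL = {
    ("udp", 20000): "Gateway Lookup",
    ("tcp", 30020): "Remote agent pushing",
    ("tcp", 49179): "Remote Install Push/Takeover of Software",
    ("tcp", 20020): "Communication with NodeJS web server (localhost)",
}

def expected_external(features):
    """Ports the table expects open externally for the enabled features."""
    enabled = set(features)
    return {key for key, needs in EXTERNAL.items() if needs <= enabled}

def audit(reachable, features):
    """Return (protocol, port, reason) for each reachable port that should not be."""
    enabled, findings = set(features), []
    for key in sorted(set(reachable) - expected_external(enabled)):
        if key in INTERNAL:
            reason = "internal port exposed: " + INTERNAL[key]
        elif key in EXTERNAL:
            reason = "feature not enabled: " + ", ".join(sorted(EXTERNAL[key] - enabled))
        else:
            reason = "not in Secure Gateway table"
        findings.append((*key, reason))
    return findings

# Constructed sample: result of an external port check, with only SSL enabled.
SAMPLE_REACHABLE = [("tcp", 80), ("tcp", 443), ("udp", 443), ("tcp", 3389), ("tcp", 30020)]

if __name__ == "__main__":
    for finding in audit(SAMPLE_REACHABLE, {"ssl"}):
        print(finding)
```

Feed it the output of a port check run from outside the perimeter against your own gateway; an empty result means the exposure matches the table for the features you have enabled.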
HALB APPLIANCE
Type | Protocol | Port | Commentary |
External | TCP | 80 | |
External | TCP | 443 | If SSL is enabled |
External | TCP | 20009 | If Client Manager is enabled |
External | UDP | 20009 | If Client Manager is enabled |
Internal | TCP | 31006 | Configuration |
Internal | UDP | 31006 | Configuration |
Internal | RAW | 112 | Virtual Router Redundancy Protocol |
CONNECTION BROKER
Type | Protocol | Port | Commentary |
Internal | TCP | 20001 | Connection Broker Service Port - Communication with other Publishing Agent including Tenant's RAS Publishing Agent communication |
Internal | TCP | 20002 | Connection Broker Service Port – Communications with SecureClientGateway and UI Console |
Internal | TCP | 20003 | Communications with RDSH agents, RemotePC and Provider Agents. Connection Broker Service Port - Communication with other Publishing Agent including Tenant's RAS Publishing Agent communication |
Internal | TCP | 20030 | Communication between multiple Connection Brokers |
Internal | TCP | 30020 | Remote agent pushing |
Internal | TCP | 49179 | Remote Install Push/Takeover of Software |
Outbound TCP, UDP 80, 8080, 1812, 1813 – Communication with Second Level Authentication server:
2FA Server
Outbound TCP 443 – Communication with Parallels Licensing Server:
account.parallels.com
license.parallels.com
ras.parallels.com
s.parallels.com
CONSOLE
Outbound TCP 80 – Update checking:
download.parallels.com
Outbound TCP, UDP 80, 8080, 1812, 1813 – Communication with Second Level Authentication server:
2FA Server/s
Outbound TCP 80, 443:
- Microsoft resources for downloading FSLogix / Windows Virtual Desktop installers
Outbound UDP 1234 - Discovery of the Wyse brokers.
REMOTE DESKTOP SESSION HOST AGENT
Type | Protocol | Port | Commentary |
Internal | TCP | 3389 | Standard RDP Connections |
Internal | UDP | 3389 | Standard RDP Connections |
Internal | TCP | 30004 | Terminal Server Agent Communication Port |
Internal | UDP | 30004 | Used for "Check Agent" task and log retrieval |
Internal | TCP | 30005 | RDSH Agent internal components communication |
Internal | TCP | 30020 | Remote agent pushing |
Internal | TCP | 49179 | Remote Install Push/Takeover of Software |
PROVIDER AGENT
Type | Protocol | Port | Commentary |
Internal | TCP | 30006 | Provider Agent Communication Port |
Internal | UDP | 30006 | Provider Agent Communication Port |
Internal | TCP | 30007 | Provider Agent Communication Port |
Internal | TCP | 30009 | Provider Agent Communication Port |
Internal | TCP | 30020 | Remote agent pushing |
REMOTE PC AGENT
Type | Protocol | Port | Commentary |
Internal | TCP | 3389 | Standard RDP Connections |
Internal | UDP | 3389 | Standard RDP Connections |
Internal | UDP | 30004 | Used for "Check Agent" task and log retrieval |
Internal | TCP | 30005 | Remote PC Agent internal components communication |
Internal | TCP | 30020 | Remote agent pushing |
Internal | TCP | 49179 | Remote Install Push/Takeover of Software |
REMOTE APPLICATION SERVER REPORTING
Type | Protocol | Port | Commentary |
Internal | TCP | 30008 | Connection between Connection Broker and Remote Application Server Reporting service |
GUEST AGENT
Type | Protocol | Port | Commentary |
Internal | TCP | 135, 49152-65535 | For RemotePC over VDI. DCOM/RPC ports used to check if the guest is powered on and send shutdown, restart or suspend commands. |
Internal | TCP | 3389 | Standard RDP Connections |
Internal | UDP | 3389 | Standard RDP Connections |
Internal | UDP | 30004 | Used to check agent status |
Internal | TCP | 30005 | Guest Agent internal components communication |
Internal | UDP | 30009 | Used to manage components. |
Internal | TCP | 30010 | Used for "Check Agent" task and log retrieval |
Internal | TCP | 30020 | Remote agent pushing |
Internal | TCP | 49179 | Remote Install Push/Takeover of Software |
CLIENT
Type | Protocol | Port | Commentary |
Internal | TCP | 50005 | Shadowing from RAS Console in case of direct network connection |
PERFORMANCE MONITOR (Applicable for version 16.1 onwards)
Type | Protocol | Port | Commentary |
Internal | TCP | 3000 | Grafana (dashboard service) |
Internal | UDP | 8086 | Agent (Telegraf service) sends collected performance data to InfluxDB |
ENROLLMENT SERVER (Applicable for version 17.1 onwards)
Type | Protocol | Port | Commentary |
Internal | TCP | 30030 | RAS Publishing Agent sends RAS Enrollment Server connection request |
Internal | UDP | 30030 | Used for the "Check Agent" task. Used to manage components and for troubleshooting. |