By default, Remote Application Server will install with a Secure Gateway and a Connection Broker. There can only be one master Connection Broker in a farm; however, multiple Secure Gateway access points and resource Connection Brokers (RDSH Agent) can be deployed where needed.
Below are the firewall requirements for each of the separate Remote Application Server functions:
All Components: TCP 135, 445 - remote agent push.
Parallels Client
Source |
Destination |
Protocols |
Ports |
Description |
|
Parallels Client |
HALB |
TCP, UDP TCP, UDP |
80, 443 20009 |
Management and user session connections. Device Manager shadowing via Firewall (indirect network connection). |
|
|
RAS Secure Gateway Forwarding mode |
TCP, UDP TCP, UDP UDP |
80, 443 3389 20000 |
Management and user session connections. Optional - Used for user session if RDP load balancing is enabled (Standard RDP). Secure Gateway lookup broadcast. |
|
RAS Secure Gateway Normal mode |
TCP, UDP TCP, UDP TCP, UDP UDP |
80, 443, 3389 20009 20000 |
Management and user session connections. Optional - Used for user session if RDP load balancing is enabled (Standard RDP). Device Manager shadowing via Firewall (indirect network connection) Secure Gateway Lookup Broadcast |
|
|
|
Session host (VDI, RDS, RemotePC) |
TCP, UDP |
3389 |
Used for user session connections in Direct Mode only. RDP connection is always encrypted. |
|
|
Azure Virtual Desktop Services |
TCP UDP |
443 3390 |
Azure Virtual Desktop Gateway connection Used for user session connections in ShortPath mode only. |
|
|
Microsoft site |
TCP |
443 |
Download Microsoft Remote Desktop (MSRDC) client |
|
|
Parallels site |
TCP |
80, 443 |
Check for updates and download Parallels Client |
Web (external)
Source |
Destination |
Protocols |
Ports |
Description |
|
Web browser (HTML5) and Let's Encrypt service |
RAS Web Admin Service [RAS Management Portal] |
TCP |
20443 |
Admin access to HTML5-based Management Portal of RAS environment |
|
|
HALB |
TCP |
80, 443 |
End-user access to Parallels RAS Web Client (on Secure Gateway in Normal mode) through the HALB (Optional - required when using Let's Encrypt) Responds to Let's Encrypt challenge |
|
|
RAS Secure Gateway |
TCP |
80, 443 |
End-user access to Parallels RAS Web Client (on Secure Gateway in Normal mode) (Optional - required when using Let's Encrypt) Responds to Let's Encrypt challenge |
HALB
Source |
Destination |
Protocols |
Ports |
Description |
|
HALB |
HALB |
VRRP |
112 |
HALB-to-HALB communication is used for the automatic assignment of VIP to active HALB. |
|
|
RAS Secure Gateway in Forwarding Mode |
TCP, UDP |
80, 443 |
Management and user session connections. |
|
|
RAS Secure Gateway in Normal Mode |
TCP, UDP TCP, UDP |
80, 443 20009 |
Management and user session connections. Device Manager shadowing via Firewall (indirect network connection). |
RAS Secure Gateway
Source |
Destination |
Protocols |
Ports |
Description |
|
RAS Secure Gateway in Forwarding mode |
RAS Secure Gateway in Normal mode |
TCP, UDP TCP, UDP |
80, 443 3389 |
Management and user session connections. Optional - Used for user session if RDP Load Balancing is enabled. |
|
|
RAS Performance Monitor |
TCP |
8086 |
Agent (Telegraf service) sends collected performance data to InfluxDB. |
|
RAS Secure Gateway in Normal mode |
Remote Desktop Services |
TCP, UDP |
3389 |
RDP Connections. |
|
|
RAS Connection Broker |
TCP TCP, UDP |
20002 20009 |
RAS Connection Broker service port - communications with RAS Secure Gateways and the RAS Console (in Normal mode only). Device Manager shadowing via Firewall (indirect network connection) if RAS Console runs on RAS Connection Broker |
|
|
RAS Performance Monitor |
TCP |
8086 |
Agent (Telegraf service) sends collected performance data to InfluxDB. |
|
|
Localhost |
TCP |
20020 |
Communication with HTML5 Gateway web server (NodeJS). |
RAS Connection Broker
Source |
Destination |
Protocols |
Ports |
Description |
|
RAS Connection Broker |
AD DS controllers |
TCP TCP TCP, UDP UDP |
389, 3268 636, 3269 88, 53 |
LDAP LDAPS Kerberos DNS |
|
|
RAS Connection Broker |
TCP |
20001 20030 |
Redundancy service. Communication between RAS Connection Brokers running on the same site. |
|
Parallels Licensing Server |
TCP |
443 |
RAS Connection Broker (primary Connection Broker in Licensing Site) communicates with Parallels Licensing Server (https://ras.parallels.com). Note: Not required for Tenant Broker RAS Connection Broker (see the Tenant Broker section). |
|
|
RAS Performance Monitor |
TCP |
8086 |
Agent (Telegraf service) sends collected performance data to InfluxDB. |
|
|
RAS RD Session Host Agent |
TCP, UDP |
30004 |
Server for Connection Broker requests. |
|
|
RAS Provider Agent |
TCP, UDP |
30006 |
Provider Agent communication port. |
|
|
RAS Remote PC Agent |
TCP, UDP |
30004 |
Remote PC Agent Communication Port (agent state, counters, and session information) |
|
|
2FA Server(s) |
TCP, UDP |
8080, 80 1812, 1813 |
Deepnet/ Safenet Radius |
|
|
RAS Enrollment Server |
TCP |
30030 |
RAS Connection Broker Sends RAS Enrollment Server Connection Request |
|
|
RAS Reporting |
TCP |
30008 |
Master RAS Connection Broker communicates with RAS Reporting (installed on the same host as SSRS). |
|
|
RAS Remote Installer Service |
TCP |
30020 |
Remote agent pushing |
|
|
RAS RD Session Host Agent RAS Guest Agent RAS Remote PC Agent RAS Connection Broker RAS Secure Gateway RAS Enrollment Server |
TCP |
135, 445, 49179 |
Remote Install Push/Takeover of Software |
|
|
SMTP |
TCP |
587 |
Notifdispatcher is the service that sends the emails using the port specified in the Mailbox settings (+SSL/TLS) |
|
|
Let's Encrypt Service |
TCP |
443 |
Communication between the Let's Encrypt client (available in the primary Connection Broker) and Let's Encrypt server. |
RAS Console
Source |
Destination |
Protocols |
Ports |
Description |
|
RAS Console |
RAS Reporting |
TCP |
30008 |
RAS Console is connected to the primary RAS Connection Broker which communicates with RAS Reporting (installed on the same host as SSRS). SSRS talks to SQL via TCP 1433 (or dynamic if 1433 is not established in the settings). |
|
|
SSRS |
TCP |
443 |
Reports retrieval. |
|
HALB |
TCP, UDP |
31006 |
Used for configuration. |
|
|
Parallels Client |
TCP |
50005 |
Shadowing from the RAS Console in case of direct network connection. |
|
|
RAS RD Session Host Agent |
UDP, TCP |
30004 |
Used for the "Check Agent" task. Used to manage components. |
|
|
RAS Guest Agent |
UDP TCP |
30009 30010 |
Used for the "Check Agent" task. Used to manage components. |
|
|
RAS Remote PC Agent |
UDP, TCP |
30004 |
Used for the "Check Agent" task. Used to manage components. |
|
|
RAS Provider Agent |
UDP, TCP |
30006 |
Used for the "Check Agent" task. Used to manage components. |
|
|
MFA Server(s) |
TCP, UDP |
8080, 80, 1812, 1813 |
Deepnet / Safenet / Radius |
|
|
Microsoft site |
TCP |
80, 443 |
Check for updates and download Parallels Client |
|
|
Parallels site |
TCP |
80 |
Check for updates and download Parallels Client |
|
|
RAS Secure Gateway |
TCP |
80, 443 |
Set the log level or clear/retrieve the log file Prefers to connect to the normal port (80 by default), falls back to the SSL port (443 by default) if the normal port is disabled |
|
|
RAS Performance Monitor |
TCP |
20002, 20001 |
Communication with Connection Broker and redundancy. |
|
|
RAS Connection Broker |
TCP |
20002, 20001 |
Communication with Connection Broker and redundancy. |
|
|
RAS Enrollment Server |
TCP, UDP |
30030 |
Used for the "Check Agent" task. Used to manage components and for troubleshooting. |
|
|
Wyse Broker |
UDP |
1234 (outbound only) 68 (inbound only) |
Wyse broker discovery request broadcast packet (V_WYSEBCAST). Wyse broker discovery reply packet (V_WYSETEST). |
|
|
SMTP |
TCP |
587 |
RAS Console can send test emails using the port specified in the Mailbox settings (+SSL/TLS) |
SSRS
Source |
Destination |
Protocols |
Ports |
Description |
|
SSRS |
Microsoft SQL Server |
TCP |
1433 |
RAS Console is connected to the RAS Reporting |
RAS Reporting
Source |
Destination |
Protocols |
Ports |
Description |
|
RAS Reporting Service |
MS SQL |
TCP |
1433 |
Store RAS activity information |
|
|
SSRS |
TCP |
8085, 443 |
Enumeration of reports (incl. custom reports) |
RAS Web Administration Service (REST/Management Portal)
Source |
Destination |
Protocols |
Ports |
Description |
|
RAS Web Administration Service |
RAS RD Session Host Agent |
TCP |
30004 |
Log retrieval |
|
|
RAS Guest Agent |
TCP |
30010 |
Log retrieval |
|
RAS Provider Agent |
TCP |
30006 |
Log retrieval |
|
|
RAS Connection Broker |
TCP |
20002, 20001 30020 |
Communication with PA and Redundancy Used during publishing to browse for installed applications or single file/folder browsing. 30020 - remote agent pushing (pre-RAS 18). |
|
|
RAS RD Session Host Agent RAS Guest Agent RAS Remote PC Agent RAS Connection Broker RAS Secure Gateway RAS Enrollment Server |
TCP |
135, 445 |
Remote Install Push/Takeover of Software (pre-RAS 18). |
|
|
RAS Reporting Service |
TCP |
3000 |
Integration of RAS Reporting in Management Portal iFrame |
RAS PowerShell
Source |
Destination |
Protocols |
Ports |
Description |
|
RAS PowerShell |
RAS RD Session Host Agent |
TCP |
30004 |
Log retrieval |
|
|
RAS Guest Agent |
TCP |
30010 |
Log retrieval |
|
RAS Remote PC Agent |
TCP |
30004 |
Log retrieval |
|
|
RAS Provider Agent |
TCP |
30006 |
Log retrieval |
|
|
RAS Connection Broker |
TCP |
20002, 20001 |
Communication with PA and Redundancy Used during publishing to browse for installed applications or single file/folder browsing. |
RAS Provider Agent
Source |
Destination |
Protocols |
Ports |
Description |
|
RAS Provider Agent |
RAS Connection Broker |
TCP |
20003 |
Connection Broker communication port. |
|
|
RAS Guest Agent |
TCP UDP |
30010 30009 |
TCP is used to send the commands. UDP is used during the initial handshake. |
|
RAS Performance Monitor |
TCP |
8086 |
Agent (Telegraf service) sends collected performance data to InfluxDB - applicable to Hyper-V only. |
|
|
|
Hyper-V |
TCP |
135, 49152-65535 |
Used to check if the guest is powered on and send export, import, delete, shutdown, restart or suspend commands. |
|
|
Nutanix |
TCP |
9440 |
Used to check if the guest is powered on and send export, import, delete, shutdown, restart or suspend commands. |
|
|
VMWare |
TCP |
443 |
Used to check if the guest is powered on and sends clone, delete, shutdown, restart and suspend commands. |
|
|
Microsoft Azure |
TCP |
443 |
Used to check if the guest is powered on and sends clone, shutdown, and restart commands (via REST). |
|
|
AWS |
TCP |
443 |
Used to check if the guest is powered on and sends clone, shutdown, and restart commands (via REST). |
|
|
Scale |
TCP |
443 |
Used to check if the guest is powered on and sends clone, shutdown, and restart commands (via REST). |
|
|
Remote PC over VDI |
TCP |
135, 49152-65535 |
Used to check if the guest is powered on and sends shutdown, restart or suspend commands. |
RAS Enrollment Server
Source |
Destination |
Protocols |
Ports |
Description |
|
RAS Enrollment Server |
AD DS controllers |
TCP TCP TCP, UDP UDP |
389, 3268 636, 3269 88 53 |
LDAP LDAPS Kerberos DNS |
|
|
RAS Connection Broker |
TCP UDP |
20003 20003 |
Settings synchronization and performance counters. Deny Connection Request |
|
Certificate Authority (CA) |
TCP TCP |
135 dynamic range 49152 - 65535 |
DCOM/RPC ports |
RAS RD Session Host Agent
Source |
Destination |
Protocols |
Ports |
Description |
|
RAS RD Session Host Agent
|
RAS Connection Broker |
TCP, UDP |
20003 |
Used for communications with RAS Connection Brokers. |
|
Localhost |
TCP |
30005 |
For internal commands (memshell, printer redirector). |
|
|
FSlogix |
TCP |
443 |
Download FSlogix installer |
|
|
RAS Performance Monitor |
TCP |
8086 |
Agent (Telegraf service) sends collected performance data to InfluxDB. |
|
|
RAS Enrollment Server |
TCP |
30030 |
RAS RD Session Host Agent (PrlsSCDriver) connects to get login credentials. |
RAS Guest Agent
Source |
Destination |
Protocols |
Ports |
Description |
|
RAS Guest Agent (used by Azure Virtual Desktop) |
Provider Agent |
TCP, UDP |
30006 |
Communication with Provider Agent Subnet broadcast is sent to find Provider Agent Regular UDP heartbeats |
|
|
Localhost |
TCP |
30005 |
For internal commands - memshell, printer redirector) |
|
RAS Performance Monitor |
TCP |
8086 |
Agent (Telegraf service) sends collected performance data to InfluxDB |
|
|
RAS Enrollment Server |
TCP |
30030 |
RAS Guest Agent (PrlsSCDriver) connects to get logon credentials |
|
|
FSlogix |
TCP |
443 |
Download FSlogix installer |
RAS Remote PC Agent
Source |
Destination |
Protocols |
Ports |
Description |
|
RAS Remote PC Agent |
RAS Connection Broker |
TCP, UDP |
20003 |
Used for communications with RAS Connection Brokers |
|
|
Localhost |
TCP |
30005 |
For internal commands - memshell, printer redirector) |
|
RAS Performance Monitor |
TCP |
8086 |
Agent (Telegraf service) sends collected performance data to InfluxDB |
|
|
RAS Enrollment Server |
TCP, UDP |
30030 |
RAS Remote PC (PrlsSCDriver) connects to get logon credentials |
|
|
FSlogix |
TCP |
443 |
Download FSlogix installer |
Tenant Broker
Source |
Destination |
Protocols |
Ports |
Description |
|
Tenant - RAS Connection Broker |
Tenant Broker - RAS Connection Broker |
TCP |
20003 |
Tenant's RAS Connection Broker communicates with Tenant Broker to join Tenant Broker, synchronize configuration and statuses |
Azure Virtual Desktop
The Azure virtual machines you create for Azure Virtual Desktop must have access to the following URLs in the Azure commercial cloud:
Address |
Outbound TCP port |
Purpose |
Service tag |
|
443 |
Service traffic |
WindowsVirtualDesktop |
|
|
443 |
Agent traffic |
AzureCloud |
|
|
443 |
Agent traffic |
AzureCloud |
|
|
443 |
Agent traffic |
AzureCloud |
|
|
443 |
Agent traffic |
AzureCloud |
|
|
443 |
Agent traffic |
AzureCloud |
|
|
443 |
Agent traffic |
AzureCloud |
|
|
443 |
Azure Marketplace |
AzureCloud |
|
|
1688 |
Windows activation |
Internet |
|
|
443 |
Agent and SXS stack updates |
AzureCloud |
|
|
443 |
Azure portal support |
AzureCloud |
|
|
169.254.169.254 |
80 |
Azure Instance Metadata service endpoint |
N/A |
|
168.63.129.16 |
80 |
Session host health monitoring |
N/A |
The following table lists optional URLs that your Azure virtual machines can have access to:
Address |
Outbound TCP port |
Purpose |
Azure Gov |
|
443 |
Authentication to Microsoft Online Services |
||
|
443 |
Telemetry Service |
None |
|
|
443 |
Detects if the OS is connected to the internet |
None |
|
|
443 |
Windows Update |
None |
|
|
443 |
Sign in to Microsoft Online Services, Microsoft 365 |
||
|
*.sfx.ms |
443 |
Updates for OneDrive client software |
|
|
443 |
Certificate revocation check |
None |
|
|
443 |
Azure DNS resolution |
None |
|
|
443 |
Azure DNS resolution |
None |
Was this article helpful?
Tell us how we can improve it.