Firewall requirements for Parallels Remote Application Server 19


By default, Remote Application Server installs with a Secure Gateway and a Connection Broker. A farm can have only one master Connection Broker; multiple Secure Gateway access points and resource Connection Brokers (RDSH Agent) can be deployed where needed.
Below are the firewall requirements for each of the separate Remote Application Server functions:

All components: TCP 135, 445 - remote agent push.

Parallels Client

| Source | Destination | Protocols | Ports | Description |
|---|---|---|---|---|
| Parallels Client | HALB | TCP, UDP | 80, 443 | Management and user session connections. |
| | | TCP, UDP | 20009 | Device Manager shadowing via Firewall (indirect network connection). |
| | RAS Secure Gateway (Forwarding mode) | TCP, UDP | 80, 443 | Management and user session connections. |
| | | TCP, UDP | 3389 | Optional - used for user sessions if RDP load balancing is enabled (standard RDP). |
| | | UDP | 20000 | Secure Gateway lookup broadcast. |
| | RAS Secure Gateway (Normal mode) | TCP, UDP | 80, 443 | Management and user session connections. |
| | | TCP, UDP | 3389 | Optional - used for user sessions if RDP load balancing is enabled (standard RDP). |
| | | TCP, UDP | 20009 | Device Manager shadowing via Firewall (indirect network connection). |
| | | UDP | 20000 | Secure Gateway lookup broadcast. |
| | Session host (VDI, RDS, RemotePC) | TCP, UDP | 3389 | Used for user session connections in Direct mode only. The RDP connection is always encrypted. |
| | Azure Virtual Desktop Services | TCP | 443 | Azure Virtual Desktop Gateway connection. |
| | | UDP | 3390 | Used for user session connections in ShortPath mode only. |
| | Microsoft site | TCP | 443 | Download the Microsoft Remote Desktop (MSRDC) client. |
| | Parallels site | TCP | 80, 443 | Check for updates and download Parallels Client. |


Web (external)

| Source | Destination | Protocols | Ports | Description |
|---|---|---|---|---|
| Web browser (HTML5) and Let's Encrypt service | RAS Web Admin Service [RAS Management Portal] | TCP | 20443 | Admin access to the HTML5-based Management Portal of the RAS environment. |
| | HALB | TCP | 80, 443 | End-user access to Parallels RAS Web Client (on a Secure Gateway in Normal mode) through the HALB. Optional - required when using Let's Encrypt: responds to the Let's Encrypt challenge. |
| | RAS Secure Gateway | TCP | 80, 443 | End-user access to Parallels RAS Web Client (on a Secure Gateway in Normal mode). Optional - required when using Let's Encrypt: responds to the Let's Encrypt challenge. |


HALB

| Source | Destination | Protocols | Ports | Description |
|---|---|---|---|---|
| HALB | HALB | VRRP | 112 | HALB-to-HALB communication, used for the automatic assignment of the VIP to the active HALB. |
| | RAS Secure Gateway in Forwarding mode | TCP, UDP | 80, 443 | Management and user session connections. |
| | RAS Secure Gateway in Normal mode | TCP, UDP | 80, 443 | Management and user session connections. |
| | | TCP, UDP | 20009 | Device Manager shadowing via Firewall (indirect network connection). |


RAS Secure Gateway

| Source | Destination | Protocols | Ports | Description |
|---|---|---|---|---|
| RAS Secure Gateway in Forwarding mode | RAS Secure Gateway in Normal mode | TCP, UDP | 80, 443 | Management and user session connections. |
| | | TCP, UDP | 3389 | Optional - used for user sessions if RDP load balancing is enabled. |
| | RAS Performance Monitor | TCP | 8086 | Agent (Telegraf service) sends collected performance data to InfluxDB. |
| RAS Secure Gateway in Normal mode | Remote Desktop Services | TCP, UDP | 3389 | RDP connections. |
| | RAS Connection Broker | TCP | 20002 | RAS Connection Broker service port - communications with RAS Secure Gateways and the RAS Console (Normal mode only). |
| | | TCP, UDP | 20009 | Device Manager shadowing via Firewall (indirect network connection) if the RAS Console runs on the RAS Connection Broker. |
| | RAS Performance Monitor | TCP | 8086 | Agent (Telegraf service) sends collected performance data to InfluxDB. |
| | Localhost | TCP | 20020 | Communication with the HTML5 Gateway web server (NodeJS). |


RAS Connection Broker

| Source | Destination | Protocols | Ports | Description |
|---|---|---|---|---|
| RAS Connection Broker | AD DS controllers | TCP | 389, 3268 | LDAP |
| | | TCP | 636, 3269 | LDAPS |
| | | TCP, UDP | 88 | Kerberos |
| | | UDP | 53 | DNS |
| | RAS Connection Broker | TCP | 20001 | Redundancy service. |
| | | TCP | 20030 | Communication between RAS Connection Brokers running on the same site. |
| | Parallels Licensing Server | TCP | 443 | The RAS Connection Broker (primary Connection Broker in the Licensing Site) communicates with the Parallels Licensing Server (https://ras.parallels.com). Note: not required for a Tenant Broker RAS Connection Broker (see the Tenant Broker section). |
| | RAS Performance Monitor | TCP | 8086 | Agent (Telegraf service) sends collected performance data to InfluxDB. |
| | RAS RD Session Host Agent | TCP, UDP | 30004 | Server for Connection Broker requests. |
| | RAS Provider Agent | TCP, UDP | 30006 | Provider Agent communication port. |
| | RAS Remote PC Agent | TCP, UDP | 30004 | Remote PC Agent communication port (agent state, counters, and session information). |
| | 2FA server(s) | TCP, UDP | 8080, 80 | Deepnet / Safenet |
| | | TCP, UDP | 1812, 1813 | RADIUS |
| | RAS Enrollment Server | TCP | 30030 | The RAS Connection Broker sends the RAS Enrollment Server connection request. |
| | RAS Reporting | TCP | 30008 | The master RAS Connection Broker communicates with RAS Reporting (installed on the same host as SSRS). |
| | RAS Remote Installer Service | TCP | 30020 | Remote agent pushing. |
| | RAS RD Session Host Agent, RAS Guest Agent, RAS Remote PC Agent, RAS Connection Broker, RAS Secure Gateway, RAS Enrollment Server | TCP | 135, 445, 49179 | Remote install push / takeover of software. |
| | SMTP | TCP | 587 | Notifdispatcher is the service that sends the emails, using the port specified in the Mailbox settings (+SSL/TLS). |
| | Let's Encrypt service | TCP | 443 | Communication between the Let's Encrypt client (available in the primary Connection Broker) and the Let's Encrypt server. |

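The tables above give the Connection Broker's port list, but not how to turn it into host firewall rules that admit only the peers that need each port. The following PowerShell is an added example, not a script from the Parallels article or product: it creates inbound Windows Defender Firewall rules on a Connection Broker host for the ports the other components connect to (TCP 20001, 20002, 20003, 20009, 20030, 30020 and UDP 20003, 20009, taken from the tables on this page), scoped to per-role subnets. The subnet values and the rule group name "Parallels RAS" are placeholders chosen for this example; replace them with your own gateway, broker, agent and administration networks.

```powershell
# Added example (not from Parallels): inbound host firewall rules for a RAS Connection Broker,
# scoped by peer role. All subnets below are placeholders (assumptions for this example).
$Scopes = @{
    Gateways = '10.0.10.0/24'   # assumption: RAS Secure Gateways (Normal mode)
    Brokers  = '10.0.20.0/24'   # assumption: other Connection Brokers in the same site
    Agents   = '10.0.30.0/24'   # assumption: RDSH / Provider / Remote PC / Enrollment Server agents
    Admins   = '10.0.40.0/24'   # assumption: RAS Console, Management Portal and PowerShell hosts
}

# One entry per (protocol, port); ports come from the RAS Secure Gateway, RAS Console,
# RAS Connection Broker, Provider Agent and agent tables on this page.
$Rules = @(
    @{ Name = 'RAS Broker: service port (TCP 20002)';     Protocol = 'TCP'; Port = 20002; Remote = @($Scopes.Gateways, $Scopes.Admins) }
    @{ Name = 'RAS Broker: redundancy (TCP 20001)';       Protocol = 'TCP'; Port = 20001; Remote = @($Scopes.Brokers, $Scopes.Admins) }
    @{ Name = 'RAS Broker: same-site brokers (TCP 20030)';Protocol = 'TCP'; Port = 20030; Remote = @($Scopes.Brokers) }
    @{ Name = 'RAS Broker: agents (TCP 20003)';           Protocol = 'TCP'; Port = 20003; Remote = @($Scopes.Agents) }
    @{ Name = 'RAS Broker: agents (UDP 20003)';           Protocol = 'UDP'; Port = 20003; Remote = @($Scopes.Agents) }
    @{ Name = 'RAS Broker: shadowing (TCP 20009)';        Protocol = 'TCP'; Port = 20009; Remote = @($Scopes.Gateways) }
    @{ Name = 'RAS Broker: shadowing (UDP 20009)';        Protocol = 'UDP'; Port = 20009; Remote = @($Scopes.Gateways) }
    @{ Name = 'RAS Broker: remote installer (TCP 30020)'; Protocol = 'TCP'; Port = 30020; Remote = @($Scopes.Admins) }
)

foreach ($r in $Rules) {
    # Recreate the rule so re-running the script converges on the declared scope.
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
        Remove-NetFirewallRule -DisplayName $r.Name
    }
    New-NetFirewallRule -DisplayName $r.Name -Group 'Parallels RAS' `
        -Direction Inbound -Action Allow -Profile Domain `
        -Protocol $r.Protocol -LocalPort $r.Port -RemoteAddress $r.Remote | Out-Null
}

# Verification: show each rule with its port and remote-address filter so an
# unscoped ("Any") rule is visible at a glance.
Get-NetFirewallRule -Group 'Parallels RAS' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule     = $_.DisplayName
        Protocol = $port.Protocol
        Port     = $port.LocalPort
        Remote   = ($addr.RemoteAddress -join ', ')
    }
} | Format-Table -AutoSize

# From a gateway or console host, confirm the broker service port is reachable
# (hostname is a placeholder):
# Test-NetConnection -ComputerName broker01.example.local -Port 20002
```

The TCP 135/445 (and 49179) "remote install push" ports listed for all components are only needed while agents are being pushed or taken over; keeping them in a separate, tightly scoped rule that can be disabled after deployment limits the RPC/SMB surface of the broker host.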

RAS Console

| Source | Destination | Protocols | Ports | Description |
|---|---|---|---|---|
| RAS Console | RAS Reporting | TCP | 30008 | The RAS Console is connected to the primary RAS Connection Broker, which communicates with RAS Reporting (installed on the same host as SSRS). SSRS talks to SQL via TCP 1433 (or a dynamic port if 1433 is not set in the settings). |
| | SSRS | TCP | 443 | Reports retrieval. |
| | HALB | TCP, UDP | 31006 | Used for configuration. |
| | Parallels Client | TCP | 50005 | Shadowing from the RAS Console in case of a direct network connection. |
| | RAS RD Session Host Agent | UDP, TCP | 30004 | Used for the "Check Agent" task and to manage components. |
| | RAS Guest Agent | UDP | 30009 | Used for the "Check Agent" task. |
| | | TCP | 30010 | Used to manage components. |
| | RAS Remote PC Agent | UDP, TCP | 30004 | Used for the "Check Agent" task and to manage components. |
| | RAS Provider Agent | UDP, TCP | 30006 | Used for the "Check Agent" task and to manage components. |
| | MFA server(s) | TCP, UDP | 8080, 80, 1812, 1813 | Deepnet / Safenet / RADIUS |
| | Microsoft site | TCP | 80, 443 | Check for updates and download Parallels Client. |
| | Parallels site | TCP | 80 | Check for updates and download Parallels Client. |
| | RAS Secure Gateway | TCP | 80, 443 | Set the log level or clear/retrieve the log file. Prefers the normal port (80 by default) and falls back to the SSL port (443 by default) if the normal port is disabled. |
| | RAS Performance Monitor | TCP | 20002, 20001 | Communication with the Connection Broker and redundancy. |
| | RAS Connection Broker | TCP | 20002, 20001 | Communication with the Connection Broker and redundancy. |
| | RAS Enrollment Server | TCP, UDP | 30030 | Used for the "Check Agent" task, to manage components, and for troubleshooting. |
| | Wyse Broker | UDP | 1234 (outbound only) | Wyse broker discovery request broadcast packet (V_WYSEBCAST). |
| | | UDP | 68 (inbound only) | Wyse broker discovery reply packet (V_WYSETEST). |
| | SMTP | TCP | 587 | The RAS Console can send test emails using the port specified in the Mailbox settings (+SSL/TLS). |


SSRS

| Source | Destination | Protocols | Ports | Description |
|---|---|---|---|---|
| SSRS | Microsoft SQL Server | TCP | 1433 | The RAS Console is connected to RAS Reporting. |


RAS Reporting

| Source | Destination | Protocols | Ports | Description |
|---|---|---|---|---|
| RAS Reporting Service | MS SQL | TCP | 1433 | Store RAS activity information. |
| | SSRS | TCP | 8085, 443 | Enumeration of reports (including custom reports). |


RAS Web Administration Service (REST/Management Portal)

| Source | Destination | Protocols | Ports | Description |
|---|---|---|---|---|
| RAS Web Administration Service | RAS RD Session Host Agent | TCP | 30004 | Log retrieval. |
| | RAS Guest Agent | TCP | 30010 | Log retrieval. |
| | RAS Provider Agent | TCP | 30006 | Log retrieval. |
| | RAS Connection Broker | TCP | 20002, 20001 | Communication with the PA and redundancy. Used during publishing to browse for installed applications or for single file/folder browsing. |
| | | TCP | 30020 | Remote agent pushing (pre-RAS 18). |
| | RAS RD Session Host Agent, RAS Guest Agent, RAS Remote PC Agent, RAS Connection Broker, RAS Secure Gateway, RAS Enrollment Server | TCP | 135, 445 | Remote install push / takeover of software (pre-RAS 18). |
| | RAS Reporting Service | TCP | 3000 | Integration of RAS Reporting in the Management Portal iFrame. |


RAS PowerShell

| Source | Destination | Protocols | Ports | Description |
|---|---|---|---|---|
| RAS PowerShell | RAS RD Session Host Agent | TCP | 30004 | Log retrieval. |
| | RAS Guest Agent | TCP | 30010 | Log retrieval. |
| | RAS Remote PC Agent | TCP | 30004 | Log retrieval. |
| | RAS Provider Agent | TCP | 30006 | Log retrieval. |
| | RAS Connection Broker | TCP | 20002, 20001 | Communication with the PA and redundancy. Used during publishing to browse for installed applications or for single file/folder browsing. |


RAS Provider Agent

| Source | Destination | Protocols | Ports | Description |
|---|---|---|---|---|
| RAS Provider Agent | RAS Connection Broker | TCP | 20003 | Connection Broker communication port. |
| | RAS Guest Agent | TCP | 30010 | TCP is used to send the commands. |
| | | UDP | 30009 | UDP is used during the initial handshake. |
| | RAS Performance Monitor | TCP | 8086 | Agent (Telegraf service) sends collected performance data to InfluxDB - applicable to Hyper-V only. |
| | Hyper-V | TCP | 135, 49152-65535 | Used to check whether the guest is powered on and to send export, import, delete, shutdown, restart or suspend commands. |
| | Nutanix | TCP | 9440 | Used to check whether the guest is powered on and to send export, import, delete, shutdown, restart or suspend commands. |
| | VMWare | TCP | 443 | Used to check whether the guest is powered on and to send clone, delete, shutdown, restart and suspend commands. |
| | Microsoft Azure | TCP | 443 | Used to check whether the guest is powered on and to send clone, shutdown, and restart commands (via REST). |
| | AWS | TCP | 443 | Used to check whether the guest is powered on and to send clone, shutdown, and restart commands (via REST). |
| | Scale | TCP | 443 | Used to check whether the guest is powered on and to send clone, shutdown, and restart commands (via REST). |
| | Remote PC over VDI | TCP | 135, 49152-65535 | Used to check whether the guest is powered on and to send shutdown, restart or suspend commands. |


RAS Enrollment Server

| Source | Destination | Protocols | Ports | Description |
|---|---|---|---|---|
| RAS Enrollment Server | AD DS controllers | TCP | 389, 3268 | LDAP |
| | | TCP | 636, 3269 | LDAPS |
| | | TCP, UDP | 88 | Kerberos |
| | | UDP | 53 | DNS |
| | RAS Connection Broker | TCP | 20003 | Settings synchronization and performance counters. |
| | | UDP | 20003 | Deny connection request. |
| | Certificate Authority (CA) | TCP | 135 | DCOM/RPC ports. |
| | | TCP | 49152-65535 (dynamic range) | DCOM/RPC ports. |


RAS RD Session Host Agent

| Source | Destination | Protocols | Ports | Description |
|---|---|---|---|---|
| RAS RD Session Host Agent | RAS Connection Broker | TCP, UDP | 20003 | Used for communications with RAS Connection Brokers. |
| | Localhost | TCP | 30005 | For internal commands (memshell, printer redirector). |
| | FSLogix | TCP | 443 | Download the FSLogix installer. |
| | RAS Performance Monitor | TCP | 8086 | Agent (Telegraf service) sends collected performance data to InfluxDB. |
| | RAS Enrollment Server | TCP | 30030 | The RAS RD Session Host Agent (PrlsSCDriver) connects to get logon credentials. |


RAS Guest Agent

| Source | Destination | Protocols | Ports | Description |
|---|---|---|---|---|
| RAS Guest Agent (used by Azure Virtual Desktop) | Provider Agent | TCP, UDP | 30006 | Communication with the Provider Agent. A subnet broadcast is sent to find the Provider Agent; regular UDP heartbeats. |
| | Localhost | TCP | 30005 | For internal commands (memshell, printer redirector). |
| | RAS Performance Monitor | TCP | 8086 | Agent (Telegraf service) sends collected performance data to InfluxDB. |
| | RAS Enrollment Server | TCP | 30030 | The RAS Guest Agent (PrlsSCDriver) connects to get logon credentials. |
| | FSLogix | TCP | 443 | Download the FSLogix installer. |


RAS Remote PC Agent

| Source | Destination | Protocols | Ports | Description |
|---|---|---|---|---|
| RAS Remote PC Agent | RAS Connection Broker | TCP, UDP | 20003 | Used for communications with RAS Connection Brokers. |
| | Localhost | TCP | 30005 | For internal commands (memshell, printer redirector). |
| | RAS Performance Monitor | TCP | 8086 | Agent (Telegraf service) sends collected performance data to InfluxDB. |
| | RAS Enrollment Server | TCP, UDP | 30030 | The RAS Remote PC Agent (PrlsSCDriver) connects to get logon credentials. |
| | FSLogix | TCP | 443 | Download the FSLogix installer. |


Tenant Broker

| Source | Destination | Protocols | Ports | Description |
|---|---|---|---|---|
| Tenant - RAS Connection Broker | Tenant Broker - RAS Connection Broker | TCP | 20003 | The tenant's RAS Connection Broker communicates with the Tenant Broker to join the Tenant Broker and to synchronize configuration and statuses. |


Azure Virtual Desktop

The Azure virtual machines you create for Azure Virtual Desktop must have access to the following URLs in the Azure commercial cloud:

| Address | Outbound TCP port | Purpose | Service tag |
|---|---|---|---|
| *.wvd.microsoft.com | 443 | Service traffic | WindowsVirtualDesktop |
| gcs.prod.monitoring.core.windows.net | 443 | Agent traffic | AzureCloud |
| production.diagnostics.monitoring.core.windows.net | 443 | Agent traffic | AzureCloud |
| *xt.blob.core.windows.net | 443 | Agent traffic | AzureCloud |
| *eh.servicebus.windows.net | 443 | Agent traffic | AzureCloud |
| *xt.table.core.windows.net | 443 | Agent traffic | AzureCloud |
| *xt.queue.core.windows.net | 443 | Agent traffic | AzureCloud |
| catalogartifact.azureedge.net | 443 | Azure Marketplace | AzureCloud |
| kms.core.windows.net | 1688 | Windows activation | Internet |
| mrsglobalsteus2prod.blob.core.windows.net | 443 | Agent and SXS stack updates | AzureCloud |
| wvdportalstorageblob.blob.core.windows.net | 443 | Azure portal support | AzureCloud |
| 169.254.169.254 | 80 | Azure Instance Metadata service endpoint | N/A |
| 168.63.129.16 | 80 | Session host health monitoring | N/A |

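A missing egress rule on a session host shows up only as agent or activation failures later, so it is worth checking the required endpoints from the table above before registering the host. The following PowerShell is an added example, not part of the Parallels article or of Microsoft's tooling: it runs `Test-NetConnection` against each concrete address and port from the required table, reports wildcard entries (which cannot be probed directly) as skipped, and prints one row per endpoint. The endpoint list is copied from the table; nothing else on this page is assumed.

```powershell
# Added example (not from Parallels): outbound egress check for an Azure Virtual Desktop
# session host, using the required endpoints listed in the table above.
$Endpoints = @(
    @{ Address = '*.wvd.microsoft.com';                                Port = 443;  Purpose = 'Service traffic' }
    @{ Address = 'gcs.prod.monitoring.core.windows.net';               Port = 443;  Purpose = 'Agent traffic' }
    @{ Address = 'production.diagnostics.monitoring.core.windows.net'; Port = 443;  Purpose = 'Agent traffic' }
    @{ Address = '*xt.blob.core.windows.net';                          Port = 443;  Purpose = 'Agent traffic' }
    @{ Address = '*eh.servicebus.windows.net';                         Port = 443;  Purpose = 'Agent traffic' }
    @{ Address = '*xt.table.core.windows.net';                         Port = 443;  Purpose = 'Agent traffic' }
    @{ Address = '*xt.queue.core.windows.net';                         Port = 443;  Purpose = 'Agent traffic' }
    @{ Address = 'catalogartifact.azureedge.net';                      Port = 443;  Purpose = 'Azure Marketplace' }
    @{ Address = 'kms.core.windows.net';                               Port = 1688; Purpose = 'Windows activation' }
    @{ Address = 'mrsglobalsteus2prod.blob.core.windows.net';          Port = 443;  Purpose = 'Agent and SXS stack updates' }
    @{ Address = 'wvdportalstorageblob.blob.core.windows.net';         Port = 443;  Purpose = 'Azure portal support' }
    @{ Address = '169.254.169.254';                                    Port = 80;   Purpose = 'Azure Instance Metadata service endpoint' }
    @{ Address = '168.63.129.16';                                      Port = 80;   Purpose = 'Session host health monitoring' }
)

$Results = foreach ($e in $Endpoints) {
    # Wildcard hostnames cannot be resolved or probed as written; the NSG service tag
    # (or an explicit FQDN rule on the egress firewall) has to cover them.
    if ($e.Address.Contains('*')) {
        [pscustomobject]@{ Address = $e.Address; Port = $e.Port; Purpose = $e.Purpose; Status = 'SKIPPED (wildcard)' }
        continue
    }
    # A plain TCP connect is enough to tell a blocked path from an open one; it does not
    # validate TLS or the service behind the port.
    $t = Test-NetConnection -ComputerName $e.Address -Port $e.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Address = $e.Address
        Port    = $e.Port
        Purpose = $e.Purpose
        Status  = if ($t.TcpTestSucceeded) { 'OK' } else { 'BLOCKED' }
    }
}

$Results | Format-Table -AutoSize

# Non-zero exit when anything required is blocked, so the check can gate an image build.
$blocked = @($Results | Where-Object Status -eq 'BLOCKED')
if ($blocked.Count -gt 0) { exit 1 }
```

A BLOCKED row points at the purpose whose NSG, firewall or proxy rule is missing; the Service tag column of the table is the right object to reference in an NSG rule, since the underlying IP ranges change.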

The following table lists optional URLs that your Azure virtual machines can have access to:

| Address | Outbound TCP port | Purpose | Azure Gov |
|---|---|---|---|
| *.microsoftonline.com | 443 | Authentication to Microsoft Online Services | login.microsoftonline.us |
| *.events.data.microsoft.com | 443 | Telemetry service | None |
| www.msftconnecttest.com | 443 | Detects whether the OS is connected to the internet | None |
| *.prod.do.dsp.mp.microsoft.com | 443 | Windows Update | None |
| login.windows.net | 443 | Sign in to Microsoft Online Services, Microsoft 365 | login.microsoftonline.us |
| *.sfx.ms | 443 | Updates for OneDrive client software | oneclient.sfx.ms |
| *.digicert.com | 443 | Certificate revocation check | None |
| *.azure-dns.com | 443 | Azure DNS resolution | None |
| *.azure-dns.net | 443 | Azure DNS resolution | None |

