By default, Remote Application Server installs with a Secure Client Gateway and a Publishing Agent. There can be only one master Publishing Agent in a farm; however, multiple Secure Client Gateway access points and resource publishing agents (RDSH Agent) can be deployed where needed.
Below are the firewall requirements for each of the separate Remote Application Server functions:
All Components TCP 135, 445 - remote agent push.
For the component tables below:
- External Ports should be enabled and allow incoming traffic from all network nodes.
- Internal Ports need not be enabled for access from the WAN or Internet since they are communication ports for Remote Application Server functions and modules.
SECURE CLIENT GATEWAY
Type | Protocol | Port | Commentary |
External | TCP | 80 | |
External | UDP | 80 | If RDP-UDP is enabled |
External | TCP | 443 | If SSL is enabled |
External | UDP | 443 | If SSL and RDP-UDP is enabled |
External | TCP | 3389 | If RDP load balancing is enabled |
External | TCP | 20009 | If Client Manager is enabled |
External | UDP | 20009 | If Client Manager is enabled |
Internal | UDP | 20000 | Gateway Lookup |
Internal | TCP | 30020 | Remote agent pushing |
Internal | TCP | 49179 | Remote Install Push/Takeover of Software |
Localhost | TCP | 20020 | Communication with NodeJS web server |
NOTE: By default, RDP load balancing on port 3389 is not available on the RAS Secure Client Gateway: the feature is not enabled, so the Gateway does not listen on that port.
The feature can be enabled, but connections on this port will not support published items, as the port is strictly for RDP load balancing.
By default, this port is used only on RD Session Hosts (see Remote Desktop Session Host Agent below).
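As an added example (not a Parallels script), the Secure Client Gateway table above can be expressed as inbound Windows Firewall rules, with External ports open to any source and Internal ports limited to the internal network. The parameter names, the rule group name and the `10.0.0.0/24` subnet are assumptions for illustration.

```powershell
# Added example: inbound Windows Firewall rules for a Secure Client Gateway host,
# built from the SECURE CLIENT GATEWAY table. Run elevated on the gateway.
# Assumptions: parameter names, group name and the subnet value are illustrative.
param(
    [string]$InternalNet = '10.0.0.0/24',  # placeholder: subnet of the other RAS components
    [switch]$Ssl,                # SSL is enabled on the gateway
    [switch]$RdpUdp,             # RDP-UDP is enabled
    [switch]$RdpLoadBalancing,   # RDP load balancing is enabled (off by default)
    [switch]$ClientManager       # Client Manager is enabled
)

$group = 'RAS Gateway example'

# One entry per table row; 'On' mirrors the condition in the Commentary column.
# Localhost TCP 20020 is loopback-only, so no rule is created for it.
$rows = @(
    @{ Type='External'; Proto='TCP'; Port=80;    On=$true }
    @{ Type='External'; Proto='UDP'; Port=80;    On=$RdpUdp.IsPresent }
    @{ Type='External'; Proto='TCP'; Port=443;   On=$Ssl.IsPresent }
    @{ Type='External'; Proto='UDP'; Port=443;   On=($Ssl.IsPresent -and $RdpUdp.IsPresent) }
    @{ Type='External'; Proto='TCP'; Port=3389;  On=$RdpLoadBalancing.IsPresent }
    @{ Type='External'; Proto='TCP'; Port=20009; On=$ClientManager.IsPresent }
    @{ Type='External'; Proto='UDP'; Port=20009; On=$ClientManager.IsPresent }
    @{ Type='Internal'; Proto='UDP'; Port=20000; On=$true }
    @{ Type='Internal'; Proto='TCP'; Port=30020; On=$true }
    @{ Type='Internal'; Proto='TCP'; Port=49179; On=$true }
)

foreach ($row in ($rows | Where-Object { $_.On })) {
    # External ports accept any source; Internal ports only the internal subnet.
    $remote = if ($row.Type -eq 'External') { 'Any' } else { $InternalNet }
    $name   = 'RAS Gateway {0} {1}/{2}' -f $row.Type, $row.Proto, $row.Port

    # Skip rules that already exist so the script can be re-run safely.
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }

    New-NetFirewallRule -DisplayName $name -Group $group `
        -Direction Inbound -Action Allow -Protocol $row.Proto `
        -LocalPort $row.Port -RemoteAddress $remote | Out-Null
}

# List the resulting rules for review.
Get-NetFirewallRule -Group $group | Select-Object DisplayName, Enabled, Action
```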
HALB APPLIANCE
Type | Protocol | Port | Commentary |
External | TCP | 80 | |
External | TCP | 443 | If SSL is enabled |
External | TCP | 20009 | If Client Manager is enabled |
External | UDP | 20009 | If Client Manager is enabled |
Internal | TCP | 31006 | Configuration |
Internal | UDP | 31006 | Configuration |
Internal | RAW | 112 | Virtual Router Redundancy Protocol |
PUBLISHING AGENT
Type | Protocol | Port | Commentary |
Internal | TCP | 20001 | Publishing Agent Service Port - Communication with other Publishing Agent including Tenant's RAS Publishing Agent communication |
Internal | TCP | 20002 | Publishing Agent Service Port – Communications with SecureClientGateway and UI Console |
Internal | TCP | 20003 | Communications with RDSH agents, RemotePC and VDI Agents. Publishing Agent Service Port - Communication with other Publishing Agent including Tenant's RAS Publishing Agent communication |
Internal | TCP | 20030 | Communication between multiple Publishing Agents |
Internal | TCP | 30020 | Remote agent pushing |
Internal | TCP | 49179 | Remote Install Push/Takeover of Software |
Outbound TCP, UDP 80, 8080, 1812, 1813 – Communication with Second Level Authentication server:
2FA Server
Outbound TCP 443 – Communication with Parallels Licensing Server:
Version 14 and earlier:
erp.2x.com
prm.2x.com
Version 15 and later:
account.parallels.com
license.parallels.com
ras.parallels.com
s.parallels.com
CONSOLE
Outbound TCP 80 – Update checking:
download.parallels.com
Outbound TCP, UDP 80, 8080, 1812, 1813 – Communication with Second Level Authentication server:
2FA Server/s
Outbound TCP 80, 443:
- www.turbo.net (deprecated in RAS 18.0 and onwards)
- Microsoft resources for downloading FSLogix / Windows Virtual Desktop installers
Outbound UDP 1234 - Discovery of the Wyse brokers.
REMOTE DESKTOP SESSION HOST AGENT
Type | Protocol | Port | Commentary |
Internal | TCP | 3389 | Standard RDP Connections |
Internal | UDP | 3389 | Standard RDP Connections |
Internal | TCP | 30004 | Terminal Server Agent Communication Port |
Internal | UDP | 30004 | Used for "Check Agent" task and log retrieval |
Internal | TCP | 30005 | RDSH Agent internal components communication |
Internal | TCP | 30020 | Remote agent pushing |
Internal | TCP | 49179 | Remote Install Push/Takeover of Software |
VDI AGENT
Type | Protocol | Port | Commentary |
Internal | TCP | 30006 | VDI Agent Communication Port |
Internal | UDP | 30006 | VDI Agent Communication Port |
Internal | TCP | 30007 | VDI Agent Communication Port |
Internal | TCP | 30009 | VDI Agent Communication Port |
Internal | TCP | 30020 | Remote agent pushing |
REMOTE PC AGENT
Type | Protocol | Port | Commentary |
Internal | TCP | 3389 | Standard RDP Connections |
Internal | UDP | 3389 | Standard RDP Connections |
Internal | UDP | 30004 | Used for "Check Agent" task and log retrieval |
Internal | TCP | 30005 | Remote PC Agent internal components communication |
Internal | TCP | 30020 | Remote agent pushing |
Internal | TCP | 49179 | Remote Install Push/Takeover of Software |
REMOTE APPLICATION SERVER REPORTING
Type | Protocol | Port | Commentary |
Internal | TCP | 30008 | Connection between PA and Remote Application Server Reporting service |
GUEST AGENT
Type | Protocol | Port | Commentary |
Internal | TCP | 135, 49152-65535 | For RemotePC over VDI. DCOM/RPC ports used to check if the guest is powered on and send shutdown, restart or suspend commands. |
Internal | TCP | 3389 | Standard RDP Connections |
Internal | UDP | 3389 | Standard RDP Connections |
Internal | UDP | 30004 | Used to check agent status |
Internal | TCP | 30005 | Guest Agent internal components communication |
Internal | UDP | 30009 | Used to manage components. |
Internal | TCP | 30010 | Used for "Check Agent" task and log retrieval |
Internal | TCP | 30020 | Remote agent pushing |
Internal | TCP | 49179 | Remote Install Push/Takeover of Software |
CLIENT
Type | Protocol | Port | Commentary |
Internal | TCP | 50005 | Shadowing from RAS Console in case of direct network connection |
PERFORMANCE MONITOR (Applicable for version 16.1 onwards)
Type | Protocol | Port | Commentary |
Internal | TCP | 3000 | Grafana (dashboard service) |
Internal | UDP | 8086 | Agent (Telegraf service) sends collected performance data to InfluxDB |
ENROLLMENT SERVER (Applicable for version 17.1 onwards)
Type | Protocol | Port | Commentary |
Internal | TCP | 30030 | RAS Publishing Agent Sends RAS Enrollment Server connection request |
Internal | UDP | 30030 | Used for the "Check Agent" task. Used to manage components and for troubleshooting. |