
Firewall Ports Requirements Between RDS Components

The document summarizes the port requirements for firewall configuration between different Remote Desktop Services (RDS) components, including Remote Desktop Connection Broker, Remote Desktop Gateway, Remote Desktop Web Access, Remote Desktop Session Host, Remote Desktop Virtualization Host, and Remote Desktop Licensing Server. Key ports include TCP 443, 3389, 5504, 5985 for communication between RDS components; TCP 8090 for the Sophos firewall portal; and TCP/UDP ports 88, 135, 389, 636, 53 for Active Directory authentication. The document also lists the IP addresses, roles and VLAN assignments for the RDS servers in the environment.

Uploaded by dadavahid

Firewall Ports requirements between RDS components

From Client to RD Resource
- If using RDWeb:
  - TCP 443 (HTTPS)
- TCP|UDP 3389: standard RDP port. Can be configured on the host and the client to a different port number.

Remote Desktop Connection Broker (RDCB)
- TCP 5504: connection to RD Web Access
- TCP 3389: connection to RD Session Host
- TCP 3389: connection to non-managed VM pools; managed machines use VMBus to open the port.
- TCP 3389: client port for clients not using RD Gateway
- TCP 445|RPC: connection to RD Virtualization Host
- TCP 445|RPC: connection to RD Session Host
- TCP 5985: WMI and PowerShell Remoting for administration

Remote Desktop Gateway
- For inbound external internet-based traffic from RD Clients to the Gateway:
  - TCP 443: HTTP (includes RPC over HTTP) over SSL (configurable using the RD Gateway Management console)
  - UDP 3391: RDP/UDP (configurable using the RD Gateway Management console). NOTE: firewalls that perform directional UDP analysis, such as TMG, require UDP "Send Receive" to be configured.
- For internal traffic between the Gateway and the required User AD, Resource AD, DNS, NPS etc.:
  - TCP 88: Kerberos for user authentication
  - TCP 135: RPC Endpoint Mapper
  - TCP <>: port on which the NTDS RPC service listens on AD
  - TCP|UDP 389: LDAP for user authentication
  - TCP|UDP 53: internal resource name resolution (DNS)
  - TCP|UDP 389: if using LDAP for Certificate Revocation List (CRL) retrieval
  - TCP 80: if using HTTP for Certificate Revocation List (CRL) retrieval
  - TCP 21: if using FTP for Certificate Revocation List (CRL) retrieval
  - UDP 1812, 1813: if an NPS server is being used
  - TCP 5985: WMI and PowerShell Remoting for administration
- For internal traffic from the Gateway to the internal Remote Desktop resources:
  - TCP|UDP 3389: RDP. NOTE: firewalls that perform directional UDP analysis, such as TMG, require UDP "Send Receive" to be configured in the UDP protocol.

Remote Desktop Web Access
- If RD Web Access is on a perimeter network:
  - TCP <WMI Fixed Port>
  - TCP 5504: connection to RD Connection Broker for centralized publishing
  - TCP 5985: WMI and PowerShell Remoting for administration
- If ISA is used, please refer to http://www.isaserver.org/articles/2004perimeterdomain.html

Remote Desktop Session Host
- RPC to the RD License Server (ports are listed under Remote Desktop Licensing Server below)
- TCP 389|636: Active Directory communication
- TCP 5985: WMI and PowerShell Remoting for administration

Remote Desktop Virtualization Host
- RPC to the RD License Server (ports are listed under Remote Desktop Licensing Server below)
- TCP 389|636: Active Directory communication
- TCP 5985: WMI and PowerShell Remoting for administration

Remote Desktop Licensing Server

Information for Terminal Server in Windows Server 2008 is at http://support.microsoft.com/KB/832017#method26. The ports used have not changed in Windows Server 2012 / R2. The summary follows.

TCP
- TCP 135: RPC for License Server communication and RDSH
- TCP 1024-65535 (randomly allocated): used for RPC on Windows Server pre-2008 (see next line)
- TCP 49152-65535 (randomly allocated): the dynamic RPC range in Windows Server 2012, Windows Server 2008 R2 and Windows Server 2008
- TCP 445: SMB
- TCP 443: communication over the internet to the Microsoft Clearing House
- TCP 5985: WMI and PowerShell Remoting for administration
- TCP 139: NetBIOS session service

How to configure which ports are used (if they need to be set to specific values): http://support.microsoft.com/kb/154596/

NetBIOS
- UDP 137: NetBIOS name resolution
- UDP 138: NetBIOS datagram
- UDP|TCP 389: LDAP, used with per-user CALs against Active Directory

Database Server
- UDP 1433: between all servers with RDCB
- TCP 1433: between all servers with RDCB

Between Firewall and RDS Servers and DC:

Kerberos & NTLM authentication
- TCP 6677: License Server communication to Sophos
- TCP 5566: License Server communication to Sophos
- TCP 639: authentication of users through Domain Controllers
- TCP 8090: Sophos Portal link (port); should be accessible from all clients and servers

RDS Servers

VLAN    Server Name                 IP Address       Roles
VLAN83  VSRV-RDS-A.mefa.com         192.168.83.253   RDCB, RDWA, RDSH
VLAN87  VSRV-RDS.Portal.mefa.com    192.168.87.253   RDCB, RDWA, RDSH
VLAN88  VSRV-RDS.N1.mefa.com        192.168.88.253   RDCB, RDWA, RDSH
VLAN89  VSRV-RDS.N2.mefa.com        192.168.89.253   RDCB, RDWA, RDSH
VLAN85  VSRV-RDS.N3.mefa.com        192.168.85.253   RDSH
VLAN84  VSRV-RDS.N4.mefa.com        192.168.84.253   RDSH
VLAN88  VSRV-RDS.NDB.mefa.com       192.168.88.100   Database Server
VLAN86  VSRV-RDS.DB.mefa.com        192.168.86.100   Database Server

Firewall (Sophos):
IP Address: 172.16.16.16
Portal Port (TCP): 8090
Management Port (TCP): 4444
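The role-level port lists above and the server table can be joined mechanically to produce the exact host-to-host allow-list the Sophos firewall needs, and to flag any rule that no documented requirement explains. The script below is an added example, not part of the original document; it covers only the TCP flows between the RDS servers, the database servers and the Sophos portal (RDCB to RDSH 3389/445/5985, RDWA to RDCB 5504, RDCB to Database Server 1433, all servers to the portal on 8090), and the hostname used for the firewall is a placeholder.

```python
from itertools import product

# Role-to-role TCP flows transcribed from the sections above; "*" means any server role.
ROLE_FLOWS = {
    ("RDCB", "RDSH"): {3389, 445, 5985},  # broker -> session host (RDP, RPC/SMB, WinRM)
    ("RDWA", "RDCB"): {5504},             # web access -> broker (centralized publishing)
    ("RDCB", "Database Server"): {1433},  # broker -> SQL database server
    ("*", "Sophos"): {8090},              # Sophos portal reachable from all servers
}

# Host inventory from the "RDS Servers" table plus the Sophos firewall entry.
HOSTS = {
    "VSRV-RDS-A.mefa.com":      ("192.168.83.253", {"RDCB", "RDWA", "RDSH"}),
    "VSRV-RDS.Portal.mefa.com": ("192.168.87.253", {"RDCB", "RDWA", "RDSH"}),
    "VSRV-RDS.N1.mefa.com":     ("192.168.88.253", {"RDCB", "RDWA", "RDSH"}),
    "VSRV-RDS.N2.mefa.com":     ("192.168.89.253", {"RDCB", "RDWA", "RDSH"}),
    "VSRV-RDS.N3.mefa.com":     ("192.168.85.253", {"RDSH"}),
    "VSRV-RDS.N4.mefa.com":     ("192.168.84.253", {"RDSH"}),
    "VSRV-RDS.NDB.mefa.com":    ("192.168.88.100", {"Database Server"}),
    "VSRV-RDS.DB.mefa.com":     ("192.168.86.100", {"Database Server"}),
    "sophos-fw":                ("172.16.16.16",   {"Sophos"}),  # hostname is a placeholder
}

def _has_role(role, roles):
    return role == "*" or role in roles

def required_flows(hosts=HOSTS, role_flows=ROLE_FLOWS):
    """Expand the role matrix into sorted (src_ip, dst_ip, tcp_port) tuples: the
    minimal allow-list for these hosts. Each ordered pair of distinct hosts gets
    one flow per port for every role pair it satisfies."""
    flows = set()
    for (src, (sip, sroles)), (dst, (dip, droles)) in product(hosts.items(), repeat=2):
        if src == dst:
            continue
        for (sr, dr), ports in role_flows.items():
            if _has_role(sr, sroles) and _has_role(dr, droles):
                flows.update((sip, dip, p) for p in ports)
    return sorted(flows)

def audit(allowed, hosts=HOSTS, role_flows=ROLE_FLOWS):
    """Return (missing, excess): required flows the allow-list lacks, and flows it
    permits that no documented RDS requirement explains (least-privilege review)."""
    need, have = set(required_flows(hosts, role_flows)), set(allowed)
    return sorted(need - have), sorted(have - need)

if __name__ == "__main__":
    for sip, dip, port in required_flows():
        print(f"allow tcp {sip} -> {dip}:{port}")
```

Feed `audit()` the flows exported from the current firewall policy to see which required paths are still blocked and which allowed paths have no justification in this document.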
