|
| 1 | +--- |
| 2 | +title: Ports That Are Used by RDS |
| 3 | +description: Introduces the ports that are required to open on firewalls to configure Remote Desktop Services (RDS) correctly. |
| 4 | +ms.date: 02/08/2025 |
| 5 | +manager: dcscontentpm |
| 6 | +audience: itpro |
| 7 | +ms.topic: troubleshooting |
| 8 | +ms.reviewer: kaushika |
| 9 | +ms.custom: sap:Remote Desktop Services and Terminal Services\Deployment, configuration, and management of Remote Desktop Services infrastructure, csstroubleshoot |
| 10 | +--- |
| 11 | +# Ports that are used by Remote Desktop Services |
| 12 | + |
| 13 | +This article introduces the ports that need to be open on firewalls to configure Remote Desktop Services (RDS) correctly. |
| 14 | + |
| 15 | +The information and taxonomy are broken down by role, service, and component, and all inbound and outbound ports used are listed. |
| 16 | + |
| 17 | +## From client to RD resource |
| 18 | + |
| 19 | +- TCP 443 (HTTPS): Required if RDWeb is deployed. |
| 20 | +- TCP and UDP 3389: Standard Remote Desktop Protocol (RDP) port. It can be configured to a different port number on the host and client. |
| 21 | + |
| 22 | +## Remote Desktop Connection Broker (RDCB) |
| 23 | + |
| 24 | +- TCP 5504: Used for connections to RD Web Access. |
| 25 | +- TCP 3389: Used for connections to RD Session Host. |
| 26 | +- TCP 3389: Used for connections to non-managed VM pools. Managed machines use Virtual Machine Bus (VMBus) to open ports. |
| 27 | +- TCP 3389: Client port for clients not using RD Gateway. |
| 28 | +- TCP 445 and RPC: Used for connections to RD Virtualization Host. |
| 29 | +- TCP 445 and RPC: Used for connections to RD Session Host. |
| 30 | +- TCP 5985: Used by Windows Management Instrumentation (WMI) and PowerShell Remoting for administration. |
| 31 | + |
| 32 | +## Remote Desktop Gateway |
| 33 | + |
| 34 | +### Inbound external internet-based traffic from RD clients to the Gateway |
| 35 | + |
| 36 | +- TCP 443: Used for HTTP (including RPC over HTTP) over SSL. This port can be configured using the RD Gateway Management console. |
| 37 | +- UDP 3391: Used for RDP over UDP. This port can be configured using the RD Gateway Management console. |
| 38 | + |
| 39 | + > [!NOTE] |
| 40 | + > Firewalls that have directional UDP analysis, such as TMG, require UDP "Send Receive" to be configured. |
| 41 | +
|
| 42 | +### Internal traffic between the Gateway and the required user AD, resource AD, DNS, NPS, and so on |
| 43 | + |
| 44 | +- TCP 88: Used by Kerberos for user authentication. |
| 45 | +- TCP 135: Used by the RPC Endpoint Mapper. |
| 46 | +- TCP 135: Port that NTDS RPC services listens on AD. |
| 47 | +- TCP and UDP 389: Used by the Lightweight Directory Access Protocol (LDAP) for user authentication. It's required when using LDAP for Certificate Revocation Lists (CRLs). |
| 48 | +- TCP and UDP 53: Used by the Domain Name System (DNS) for internal resource name resolution. |
| 49 | +- TCP 80: Required when using HTTP for CRLs. |
| 50 | +- TCP 21: Required when using FTP for CRLs. |
| 51 | +- UDP 1812 and 1813: Required when Network Policy Server (NPS) is used. |
| 52 | +- TCP 5985: Used by WMI and PowerShell Remoting for administration. |
| 53 | + |
| 54 | +### Internal traffic from the Gateway and the internal RD resources |
| 55 | + |
| 56 | +- TCP and UDP 3389: Used by RDP. |
| 57 | + |
| 58 | + > [!Note] |
| 59 | + > Firewalls that have directional UDP analysis, such as TMG, require UDP "Send Receive" to be configured in the UDP protocol. |
| 60 | +
|
| 61 | +## Remote Desktop Web Access |
| 62 | + |
| 63 | +If RD Web Access is on a perimeter network, configure the following ports: |
| 64 | + |
| 65 | +- TCP: \<WMI Fixed Port\> |
| 66 | +- TCP 5504: Used for connections to RDCB for centralized publishing. |
| 67 | +- TCP 5985: Used by WMI and PowerShell Remoting for administration. |
| 68 | + |
| 69 | +## Remote Desktop Session Host |
| 70 | + |
| 71 | +- RD License Server: RPC ports. |
| 72 | +- TCP 389 and 636: Used for AD communication. |
| 73 | +- TCP 5985: Used by WMI and PowerShell Remoting for administration. |
| 74 | + |
| 75 | +## Remote Desktop Virtualization Host |
| 76 | + |
| 77 | +- RD License Server: RPC ports. |
| 78 | +- TCP 389 and 636: Used for AD communication. |
| 79 | +- TCP 5985: Used by WMI and PowerShell Remoting for administration. |
| 80 | + |
| 81 | +## Remote Desktop Licensing Server |
| 82 | + |
| 83 | +For more information, see [RDS Licensing (RDSL)](../networking/service-overview-and-network-port-requirements.md#rds-licensing-rdsl). |
| 84 | + |
| 85 | +### TCP |
| 86 | + |
| 87 | +- TCP 135: Used for RPC for License Server communication and Remote Desktop Session Host. |
| 88 | +- TCP 1024-65535 (randomly allocated): Used for RPC in Windows Server versions that are earlier than Windows Server 2008. |
| 89 | +- TCP 49152-65535 (randomly allocated): Used for RPC in Windows Server 2008 and later versions. |
| 90 | +- TCP 445: Used by the Server Message Block (SMB) protocol. |
| 91 | +- TCP 443: Used for communication over the internet to the Microsoft Clearing House. |
| 92 | +- TCP 5985: Used by WMI and PowerShell Remoting for administration. |
| 93 | +- TCP 139: Used by the NetBIOS session service. |
| 94 | + |
| 95 | +For more information, see [How to configure RPC dynamic port allocation to work with firewalls](../networking/configure-rpc-dynamic-port-allocation-with-firewalls.md). |
| 96 | + |
| 97 | +### NetBIOS |
| 98 | + |
| 99 | +- UDP 137: Used for NetBIOS name resolution. |
| 100 | +- UDP 138: Used by the NetBIOS Datagram Service. |
| 101 | +- UDP and TCP 389: Used by LDAP with per-user Client Access Licenses (CALs) in AD. |
| 102 | + |
| 103 | +From a proxy standpoint, the registry key `HKLM\Software\Microsoft\TermServLicensing\lrwiz\Params` shows the Microsoft service that the RD License Server communicates with. |
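Review bot: The "Remote Desktop Web Access" list (new-file line 65) has an entry `TCP: \<WMI Fixed Port\>` with no port number and no description, which leaves the reader with nothing to put in a firewall rule; the other two entries in that list, and every other list in the article, give a port and a purpose. Either state that the value is whatever fixed port the administrator configured for WMI on that host and where it is set, or, if the intent is the default WMI/PowerShell Remoting port, fold it into the existing `TCP 5985` entry two lines below. Related: the entries `TCP 445 and RPC` (lines 28-29) and `RD License Server: RPC ports` (lines 71 and 77) name RPC without a port range, while the Licensing section (lines 88-89) does spell out the dynamic ranges and links to the firewall article at line 95; a cross-reference to that article from those earlier entries would make the RDCB and Session Host sections usable on their own. Two smaller points: the three consecutive `TCP 3389` bullets under RDCB (lines 25-27) could be one entry listing the three destinations, and the two alerts use `[!NOTE]` (line 39) and `[!Note]` (line 58); use one casing.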