RD Gateway - ports and certificates

Question

  • Hi All,

    I'm about to publish an RD server via an RD Gateway (both servers will be Windows 2008 R2).

    My plan is to place the RDG server in the DMZ (we don't use ISA) and join the RDG server to the domain (we need to authenticate domain users). The RD server will be placed on the internal network and also joined to the domain.

    The users will need to log on via a web page, so I plan to install the RD Web Access role and the RDG role on the same server. The RDG server will have a public DNS name - remote.domain.com, with a public certificate (we do not want to use self-signed certificates).

    Is it correctly understood that I can use the same public certificate for both server roles, when the roles are placed on the same server?

    And I will need just one IP address for the RDG / RD Web Access server?

    And I will need the following port openings in my firewall?

    From internet to RDG server:
    Port 80 + 443 (TCP)

    From RDG to RD server on internal network:
    Port 3389 (TCP).
    Port 24158 (TCP). WMI traffic - I intend to "lock" this port on RDG and RD server.

    From RDG to domain controller on internal network:
    Port 88 (TCP).
    Port 135 (TCP).
    TCP (Port on which NTDS RPC service listens on AD) - I intend to use port 8600 and "lock" this port on the DC.
    Port 389 (TCP + UDP).
    Port 53 (UDP).

    Are those all the ports I need?

    Anything else I need to be aware of? Thanks!

    Thursday, August 05, 2010 6:39 AM

All replies

  • Hi Rallow,

    According to your description, I understand that you want to know the required port openings in your firewall when you publish an RD Web Access and RD Gateway in the DMZ network.

    When there is no AD DS in the perimeter network, ideally the servers in the perimeter network should be in a workgroup, but the RD Gateway server has to be domain-joined because it has to authenticate and authorize corporate domain users and resources.

    In this deployment, RD Gateway needs the ports to be opened on the internal firewall for the following purposes:

    For your convenience, I have included the firewall rule configurations required when RD Gateway is in the perimeter network:

    1. Firewall rules for the path between the external network and the perimeter network (ports that need to be opened on the external firewall):

    • Port TCP: 443 should be opened for allowing HTTPS traffic from the client sitting on the Internet to the RD Gateway server in the perimeter network.

    2. Firewall rules for the path between the perimeter network and the internal network (ports that need to be opened on the internal firewall):

    The internal firewall should allow all communication from the RD Gateway server to internal network resources. Here are the ports that need to be opened on the internal firewall when the corresponding traffic (DNS, RADIUS, RD Gateway authentication, etc.) destination point is in the internal network.

    RD Gateway authentication traffic:

    Firewall rules between the perimeter network (RD Gateway) and the internal network (Domain Controller) to authenticate the user:

    • Server Protocol = Kerberos
    • Port = TCP: 88

    The RD Gateway server talks to the NT Directory Service (NTDS) RPC service on AD. The NTDS RPC service listens on an unused high-end port. RD Gateway does not know the port number on which the NTDS RPC service is listening, so RD Gateway talks to the RPC Endpoint Mapper, which listens on a constant port, and gets the NTDS RPC service port number. Finally it makes a connection to the NTDS RPC service. Fortunately, the admin can make the NTDS RPC service on AD listen on a constant port by using a registry key. To learn how to configure the registry values on AD for NTDS RPC service ports, see this article.

    • Server Protocol = RPC Endpoint Mapper
    • Port = TCP: 135, TCP: <Port on which NTDS RPC service listens on AD>

    Note: In Windows Server 2008 R2, RD Gateway can be configured to use non-native authentication methods through a custom authentication plug-in. If RD Gateway is configured with a custom authentication plug-in, contact the vendor of the authentication plug-in to find out which firewall rules are required for RD Gateway authentication.

    RD Gateway authorization traffic:

    Firewall rules between the perimeter network (RD Gateway) and the internal network (domain controller) to authorize the user:

    • Server Protocol = LDAP
    • For LDAP: Port = TCP: 389, UDP: 389

    Note: In Windows Server 2008 R2, RD Gateway can be configured to use non-native authorization methods through a custom authorization plug-in. If RD Gateway is configured with a custom authorization plug-in, contact the vendor of the authorization plug-in to find out which firewall rules are required for the RD Gateway authorization.

    DNS traffic:

    Firewall rules between the perimeter network and the internal network to resolve the internal network resources:

    • Server Protocol = DNS
    • Port = TCP: 53, UDP: 53

    RDP traffic:

    Firewall rules between the perimeter network and the internal network to forward RDP packets from client:

    • Server Protocol = RDP
    • Port = TCP: 3389

    Certificate Revocation List traffic:

    Firewall rules between the perimeter network and the internal network to contact CRL distribution point to get the certificate revocation list:

    • Server Protocol = LDAP or HTTP or FTP
    • For LDAP: port = TCP: 389, UDP: 389. For HTTP: port = 80. For FTP: Port = 21

    Note: The Certificate Revocation List is needed either to validate the client certificate during smart card authentication or when the certificate deployed on RD Gateway is an enterprise/standalone CA certificate. To know which protocol is needed to contact the CRL distribution point for a certificate, open the certificate and go to the Details tab and look at the CRL Distribution Points field.

    RADIUS traffic:

    If RD Gateway is configured to use a central server running NPS and if the NPS server is not in the perimeter network, then the following additional firewall rules are needed between the perimeter network (RD Gateway) and the internal network (NPS Server).

    • Server Protocol: RADIUS
    • Port = UDP: 1812
    • Server Protocol: RADIUS Accounting
    • Port = UDP: 1813

    3. RD Web Access and RD Gateway on the same server:

    If RD Web Access and RD Gateway are on the same server in the perimeter network or when RD Web Access is in the perimeter network, the following additional firewall rules need to be configured between the perimeter network (RD Web Access) and the internal network (RemoteApp Server).

    RD Web Access points to single RD Server or Single RD Server farm:

    This scenario is possible in Windows Server 2008 or higher versions. The WMI service on RD Server listens on an available high end port. The port on which WMI service listens can be fixed by executing the commands specified in this MSDN article. This fixed WMI port needs to be opened on the firewall.

    • Server Protocol: WMI
    • Port = TCP: <WMI Fixed Port>

    RD Web Access points to multiple RD Servers/farms:

    This scenario is possible in Windows Server 2008 R2. The WMI service on RD Web Access Server listens on an available high end port. The port on which WMI service listens can be fixed by executing the commands specified in this MSDN article. This fixed WMI port needs to be opened on the firewall.

    • Server Protocol: WMI
    • Port = TCP: <WMI Fixed Port>

    RD Web Access points to a centralized publishing server (Connection Broker):

    This scenario is possible in Windows Server 2008 R2.

    • Server Protocol = RPC
    • Port = TCP: 5504

    Hope it helps.

    Wilson Jia

    TechNet Subscriber Support in forum

    Friday, August 06, 2010 6:59 AM
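As an added example (not part of the thread or of any Microsoft documentation), the following PowerShell check, run from the RD Gateway host in the perimeter network, probes the TCP flows from the list above through the internal firewall and reports which are passed, filtered or refused. The host names `dc01.internal.example` and `rdsh01.internal.example` are assumptions; the fixed NTDS port 8600 and WMI port 24158 are the values the question intends to use.

```powershell
# Added example (not from the thread): checks, from the RD Gateway host in the
# perimeter network, that the TCP flows listed in the answer above are actually
# permitted by the internal firewall. Host names are assumptions; the 8600 NTDS
# port and the 24158 WMI port are the fixed ports the question intends to use.
# UDP flows (DNS 53, LDAP 389, RADIUS 1812/1813) cannot be probed this way.

$dc      = 'dc01.internal.example'       # assumed name of the domain controller
$rdhost  = 'rdsh01.internal.example'     # assumed name of the RD Session Host
$timeout = 3000                          # milliseconds per probe

$flows = @(
    @{ Target = $dc;     Port = 88;    Purpose = 'Kerberos authentication' },
    @{ Target = $dc;     Port = 135;   Purpose = 'RPC Endpoint Mapper' },
    @{ Target = $dc;     Port = 8600;  Purpose = 'NTDS RPC, fixed via HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters "TCP/IP Port"' },
    @{ Target = $dc;     Port = 389;   Purpose = 'LDAP authorization' },
    @{ Target = $dc;     Port = 53;    Purpose = 'DNS (TCP)' },
    @{ Target = $rdhost; Port = 3389;  Purpose = 'RDP forwarded to RD server' },
    @{ Target = $rdhost; Port = 24158; Purpose = 'WMI fixed port (winmgmt -standalonehost)' }
)

function Test-TcpFlow {
    param([string]$Target, [int]$Port, [int]$TimeoutMs)
    # TcpClient with an asynchronous connect so a silently dropped packet
    # (typical of a DENY rule) times out instead of hanging for minutes.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'FILTERED (timeout)' }
        $client.EndConnect($ar)
        return 'OPEN'
    } catch {
        # Connection refused means the firewall passed the packet but nothing
        # listens on that port; still a finding, but a different one.
        return 'REFUSED/ERROR: ' + $_.Exception.Message
    } finally {
        $client.Close()
    }
}

foreach ($f in $flows) {
    $state = Test-TcpFlow -Target $f.Target -Port $f.Port -TimeoutMs $timeout
    '{0,-26} TCP {1,-6} {2,-20} {3}' -f $f.Target, $f.Port, $state, $f.Purpose
}
```

A FILTERED result on 8600 or 24158 after the fixed-port settings have been applied usually means the internal firewall rule still references the dynamic RPC range rather than the fixed port.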
  • Hi Wilson Jia,

    Thank you very much for your help so far. I think I've got the ports covered now. What about my other two questions?

    Is it correctly understood that I can use the same public certificate for both server roles, when the roles are placed on the same server? - meaning can I use the same public certificate for the RD web site and for the RDG server role when they are both on the same server?

    And I will need just one IP address for the RDG / RD Web Access server?

    Thanks!

    Friday, August 06, 2010 12:57 PM
  • Is it correctly understood that I can use the same public certificate for both server roles, when the roles are placed on the same server? - meaning can I use the same public certificate for the RD web site and for the RDG server role when they are both on the same server?

    And I will need just one IP address for the RDG / RD Web Access server?

    This is correct: with both roles on the same server, a single IP and TCP 443 are shared by both services and a single certificate is required.
    • Proposed as answer by Aaron.ParkerMVP Friday, August 06, 2010 2:39 PM
    • Marked as answer by Sallow8600 Sunday, August 08, 2010 7:00 PM
    Friday, August 06, 2010 2:26 PM
  • Thanks Aaron - really appreciate your help!
    Sunday, August 08, 2010 7:01 PM