Firewall Ports requirements between RDS components - 2016

Question
-
Hello,
We implemented an RDS Farm 2016 with the following components:
- Two servers with RD web & gateway in the same machine (on DMZ)
- Two RD Broker high available (on internal network)
- Two RD hosts (on internal network)
- One RD License server (on local network)
During the implementation, we opened all ports between the components in the DMZ and on the local network, and the farm was tested successfully.
Now we have to implement the firewall policies between these components. Our question is:
What are the ports needed between RD Web & Gateway in the DMZ (on the same machine) and all RD components, AD, DNS, etc. on the local network?
Please advise,
We appreciate your help,
Thanks,
Hassan Al Kak
- Edited by Amy Wang_ Wednesday, November 29, 2017 8:05 AM Removed personal email address
Tuesday, November 14, 2017 7:30 AM
All replies
-
Hi,
Firewall rules for the path between the external network and the perimeter network (ports that need to be opened on the external firewall):
- TCP 443 should be opened to allow HTTPS traffic from clients on the Internet to the RD Gateway server in the perimeter network.

Firewall rules for the path between the perimeter network and the internal network (ports that need to be opened on the internal firewall):
- RD Gateway authentication traffic: Kerberos, port TCP 88
- Server protocol RPC endpoint mapper: TCP 135 and the port where your NTDS RPC service is listening on
- RD Gateway authorization traffic: default port TCP/389, UDP/389
- DNS traffic: TCP/53, UDP/53
- RDP traffic: TCP/3389
- Certificate revocation list traffic: server protocols are LDAP or HTTPS or FTP; for LDAP TCP/389, UDP/389, for HTTP 80, for FTP 21
- If RD Gateway is configured to use a central server running NPS, the following firewall rule should also be made: protocol RADIUS, port 1812; RADIUS accounting, port 1813
- If the RD Web Access points to a Connection Broker, then TCP/5504 should be open too.
- Proposed as answer by Amy Wang_ Thursday, November 23, 2017 9:15 AM
Tuesday, November 14, 2017 9:00 AM -
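The flow list in the reply above, turned into something you can run, as an added example that is not part of the thread or of any Microsoft documentation. It probes each TCP flow from a DMZ RD Web/Gateway host with Test-NetConnection, checks DNS over UDP against the domain controller with Resolve-DnsName, and shows the matching inbound rule on an internal host scoped to the gateway addresses only. All host names and addresses (dc01.corp.example, rdcb01, rdsh01/02, nps01, 192.0.2.10/11) are placeholders assumed for this example.

```powershell
# Added example, not from the thread: verify from the DMZ RD Web/Gateway host that
# every internal-firewall flow listed in the reply is reachable, then create the
# matching inbound rule on the internal side scoped to the gateway addresses.
# All host names and addresses are placeholders (assumptions for this example).
$DomainController = 'dc01.corp.example'
$Broker           = 'rdcb01.corp.example'
$SessionHosts     = 'rdsh01.corp.example', 'rdsh02.corp.example'
$NpsServer        = 'nps01.corp.example'       # only relevant with a central NPS (RADIUS is UDP)
$GatewayAddresses = '192.0.2.10', '192.0.2.11' # the two DMZ RD Web/Gateway boxes

# TCP flows from the reply, source role -> destination. UDP flows (DNS 53, LDAP 389,
# RADIUS 1812/1813) cannot be probed with Test-NetConnection, which is TCP-only;
# DNS over UDP is checked separately with Resolve-DnsName in Test-RdsDmzFlows.
$TcpFlows = @(
    @{ Dest = $DomainController; Port = 88;   Why = 'Kerberos: RD Gateway authentication' }
    @{ Dest = $DomainController; Port = 135;  Why = 'RPC endpoint mapper (NTDS RPC port follows)' }
    @{ Dest = $DomainController; Port = 389;  Why = 'LDAP: RD Gateway authorization' }
    @{ Dest = $DomainController; Port = 53;   Why = 'DNS over TCP' }
    @{ Dest = $Broker;           Port = 5504; Why = 'RD Web Access -> RD Connection Broker' }
)
foreach ($h in $SessionHosts) {
    $TcpFlows += ,@{ Dest = $h; Port = 3389; Why = 'RDP: RD Gateway -> RD Session Host' }
}

function Test-RdsDmzFlows {
    # Returns one object per flow with an Open flag, so blocked flows can be filtered.
    param([array]$Flows = $TcpFlows)
    foreach ($f in $Flows) {
        $open = Test-NetConnection -ComputerName $f.Dest -Port $f.Port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Dest = $f.Dest; Port = $f.Port; Open = [bool]$open; Why = $f.Why }
    }
    # UDP/53: force the query to the DC itself so a local resolver cache cannot mask a block.
    $answer = Resolve-DnsName -Name $Broker -Server $DomainController -ErrorAction SilentlyContinue
    [pscustomobject]@{ Dest = $DomainController; Port = '53/udp'; Open = ($null -ne $answer); Why = 'DNS over UDP' }
}

function New-RdsInternalInboundRule {
    # Run on the internal host (for example the DC): allow one port inbound only
    # from the gateway addresses rather than from the whole DMZ subnet.
    param(
        [Parameter(Mandatory)][int]$Port,
        [ValidateSet('TCP', 'UDP')][string]$Protocol = 'TCP',
        [Parameter(Mandatory)][string]$Purpose
    )
    New-NetFirewallRule -DisplayName "RDS DMZ: $Purpose ($Protocol/$Port)" `
        -Direction Inbound -Action Allow -Protocol $Protocol -LocalPort $Port `
        -RemoteAddress $GatewayAddresses -Profile Domain
}

# Usage on a gateway box: blocked flows sort to the top.
Test-RdsDmzFlows | Sort-Object Open | Format-Table -AutoSize
# Usage on the DC: lock Kerberos down to the gateway addresses.
# New-RdsInternalInboundRule -Port 88 -Protocol TCP -Purpose 'Kerberos from RD Gateway'
```

Two caveats when reading the output. TCP 135 only reaches the endpoint mapper; the NTDS RPC port the reply mentions is dynamic by default and has to be either allowed as a range or pinned on the DC with the `TCP/IP Port` value under `HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters`, after which that single port can be added to the flow table and the rule set. And a successful probe only proves that the firewall passes the packet; it does not prove that Kerberos or LDAP authentication succeeds, so keep the RD Gateway connection authorization test as the final check.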
Hello,
Thanks for your reply,
We would appreciate it if you could clarify the ports between source and destination further, for example:
- RD Gateway authentication traffic, Kerberos port TCP 88: "this rule is between the RD Gateway and who?" (AD? RD components? ...)
We appreciate more details if possible,
Thanks,
Hassan Al Kak
Tuesday, November 14, 2017 9:14 AM -
Hi, for a full specification you could best read the following article:
https://cloudblogs.microsoft.com/enterprisemobility/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules/
This explains exactly what communication there is between specific servers.
Tuesday, November 14, 2017 9:18 AM -
- RD Gateway authentication traffic, Kerberos port TCP 88: "this rule is between the RD Gateway and who?"
Hi,
That is between RD Gateway and Domain Controller.
RDS 2012: Which ports are used during deployment
Best Regards,
Amy
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
- Proposed as answer by Amy Wang_ Wednesday, November 29, 2017 1:48 AM
Thursday, November 16, 2017 10:10 AM -
How would you go about changing 389 to 636 instead? I have been looking for an article to define this, but haven't had much luck.
Thanks
Wednesday, January 17, 2018 8:00 PM