Firewall Ports requirements between RDS components - 2016 RRS feed

  • Question

  • Hello,

    We implemented an RDS Farm 2016 with the following components:

    - Two servers with RD web & gateway in the same machine (on DMZ)

    - Two RD Broker high available (on internal network)

    - Two RD hosts (on internal network)

    - One RD License server (on local network)

    During the implementation, we opened all ports between components on DMZ & Local Network. and Farm successfully tested.

    Now we have to implement the firewall policies between these components, our questions is:

    What are the ports needed between RD web&Gateway in DMZ (on the same machine) and all RD components, AD and DNS,... in local network.

    Please advise,

    We appreciate your help,


    Hassan Al Kak

    • Edited by Amy Wang_Moderator Wednesday, November 29, 2017 8:05 AM Removed personal email address
    Tuesday, November 14, 2017 7:30 AM

All replies

  • Hi,

    Firewall rules for the path between the external network and the perimeter network (Ports that need to be opened on the external firewall):
    Port TCP:443 should be opened for allowing HTTPS traffic from the client sitting on the Internet to the RD Gateway server in the perimeter network.
    Firewall rules for the path between the perimeter network and the internal network (Ports that need to be opened on the internal firewall):
    RD Gateway authentication traffic
    Kerberos Port = TCP: 88
    Server protocol RPC endpoint mapper
    TCP 135 and the port where your NTDS RPC Service is listening on.
    RD Gateway authorization Traffic
    Default: Port =  TCP/389 UDP/389
    DNS Traffic
    Port TCP/53, UDP 53
    RDP Traffic
    Port = TCP/3389
    Certificate Revocation list traffic
    Server protocols are LDAP OR HTTPS or FTP
    for LDAP TCP/389,UDP/389 for Http = 80 for FTP 21
    of RD Gaetway if configured to use a central server running NPS  the following firewall rule should alse be made
    Protocol Radius
    Port 1812
    Radius Accounting
    If the RD Web Access point to a connetncation broker
    than TCP/5504 should be open to
    Tuesday, November 14, 2017 9:00 AM
  • Hello,

    Thanks for your reply,

    We appreciate if we can more clarify the ports between Source and Destination. per example:

    - RD Gateway authentication traffic Kerberos Port = TCP: 88 "this rule between RD gateway and who ? " (AD ?, RD components ?.....)

    We appreciate more details if possible,


    Hassan Al Kak

    Tuesday, November 14, 2017 9:14 AM
  • Hi For a full specification i you could best read the following article

    this explains excaclty what communcation is between specific servers.

    Tuesday, November 14, 2017 9:18 AM
  • - RD Gateway authentication traffic Kerberos Port = TCP: 88 "this rule between RD gateway and who ?


    That is between RD Gateway and Domain Controller.

    RDS 2012: Which ports are used during deployment

    Best Regards,


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Thursday, November 16, 2017 10:10 AM
  • How would you go about changing 389 to 636 instead? I have been looking for an article to define this, but haven't had much luck. 


    Wednesday, January 17, 2018 8:00 PM