RDP 3389 port - does it need to be opened both directions for client vs server communication?

Question
-
Hello everyone,
Would someone kindly clarify for me whether port 3389 for Remote Desktop needs to be open in both directions on a network firewall?
Are both TCP & UDP required?
Is there a recent KB article you could link please?
I am trying to settle a discussion with our network team, who claim it need only be open in one direction.
Example:
Windows domain environment
Client is windows 10
portqry to server shows FILTERED on TCP
Server is 2012
portqry to client shows NOT LISTENING
Thank you very much
Andy
Wednesday, March 1, 2017 3:38 PM
Answers
-
Maybe these ones help.
Regards, Dave Patrick ....
Microsoft Certified Professional
Microsoft MVP [Windows Server] Datacenter Management
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
- Edited by Dave Patrick MVP Wednesday, March 1, 2017 5:22 PM
- Marked as answer by AndySpecial Wednesday, March 1, 2017 5:58 PM
Wednesday, March 1, 2017 5:10 PM
All replies
-
Yes, traffic would be bidirectional. Also something here might help.
Regards, Dave Patrick ....
Microsoft Certified Professional
Microsoft MVP [Windows Server] Datacenter Management
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
- Edited by Dave Patrick MVP Wednesday, March 1, 2017 4:24 PM
Wednesday, March 1, 2017 4:19 PM -
Hello Dave,
Thank you for the feedback about bi-directional; however, that answers less than half my questions :)
Is there a KB article from MS that clearly defines this for my network team? They want proof of course :)
Is it TCP and UDP?
Thank you so much
Andy
Wednesday, March 1, 2017 5:00 PM -
Hi Andy,
Is this for direct communication between RDP client and server over internal (LAN) network? In other words, no RD Gateway or other proxy device involved, correct?
If yes, then you need incoming TCP port 3389 and UDP port 3389 allowed to the server from/to ephemeral ports on the client.
Server TCP/UDP 3389 <--> Client ephemeral range or Any
RDP firewall requirements have been well known for almost 20 years now, with most enterprise firewalls having a pre-defined template/rule definition for it. The only thing relatively new is the addition of UDP 3389 starting with Windows Server 2012. In my experience the pre-defined rules in most firewalls will not include UDP 3389 since it is fairly new, so you will need to add it.
-TP
Wednesday, March 1, 2017 5:37 PM -
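To make TP's directionality point concrete, here is an added Python model of the rule set he describes; it is not code from the thread or from Microsoft, and the client subnet and server address are constructed for the example. It shows that a stateful firewall needs only the client-to-server rule for TCP and UDP 3389 (the replies are matched to session state), that a stateless ACL also needs the reply direction written out explicitly, and that RDP falls back to TCP when UDP 3389 is blocked.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network

# Constructed addresses for this example (not from the thread).
CLIENT_NET = ip_network("10.10.0.0/24")      # Windows 10 clients
SERVER_NET = ip_network("10.20.0.15/32")     # the Server 2012 RDP host
SERVER_IP = "10.20.0.15"
RDP = range(3389, 3390)                      # TCP and UDP 3389
EPHEMERAL = range(49152, 65536)              # Windows default dynamic port range

@dataclass(frozen=True)
class Rule:
    proto: str          # "tcp" or "udp"
    src: IPv4Network
    sport: range
    dst: IPv4Network
    dport: range

def rdp_rules(stateful: bool) -> list:
    """Rules a firewall between client and server needs for plain RDP (no RD Gateway).
    Stateful: only client -> server:3389 for TCP and UDP; replies match session state.
    Stateless ACL: additionally server:3389 -> client:ephemeral, the 'other direction'."""
    fwd = [Rule(p, CLIENT_NET, EPHEMERAL, SERVER_NET, RDP) for p in ("tcp", "udp")]
    if stateful:
        return fwd
    rev = [Rule(p, SERVER_NET, RDP, CLIENT_NET, EPHEMERAL) for p in ("tcp", "udp")]
    return fwd + rev

def permitted(rules, proto, src, sport, dst, dport) -> bool:
    """True if any rule matches this packet's 5-tuple."""
    return any(r.proto == proto and ip_address(src) in r.src and sport in r.sport
               and ip_address(dst) in r.dst and dport in r.dport for r in rules)

def session_allowed(rules, stateful, proto, client, cport) -> bool:
    """Simulate one RDP session: the client's first packet, then the server's reply."""
    if not permitted(rules, proto, client, cport, SERVER_IP, RDP.start):
        return False            # first packet dropped: what portqry reports as FILTERED
    if stateful:
        return True             # reply rides on the connection state, no extra rule
    return permitted(rules, proto, SERVER_IP, RDP.start, client, cport)

def transport_used(rules, stateful, client, cport):
    """RDP tries UDP first and falls back to TCP when UDP cannot be used."""
    for proto in ("udp", "tcp"):
        if session_allowed(rules, stateful, proto, client, cport):
            return proto
    return None
```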
Hi Dave, this is more precise, thank you very much.
.....This is a great article on RDS for 2012 server and answers my specific question about TCP vs UDP:
Intelligent Transports. We support UDP as well as TCP. UDP provides a better experience over a lossy WAN network but is not always possible, dependent on the routers and firewalls involved. RDP will automatically use TCP when UDP cannot be used, to ensure connectivity and the best possible experience.
......This article substantiates the need for both TCP and UDP:
From Client to RD Resource
TCP|UDP 3389: Standard RDP port.....and the comments suggest that bi-directional is required:
26 Jun 2015 8:18 AM
This document doesn't really address the concept of directionality....
Our firewall setup requires us to explicitly define all rules as {source} -> {destination} on {TCP/UDP port}. In other words, "open this port on this component" isn't sufficient.....and
In addition to @Chamberlin72, we also got bitten by a rule required in the opposite direction to expected.
Thank you Dave, I will mark as correct answer.
Wednesday, March 1, 2017 5:58 PM -
Thank you TP,
You are correct in the scenario that this is straight RDP using mstsc to a server on a LAN.
It is from a W10 computer.
Local Windows Firewall off on all profiles for both host and target.
The second article that Dave listed also made some suggestion about opening ephemeral ports; however, that was in reference to the Licensing server.
To clarify, are you suggesting that to use RDP in this straightforward manner, I need the ephemeral ports opened?
I rather doubt that but am open to being corrected of course :)
Please provide an MS KB article with that evidence and I will add your answer as correct as well.
Thank you
Andy
Wednesday, March 1, 2017 6:09 PM -
Hi Andy,
Here is an article below about port requirements for RDS for your reference.
RDS 2012: Which ports are used during deployment?
Best Regards,
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
Thursday, March 2, 2017 3:09 PM