To configure Remote Desktop Services correctly for internet access or any time where firewalls are used, it is useful to know what ports are required.

The information / taxonomy is broken down by role service/component, and lists all inbound/outbound ports used.

From Client to RD Resource

If using RDWeb
- TCP 443 (HTTPS)
TCP|UDP 3389: Standard RDP port. Can be configured on host and client to a different port number.

Remote Desktop Connection Broker (RDCB)

TCP 5504: connection to RD Web Access
TCP 3389: connection to RD Session Host
TCP 3389: connection to non-managed VM pools, managed machines use VMBus to open port.
TCP 3389: client port for clients not using RD Gateway
TCP 445|RPC: connection to RD Virtualization Host
TCP 445|RPC: connection to RD Session Host
TCP 5985: WMI and PowerShell Remoting for administration

Remote Desktop Gateway

For inbound external internet based traffic from RD Clients to the Gateway:
- TCP 443: HTTP (includes RPC over HTTP) over SSL - (configurable using RD Gateway Management console)
- UDP 3391: RDP/UDP (configurable using RD Gateway Management console) (NOTE: Firewalls that have directional UDP analysis, such as TMG, require UDP "Send Receive" configured)
For internal traffic between the Gateway and the required User AD, Resource AD, DNS, NPS etc:
- TCP 88: Kerberos for user authentication
- TCP 135: RPC Endpoint Mapper
- TCP: <>, Port on which NTDS RPC services listens on AD
- TCP|UDP 389: LDAP for user authentication
- TCP|UDP 53: Internal resource name resolution, DNS
- TCP|UDP 389: If using LDAP for Certificate Revocation List (CRL)
- TCP 80: If using HTTP for Certificate Revocation List (CRL)
- TCP 21: If using FTP for Certificate Revocation List (CRL)
- UDP 1812, 1813: If NPS Server is being used
- TCP 5985: WMI and PowerShell Remoting for administration
For internal traffic from the Gateway and the Internal Remote Desktop resources
- TCP|UDP 3389: RDP (NOTE: Firewalls that have directional UDP analysis, such as TMG, require UDP "Send Receive" configured in the UDP protocol)

Remote Desktop Web Access

If RD Web Access is on a perimeter network
- TCP: <WMI Fixed Port>
- TCP 5504: connection to RD Connection Broker for centralized publishing
- TCP 5985: WMI and PowerShell Remoting for administration

If ISA is used, please refer to http://www.isaserver.org/articles/2004perimeterdomain.html

Remote Desktop Session Host

RD License Server Port RPC
TCP 389|636: Active Directory communication
TCP 5985: WMI and PowerShell Remoting for administration

Remote Desktop Virtualization Host

RD License Server Port RPC
TCP 389|636: Active Directory communication
TCP 5985: WMI and PowerShell Remoting for administration

Remote Desktop Licensing Server

Information for Terminal Server in Windows Server 2008 is at http://support.microsoft.com/KB/832017#method26 The ports used have not changed in Windows Server 2012 | R2. The summary follows.

TCP

TCP 135 - RPC for License Server communication and RDSH
TCP 1024-65535 (randomly allocated) Used for RPC For Windows Server pre-2008 (see next line).
TCP 49152 - 65535 (randomly allocated) - This is the range in Windows Server 2012, Windows Server 2008 R2, Windows Server 2008
TCP 445 - SMB
TCP 443: Communication over the internet to the Microsoft Clearing House
TCP 5985: WMI and PowerShell Remoting for administration
TCP 139 - NetBIOS session service

How to configure which ports (if need to set to specifics) http://support.microsoft.com/kb/154596/

NetBIOS

UDP 137 - NetBIOS Name resolution
UDP 138 - NetBIOS datagram
UDP|TCP 389 LDAP - Used with per-user CALs against Active Directory

From a proxy standpoint, the regkey HKLM\Software\Microsoft\TermServLicensing\lrwiz\Params shows the Microsoft service that the RD LS communicates with. e.g. clearinghouse.one.microsoft.com

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?

RDS 2012: Which ports are used during deployment?