To configure Remote Desktop Services correctly for internet access or any time where firewalls are used, it is useful to know what ports are required.   A detailed guide for perimeter networks is here.

The information / taxonomy is broken down by role service/component, and lists all inbound/outbound ports used.

From Client to RD Resource

  • If using RDWeb
    • TCP 443 (HTTPS)
  • TCP|UDP 3389:  Standard RDP port. Can be configured on host and client to a different port number.

Remote Desktop Connection Broker (RDCB)

  • TCP 5504: connection to RD Web Access
  • TCP 3389: connection to RD Session Host
  • TCP 3389: connection to non-managed VM pools, managed machines use VMBus to open port.
  • TCP 3389: client port for clients not using RD Gateway
  • TCP 445|RPC: connection to RD Virtualization Host
  • TCP 445|RPC: connection to RD Session Host
  • TCP 5985: WMI and PowerShell Remoting for administration

Remote Desktop Gateway

  • For inbound external internet based traffic from RD Clients to the Gateway:
    • TCP 443:  HTTP (includes RPC over HTTP) over SSL - (configurable using RD Gateway Management console)
    • UDP 3391:  RDP/UDP (configurable using RD Gateway Management console) (NOTE: Firewalls that have directional UDP analysis, such as TMG, require UDP "Send Receive"  configured)
  • For internal traffic between the Gateway and the required User AD, Resource AD, DNS, NPS etc:
    • TCP 88: Kerberos for user authentication
    • TCP 135: RPC Endpoint Mapper
    • TCP: <>, Port on which NTDS RPC services listens on AD
    • TCP|UDP 389:  LDAP for user authentication
    • TCP|UDP 53: Internal resource name resolution, DNS
    • TCP|UDP 389: If using LDAP for Certificate Revocation List (CRL)  
    • TCP 80:  If using HTTP for Certificate Revocation List (CRL)  
    • TCP 21:  If using FTP for Certificate Revocation List (CRL)  
    • UDP 1812, 1813: If NPS Server is being used
    • TCP 5985: WMI and PowerShell Remoting for administration
  • For internal traffic from the Gateway and the Internal Remote Desktop resources
    • TCP|UDP 3389: RDP (NOTE: Firewalls that have directional UDP analysis, such as TMG, require UDP "Send Receive" configured in the UDP protocol)

Remote Desktop Web Access

  • If RD Web Access is on perimeter network
    • TCP: <WMI Fixed Port>
    • TCP 5504: connection to RD Connection Broker for centralized publishing
    • TCP 5985: WMI and PowerShell Remoting for administration

Remote Desktop Session Host

  • RD License Server Port RPC
  • TCP 389|636: Active Directory communication
  • TCP 5985: WMI and PowerShell Remoting for administration

Remote Desktop Virtualization Host

  • RD License Server Port RPC
  • TCP 389|636: Active Directory communication
  • TCP 5985: WMI and PowerShell Remoting for administration

Remote Desktop Licensing Server

Information for Terminal Server in Windows Server 2008 is at http://support.microsoft.com/KB/832017#method26  The ports used have not changed in Windows Server 2012 | R2.  The summary follows.

TCP

  • TCP 135 - RPC  for License Server communication and RDSH
  • TCP 1024-65535 (randomly allocated)  Used for RPC For Windows Server pre-2008 (see next line).
  • TCP 49152 - 65535 (randomly allocated) -  This is the range in Windows Server 2012,  Windows Server 2008 R2, Windows Server 2008
  • TCP 445 - SMB
  • TCP 443: Communication over the internet to the Microsoft Clearing House
  • TCP 5985: WMI and PowerShell Remoting for administration
  • TCP 139 - NetBIOS session service

How to configure which ports (if need to set to specifics) http://support.microsoft.com/kb/154596/

NetBIOS

  • UDP 137 - NetBIOS Name resolution
  • UDP 138 - NetBIOS datagram
  • UDP|TCP 389   LDAP - Used with per user CALs against Active Directory

From a proxy standpoint, the regkey HKLM\Software\Microsoft\TermServLicensing\lrwiz\Params shows the Microsoft service that the RD LS communicates with.  e.g. clearinghouse.one.microsoft.com