Source | Destination | Protocol | Port | Description |
---|---|---|---|---|
HALB | HALB | VRRP | 112 | HALB to HALB communication used for automatic assignment of VIP to active HALB. |
HALB | RAS Secure Gateway in Forwarding Mode | TCP, UDP | 80, 443 | Management and user session connections. |
HALB | RAS Secure Gateway in Normal Mode | TCP, UDP | 80, 443 | Management and user session connections. |
HALB | RAS Secure Gateway in Normal Mode | TCP, UDP | 20009 | Device Manager shadowing via Firewall (indirect network connection). |

The following diagram illustrates communication ports used in Parallels RAS.
The above diagram includes SAML SSO components such as RAS Enrollment Server; however, it does not include Tenant Broker.
Tip: If you are reading the PDF version of this guide, click the following link to view the full-sized diagram in a web browser: https://download.parallels.com/ras/v19/docs/en_US/Parallels-RAS-19-Administrators-Guide/index.htm#47092.
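Source | Destination | Protocols | Ports | Description |
---|---|---|---|---|
Parallels Client | HALB | TCP, UDP | 80, 443 | Management and user session connections. |
Parallels Client | HALB | TCP, UDP | 20009 | Device Manager shadowing via Firewall (indirect network connection). |
Parallels Client | RAS Secure Gateway Forwarding mode | TCP, UDP | 80, 443 | Management and user session connections. |
Parallels Client | RAS Secure Gateway Forwarding mode | TCP, UDP | 3389 | Optional - Used for user session if RDP load balancing is enabled (Standard RDP). |
Parallels Client | RAS Secure Gateway Forwarding mode | UDP | 20000 | Secure Gateway lookup broadcast. |
Parallels Client | RAS Secure Gateway Normal mode | TCP, UDP | 80, 443 | Management and user session connections. |
Parallels Client | RAS Secure Gateway Normal mode | TCP, UDP | 3389 | Optional - Used for user session if RDP load balancing is enabled (Standard RDP). |
Parallels Client | RAS Secure Gateway Normal mode | TCP, UDP | 20009 | Device Manager shadowing via Firewall (indirect network connection) |
Parallels Client | RAS Secure Gateway Normal mode | UDP | 20000 | Secure Gateway Lookup Broadcast |
Parallels Client | Session host (VDI, RDS, RemotePC) | TCP, UDP | 3389 | Used for user session connections in Direct Mode only. RDP connection is always encrypted. |
Parallels Client | Azure Virtual Desktop Services | TCP | 443 | Azure Virtual Desktop Gateway connection |
Parallels Client | Azure Virtual Desktop Services | UDP | 3390 | Used for user session connections in ShortPath mode only. |
Parallels Client | Microsoft site | TCP | 443 | Download Microsoft Remote Desktop (MSRDC) client |
Parallels Client | Parallels site | TCP | 80, 443 | Check for updates and download Parallels Client |
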
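Source | Destination | Protocols | Ports | Description |
---|---|---|---|---|
Web browser (HTML5) and Let's Encrypt service | RAS Web Admin Service [RAS Management Portal] | TCP | 20443 | Admin access to HTML5 based Management Portal of RAS environment |
Web browser (HTML5) and Let's Encrypt service | HALB | TCP | 80, 443 | End-user access to Parallels RAS Web Client (on Secure Gateway in Normal mode) through the HALB |
Web browser (HTML5) and Let's Encrypt service | RAS Secure Gateway | TCP | 80, 443 | End-user access to Parallels RAS Web Client (on Secure Gateway in Normal mode) |
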
Source | Destination | Protocols | Ports | Description |
---|---|---|---|---|
RAS Secure Gateway in Forwarding mode | RAS Secure Gateway in Normal mode | TCP, UDP | 80, 443 | Management and user session connections. |
RAS Secure Gateway in Forwarding mode | RAS Secure Gateway in Normal mode | TCP, UDP | 3389 | Optional - Used for user session if RDP Load Balancing is enabled. |
RAS Secure Gateway in Forwarding mode | RAS Performance Monitor | TCP | 8086 | Agent (Telegraf service) sends collected performance data to InfluxDB. |
RAS Secure Gateway in Normal mode | Remote Desktop Services | TCP, UDP | 3389 | RDP Connections. |
RAS Secure Gateway in Normal mode | RAS Connection Broker | TCP | 20002 | RAS Connection Broker service port - communications with RAS Secure Gateways and the RAS Console (in Normal mode only). |
RAS Secure Gateway in Normal mode | RAS Connection Broker | TCP, UDP | 20009 | Device Manager shadowing via Firewall (indirect network connection) if RAS Console runs on RAS Connection Broker |
RAS Secure Gateway in Normal mode | RAS Performance Monitor | TCP | 8086 | Agent (Telegraf service) sends collected performance data to InfluxDB. |
RAS Secure Gateway in Normal mode | Localhost | TCP | 20020 | Communication with User Portal web server (NodeJS). |

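Source | Destination | Protocols | Ports | Description |
---|---|---|---|---|
RAS Reporting Service | MS SQL | TCP | 1433 | Store RAS activity information |
RAS Reporting Service | SSRS | TCP | 8085, 443 | Enumeration of reports (incl. custom reports) |
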
Source | Destination | Protocols | Ports | Description |
---|---|---|---|---|
RAS Provider Agent | RAS Connection Broker | TCP | 20003 | Connection Broker communication port. |
RAS Provider Agent | RAS Guest Agent | TCP | 30010 | TCP is used to send the commands. |
RAS Provider Agent | RAS Guest Agent | UDP | 30009 | UDP is used during the initial handshake. |
RAS Provider Agent | RAS Performance Monitor | TCP | 8086 | Agent (Telegraf service) sends collected performance data to InfluxDB - applicable to Hyper-V only. |
RAS Provider Agent | Hyper-V | TCP | 135, 49152-65535 | Used to check if the host is powered on and send export, import, delete, shutdown, restart or suspend commands. |
RAS Provider Agent | Nutanix AHV (AOS) | TCP | 9440 | Used to check if the host is powered on and sends clone, delete, shutdown, restart commands (RestAPI calls, PoSH, remote ncli). |
RAS Provider Agent | VMware | TCP | 443 | Used to check if the host is powered on and sends clone, delete, shutdown, restart and suspend commands. |
RAS Provider Agent | Microsoft Azure | TCP | 443 | Used to check if the guest is powered on and sends clone, shutdown, restart commands (via REST). |
RAS Provider Agent | Azure Virtual Desktop | TCP | 443 | Used to check if the host is powered on and sends clone, shutdown, restart commands (via REST). |
RAS Provider Agent | AWS | TCP | 443 | Used to check if the host is powered on and sends clone, shutdown, restart commands (via REST). |
RAS Provider Agent | Scale | TCP | 443 | Used to check if the host is powered on and sends clone, shutdown, restart commands (via REST). |
RAS Provider Agent | Remote PC over VDI | TCP | 135, 49152-65535 | Used to check if the host is powered on and sends shutdown, restart or suspend commands. |

Source | Destination | Protocols | Ports | Description |
---|---|---|---|---|
SSRS | Microsoft SQL Server | TCP | 1433 | RAS Console is connected to RAS Reporting |

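Source | Destination | Protocols | Ports | Description |
---|---|---|---|---|
RAS PowerShell | RAS RD Session Host Agent | TCP | 30004 | Log retrieval |
RAS PowerShell | RAS Guest Agent | TCP | 30010 | Log retrieval |
RAS PowerShell | RAS Remote PC Agent | TCP | 30004 | Log retrieval |
RAS PowerShell | RAS Provider Agent | TCP | 30006 | Log retrieval |
RAS PowerShell | RAS Connection Broker | TCP | 20002, 20001 | Communication with GA and Redundancy. Used during publishing to browse for installed applications or single file/folder browsing. |
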
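Source | Destination | Protocols | Ports | Description |
---|---|---|---|---|
RAS Enrollment Server | AD DS controllers | TCP | 389, 3268 | LDAP |
RAS Enrollment Server | AD DS controllers | TCP | 636, 3269 | LDAPS |
RAS Enrollment Server | AD DS controllers | TCP, UDP | 88 | Kerberos |
RAS Enrollment Server | AD DS controllers | UDP | 53 | DNS |
RAS Enrollment Server | RAS Connection Broker | TCP | 20003 | Settings synchronization and performance counters. |
RAS Enrollment Server | RAS Connection Broker | UDP | 20003 | Deny Connection Request |
RAS Enrollment Server | Certificate Authority (CA) | TCP | 135, dynamic range 49152 - 65535 | DCOM/RPC ports |
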
For Active Directory and Active Directory Domain Services port requirements, please see the following article: https://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx.
Source | Destination | Protocols | Ports | Description |
---|---|---|---|---|
RAS RD Session Host Agent | RAS Connection Broker | TCP, UDP | 20003 | Used for communications with RAS Connection Brokers. |
RAS RD Session Host Agent | Localhost | TCP | 30005 | For internal commands (memshell, printer redirector). |
RAS RD Session Host Agent | FSLogix | TCP | 443 | Download FSLogix installer |
RAS RD Session Host Agent | RAS Performance Monitor | TCP | 8086 | Agent (Telegraf service) sends collected performance data to InfluxDB. |
RAS RD Session Host Agent | RAS Enrollment Server | TCP | 30030 | RAS RD Session Host Agent (PrlsSCDriver) connects to get logon credentials. |

Source | Destination | Protocols | Ports | Description |
---|---|---|---|---|
RAS Web Administration Service | RAS RD Session Host Agent | TCP | 30004 | Log retrieval |
RAS Web Administration Service | RAS Guest Agent | TCP | 30010 | Log retrieval |
RAS Web Administration Service | RAS Provider Agent | TCP | 30006 | Log retrieval |
RAS Web Administration Service | RAS Connection Broker | TCP | 20002, 20001, 30020 | Communication with GA and Redundancy. Used during publishing to browse for installed applications or single file/folder browsing. 30020 - remote agent pushing (pre-RAS 18). |
RAS Web Administration Service | RAS RD Session Host Agent, RAS Guest Agent, RAS Remote PC Agent, RAS Connection Broker, RAS Secure Gateway, RAS Enrollment Server | TCP | 135, 445 | Remote Install Push/Takeover of Software (pre-RAS 18). |
RAS Web Administration Service | RAS Reporting Service | TCP | 3000 | Integration of RAS Reporting in Management Portal iFrame |

The Azure virtual machines you create for Azure Virtual Desktop must have access to the following URLs in the Azure commercial cloud:

Address | Outbound TCP port | Purpose | Service tag |
---|---|---|---|
*.wvd.microsoft.com | 443 | Service traffic | AzureVirtualDesktop |
gcs.prod.monitoring.core.windows.net | 443 | Agent traffic | AzureCloud |
production.diagnostics.monitoring.core.windows.net | 443 | Agent traffic | AzureCloud |
*xt.blob.core.windows.net | 443 | Agent traffic | AzureCloud |
*eh.servicebus.windows.net | 443 | Agent traffic | AzureCloud |
*xt.table.core.windows.net | 443 | Agent traffic | AzureCloud |
*xt.queue.core.windows.net | 443 | Agent traffic | AzureCloud |
catalogartifact.azureedge.net | 443 | Azure Marketplace | AzureCloud |
kms.core.windows.net | 1688 | Windows activation | Internet |
mrsglobalsteus2prod.blob.core.windows.net | 443 | Agent and SXS stack updates | AzureCloud |
wvdportalstorageblob.blob.core.windows.net | 443 | Azure portal support | AzureCloud |
169.254.169.254 | 80 | Azure Instance Metadata service endpoint | N/A |
168.63.129.16 | 80 | Host health monitoring | N/A |
https://download.parallels.com/ras/Configuration_01-20-2022.zip | 443 | Joining a host to a host pool | AzureVirtualDesktop |

The following table lists optional URLs that your Azure virtual machines can have access to:

Address | Outbound TCP port | Purpose | Azure Gov |
---|---|---|---|
*.microsoftonline.com | 443 | Authentication to Microsoft Online Services | login.microsoftonline.us |
*.events.data.microsoft.com | 443 | Telemetry Service | None |
www.msftconnecttest.com | 443 | Detects if the OS is connected to the internet | None |
*.prod.do.dsp.mp.microsoft.com | 443 | Windows Update | None |
login.windows.net | 443 | Sign in to Microsoft Online Services, Microsoft 365 | login.microsoftonline.us |
*.sfx.ms | 443 | Updates for OneDrive client software | oneclient.sfx.ms |
*.digicert.com | 443 | Certificate revocation check | None |
*.azure-dns.com | 443 | Azure DNS resolution | None |
*.azure-dns.net | 443 | Azure DNS resolution | None |

For up-to-date information, please also visit the Microsoft website at https://docs.microsoft.com/en-us/azure/virtual-desktop/safe-url-list#required-url-check-tool.

Source | Destination | Protocols | Ports | Description |
---|---|---|---|---|
Tenant - RAS Connection Broker | Tenant Broker - RAS Connection Broker | TCP | 20003 | Tenant's RAS Connection Broker communicates with Tenant Broker to join Tenant Broker, synchronize configuration and statuses |

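Source | Destination | Protocols | Ports | Description |
---|---|---|---|---|
RAS Guest Agent (used by Azure Virtual Desktop) | Provider Agent | TCP, UDP | 30006 | Communication with Provider Agent. Subnet broadcast is sent to find Provider Agent. Regular UDP heartbeats. |
RAS Guest Agent (used by Azure Virtual Desktop) | Localhost | TCP | 30005 | For internal commands (memshell, printer redirector) |
RAS Guest Agent (used by Azure Virtual Desktop) | RAS Performance Monitor | TCP | 8086 | Agent (Telegraf service) sends collected performance data to InfluxDB |
RAS Guest Agent (used by Azure Virtual Desktop) | RAS Enrollment Server | TCP | 30030 | RAS Guest Agent (PrlsSCDriver) connects to get logon credentials |
RAS Guest Agent (used by Azure Virtual Desktop) | FSLogix | TCP | 443 | Download FSLogix installer |
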
Source | Destination | Protocols | Ports | Description |
---|---|---|---|---|
RAS Console | RAS Reporting | TCP | 30008 | RAS Console is connected to primary RAS Connection Broker which communicates with RAS Reporting (installed on the same host as SSRS). SSRS talks to SQL via TCP 1433 (or dynamic if 1433 is not established in the settings). |
RAS Console | SSRS | TCP | 443 | Reports retrieval. |
RAS Console | HALB | TCP, UDP | 31006 | Used for configuration. |
RAS Console | Parallels Client | TCP | 50005 | Shadowing from the RAS Console in case of direct network connection. |
RAS Console | RAS RD Session Host Agent | UDP, TCP | 30004 | Used for the "Check Agent" task. Used to manage components. |
RAS Console | RAS Guest Agent | TCP | 30010 | Used to manage components. |
RAS Console | RAS Guest Agent | UDP | 30009 | Used for the "Check Agent" task. |
RAS Console | RAS Remote PC Agent | UDP, TCP | 30004 | Used for the "Check Agent" task. Used to manage components. |
RAS Console | RAS Provider Agent | UDP, TCP | 30006 | Used for the "Check Agent" task. Used to manage components. |
RAS Console | MFA Server(s) | TCP, UDP | 8080, 80, 1812, 1813 | Deepnet / Safenet / Radius |
RAS Console | Microsoft site | TCP | 80, 443 | Check for updates and download Parallels Client |
RAS Console | Parallels site | TCP | 80 | Check for updates and download Parallels Client |
RAS Console | RAS Secure Gateway | TCP | 80, 443 | Set the log level or clear/retrieve the log file. Prefers to connect to the normal port (80 by default), falls back to the SSL port (443 by default) if the normal port is disabled. |
RAS Console | RAS Performance Monitor | TCP | 20002, 20001 | RAS browser plugin connection to Grafana. |
RAS Console | RAS Connection Broker | TCP | 20002, 20001 | Communication with Connection Broker and redundancy. |
RAS Console | RAS Enrollment Server | TCP, UDP | 30030 | Used for the "Check Agent" task. Used to manage components and for troubleshooting. |
RAS Console | Wyse Broker | UDP | 1234 (outbound only) | Wyse broker discovery request broadcast packet (V_WYSEBCAST). |
RAS Console | Wyse Broker | UDP | 68 (inbound only) | Wyse broker discovery reply packet (V_WYSETEST). |
RAS Console | SMTP | TCP | 587 | RAS Console can send test emails using port specified in the Mailbox settings (+SSL/TLS) |

Source | Destination | Protocols | Ports | Description |
---|---|---|---|---|
RAS Remote PC Agent | RAS Connection Broker | TCP, UDP | 20003 | Used for communications with RAS Connection Brokers |
RAS Remote PC Agent | Localhost | TCP | 30005 | For internal commands (memshell, printer redirector) |
RAS Remote PC Agent | RAS Performance Monitor | TCP | 8086 | Agent (Telegraf service) sends collected performance data to InfluxDB |
RAS Remote PC Agent | RAS Enrollment Server | TCP, UDP | 30030 | RAS Remote PC (PrlsSCDriver) connects to get logon credentials |
RAS Remote PC Agent | FSLogix | TCP | 443 | Download FSLogix installer |

Source | Destination | Protocols | Ports | Description |
---|---|---|---|---|
RAS Connection Broker | AD DS controllers | TCP | 389, 3268 | LDAP |
RAS Connection Broker | AD DS controllers | TCP | 636, 3269 | LDAPS |
RAS Connection Broker | AD DS controllers | TCP, UDP | 88 | Kerberos |
RAS Connection Broker | AD DS controllers | UDP | 53 | DNS |
RAS Connection Broker | RAS Connection Broker | TCP | 20001 | Redundancy service. |
RAS Connection Broker | RAS Connection Broker | TCP | 20030 | Communication between RAS Connection Brokers running in the same site. |
RAS Connection Broker | Parallels Licensing Server | TCP | 443 | RAS Connection Broker (primary Connection Broker in Licensing Site) communicates with Parallels Licensing Server (https://ras.parallels.com). Note: Not required for Tenant Broker RAS Connection Broker (see the Tenant Broker section). |
RAS Connection Broker | RAS Performance Monitor | TCP | 8086 | Agent (Telegraf service) sends collected performance data to InfluxDB. |
RAS Connection Broker | RAS RD Session Host Agent | TCP, UDP | 30004 | Server for Connection Broker requests. |
RAS Connection Broker | RAS Provider Agent | TCP, UDP | 30006 | Provider Agent communication port. |
RAS Connection Broker | RAS Remote PC Agent | TCP, UDP | 30004 | Remote PC Agent communication port (agent state, counters and session information) |
RAS Connection Broker | 2FA Server(s) | TCP, UDP | 8080, 80 | Deepnet / Safenet |
RAS Connection Broker | 2FA Server(s) | TCP, UDP | 1812, 1813 | Radius |
RAS Connection Broker | RAS Enrollment Server | TCP | 30030 | RAS Connection Broker sends RAS Enrollment Server connection request |
RAS Connection Broker | RAS Reporting | TCP | 30008 | Master RAS Connection Broker communicates with RAS Reporting (installed on the same host as SSRS). |
RAS Connection Broker | RAS Remote Installer Service | TCP | 30020 | Remote agent pushing |
RAS Connection Broker | RAS RD Session Host Agent, RAS Guest Agent, RAS Remote PC Agent, RAS Connection Broker, RAS Secure Gateway, RAS Enrollment Server | TCP | 135, 445, 49179 | Remote Install Push/Takeover of Software |
RAS Connection Broker | SMTP | TCP | 587 | Notifdispatcher is the service which sends the emails using port specified in the Mailbox settings (+SSL/TLS) |
RAS Connection Broker | Let's Encrypt Service | TCP | 80, 443 | Communication between the Let's Encrypt client (available in the primary Connection Broker) and a Let's Encrypt server. |