Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Source | Destination | Protocol | Port | Description |
---|---|---|---|---|
Web browser (HTML5) and Let's Encrypt service
RAS Web Admin Service [RAS Management Portal]
TCP
20443
Admin access to HTML5 based Management Portal of RAS environment
HALB
TCP
80, 443
End-user access to Parallels RAS Web Client (on Secure Gateway in Normal mode) through the HALB
RAS Secure Gateway
TCP
80, 443
End-user access to Parallels RAS Web Client (on Secure Gateway in Normal mode)
Source | Destination | Protocols | Ports | Description |
---|---|---|---|---|
The following diagram illustrates communication ports used in Parallels RAS.
The above diagram include SAML SSO components such as RAS Enrollment Server, however it does not include Tenant Broker.
Tip: If you are reading the PDF version of this guide, click the following link to view the full-sized diagram in a web browser: https://download.parallels.com/ras/v19/docs/en_US/Parallels-RAS-19-Administrators-Guide/index.htm#47092.
Source | Destination | Protocol | Port | Description |
---|---|---|---|---|
Source | Destination | Protocols | Ports | Description |
---|---|---|---|---|
Source | Destination | Protocol | Port | Description |
---|
Parallels Client
HALB
TCP, UDP
TCP, UDP
80, 443
20009
Management and user session connections.
Device Manager shadowing via Firewall (indirect network connection).
RAS Secure Gateway Forwarding mode
TCP, UDP
TCP, UDP
UDP
80, 443
3389
20000
Management and user session connections.
Optional - Used for user session if RDP load balancing is enabled (Standard RDP).
Secure Gateway lookup broadcast.
RAS Secure Gateway Normal mode
TCP, UDP
TCP, UDP
TCP, UDP
UDP
80, 443,
3389
20009
20000
Management and user session connections.
Optional - Used for user session if RDP load balancing is enabled (Standard RDP).
Device Manager shadowing via Firewall (indirect network connection)
Secure Gateway Lookup Broadcast
Session host (VDI, RDS, RemotePC)
TCP, UDP
3389
Used for user session connections in Direct Mode only. RDP connection is always encrypted.
Azure Virtual Desktop Services
TCP
UDP
443
3390
Azure Virtual Desktop Gateway connection
Used for user session connections in ShortPath mode only.
Microsoft site
TCP
443
Download Microsoft Remote Desktop (MSRDC) client
Parallels site
TCP
80, 443
Check for updates and download Parallels Client
RAS Secure Gateway in Forwarding mode
RAS Secure Gateway in Normal mode
TCP, UDP
TCP, UDP
80, 443
3389
Management and user session connections.
Optional - Used for user session if RDP Load Balancing is enabled.
RAS Performance Monitor
TCP
8086
Agent (Telegraf service) sends collected performance data to InfluxDB.
RAS Secure Gateway in Normal mode
Remote Desktop Services
TCP, UDP
3389
RDP Connections.
RAS Connection Broker
TCP
TCP, UDP
20002
20009
RAS Connection Broker service port - communications with RAS Secure Gateways and the RAS Console (in Normal mode only).
Device Manager shadowing via Firewall (indirect network connection) if RAS Console runs on RAS Connection Broker
RAS Performance Monitor
TCP
8086
Agent (Telegraf service) sends collected performance data to InfluxDB.
Localhost
TCP
20020
Communication with User Portal web server (NodeJS).
RAS Connection Broker
AD DS controllers
TCP
TCP
TCP,UDP
UDP
389, 3268
636, 3269
88
53
LDAP
LDAPS
Kerberos
DNS
RAS Connection Broker
TCP
20001
20030
Redundancy service.
Communication between RAS Connection Brokers running in the same site.
Parallels Licensing Server
TCP
443
RAS Connection Broker (primary Connection Broker in Licensing Site) communicates with Parallels Licensing Server (https://ras.parallels.com).
Note: Not required for Tenant Broker RAS Connection Broker (see the Tenant Broker section).
RAS Performance Monitor
TCP
8086
Agent (Telegraf service) sends collected performance data to InfluxDB.
RAS RD Session Host Agent
TCP, UDP
30004
Server for Connection Broker requests.
RAS Provider Agent
TCP, UDP
30006
Provider Agent communication port.
RAS Remote PC Agent
TCP, UDP
30004
Remote PC Agent Communication Port (agent state, counters and session information)
2FA Server(s)
TCP, UDP
8080, 80
1812, 1813
Deepnet/ Safenet
Radius
RAS Enrollment Server
TCP
30030
RAS Connection Broker Sends RAS Enrollment Server connection Request
RAS Reporting
TCP
30008
Master RAS Connection Broker communicates with RAS Reporting (installed on the same host as SSRS).
RAS Remote Installer Service
TCP
30020
Remote agent pushing
RAS RD Session Host Agent
RAS Guest Agent
RAS Remote PC Agent
RAS Connection Broker
RAS Secure Gateway
RAS Enrollment Server
TCP
135, 445, 49179
Remote Install Push/Takeover of Software
SMTP
TCP
587
Notifdispatcher is the service which sends the emails using port specified in the Mailbox settings (+SSL/TLS)
Let's Encrypt Service
TCP
80, 443
Communication between the Let's Encrypt client (available in the primary Connection Broker) and a Let's Encrypt server.
HALB | HALB | VRRP | 112 | HALB to HALB communication used for automatic assignment of VIP to active HALB. |
RAS Secure Gateway in Forwarding Mode | TCP, UDP | 80, 443 | Management and user session connections. |
RAS Secure Gateway in Normal Mode | TCP, UDP TCP, UDP | 80, 443 20009 | Management and user session connections. Device Manager shadowing via Firewall (indirect network connection). |
Source | Destination | Protocols | Ports | Description |
---|
Source | Destination | Protocols | Ports | Description |
---|
Source | Destination | Protocol | Port | Description |
---|
Source | Destination | Protocol | Port | Description |
---|
Source | Destination | Protocols | Ports | Description |
---|
Source | Destination | Protocols | Ports | Description |
---|
RAS Console | RAS Reporting | TCP | 30008 | RAS Console is connected to primary RAS Connection Broker which communicates with RAS Reporting (installed on the same host as SSRS). SSRS talks to SQL via TCP 1433 (or dynamic if 1433 is not established in the settings). |
SSRS | TCP | 443 | Reports retrieval. |
HALB | TCP, UDP | 31006 | Used for configuration. |
Parallels Client | TCP | 50005 | Shadowing from the RAS Console in case of direct network connection. |
RAS RD Session Host Agent | UDP, TCP | 30004 | Used for the "Check Agent" task. Used to manage components. |
RAS Guest Agent | TCP UDP | 30010 30009 | Used to manage components. Used for the "Check Agent" task. |
RAS Remote PC Agent | UDP, TCP | 30004 | Used for the "Check Agent" task. Used to manage components. |
RAS Provider Agent | UDP, TCP | 30006 | Used for the "Check Agent" task. Used to manage component. |
MFA Server(s) | TCP, UDP | 8080, 80, 1812, 1813 | Deepnet / Safenet / Radius |
Microsoft site | TCP | 80, 443 | Check for updates and download Parallels Client |
Parallels site | TCP | 80 | Check for updates and download Parallels Client |
RAS Secure Gateway | TCP | 80, 443 | Set the log level or clear/retrieve the log file Prefers to connect to the normal port (80 by default), falls back to the SSL port (443 by default) if the normal port is disabled |
RAS Performance Monitor | TCP | 20002, 20001 | RAS browser plugin connection to Grafana. |
RAS Connection Broker | TCP | 20002, 20001 | Communication with Connection Broker and redundancy. |
RAS Enrollment Server | TCP, UDP | 30030 | Used for the "Check Agent" task. Used to manage components and for troubleshooting. |
Wyse Broker | UDP | 1234 (outbound only) 68 (inbound only) | Wyse broker discovery request broadcast packet (V_WYSEBCAST). Wyse broker discovery reply packet (V_WYSETEST). |
SMTP | TCP | 587 | RAS Console can send test emails using port specified in the Mailbox settings (+SSL/TLS) |
RAS PowerShell | RAS RD Session Host Agent | TCP | 30004 | Log retrieval |
RAS Guest Agent | TCP | 30010 | Log retrieval |
RAS Remote PC Agent | TCP | 30004 | Log retrieval |
RAS Provider Agent | TCP | 30006 | Log retrieval |
RAS Connection Broker | TCP | 20002, 20001 | Communication with GA and Redundancy Used during publishing to browse for installed applications or single file/folder browsing. |
SSRS | Microsoft SQL Server | TCP | 1433 | RAS Console is connected to RAS Reporting |
RAS Reporting Service | MS SQL | TCP | 1433 | Store RAS activity information |
SSRS | TCP | 8085, 443 | Enumeration of reports (incl. custom reports) |
RAS Web Administration Service | RAS RD Session Host Agent | TCP | 30004 | Log retrieval |
RAS Guest Agent | TCP | 30010 | Log retrieval |
RAS Provider Agent | TCP | 30006 | Log retrieval |
RAS Connection Broker | TCP | 20002, 20001 30020 | Communication with GA and Redundancy Used during publishing to browse for installed applications or single file/folder browsing. 30020 - remote agent pushing (pre-RAS 18). |
RAS RD Session Host Agent RAS Guest Agent RAS Remote PC Agent RAS Connection Broker RAS Secure Gateway RAS Enrollment Server | TCP | 135, 445 | Remote Install Push/Takeover of Software (pre-RAS 18). |
RAS Reporting Service | TCP | 3000 | Integration of RAS Reporting in Management Portal iFrame |
RAS Provider Agent | RAS Connection Broker | TCP | 20003 | Connection Broker communication port. |
RAS Guest Agent | TCP UDP | 30010 30009 | TCP is used to send the commands. UDP is used during the initial handshake. |
RAS Performance Monitor | TCP | 8086 | Agent (Telegraf service) sends collected performance data to InfluxDB - applicable to Hyper-V only. |
Hyper-V | TCP | 135, 49152-65535 | Used to check if the host is powered on and send export, import, delete, shutdown, restart or suspend commands. |
Nutanix AHV (AOS) | TCP | 9440 | Used to check if the host is powered on and sends clone, delete, shutdown, restart commands (RestAPI calls, PoSH, remote ncli). |
VMWare | TCP | 443 | Used to check if the host is powered on and sends clone, delete, shutdown, restart and suspend commands. |
Microsoft Azure | TCP | 443 | Used to check if the guest is powered on and sends clone, shutdown, restart commands (via REST). |
Azure Virtual Desktop | TCP | 443 | Used to check if the host is powered on and sends clone, shutdown, restart commands (via REST). |
AWS | TCP | 443 | Used to check if the host is powered on and sends clone, shutdown, restart commands (via REST). |
Scale | TCP | 443 | Used to check if the host is powered on and sends clone, shutdown, restart commands (via REST). |
Remote PC over VDI | TCP | 135, 49152-65535 | Used to check if the host is powered on and sends shutdown, restart or suspend commands. |
For Active Directory and Active Directory Domain Services port requirements, please see the following article: https://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx.
Source | Destination | Protocol | Ports | Description |
---|---|---|---|---|
Source | Destination | Protocols | Ports | Description |
---|---|---|---|---|
Source | Destination | Protocols | Ports | Description |
---|
Source | Destination | Protocols | Ports | Description |
---|
Source | Destination | Protocols | Ports | Description |
---|
RAS Enrollment Server
AD DS controllers
TCP
TCP
TCP,UDP
UDP
389, 3268
636, 3269
88
53
LDAP
LDAPS
Kerberos
DNS
RAS Connection Broker
TCP
UDP
20003
20003
Settings synchronization and performance counters.
Deny Connection Request
Certificate Authority (CA)
TCP
TCP
135
dynamic range
49152 - 65535
DCOM/RPC ports
RAS Guest Agent (used by Azure Virtual Desktop)
Provider Agent
TCP, UDP
30006
Communication with Provider Agent
Subnet broadcast is sent to find Provider Agent
Regular UDP heartbeats
Localhost
TCP
30005
For internal commands - memshell, printer redirector)
RAS Performance Monitor
TCP
8086
Agent (Telegraf service) sends collected performance data to InfluxDB
RAS Enrollment Server
TCP
30030
RAS Guest Agent (PrlsSCDriver) connects to get logon credentials
FSlogix
TCP
443
Download FSlogix installer
Tenant - RAS Connection Broker | Tenant Broker - RAS Connection Broker | TCP | 20003 | Tenant's RAS Connection Broker communicates with Tenant Broker to join Tenant Broker, synchronize configuration and statuses |
RAS Remote PC Agent | RAS Connection Broker | TCP, UDP | 20003 | Used for communications with RAS Connection Brokers |
Localhost | TCP | 30005 | For internal commands - memshell, printer redirector) |
RAS Performance Monitor | TCP | 8086 | Agent (Telegraf service) sends collected performance data to InfluxDB |
RAS Enrollment Server | TCP, UDP | 30030 | RAS Remote PC (PrlsSCDriver) connects to get logon credentials |
FSlogix | TCP | 443 | Download FSlogix installer |
RAS RD Session Host Agent | RAS Connection Broker | TCP, UDP | 20003 | Used for communications with RAS Connection Brokers. |
Localhost | TCP | 30005 | For internal commands (memshell, printer redirector). |
FSlogix | TCP | 443 | Download FSlogix installer |
RAS Performance Monitor | TCP | 8086 | Agent (Telegraf service) sends collected performance data to InfluxDB. |
RAS Enrollment Server | TCP | 30030 | RAS RD Session Host Agent (PrlsSCDriver) connects to get logon credentials. |
The Azure virtual machines you create for Azure Virtual Desktop must have access to the following URLs in the Azure commercial cloud:
Address | Outbound TCP port | Purpose | Service tag |
---|---|---|---|
The following table lists optional URLs that your Azure virtual machines can have access to:
Address | Outbound TCP port | Purpose | Azure Gov |
---|---|---|---|
For up to date information, please also visit the Microsoft website at https://docs.microsoft.com/en-us/azure/virtual-desktop/safe-url-list#required-url-check-tool.
*.wvd.microsoft.com
443
Service traffic
AzureVirtualDesktop
gcs.prod.monitoring.core.windows.net
443
Agent traffic
AzureCloud
production.diagnostics.monitoring.core.windows.net
443
Agent traffic
AzureCloud
*xt.blob.core.windows.net
443
Agent traffic
AzureCloud
*eh.servicebus.windows.net
443
Agent traffic
AzureCloud
*xt.table.core.windows.net
443
Agent traffic
AzureCloud
*xt.queue.core.windows.net
443
Agent traffic
AzureCloud
catalogartifact.azureedge.net
443
Azure Marketplace
AzureCloud
kms.core.windows.net
1688
Windows activation
Internet
mrsglobalsteus2prod.blob.core.windows.net
443
Agent and SXS stack updates
AzureCloud
wvdportalstorageblob.blob.core.windows.net
443
Azure portal support
AzureCloud
169.254.169.254
80
Azure Instance Metadata service endpoint
N/A
168.63.129.16
80
Host health monitoring
N/A
https://download.parallels.com/ras/Configuration_01-20-2022.zip
443
Joining a host to a host pool
AzureVirtualDesktop
*.microsoftonline.com
443
Authentication to Microsoft Online Services
login.microsoftonline.us
*.events.data.microsoft.com
443
Telemetry Service
None
www.msftconnecttest.com
443
Detects if the OS is connected to the internet
None
*.prod.do.dsp.mp.microsoft.com
443
Windows Update
None
login.windows.net
443
Sign in to Microsoft Online Services, Microsoft 365
login.microsoftonline.us
*.sfx.ms
443
Updates for OneDrive client software
oneclient.sfx.ms
*.digicert.com
443
Certificate revocation check
None
*.azure-dns.com
443
Azure DNS resolution
None
*.azure-dns.net
443
Azure DNS resolution
None