This section provides guidance on Microsoft license requirements in a Parallels RAS environment and is not an exhaustive list. It is recommended to refer to your Microsoft licensing partner for further information.
Microsoft license requirements include:
Any Windows Server and Desktop Operating System (OS) to be used.
Windows Server OS to be accessed must be covered by Microsoft Windows Server Client Access Licenses (CALs).
If Windows Server is accessed remotely (for non-administrative work), you need a Remote Desktop Services (RDS) access license:
RDS CALs are required for users or devices that want to utilize Remote Desktop Services functionality on Windows Server. The following types of RDS CAL are available:

- RDS Device CAL: Permits one device (used by any user) to use Remote Desktop Services functionality on any of your servers.
- RDS User CAL: Permits one user (using any device) to use Remote Desktop Services functionality on any of your servers.
- RDS External Connector: Permits multiple external users to access a single Remote Desktop server. If you have multiple servers, you need multiple external connectors in addition to any required Windows Server External Connectors.

You may choose to combine RDS Device CALs and RDS User CALs simultaneously with the server software. Regular User or Device CALs are required in addition to the RDS User or RDS Device CALs.
RDS SAL is a service that provides a Microsoft Remote Desktop Service Subscriber Access License (called an "RDS SAL") on Virtual Machines created in Compute Resource. This makes it possible for three or more users to connect to a remote desktop (RD Session Host) for a specific Virtual Machine in Compute Resource (for SPLA partners).
Read more:
License your RDS deployment with client access licenses (CALs): https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-client-access-license.
Licensing of Microsoft Desktop Application Software for use with Windows Server RDS https://download.microsoft.com/download/3/d/4/3d42bdc2-6725-4b29-b75a-a5b04179958b/desktop_application_with_windows_server_remote_desktop_services.pdf.
If you use Microsoft Hyper-V as a hypervisor, Microsoft Windows Server Operating System (OS) licenses are required.
Read more:
Windows Server 2022 license datasheet https://www.microsoft.com/en-us/windows-server/pricing.
Windows Server 2019 license datasheet https://download.microsoft.com/download/7/C/E/7CED6910-C7B2-4196-8C55-208EE0B427E2/Windows_Server_2019_licensing_datasheet_EN_US.pdf.
Windows Server 2016 license datasheet https://download.microsoft.com/download/7/2/9/7290EA05-DC56-4BED-9400-138C5701F174/WS2016LicensingDatasheet.pdf.
If you use Virtual Desktop Infrastructure (VDI), Windows Software Assurance or Azure Virtual Desktop Access (VDA) licenses are required. Microsoft licenses Windows by access device:
Virtual desktop access rights are a benefit of Windows Client Software Assurance (SA). Customers who intend to use PCs covered under SA have access to their VDI desktops at no additional charge.
Customers who want to use devices that do not qualify for Windows Client SA, such as thin clients, will need to license those devices with Azure Virtual Desktop Access (VDA) in order to access a Windows VDI desktop. Windows VDA is also applicable to third-party devices, such as contractor or employee-owned PCs.
Read more:
Windows 11 licensing portal https://www.microsoft.com/en-us/Licensing/product-licensing/windows.
Windows 10 licensing portal https://www.microsoft.com/en-us/licensing/product-licensing/windows10?activetab=windows10-pivot:primaryr3.
Licensing Windows desktop operating system for use with virtual machines guide https://download.microsoft.com/download/9/8/d/98d6a56c-4d79-40f4-8462-da3ecba2dc2c/licensing_windows_desktop_os_for_virtual_machines.pdf.
Licensing the Windows Desktop for VDI Environments https://docs.microsoft.com/en-us/answers/storage/temp/12620-microsoft-vdi-and-vda-faq-v3-0.pdf.
Microsoft Online business services, such as Microsoft 365 or Microsoft Azure, require Microsoft Entra ID for sign-in and to help with identity protection. If you subscribe to any Microsoft Online business service, you automatically get Microsoft Entra ID with access to all the free features. To enhance your Microsoft Entra ID implementation, you can also add paid capabilities by upgrading to Microsoft Entra ID Premium P1 or Premium P2 licenses.
Read more:
Microsoft Entra ID Implementations https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis
Azure hybrid benefits https://azure.microsoft.com/en-us/pricing/hybrid-benefit/
Access to Windows 10 Enterprise multi-session, Windows 11 Enterprise multi-session, Windows 10 Enterprise and Windows 11 Enterprise desktops and apps is provided at no additional cost (excluding compute, storage and networking costs) if you have one of the following per user licenses:

- Microsoft 365 E3/E5
- Microsoft 365 A3/A5/Student Use Benefits
- Microsoft 365 F3
- Microsoft 365 Business Premium
- Windows 10 Enterprise E3/E5
- Windows 10 Education A3/A5
- Windows 10 VDA per user

Access to desktops powered by Windows Server Remote Desktop Services running Windows Server 2012 R2 and newer is provided at no additional cost (excluding compute, storage and networking costs) if you have a per-user or per-device RDS CAL license with active Software Assurance (SA).
Read more:
Azure Virtual Desktop pricing overview https://azure.microsoft.com/en-us/pricing/details/virtual-desktop/
You are eligible to access FSLogix Profile Container, Office 365 Container, Application Masking, and Java Redirection tools if you have one of the following licenses:

- Microsoft 365 E3/E5
- Microsoft 365 A3/A5/Student Use Benefits
- Microsoft 365 F1/F3
- Microsoft 365 Business
- Windows 10 Enterprise E3/E5
- Windows 10 Education A3/A5
- Windows 10 VDA per user
- Remote Desktop Services (RDS) Client Access License (CAL)
- Remote Desktop Services (RDS) Subscriber Access License (SAL)

FSLogix solutions may be used in any public or private data center, as long as a user is properly licensed.
Read more:
FSLogix Overview https://docs.microsoft.com/en-us/fslogix/overview.
SQL Server is required if using Parallels RAS Reporting. SQL Server installation may be based on:

- SQL Express, which is free but has a database size limit of 10 GB.
- SQL Server commercial edition Standard or Enterprise, using Core based licenses or Server + CAL based licenses.

Read more:
SQL Server 2019 licensing guide https://download.microsoft.com/download/6/6/0/66078040-86d8-4f6e-b0c5-e9919bbcb537/SQL%20Server%202019%20Licensing%20guide.pdf
App-V is not licensed on its own, but is included in other license agreements such as Microsoft Volume Licensing, Windows Software Assurance, and Microsoft Remote Desktop Services (RDS) CAL, as part of a wider Microsoft licensing agreement. For instance, with an RDS CAL (either per-user or per-device), the App-V client may be used on an RD Session Host to deliver App-V applications.
To license App-V correctly, it is recommended that you engage with a Microsoft Partner (solution provider) knowledgeable about Microsoft Volume Licensing (list of Microsoft Partners: https://pinpoint.microsoft.com/en-us/search?type=companies&competency=100010).
For a detailed list of Microsoft Volume Licensing Product Terms please see https://www.microsoftvolumelicensing.com/Downloader.aspx?documenttype=PT&lang=English.
The following diagram illustrates communication ports used in Parallels RAS.
The above diagram includes SAML SSO components such as RAS Enrollment Server; however, it does not include Tenant Broker.
Tip: If you are reading the PDF version of this guide, click the following link to view the full-sized diagram in a web browser: https://download.parallels.com/ras/v19/docs/en_US/Parallels-RAS-19-Administrators-Guide/index.htm#47092.

Source | Destination | Protocols | Ports | Description |
---|---|---|---|---|
RAS Console | RAS Reporting | TCP | 30008 | RAS Console is connected to primary RAS Connection Broker which communicates with RAS Reporting (installed on the same host as SSRS). SSRS talks to SQL via TCP 1433 (or dynamic if 1433 is not established in the settings). |
RAS Console | SSRS | TCP | 443 | Reports retrieval. |
RAS Console | HALB | TCP, UDP | 31006 | Used for configuration. |
RAS Console | Parallels Client | TCP | 50005 | Shadowing from the RAS Console in case of direct network connection. |
RAS Console | RAS RD Session Host Agent | UDP, TCP | 30004 | Used for the "Check Agent" task. Used to manage components. |
RAS Console | RAS Guest Agent | TCP, UDP | 30009, 30010 | Used for the "Check Agent" task. Used to manage components. |
RAS Console | RAS Remote PC Agent | UDP, TCP | 30004 | Used for the "Check Agent" task. Used to manage components. |
RAS Console | RAS Provider Agent | UDP, TCP | 30006 | Used for the "Check Agent" task. Used to manage components. |
RAS Console | MFA Server(s) | TCP, UDP | 8080, 80, 1812, 1813 | Deepnet / Safenet / Radius |
RAS Console | Microsoft site | TCP | 80, 443 | Check for updates and download Parallels Client |
RAS Console | Parallels site | TCP | 80 | Check for updates and download Parallels Client |
RAS Console | RAS Performance Monitor | TCP | 3000 | RAS browser plugin connection to Grafana. |
RAS Console | RAS Connection Broker | TCP | 20002, 20001 | Communication with Connection Broker and redundancy. |
RAS Console | RAS Enrollment Server | TCP, UDP | 30030 | Used for the "Check Agent" task. Used to manage components and for troubleshooting. |
RAS Console | Wyse Broker | UDP | 1234 (outbound only); 68 (inbound only) | Wyse broker discovery request broadcast packet (V_WYSEBCAST). Wyse broker discovery reply packet (V_WYSETEST). |
RAS Console | SMTP | TCP | 587 | RAS Console can send test emails using port specified in the Mailbox settings (+SSL/TLS) |

Source | Destination | Protocols | Ports | Description |
---|---|---|---|---|
RAS Reporting Service | MS SQL | TCP | 1433 | Store RAS activity information |
RAS Reporting Service | SSRS | TCP | 8085, 443 | Enumeration of reports (incl. custom reports) |
HALB | HALB | VRRP | 112 | HALB to HALB communication used for automatic assignment of VIP to active HALB. |
HALB | RAS Secure Gateway in Forwarding Mode | TCP, UDP | 80, 443 | Management and user session connections. |
HALB | RAS Secure Gateway in Normal Mode | TCP, UDP; TCP, UDP | 80, 443; 20009 | Management and user session connections. Device Manager shadowing via Firewall (indirect network connection). |

Source | Destination | Protocols | Ports | Description |
---|---|---|---|---|
RAS Provider Agent | RAS Connection Broker | TCP | 20003 | Connection Broker communication port. |
RAS Provider Agent | RAS Guest Agent | TCP; UDP | 30010; 30009 | TCP is used to send the commands. UDP is used during the initial handshake. |
RAS Provider Agent | RAS Performance Monitor | TCP | 8086 | Agent (Telegraf service) sends collected performance data to InfluxDB - applicable to Hyper-V only. |
RAS Provider Agent | Hyper-V | TCP | 135, 49152-65535 | Used to check if the host is powered on and send export, import, delete, shutdown, restart or suspend commands. |
RAS Provider Agent | Nutanix AHV (AOS) | TCP | 9440 | Used to check if the host is powered on and sends clone, delete, shutdown, restart commands (RestAPI calls, PoSH, remote ncli). |
RAS Provider Agent | VMWare | TCP | 443 | Used to check if the host is powered on and sends clone, delete, shutdown, restart and suspend commands. |
RAS Provider Agent | Microsoft Azure | TCP | 443 | Used to check if the guest is powered on and sends clone, shutdown, restart commands (via REST). |
RAS Provider Agent | Azure Virtual Desktop | TCP | 443 | Used to check if the host is powered on and sends clone, shutdown, restart commands (via REST). |
RAS Provider Agent | AWS | TCP | 443 | Used to check if the host is powered on and sends clone, shutdown, restart commands (via REST). |
RAS Provider Agent | Scale | TCP | 443 | Used to check if the host is powered on and sends clone, shutdown, restart commands (via REST). |
RAS Provider Agent | Remote PC over VDI | TCP | 135, 49152-65535 | Used to check if the host is powered on and sends shutdown, restart or suspend commands. |

For Active Directory and Active Directory Domain Services port requirements, please see the following article: https://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx.
Note: Ports 80 and 443 must be open for incoming requests when using Let's Encrypt.

Source | Destination | Protocols | Ports | Description |
---|---|---|---|---|
RAS RD Session Host Agent | RAS Connection Broker | TCP, UDP | 20003 | Used for communications with RAS Connection Brokers. |
RAS RD Session Host Agent | Localhost | TCP | 30005 | For internal commands (memshell, printer redirector). |
RAS RD Session Host Agent | FSLogix | TCP | 443 | Download FSLogix installer |
RAS RD Session Host Agent | RAS Performance Monitor | TCP | 8086 | Agent (Telegraf service) sends collected performance data to InfluxDB. |
RAS RD Session Host Agent | RAS Enrollment Server | TCP | 30030 | RAS RD Session Host Agent (PrlsSCDriver) connects to get logon credentials. |

Source | Destination | Protocols | Ports | Description |
---|---|---|---|---|
RAS Enrollment Server | AD DS controllers | TCP; TCP; TCP, UDP; UDP | 389, 3268; 636, 3269; 88; 53 | LDAP; LDAPS; Kerberos; DNS |
RAS Enrollment Server | RAS Connection Broker | TCP; UDP | 20003; 20003 | Settings synchronization and performance counters; Deny Connection Request |
RAS Enrollment Server | Certificate Authority (CA) | TCP; TCP | 135; dynamic range 49152 - 65535 | DCOM/RPC ports |
RAS Secure Gateway in Forwarding mode | RAS Secure Gateway in Normal mode | TCP, UDP; TCP, UDP | 80, 443; 3389 | Management and user session connections. Optional - Used for user session if RDP Load Balancing is enabled. |
RAS Secure Gateway in Forwarding mode | RAS Performance Monitor | TCP | 8086 | Agent (Telegraf service) sends collected performance data to InfluxDB. |
RAS Secure Gateway in Normal mode | Remote Desktop Services | TCP, UDP | 3389 | RDP Connections. |
RAS Secure Gateway in Normal mode | RAS Connection Broker | TCP; TCP, UDP | 20002; 20009 | RAS Connection Broker service port - communications with RAS Secure Gateways and the RAS Console (in Normal mode only). Device Manager shadowing via Firewall (indirect network connection) if RAS Console runs on RAS Connection Broker. |
RAS Secure Gateway in Normal mode | RAS Performance Monitor | TCP | 8086 | Agent (Telegraf service) sends collected performance data to InfluxDB. |
RAS Secure Gateway in Normal mode | Localhost | TCP | 20020 | Communication with User Portal web server (NodeJS). |

Source | Destination | Protocols | Ports | Description |
---|---|---|---|---|
RAS Web Administration Service | RAS RD Session Host Agent | TCP | 30004 | Log retrieval |
RAS Web Administration Service | RAS Guest Agent | TCP | 30010 | Log retrieval |
RAS Web Administration Service | RAS Provider Agent | TCP | 30006 | Log retrieval |
RAS Web Administration Service | RAS Connection Broker | TCP | 20002, 20001; 30020 | Communication with GA and Redundancy. Used during publishing to browse for installed applications or single file/folder browsing. 30020 - remote agent pushing (pre-RAS 18). |
RAS Web Administration Service | RAS RD Session Host Agent, RAS Guest Agent, RAS Remote PC Agent, RAS Connection Broker, RAS Secure Gateway, RAS Enrollment Server | TCP | 135, 445 | Remote Install Push/Takeover of Software (pre-RAS 18). |
RAS Web Administration Service | RAS Reporting Service | TCP | 3000 | Integration of RAS Reporting in Management Portal iFrame |

Source | Destination | Protocols | Ports | Description |
---|---|---|---|---|
SSRS | Microsoft SQL Server | TCP | 1433 | RAS Console is connected to RAS Reporting |

Source | Destination | Protocols | Ports | Description |
---|---|---|---|---|
Web browser (HTML5) and Let's Encrypt service | RAS Web Admin Service [RAS Management Portal] | TCP | 20443 | Admin access to HTML5 based Management Portal of RAS environment |
Web browser (HTML5) and Let's Encrypt service | HALB | TCP | 80, 443 | End-user access to Parallels RAS Web Client (on Secure Gateway in Normal mode) through the HALB. Note: Ports 80 and 443 must be open for incoming requests when using Let's Encrypt. |
Web browser (HTML5) and Let's Encrypt service | RAS Secure Gateway | TCP | 80, 443 | End-user access to Parallels RAS Web Client (on Secure Gateway in Normal mode). Note: Ports 80 and 443 must be open for incoming requests when using Let's Encrypt. |

Source | Destination | Protocols | Ports | Description |
---|---|---|---|---|
Parallels Client | HALB | TCP, UDP; TCP, UDP | 80, 443; 20009 | Management and user session connections. Device Manager shadowing via Firewall (indirect network connection). |
Parallels Client | RAS Secure Gateway Forwarding mode | TCP, UDP; TCP, UDP; UDP | 80, 443; 3389; 20000 | Management and user session connections. Optional - Used for user session if RDP load balancing is enabled (Standard RDP). Secure Gateway lookup broadcast. |
Parallels Client | RAS Secure Gateway Normal mode | TCP, UDP; TCP, UDP; TCP, UDP; UDP | 80, 443; 3389; 20009; 20000 | Management and user session connections. Optional - Used for user session if RDP load balancing is enabled (Standard RDP). Device Manager shadowing via Firewall (indirect network connection). Secure Gateway lookup broadcast. |
Parallels Client | Session host (VDI, RDS, RemotePC) | TCP, UDP | 3389 | Used for user session connections in Direct Mode only. RDP connection is always encrypted. |
Parallels Client | Azure Virtual Desktop Services | TCP; UDP | 443; 3390 | Azure Virtual Desktop Gateway connection. Used for user session connections in ShortPath mode only. |
Parallels Client | Microsoft site | TCP | 443 | Download Microsoft Remote Desktop (MSRDC) client |
Parallels Client | Parallels site | TCP | 80, 443 | Check for updates and download Parallels Client |

Source | Destination | Protocols | Ports | Description |
---|---|---|---|---|
Tenant - RAS Connection Broker | Tenant Broker - RAS Connection Broker | TCP | 20003 | Tenant's RAS Connection Broker communicates with Tenant Broker to join Tenant Broker, synchronize configuration and statuses |

Source | Destination | Protocols | Ports | Description |
---|---|---|---|---|
RAS Guest Agent (used by Azure Virtual Desktop) | Provider Agent | TCP, UDP | 30006 | Communication with Provider Agent. Subnet broadcast is sent to find Provider Agent. Regular UDP heartbeats. |
RAS Guest Agent (used by Azure Virtual Desktop) | Localhost | TCP | 30005 | For internal commands (memshell, printer redirector) |
RAS Guest Agent (used by Azure Virtual Desktop) | RAS Performance Monitor | TCP | 8086 | Agent (Telegraf service) sends collected performance data to InfluxDB |
RAS Guest Agent (used by Azure Virtual Desktop) | RAS Enrollment Server | TCP | 30030 | RAS Guest Agent (PrlsSCDriver) connects to get logon credentials |
RAS Guest Agent (used by Azure Virtual Desktop) | FSLogix | TCP | 443 | Download FSLogix installer |

Source | Destination | Protocols | Ports | Description |
---|---|---|---|---|
RAS Connection Broker | AD DS controllers | TCP; TCP; TCP, UDP; UDP | 389, 3268; 636, 3269; 88; 53 | LDAP; LDAPS; Kerberos; DNS |
RAS Connection Broker | RAS Connection Broker | TCP | 20001; 20030 | Redundancy service. Communication between RAS Connection Brokers running in the same site. |
RAS Connection Broker | Parallels Licensing Server | TCP | 443 | RAS Connection Broker (primary Connection Broker in Licensing Site) communicates with Parallels Licensing Server (https://ras.parallels.com). Note: Not required for Tenant Broker RAS Connection Broker (see the Tenant Broker section). |
RAS Connection Broker | RAS Performance Monitor | TCP | 8086 | Agent (Telegraf service) sends collected performance data to InfluxDB. |
RAS Connection Broker | RAS RD Session Host Agent | TCP, UDP | 30004 | Server for Connection Broker requests. |
RAS Connection Broker | RAS Provider Agent | TCP, UDP | 30006 | Provider Agent communication port. |
RAS Connection Broker | RAS Remote PC Agent | TCP, UDP | 30004 | Remote PC Agent Communication Port (agent state, counters and session information) |
RAS Connection Broker | 2FA Server(s) | TCP, UDP | 8080, 80; 1812, 1813 | Deepnet/Safenet; Radius |
RAS Connection Broker | RAS Enrollment Server | TCP | 30030 | RAS Connection Broker sends RAS Enrollment Server connection request |
RAS Connection Broker | RAS Reporting | TCP | 30008 | Master RAS Connection Broker communicates with RAS Reporting (installed on the same host as SSRS). |
RAS Connection Broker | RAS Remote Installer Service | TCP | 30020 | Remote agent pushing |
RAS Connection Broker | RAS RD Session Host Agent, RAS Guest Agent, RAS Remote PC Agent, RAS Connection Broker, RAS Secure Gateway, RAS Enrollment Server | TCP | 135, 445, 49179 | Remote Install Push/Takeover of Software |
RAS Connection Broker | SMTP | TCP | 587 | Notifdispatcher is the service which sends the emails using port specified in the Mailbox settings (+SSL/TLS) |
RAS Connection Broker | Let's Encrypt Service | TCP | 80, 443 | Communication between the Let's Encrypt client (available in the primary Connection Broker) and a Let's Encrypt server. |

The Azure virtual machines you create for Azure Virtual Desktop must have access to the following URLs in the Azure commercial cloud:

Address | Outbound TCP port | Purpose | Service tag |
---|---|---|---|
`*.wvd.microsoft.com` | 443 | Service traffic | AzureVirtualDesktop |
`gcs.prod.monitoring.core.windows.net` | 443 | Agent traffic | AzureCloud |
`production.diagnostics.monitoring.core.windows.net` | 443 | Agent traffic | AzureCloud |
`*xt.blob.core.windows.net` | 443 | Agent traffic | AzureCloud |
`*eh.servicebus.windows.net` | 443 | Agent traffic | AzureCloud |
`*xt.table.core.windows.net` | 443 | Agent traffic | AzureCloud |
`*xt.queue.core.windows.net` | 443 | Agent traffic | AzureCloud |
`catalogartifact.azureedge.net` | 443 | Azure Marketplace | AzureCloud |
`kms.core.windows.net` | 1688 | Windows activation | Internet |
`mrsglobalsteus2prod.blob.core.windows.net` | 443 | Agent and SXS stack updates | AzureCloud |
`wvdportalstorageblob.blob.core.windows.net` | 443 | Azure portal support | AzureCloud |
`169.254.169.254` | 80 | Azure Instance Metadata service endpoint | N/A |
`168.63.129.16` | 80 | Host health monitoring | N/A |
`https://download.parallels.com/ras/Configuration_01-20-2022.zip` | 443 | Joining a host to a host pool | AzureVirtualDesktop |

The following table lists optional URLs that your Azure virtual machines can have access to:

Address | Outbound TCP port | Purpose | Azure Gov |
---|---|---|---|
`*.microsoftonline.com` | 443 | Authentication to Microsoft Online Services | login.microsoftonline.us |
`*.events.data.microsoft.com` | 443 | Telemetry Service | None |
`www.msftconnecttest.com` | 443 | Detects if the OS is connected to the internet | None |
`*.prod.do.dsp.mp.microsoft.com` | 443 | Windows Update | None |
`login.windows.net` | 443 | Sign in to Microsoft Online Services, Microsoft 365 | login.microsoftonline.us |
`*.sfx.ms` | 443 | Updates for OneDrive client software | oneclient.sfx.ms |
`*.digicert.com` | 443 | Certificate revocation check | None |
`*.azure-dns.com` | 443 | Azure DNS resolution | None |
`*.azure-dns.net` | 443 | Azure DNS resolution | None |

For up-to-date information, please also visit the Microsoft website at .

ID | Name | Description |
---|---|---|
ras_gw_tot_conn | Total connections | The total number of Connections with the Gateway. |
ras_gw_tot_threads | Total threads | The total number of threads running on the Gateway. |
ras_gw_rpd_sess | RDP tunneled sessions | The number of tunneled RDP sessions. |
ras_gw_rpd_sess_s | RDP SSL tunneled sessions | The number of tunneled RDP sessions over SSL. |
ras_gw_html | HTTP connections | The number of tunneled HTTP sockets |
ras_gw_html_s | HTTPS connections | The number of tunneled HTTPS sockets |
ras_gw_html5 | HTML5 connections | The number of tunneled HTTP5 sockets |
ras_gw_html5_s | HTML5 SSL connections | The number of tunneled HTTP5 sockets over SSL |
ras_gw_cm | Device Manager connections | The number of Parallels Device Manager connections |
ras_gw_cm_s | Device Manager SSL connections | The number of Parallels Device Manager connections over SSL |
ras_gw_wyse | Wyse connections | The number of Wyse connections |
ras_gw_wyse_s | Wyse SSL connections | The number of Wyse connections over SSL |
ras_gw_rdpudp | RDP UDP tunneled sessions | The number of RDP UDP connections |
ras_gw_rdpudp_s | RDP UDP DTLS tunneled sessions | The number of RDP UDP connections over DTLS |
ras_gw_cache_sock | Cached sockets | The number of cached sockets between Gateway and Connection Broker |
ras_gw_idle_threads | Idle threads | The number of idle threads on the Gateway |
ras_gw_client | Client connections | The number of Parallels Client connections |
ras_gw_client_s | Client SSL connections | The number of Parallels Client connections over SSL |
ras_pa_avg_client_connection_time | Average time for client connection | The average client connection time. |
ras_pa_avg_client_auth_time | Average time for user authentication | The average time taken to authenticate a user. |
ras_pa_avg_client_policy_time | Average time to retrieve user policy | The average time taken to retrieve the user's policy. |
ras_pa_avg_client_rep_time | Average time to send client telemetry | The average time taken to send client telemetry. Used by CEP. |
ras_pa_avg_client_applist_time | Average time to retrieve user's published items | The average time taken to retrieve user's published items list. |
ras_pa_avg_client_appicons_time | Average time to retrieve icons | The average time taken to retrieve published items icons. |
ras_pa_avg_client_getidle_time | Average time to start up a request | The average time taken for the start up request. |
act_sess | Active RDS sessions | The number of active RDS Sessions. |
disc_sess | Disconnected RDS sessions | The number of disconnected RDS Sessions. |

Source | Destination | Protocols | Ports | Description |
---|---|---|---|---|
RAS PowerShell | RAS RD Session Host Agent | TCP | 30004 | Log retrieval |
RAS PowerShell | RAS Guest Agent | TCP | 30010 | Log retrieval |
RAS PowerShell | RAS Remote PC Agent | TCP | 30004 | Log retrieval |
RAS PowerShell | RAS Provider Agent | TCP | 30006 | Log retrieval |
RAS PowerShell | RAS Connection Broker | TCP | 20002, 20001 | Communication with GA and Redundancy. Used during publishing to browse for installed applications or single file/folder browsing. |