Administrators regularly need to know which ports the Remote Desktop Gateway (RD Gateway) uses. Find a short overview below:
Internet –> Gateway WAN NIC:
TCP: 443 (HTTPS; this is the primary RD Gateway transport and is always required)
UDP: 3391 (only used if you enable the UDP transport on the RD Gateway)
Gateway LAN NIC –> Session Host Servers:
TCP / UDP: 3389 (Remote Desktop)
Gateway LAN NIC –> Connection Broker Servers:
TCP / UDP: 3389 (Remote Desktop)
Gateway LAN NIC –> Domain Controllers:
TCP / UDP: 88 (Kerberos)
TCP / UDP: 389 (LDAP)
TCP / UDP: 53 (DNS)
TCP / UDP: 445 (SMB)
TCP: 135 (RPC Endpoint Mapper; the gateway asks it which port NTDS is listening on)
TCP Dynamic Ports (NTDS RPC service; 49152–65535 on Windows Server 2008 and later, unless you pin NTDS to a fixed port in the registry)
Connection Broker Servers –> Gateway LAN NIC:
TCP: 5985 (WS-Management and PowerShell Remoting)
TCP: 3389 (Remote Desktop)
Let me know if this helps.
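As an added example (not part of the original post), the following PowerShell script turns the port list above into something you can run on the RD Gateway itself: it creates the two inbound firewall rules on the WAN side and then checks TCP reachability of every LAN-side port from the gateway. The host names ($sessionHosts, $brokers, $domainControllers) are placeholders that you must replace with your own; Test-NetConnection can only probe TCP, so the UDP entries (3389, 3391 and UDP to the DCs) are listed but not tested.

```powershell
# Added example, not from the original post. Run elevated on the RD Gateway.
# Placeholder host names: replace with your own servers.
$sessionHosts      = @('rdsh01.corp.example', 'rdsh02.corp.example')
$brokers           = @('rdcb01.corp.example')
$domainControllers = @('dc01.corp.example', 'dc02.corp.example')

# 1. Inbound rules on the WAN-facing (Public) profile of the gateway.
#    TCP 443 is always needed; UDP 3391 only if UDP transport is enabled.
$inbound = @(
    @{ Name = 'RD Gateway HTTPS (TCP 443)';     Protocol = 'TCP'; Port = 443  },
    @{ Name = 'RD Gateway UDP transport (3391)'; Protocol = 'UDP'; Port = 3391 }
)
foreach ($rule in $inbound) {
    if (-not (Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $rule.Name -Direction Inbound `
            -Protocol $rule.Protocol -LocalPort $rule.Port -Action Allow -Profile Public | Out-Null
        Write-Host "Created inbound rule: $($rule.Name)"
    }
}

# 2. Outbound reachability matrix: gateway LAN NIC -> internal servers.
#    Only TCP ports are probed; UDP entries are kept for documentation.
$matrix = @(
    @{ Role = 'Session Host';      Hosts = $sessionHosts;      Tcp = @(3389);              Udp = @(3389) },
    @{ Role = 'Connection Broker'; Hosts = $brokers;           Tcp = @(3389);              Udp = @(3389) },
    @{ Role = 'Domain Controller'; Hosts = $domainControllers; Tcp = @(88, 389, 53, 445, 135); Udp = @(88, 389, 53) }
)

$results = foreach ($entry in $matrix) {
    foreach ($target in $entry.Hosts) {
        foreach ($port in $entry.Tcp) {
            $probe = Test-NetConnection -ComputerName $target -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{
                Role     = $entry.Role
                Target   = $target
                Protocol = 'TCP'
                Port     = $port
                Open     = $probe.TcpTestSucceeded
            }
        }
        foreach ($port in $entry.Udp) {
            [pscustomobject]@{
                Role     = $entry.Role
                Target   = $target
                Protocol = 'UDP'
                Port     = $port
                Open     = 'not probed (UDP)'
            }
        }
    }
}

$results | Sort-Object Role, Target, Protocol, Port | Format-Table -AutoSize

# Anything with Open = False is a firewall or routing problem between the
# gateway LAN NIC and that server; fix it before blaming the RD Gateway itself.
$results | Where-Object { $_.Open -eq $false } | ForEach-Object {
    Write-Warning "$($_.Role) $($_.Target): TCP $($_.Port) is blocked"
}
```

Note that the dynamic NTDS RPC ports are deliberately not in the matrix: until you pin NTDS to a fixed port on the domain controllers, there is no single port number to test, which is exactly why TCP 135 (the Endpoint Mapper) is included instead.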
4 thoughts on “RDS – RD Gateway Ports”
Great post, clear and concise – thank you! One question: I am about to do this for my WS12R2 RD Web Access and Gateway servers (both roles on the same box). I just wanted to know if there are any other ports specific to RD Web Access I need to open, and lastly, the “TCP Dynamic Ports (NTDS RPC service)” – do I set this on the DC, and how can I set this? Please do let us know. Many thanks!
The RD Gateway server talks to the NT Directory Service (NTDS) RPC service on AD. The NTDS RPC service listens on an unused high-end port. RD Gateway does not know the port number on which the NTDS RPC service is listening, so RD Gateway talks to the RPC Endpoint Mapper, which listens on a constant port, and gets the NTDS RPC service port number. Finally it makes a connection to the NTDS RPC service. Fortunately, the admin can make the NTDS RPC service on AD listen on a constant port by using a registry key. To learn how to configure the registry values on AD for the NTDS RPC service ports, see this article here: https://support.microsoft.com/en-us/help/224196/restricting-active-directory-rpc-traffic-to-a-specific-port
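The registry change described in the reply above, as an added PowerShell example (not the original commenter's code or Microsoft's): it pins the NTDS RPC service and the Netlogon service to fixed TCP ports on a domain controller, which is what the linked article does with two registry values. The port numbers 38901 and 38902 are arbitrary choices for the example; pick any unused ports above the well-known range and keep them consistent across all DCs. The change only takes effect after the domain controller is restarted, and you still need to allow TCP 135 plus the two pinned ports from the RD Gateway to the DC.

```powershell
# Added example, not from the original comment. Run elevated on each domain
# controller. Port numbers are example values: choose your own unused ports.
$ntdsPort    = 38901   # fixed port for the NTDS RPC service
$netlogonPort = 38902  # fixed port for the Netlogon service

$ntdsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Refuse to set a port that something else already listens on.
foreach ($p in @($ntdsPort, $netlogonPort)) {
    if (Get-NetTCPConnection -LocalPort $p -State Listen -ErrorAction SilentlyContinue) {
        throw "TCP port $p is already in use on this host; choose another port."
    }
}

# NTDS: value name 'TCP/IP Port' (REG_DWORD), per the linked Microsoft article.
New-ItemProperty -Path $ntdsKey -Name 'TCP/IP Port' -PropertyType DWord `
    -Value $ntdsPort -Force | Out-Null

# Netlogon: value name 'DCTcpIpPort' (REG_DWORD), per the same article.
New-ItemProperty -Path $netlogonKey -Name 'DCTcpIpPort' -PropertyType DWord `
    -Value $netlogonPort -Force | Out-Null

# Read both values back so a typo in the value name is caught now, not after a reboot.
$ntdsSet     = (Get-ItemProperty -Path $ntdsKey -Name 'TCP/IP Port').'TCP/IP Port'
$netlogonSet = (Get-ItemProperty -Path $netlogonKey -Name 'DCTcpIpPort').DCTcpIpPort
Write-Host "NTDS RPC pinned to TCP $ntdsSet, Netlogon pinned to TCP $netlogonSet"

# Firewall on the DC: only the gateway's LAN address may reach the Endpoint
# Mapper and the two pinned ports. Replace the address with your gateway's LAN IP.
$gatewayLanIp = '10.0.0.10'   # placeholder
$dcRules = @(
    @{ Name = 'RPC Endpoint Mapper from RD Gateway'; Port = 135 },
    @{ Name = 'NTDS RPC (pinned) from RD Gateway';    Port = $ntdsPort },
    @{ Name = 'Netlogon RPC (pinned) from RD Gateway'; Port = $netlogonPort }
)
foreach ($rule in $dcRules) {
    if (-not (Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $rule.Name -Direction Inbound -Protocol TCP `
            -LocalPort $rule.Port -RemoteAddress $gatewayLanIp -Action Allow | Out-Null
    }
}

Write-Warning 'Restart this domain controller for the pinned ports to take effect.'
# After the restart, from the RD Gateway:
#   Test-NetConnection -ComputerName dc01.corp.example -Port 38901
# should report TcpTestSucceeded = True.
```

Once every DC has been restarted with the pinned ports, the "TCP Dynamic Ports (NTDS RPC service)" line in the port overview collapses to TCP 135 plus the two fixed ports, which is far easier to express as a firewall rule between the DMZ and the LAN.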
Great post! Thanks. One additional note: if you are running RD Web and RD Gateway on the same server(s) in the DMZ and you want to allow password resets for off-net users via RD Web, you will also need to allow traffic on TCP/UDP port 464 to flow from your RD Web servers in the DMZ to your AD DS servers in the LAN.
Thanks for posting that. Cheerio, Al