RDS – RD Gateway Ports

It seems to be a need to know the used ports by the Remote Desktop RD Gateway. Find a short overview bellow:

Internet –> Gateway WAN NIC:

TCP: 443
UDP: 3391 (You have to enable UDP on the RD Gateway)

Gateway LAN NIC –> Session Host Servers:

TCP / UDP: 3389

Gateway LAN NIC –> Connection Broker Servers:

TCP / UDP: 3389
TCP: 5504
TCP: 5985

Gateway LAN NIC –> Domain Controllers:

TCP / UDP: 88
TCP: 135
UDP: 123
UDP 137
TCP: 139
TCP / UDP: 389
TCP: 3268
TCP / UDP: 53
TCP / UDP: 445
TCP: 5985
TCP Dynamic Ports (NTDS RPC service )

Connection Broker Servers –> Gateway LAN NIC

TCP 5985 (WS-Management and PowerShell Remoting)
TCP: 3389 (Remote Desktop)

Let me know if this helps.


4 thoughts on “RDS – RD Gateway Ports”

  1. Great post clear and concise – thank you! One question, I am about to do this for my WS12R2 RD WebAccess and Gateway Servers (both roles on the same box), just wanted to know if there any other ports specific to RD Web Access I need to open and lastly the “TCP Dynamic Ports (NTDS RPC service )” – do I set this on the DC and how can I set this? Please do let us know. Many thanks!


    1. Hi Naz,
      The RD Gateway server talks to the NT Directory Service (NTDS) RPC service on AD. The NTDS RPC service listens on an unused high end port. RD Gateway does not know the port number on which NTDS RPC service is listening. So RD Gateway talks to RPC Endpoint Mapper which listens on a constant port and gets the NTDS RPC service port number. Finally it makes a connection to the NTDS RPC service. Fortunately, the Admin can make the NTDS RPC service on AD listen on a constant port by using a registry key. To learn how to configure the registry values on AD for NTDS RPC service ports, see this article here: https://support.microsoft.com/en-us/help/224196/restricting-active-directory-rpc-traffic-to-a-specific-port


  2. Great post! Thanks. One additional note- if you are running RDWeb and RD Gateway on the same server(s) in the DMZ and you want to allow password resets for off-net users via RDWeb, you will also need to allow traffic on TCP/UDP port 464 to flow from your RDWeb servers in the DMZ to your AD DS servers in the LAN.


Leave a Reply to Naz Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: