Windows Server 2008, 2012/R2, 2016 Firewall Configuration for Parallels RAS

To use Parallels RAS on Windows Server 2008 R2 up to Windows Server 2016 with Windows Firewall enabled, a number of ports must be opened for the Parallels RAS components to communicate.

List of TCP and UDP Ports Used by Parallels RAS

The figure below shows the most common ports used by the Parallels RAS components to communicate when running on different machines:

Figure 1: Parallels RAS diagram

Note: In Figure 1, the “>>” implies direction. If Server A is connecting to Server B, it will show “A >> B.” Therefore, you should open the following ports for the Parallels RAS components to work:

Gateway 

TCP Ports 80 and 443

UDP Port 20000

Publishing Agent 

TCP Ports 20001, 20002 and 20003

TS Agent 

TCP Port 30004

UDP Port 30004

VDS Agent 

TCP Port 30007

UDP Port 30007

For a detailed and complete list of all the ports that the Parallels RAS components use to communicate, please refer to the Port Reference section in the Parallels Remote Application Server Administrator’s Guide.


Default Windows Server Firewall Configuration

The Windows Firewall is enabled by default on all profiles on a Windows Server operating system. The default configuration has the following rules:

The Windows Firewall configuration already allows all outgoing connections, so only ports for incoming connections need to be opened. These must be configured in the “Inbound Rules,” as explained below.

Windows Firewall Configuration

There are three different ways to open ports in Windows Server 2008/2012 R2 and Windows Server 2016: the GUI, the command line (netsh), or PowerShell.

Opening Ports on the Windows Firewall Using GUI

To open a port in the firewall using the GUI in Windows Server 2008/2012 R2 and Windows Server 2016, follow the steps below:

  1. Log in using an administrator account.
  2. Click Start > Administrative Tools > Windows Firewall with Advanced Security

Figure 2: Windows Firewall

  3. Click Inbound Rules on the left of the MMC (Figure 3), and then New Rule on the right of the MMC (Figure 4).

Figures 3 and 4: Inbound Rules

There are five steps to open a port and accept incoming connections with the wizard:

For this example, we will open TCP port 20002 on servers that are running the Parallels RAS Publishing Agents role:

  1. Rule Type section – select “Port” and click “Next”.
  2. Protocol and Ports section – select “TCP” as the type of protocol and type “20002” in the “Specific local ports” input field.
  3. Action section – select “Allow the Connection” and click “Next”.
  4. Profile section – select all three options and click “Next”. If you wish to limit the connection to a particular profile, select only the profiles that are appropriate to your setup. For this example, we will open the port on all profiles.
  5. Name section – enter a “Name” for this rule. It is recommended to list the port number in the name so the rule is easily recognizable. For example, the new rule could be named “Pub_Agent_20002_IN”. Click “Finish” when ready.

Repeat the above procedure for each additional port and/or protocol you’d like to open on each server.

Opening Ports on the Windows Firewall Using Command Line (netsh)

To open a port on the Windows Firewall using the netsh command line, follow the procedure below:

  1. Log in to the server using an administrator account.
  2. Run the Command Prompt as Administrator.
  3. Execute the following command to open the TCP port 20002 on the servers running the Publishing Agents role:

Below is an explanation of the format of the netsh command:

Note: By default, netsh opens the specified port on all profiles. To limit the rule to a particular profile, use the profile parameter: profile=public|private|domain

To open additional ports, repeat the above procedure for each port and/or protocol you’d like to open on each server.
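
The command described above, as an added example rather than the page's original: it opens TCP port 20002 with netsh from an elevated PowerShell prompt (the netsh arguments are identical in Command Prompt). Restricting the rule to the domain and private profiles and the duplicate check are assumptions of this example.

```powershell
# Added example: run from an elevated PowerShell prompt.
$ruleName = 'Pub_Agent_20002_IN'   # naming convention suggested in the GUI section
$port     = 20002                  # Publishing Agent TCP port from the list above
$profiles = 'domain,private'       # assumption: this server is not on a public network

# netsh does not enforce unique rule names: running "add rule" twice creates
# two identical rules. "show rule" exits non-zero when nothing matches, so
# check for an existing rule first.
netsh advfirewall firewall show rule name=$ruleName | Out-Null
if ($LASTEXITCODE -eq 0) {
    Write-Host "Rule '$ruleName' already exists, not adding a duplicate."
} else {
    # name         label shown in Windows Firewall with Advanced Security
    # dir=in       inbound rule (outbound traffic is already allowed by default)
    # action=allow accept matching connections
    # protocol     TCP or UDP
    # localport    port the RAS component listens on
    # profile      omit this argument to apply the rule to all profiles
    netsh advfirewall firewall add rule name=$ruleName dir=in action=allow `
        protocol=TCP localport=$port profile=$profiles
}

# Confirm what was created.
netsh advfirewall firewall show rule name=$ruleName
```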

Opening Ports on the Windows Firewall Using PowerShell

To open a port in the Windows Firewall using PowerShell commands, follow the procedure below (applies only to Windows Server 2012 R2 and 2016):

  1. Log in using an administrator account.
  2. Run Windows PowerShell as Administrator.
  3. Execute the following command to open the TCP port 20002 on the servers running the Publishing Agents role:


Below is an explanation of the format of the New-NetFirewallRule PowerShell command:


Note: By default, New-NetFirewallRule opens the specified port on all profiles. To limit the rule to a particular profile, add the -Profile parameter to the command with one of the following options:

-Profile Public|Private|Domain

Repeat the above procedure for each additional port and/or protocol you’d like to open on each server.
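
An added example, not Parallels' own script, that applies this procedure to every port listed at the top of the page for one role and then lists the resulting rules. The role keys, rule names, group name and the choice of the Domain and Private profiles are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example for Windows Server 2012 R2 / 2016 (NetSecurity module).
# Port numbers are the ones listed on this page; role keys are this example's.
$rasPorts = @{
    Gateway  = @{ TCP = 80, 443;             UDP = 20000 }
    PubAgent = @{ TCP = 20001, 20002, 20003 }
    TSAgent  = @{ TCP = 30004;               UDP = 30004 }
    VDSAgent = @{ TCP = 30007;               UDP = 30007 }
}
$role     = 'PubAgent'                 # assumption: role installed on this server
$profiles = 'Domain', 'Private'        # assumption: no need to listen on Public
$group    = 'Parallels RAS (example)'  # hypothetical group name, used for review

foreach ($proto in $rasPorts[$role].Keys) {
    foreach ($port in $rasPorts[$role][$proto]) {
        $name = "${role}_${port}_${proto}_IN"
        # New-NetFirewallRule does not enforce unique display names, so skip
        # ports that already have a rule from a previous run.
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            continue
        }
        New-NetFirewallRule -DisplayName $name -Group $group -Direction Inbound `
            -Action Allow -Protocol $proto -LocalPort $port `
            -Profile $profiles | Out-Null
    }
}

# Review every rule in the group: name, protocol, port, profiles, state.
Get-NetFirewallRule -Group $group | ForEach-Object {
    $filter = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule     = $_.DisplayName
        Protocol = $filter.Protocol
        Port     = $filter.LocalPort
        Profile  = $_.Profile
        Enabled  = $_.Enabled
    }
} | Format-Table -AutoSize
```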

