Windows Server 2008 R2 onwards Firewall Configuration for Parallels RAS

To use Parallels RAS on Windows Server 2008 R2 up to Windows Server 2019 with Windows Firewall enabled, several ports must be opened for the Parallels RAS components to communicate.

List of TCP and UDP Ports Used by Parallels RAS

The figure below shows the most common ports used by the Parallels RAS component to communicate when running on different machines:

Parallels RAS Diagram

Figure 1

Note: In Figure 1, the “>>” implies direction. If Server A is connecting to Server B, it will show “A >> B.” Therefore, you should open the following ports for the Parallels RAS components to work:

Gateway 

TCP Ports 80 and 443

UDP Port 20000

Publishing Agent 

TCP Ports 20001, 20002 and 20003

TS Agent 

TCP Port 30004

UDP Port 30004

VDS Agent 

TCP Port 30007

UDP Port 30007

For a detailed and complete list of all the ports that the Parallels RAS components use to communicate, please refer to the Port Reference section in the Parallels Remote Application Server Administrator’s Guide.

Start your free Parallels RAS 30-day trial today!  

Default Windows Server Firewall Configuration

The Windows Firewall is enabled by default on all profiles on a Windows Server operating system. The default configuration has the following rules:

The Windows Firewall configuration is already set to allow all outgoing connections; therefore, only ports for incoming connections should be opened. These must be configured in the “Inbound Rules,” as explained below.

Windows Firewall Configuration

There are three different ways to open ports in Windows Server 2008/2012 R2/2016 and Windows Server 2019. You can do so by using either:

Opening Ports on the Windows Server Firewall Using GUI

To open a port in the firewall using the GUI in Windows Server 2008/2012 R2/2016 and Windows Server 2019, follow the steps below:

  1. Log in using an administrator account.
  2. Click Start > Administrative Tools > Windows Firewall with Advanced Security

Windows Firewall

Figure 2

  1. Click on Inbound Rules on the left of the MMC (Figure 3), and then on New Rule on the Right of the MMC (Figure 4).

Inbound Rules

Figure 3                                                                                Figure 4

There are five steps to open a port and accept incoming connections with the wizard:

For this example, we will open TCP port 20002 on servers that are running the Parallels RAS Publishing Agents role:

  1. Rule Type section – select “Port” and click “Next”. Windows Server
  2. Protocol and Ports section – select “TCP” as the type of protocol and type “20002″ in the “Specific local ports” input field: Windows Server
  3. Action section – select “Allow the Connection” and click “Next”. Windows Server 2008
  4. Profile section – select all three options and click  “Next”.  If you wish to limit the connection to a  particular profile,  select only the profiles that are appropriate to your setup. For this example, we will open the port on all profiles.

Windows Server

  1. Name  section – enter a “Name” for this rule. It is recommended to list the port number in the name, so the rule is easily recognizable. For example, the new rule could be named ”Pub_Agent_20002_IN”. Click ”Finish” when ready. Windows Server

Repeat the above procedure for each additional port and/or protocol you’d like to open in each server.

Opening Ports on the Windows Server Firewall Using Command Line (netsh)

To open a port on the Windows Firewall using the netsh command line, follow the procedure below:

  1. Login to the server using an administrator account.
  2. Run the Command Prompt as Administrator.
  3. Execute the following command to open the TCP port 20002 on the servers running the Publishing Agents role:

Command line Below is an explanation of the format of the netsh command: Command line Note: By default, netsh opens the specified port on all profiles. If you want to specify a specific profile, use the profile parameter: profile=public|private|domain

To open additional ports, repeat the above procedure for each additional port and/or protocol you’d like to open in each server.

Opening Ports on the Windows Firewall Using PowerShell

To open a port in the Windows Firewall using PowerShell commands, follow the procedure below (only applies to 2012 R2 and 2016 Windows Server OS):

  1. Log in using an administrator account.
  2. Run the Windows PowerShell as Administrator.
  3. Execute the following command to open the TCP port 20002 on the servers running the Publishing Agents role:

Windows Server

Below is an explanation of the format of the New-NetFirewallRule PowerShell command:

Windows Server

Note: Default New-NetFirewallRule opens the specified port in all profiles. To specify a specific profile, add the –Profile parameter to the command with one of the following options:

-Profile=public|private|domain

Repeat the above procedure for each additional port and/or protocol you’d like to open in each server.

How to check if the Port is Open

To check if a port is open or not, you need to activate Telnet, which by default is not installed in Windows Server 2008, Windows Server 2012, Windows Server 2016, and Windows Server 2019. The easiest way to install the Telnet client is via the command line as follows:

1. Launch the command prompt as an Administrator

2. Execute the command below:

dism /Online /Enable-feature /FeatureName:TelnetClient

install telnet

You can also activate Telnet via GUI if you follow the steps outlined in this link.

3. Next, check if a port is open by typing the command using the format below:

telnet [IP address] [port]

In the above command specification, the IP address is the IP address of the server hosting Parallels RAS. At the same time, the port is the port number, which in this case can be 20002. You can check the IP address of the local server by issuing the command below:

ipconfig

For example, if you execute the above command and find that your IP address is 173.20.39.40, you can check if a port 20002 is open or not by issuing the command below:

telnet 173.20.39.40 20002

windows firewall test port

When you see a blank screen, it indicates port 20002 is open on the server—meaning the test is successful. However, when you see receive a “connecting …” or an error message, it indicates port 20002 is not open on the server.

Start your free Parallels RAS 30-day trial today!  


References

Windows Server 2012 Firewall | https://support.rackspace.com/how-to/managing-the-windows-server-2012-firewall/

Windows Server 2008 R2, 2012 Firewall | https://technet.microsoft.com/en-us/library/cc753558(v=ws.11).aspx

Opening ports in the Windows Server firewall | https://technet.microsoft.com/en-us/library/ms345310(v=sql.100).aspx

Fasthosts Windows Server Firewall | https://help.fasthosts.co.uk/app/answers/detail/a_id/2032/~/setup-a-windows-server-firewall

Rackspace | https://support.rackspace.com/how-to/managing-the-windows-server-2012-firewall/