Configuring the Windows Server 2008, 2012/R2, and 2016 Firewall to Open Ports for Parallels RAS

To use Parallels RAS on Windows Server 2008 R2 up to Windows Server 2016 with Windows Firewall enabled, a number of ports must be opened for the Parallels RAS components to communicate. 

List of TCP and UDP Ports Used by Parallels RAS 

The figure below shows the most common ports that the Parallels RAS components use to communicate when running on different machines:

Figure 1

Note: In Figure 1, the “>>” implies direction. If Server A is connecting to Server B, it will show “A >> B.” Therefore, you should open the following ports for the Parallels RAS components to work: 

Gateway 

TCP Ports 80 and 443 

UDP Port 20000 

Publishing Agent 

TCP Ports 20001, 20002 and 20003 

TS Agent 

TCP Port 30004 

UDP Port 30004 

VDS Agent 

TCP Port 30007 

UDP Port 30007 

For a detailed and complete list of all the ports that the Parallels RAS components use to communicate, please refer to the Port Reference section in the Parallels Remote Application Server Administrator’s Guide. 

Default Windows Server Firewall Configuration 

The Windows Firewall is enabled by default on all profiles on a Windows Server operating system. The default configuration has the following rules: 

Since the Windows Firewall configuration is already set to allow all outgoing connections, only ports for incoming connections must be opened. These must be configured in the “Inbound Rules,” as explained below. 

Configuring the Windows Firewall 

There are three ways to open ports in Windows Server 2008/2012 R2 and Windows Server 2016: the MMC, the command line (netsh), or PowerShell commands (2012 R2 and 2016 only).

Opening Ports on the Windows Firewall Using GUI 

To open a port in the firewall using the GUI in Windows Server 2008/2012 R2 and Windows Server 2016, follow the steps below:

  1. Log in using an administrator account. 
  2. Click Start > Administrative Tools > Windows Firewall with Advanced Security

Figure 2

  3. Click on Inbound Rules on the left of the MMC (Figure 3), and then on New Rule on the right of the MMC (Figure 4).

Figure 3 and Figure 4

The wizard to open a port and accept incoming connections has five steps: Rule Type, Protocol and Ports, Action, Profile, and Name. For this example, we will open TCP port 20002 on servers that are running the Parallels RAS Publishing Agents role:

  1. In the Rule Type section, select “Port” and click “Next”.
  2. In the Protocol and Ports section, select “TCP” as the type of protocol and type “20002” in the “Specific local ports” input field.
  3. In the Action section, select “Allow the Connection” and click “Next”.
  4. In the Profile section, select all three options and click “Next”. If you wish to limit the connection to a particular profile, select only the profiles you think are appropriate to your setup. For this example, we will open the port on all profiles.
  5. In the Name section, enter a “Name” for this rule. It is recommended to list the port number in the name so the rule is easily recognizable. For example, name the new rule “Pub_Agent_20002_IN”. Click Finish when ready.

Repeat the above procedure for each additional port and/or protocol you’d like to open on each server.

Opening Ports on the Windows Firewall Using Command Line (netsh)

To open a port on the Windows Firewall using the netsh command line, follow the procedure below:

  1. Log in to the server using an administrator account.
  2. Run the Command Prompt as Administrator.
  3. Execute the following command to open the TCP port 20002 on the servers running the Publishing Agents role:

Below is an explanation of the format of the netsh command:

Note: By default, netsh opens the specified port on all profiles. If you want to specify a specific profile, use the profile parameter:

profile=public|private|domain

To open additional ports, repeat the above procedure for each additional port and/or protocol you’d like to open on each server.

Opening Ports on the Windows Firewall Using PowerShell

To open a port in the Windows Firewall using PowerShell commands, follow the procedure below (applies only to Windows Server 2012 R2 and 2016):

  1. Log in using an administrator account.
  2. Run the Windows PowerShell as Administrator.
  3. Execute the following command to open the TCP port 20002 on the servers running the Publishing Agents role:

Below is an explanation of the format of the New-NetFirewallRule PowerShell command:

Note: By default, New-NetFirewallRule opens the specified port in all profiles. If you want to specify a specific profile, add the -Profile parameter to the command with one of the following options:

-Profile Public|Private|Domain

Repeat the above procedure for each additional port and/or protocol you’d like to open on each server.
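
The following is an added example, not a script from Parallels, that applies the PowerShell procedure above to every port this page lists for a given role instead of repeating it port by port. The function name, the rule-name pattern (which adds the protocol to the page's naming), the Domain-only profile default and the optional -RemoteAddress scoping are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example. Ports per role are the ones listed on this page.
$RasPorts = @{
    Gateway   = @{ TCP = 80, 443;             UDP = 20000 }
    Pub_Agent = @{ TCP = 20001, 20002, 20003 }
    TS_Agent  = @{ TCP = 30004;               UDP = 30004 }
    VDS_Agent = @{ TCP = 30007;               UDP = 30007 }
}

function Add-RasInboundRule {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Gateway', 'Pub_Agent', 'TS_Agent', 'VDS_Agent')]
        [string]$Role,

        # Assumption: default to the Domain profile rather than all three.
        [ValidateSet('Domain', 'Private', 'Public')]
        [string[]]$FwProfile = 'Domain',

        # Assumption: optionally limit which peers may connect (IP, subnet or range).
        [string[]]$RemoteAddress = 'Any'
    )
    foreach ($protocol in $RasPorts[$Role].Keys) {
        foreach ($port in $RasPorts[$Role][$protocol]) {
            # The protocol is part of the name because the TS and VDS Agents
            # use the same port number for both TCP and UDP.
            $name = '{0}_{1}_{2}_IN' -f $Role, $protocol, $port
            if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
                Write-Verbose "$name already exists, skipping"
                continue
            }
            if ($PSCmdlet.ShouldProcess($name, 'Create inbound allow rule')) {
                New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
                    -Protocol $protocol -LocalPort $port `
                    -Profile $FwProfile -RemoteAddress $RemoteAddress
            }
        }
    }
}

# Preview first, then apply. The subnet is a constructed placeholder.
Add-RasInboundRule -Role Pub_Agent -RemoteAddress '10.0.0.0/24' -WhatIf
Add-RasInboundRule -Role Pub_Agent -RemoteAddress '10.0.0.0/24' -Verbose
```

Running the function a second time creates nothing new, because existing rules are matched by display name and skipped.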

