Windows Server 2008 R2 onwards Firewall Configuration for Parallels RAS
To use Parallels RAS on Windows Server 2008 R2 up to Windows Server 2019 with Windows Firewall enabled, several ports must be opened for the Parallels RAS components to communicate.
List of TCP and UDP Ports Used by Parallels RAS
The figure below shows the most common ports used by the Parallels RAS components to communicate when running on different machines:
Figure 1
Note: In Figure 1, the “>>” implies direction. If Server A is connecting to Server B, it will show “A >> B.” Therefore, you should open the following ports for the Parallels RAS components to work:
Gateway
TCP Ports 80 and 443
UDP Port 20000
Publishing Agent
TCP Ports 20001, 20002 and 20003
TS Agent
TCP Port 30004
UDP Port 30004
VDS Agent
TCP Port 30007
UDP Port 30007
For a detailed and complete list of all the ports that the Parallels RAS components use to communicate, please refer to the Port Reference section in the Parallels Remote Application Server Administrator’s Guide.
Default Windows Server Firewall Configuration
The Windows Firewall is enabled by default on all profiles on a Windows Server operating system. The default configuration has the following rules:
- Inbound connections that do not match a rule are blocked.
- Outbound connections that do not match a rule are allowed.
The Windows Firewall configuration is already set to allow all outgoing connections; therefore, only ports for incoming connections should be opened. These must be configured in the “Inbound Rules,” as explained below.
Windows Firewall Configuration
There are three different ways to open ports in Windows Server 2008/2012 R2/2016 and Windows Server 2019. You can do so by using either:
- MMC
- The command line (netsh)
- PowerShell commands (only for 2012 R2 and 2016)
Opening Ports on the Windows Server Firewall Using GUI
To open a port in the firewall using the GUI in Windows Server 2008/2012 R2/2016 and Windows Server 2019, follow the steps below:
- Log in using an administrator account.
- Click Start > Administrative Tools > Windows Firewall with Advanced Security
Figure 2
- Click Inbound Rules on the left of the MMC (Figure 3), and then New Rule on the right of the MMC (Figure 4).
Figure 3 Figure 4
There are five steps to open a port and accept incoming connections with the wizard:
- Rule Type
- Protocol and Ports
- Action
- Profile
- Name
For this example, we will open TCP port 20002 on servers that are running the Parallels RAS Publishing Agents role:
- Rule Type section – select “Port” and click “Next”.
- Protocol and Ports section – select “TCP” as the type of protocol and type “20002” in the “Specific local ports” input field:
- Action section – select “Allow the Connection” and click “Next”.
- Profile section – select all three options and click “Next”. If you wish to limit the connection to a particular profile, select only the profiles that are appropriate to your setup. For this example, we will open the port on all profiles.
- Name section – enter a “Name” for this rule. It is recommended to list the port number in the name, so the rule is easily recognizable. For example, the new rule could be named “Pub_Agent_20002_IN”. Click “Finish” when ready.
Repeat the above procedure for each additional port and/or protocol you’d like to open in each server.
Opening Ports on the Windows Server Firewall Using Command Line (netsh)
To open a port on the Windows Firewall using the netsh command line, follow the procedure below:
- Log in to the server using an administrator account.
- Run the Command Prompt as Administrator.
- Execute the following command to open the TCP port 20002 on the servers running the Publishing Agents role:
Below is an explanation of the format of the netsh command:
Note: By default, netsh opens the specified port on all profiles. If you want to specify a specific profile, use the profile parameter: profile=public|private|domain
To open additional ports, repeat the above procedure for each additional port and/or protocol you’d like to open in each server.
Opening Ports on the Windows Firewall Using PowerShell
To open a port in the Windows Firewall using PowerShell commands, follow the procedure below (only applies to 2012 R2 and 2016 Windows Server OS):
- Log in using an administrator account.
- Run the Windows PowerShell as Administrator.
- Execute the following command to open the TCP port 20002 on the servers running the Publishing Agents role:
Below is an explanation of the format of the New-NetFirewallRule PowerShell command:
Note: By default, New-NetFirewallRule opens the specified port on all profiles. To specify a specific profile, add the -Profile parameter to the command with one of the following options:
-Profile Public|Private|Domain
Repeat the above procedure for each additional port and/or protocol you’d like to open in each server.
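The netsh and PowerShell procedures above, combined into one script that opens every port this article lists for a given role. This is an added example, not Parallels' own code: the rule-name pattern, the `-Role` and `-Profiles` parameters, and the choice to limit rules to the Domain and Private profiles are assumptions made here.

```powershell
# Added example: inbound rules for the Parallels RAS ports listed in this article.
param(
    [ValidateSet('Gateway', 'PublishingAgent', 'TSAgent', 'VDSAgent')]
    [string]$Role = 'PublishingAgent',
    # Assumption: limit rules to Domain/Private rather than the all-profiles default.
    [string[]]$Profiles = @('Domain', 'Private')
)

# Ports per role, copied from the list at the top of the article.
$RasPorts = @{
    Gateway         = @{ TCP = 80, 443; UDP = 20000 }
    PublishingAgent = @{ TCP = 20001, 20002, 20003 }
    TSAgent         = @{ TCP = 30004; UDP = 30004 }
    VDSAgent        = @{ TCP = 30007; UDP = 30007 }
}

function Add-RasInboundRule {
    param([string]$Role, [string]$Protocol, [int]$Port, [string[]]$Profiles)

    # Hypothetical naming scheme; keeps the port number in the name as the article recommends.
    $name = "RAS_${Role}_${Protocol}_${Port}_IN"

    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        # NetSecurity cmdlets are available: create the rule only if it does not exist yet.
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
                -Protocol $Protocol -LocalPort $Port -Profile $Profiles | Out-Null
        }
    } else {
        # No NetSecurity cmdlets (e.g. Windows Server 2008 R2): fall back to netsh.
        netsh advfirewall firewall show rule name="$name" | Out-Null
        if ($LASTEXITCODE -ne 0) {
            netsh advfirewall firewall add rule name="$name" dir=in action=allow `
                protocol=$Protocol localport=$Port profile=$($Profiles -join ',')
        }
    }
    Write-Output "Inbound rule present: $name"
}

foreach ($proto in $RasPorts[$Role].Keys) {
    foreach ($port in $RasPorts[$Role][$proto]) {
        Add-RasInboundRule -Role $Role -Protocol $proto -Port $port -Profiles $Profiles
    }
}
```

Run it from an elevated PowerShell session on each server, passing the role that server hosts; rerunning it does not create duplicate rules.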
How to check if the Port is Open
To check if a port is open or not, you need to activate Telnet, which by default is not installed in Windows Server 2008, Windows Server 2012, Windows Server 2016, and Windows Server 2019. The easiest way to install the Telnet client is via the command line as follows:
1. Launch the command prompt as an Administrator
2. Execute the command below:
dism /Online /Enable-feature /FeatureName:TelnetClient
You can also activate Telnet via GUI if you follow the steps outlined in this link.
3. Next, check if a port is open by typing the command using the format below:
telnet [IP address] [port]
In the above command, the IP address is that of the server hosting Parallels RAS, and the port is the port number, which in this case can be 20002. You can check the IP address of the local server by issuing the command below:
ipconfig
For example, if you execute the above command and find that your IP address is 173.20.39.40, you can check whether port 20002 is open by issuing the command below:
telnet 173.20.39.40 20002
When you see a blank screen, it indicates port 20002 is open on the server, meaning the test is successful. However, when you receive a “connecting …” or an error message, it indicates port 20002 is not open on the server.
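The same check without installing the Telnet client, as an added example that is not part of the original article. It separates a timeout (typically the firewall silently dropping the connection) from a refusal (the port is reachable but nothing is listening); the function name, the 3-second timeout and the state labels are assumptions made here. Like telnet, it tests TCP only, so the UDP ports (20000, 30004, 30007) are not covered.

```powershell
# Added example: TCP reachability check for the Parallels RAS ports in this article.
function Test-RasTcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No answer within the timeout: usually a firewall dropping the packets.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'Timeout (likely blocked)'
        }
        # EndConnect throws if the host actively refused the connection.
        $client.EndConnect($async)
        return 'Open'
    } catch {
        # Reachable, but no service is listening on this port.
        return 'Refused (no listener)'
    } finally {
        $client.Close()
    }
}

$server   = '173.20.39.40'            # example address used in this article
$tcpPorts = 20001, 20002, 20003       # Publishing Agent TCP ports from the list above

foreach ($port in $tcpPorts) {
    New-Object PSObject -Property @{
        Server = $server
        Port   = $port
        State  = Test-RasTcpPort -ComputerName $server -Port $port
    }
}
```

A “Refused” result on a port you just opened points at the RAS service not running rather than at the firewall rule.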