This is a great response from the RDV team regarding the communication ports that RD Gateway uses:

http://social.technet.microsoft.com/Forums/windowsserver/en-US/a241a5be-e39d-4dfc-a513-e4f83c4dc906/rd-gateway-ports-and-certificates?forum=winserverTS

According to your description, I understand that you want to know the required ports opening in your firewall when you publish a RD Web Access and RD Gateway in the DMZ network.

When there is no AD DS in the perimeter network, ideally the servers in the perimeter network should be in a workgroup, but the RD Gateway server has to be domain-joined because it has to authenticate and authorize corporate domain users and resources.

In this deployment, RD Gateway needs the ports to be opened on the internal firewall for the following purposes:

  • To authenticate users
  • To authorize users
  • To resolve the DNS names of internal resources
  • To forward RDP packets from the client
  • To get the Certificate Revocation List
  • To send RADIUS requests (in a central NPS server scenario)

For your convenience, I have included the Firewall rule configurations required when RD Gateway is in the perimeter network:

1. Firewall rules for the path between the external network and the perimeter network (Ports that need to be opened on the external firewall):

  • Port TCP: 443 should be opened for allowing HTTPS traffic from the client sitting on the Internet to the RD Gateway server in the perimeter network.

2. Firewall rules for the path between the perimeter network and the internal network (Ports that need to be opened on the internal firewall):

The internal firewall should allow all communication from the RD Gateway server to internal network resources. Here are the ports that need to be opened on the internal firewall when the corresponding traffic (DNS, RADIUS, RD Gateway Authentication, etc.) destination point is in the internal network.

RD Gateway authentication traffic:

Firewall rules between the perimeter network (RD Gateway) and the internal network (Domain Controller) to authenticate the user:

  • Server Protocol = Kerberos
  • Port = TCP: 88

The RD Gateway server talks to the NT Directory Service (NTDS) RPC service on AD. The NTDS RPC service listens on an unused high-end port. RD Gateway does not know the port number on which the NTDS RPC service is listening, so RD Gateway talks to the RPC Endpoint Mapper, which listens on a constant port, and gets the NTDS RPC service port number. Finally it makes a connection to the NTDS RPC service. Fortunately, the Admin can make the NTDS RPC service on AD listen on a constant port by using a registry key. To learn how to configure the registry values on AD for NTDS RPC service ports, see this article.

  • Server Protocol = RPC Endpoint Mapper
  • Port = TCP: 135, TCP: <Port on which NTDS RPC service listens on AD>

Note: In Windows Server 2008 R2, RD Gateway can be configured to use non-native authentication methods through a custom authentication plug-in. If RD Gateway is configured with a custom authentication plug-in, contact the vendor of the authentication plug-in to find out which firewall rules are required for RD Gateway authentication.

RD Gateway authorization traffic:

Firewall rules between the perimeter network (RD Gateway) and the internal network (domain controller) to authorize the user:

  • Server Protocol = LDAP
  • For LDAP: Port = TCP: 389, UDP: 389

Note: In Windows Server 2008 R2, RD Gateway can be configured to use non-native authorization methods through a custom authorization plug-in. If RD Gateway is configured with a custom authorization plug-in, contact the vendor of the authorization plug-in to find out which firewall rules are required for the RD Gateway authorization.

DNS traffic:

Firewall rules between the perimeter network and the internal network to resolve the internal network resources:

  • Server Protocol = DNS
  • Port = TCP: 53, UDP: 53

RDP traffic:

Firewall rules between the perimeter network and the internal network to forward RDP packets from client:

  • Server Protocol = RDP
  • Port = TCP: 3389

Certificate Revocation List traffic:

Firewall rules between the perimeter network and the internal network to contact CRL distribution point to get the certificate revocation list:

  • Server Protocol = LDAP or HTTP or FTP
  • For LDAP: port = TCP: 389, UDP: 389. For HTTP: port = 80. For FTP: Port = 21

Note: The Certificate Revocation List is needed either to validate the client certificate during smart card authentication or when the certificate deployed on RD Gateway is an enterprise/standalone CA certificate. To know which protocol is needed to contact the CRL distribution point for a certificate, open the certificate and go to the Details tab and look at the CRL Distribution Points field.

RADIUS traffic:

If RD Gateway is configured to use a central server running NPS and if the NPS server is not in the perimeter network, then the following additional firewall rules are needed between the perimeter network (RD Gateway) and the internal network (NPS Server).

  • Server Protocol: RADIUS
  • Port = UDP: 1812
  • Server Protocol: RADIUS Accounting
  • Port = UDP: 1813

3. RD Web Access and RD Gateway on the same server:

If RD Web Access and RD Gateway are on the same server in the perimeter network or when RD Web Access is in the perimeter network, the following additional firewall rules need to be configured between the perimeter network (RD Web Access) and the internal network (RemoteApp Server).

RD Web Access points to single RD Server or Single RD Server farm:

This scenario is possible in Windows Server 2008 or higher versions. The WMI service on RD Server listens on an available high end port. The port on which WMI service listens can be fixed by executing the commands specified in this MSDN article. This fixed WMI port needs to be opened on the firewall.

  • Server Protocol: WMI
  • Port = TCP: <WMI Fixed Port>

RD Web Access points to multiple RD Servers/farms:

This scenario is possible in Windows Server 2008 R2. The WMI service on RD Web Access Server listens on an available high end port. The port on which WMI service listens can be fixed by executing the commands specified in this MSDN article. This fixed WMI port needs to be opened on the firewall.

  • Server Protocol: WMI
  • Port = TCP: <WMI Fixed Port>

RD Web Access points to a centralized publishing server (Connection Broker):

This scenario is possible in Windows Server 2008 R2.

  • Server Protocol = RPC
  • Port = TCP: 5504

Hope it helps.

Wilson Jia
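The quoted answer lists the internal-firewall paths an RD Gateway in the perimeter network depends on (Kerberos 88, RPC Endpoint Mapper 135 plus the NTDS RPC port, LDAP 389, DNS 53, RDP 3389, CRL over HTTP 80, RADIUS 1812/1813). The script below is an added example, not part of the TechNet answer or of any Microsoft tooling: run from the RD Gateway host, it probes each TCP path with `Test-NetConnection` and reports which ones the internal firewall actually passes, so a gap can be found before users report failed logons. All host names are placeholders you replace with your own; `$NtdsFixedPort` is only set if the NTDS RPC port has been pinned on the domain controller, and the UDP ports the answer mentions are listed but not probed, because `Test-NetConnection -Port` performs a TCP handshake only.

```powershell
# Added example: verify from the RD Gateway host that the internal-firewall
# TCP paths listed in the quoted answer are reachable. Not part of the original
# answer. Host names are placeholders (assumption); adjust to your environment.
param(
    [string]$DomainController = 'dc01.corp.example',    # placeholder
    [string]$DnsServer        = 'dc01.corp.example',    # placeholder
    [string]$RdSessionHost    = 'rdsh01.corp.example',  # placeholder
    [string]$NpsServer        = 'nps01.corp.example',   # placeholder (RADIUS is UDP; not probed)
    [string]$CrlHost          = 'crl.corp.example',     # placeholder; see the certificate's CRL Distribution Points field
    [int]   $NtdsFixedPort    = 0                       # set only if the NTDS RPC port was pinned on the DC
)

# Purpose -> target -> TCP port, taken from the ports the answer lists.
$checks = @(
    @{ Purpose = 'Kerberos authentication (DC)'; Target = $DomainController; Port = 88   }
    @{ Purpose = 'RPC Endpoint Mapper (DC)';     Target = $DomainController; Port = 135  }
    @{ Purpose = 'LDAP authorization (DC)';      Target = $DomainController; Port = 389  }
    @{ Purpose = 'DNS over TCP';                 Target = $DnsServer;        Port = 53   }
    @{ Purpose = 'RDP to session host';          Target = $RdSessionHost;    Port = 3389 }
    @{ Purpose = 'CRL over HTTP';                Target = $CrlHost;          Port = 80   }
)
if ($NtdsFixedPort -gt 0) {
    # Without a pinned port the NTDS RPC service uses a dynamic high port that
    # the gateway learns from the Endpoint Mapper, so only a fixed port is checkable here.
    $checks += @{ Purpose = 'NTDS RPC (fixed port, DC)'; Target = $DomainController; Port = $NtdsFixedPort }
}

# Probe each path with a TCP handshake; TcpTestSucceeded is $true when the
# firewall passed the SYN and the service answered.
$results = foreach ($c in $checks) {
    $probe = Test-NetConnection -ComputerName $c.Target -Port $c.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Purpose = $c.Purpose
        Target  = $c.Target
        Port    = $c.Port
        Open    = [bool]$probe.TcpTestSucceeded
    }
}

$results | Format-Table -AutoSize

# Anything closed is a firewall rule missing on the internal firewall (or a
# service that is down); list them separately so the gap is obvious.
$closed = $results | Where-Object { -not $_.Open }
if ($closed) {
    Write-Warning ("Blocked or unanswered paths: " + (($closed | ForEach-Object { "$($_.Target):$($_.Port) ($($_.Purpose))" }) -join ', '))
} else {
    Write-Host 'All listed TCP paths from the gateway to the internal network are open.'
}

# UDP paths from the answer cannot be verified with a TCP handshake; check them
# on the firewall itself or with a packet capture on both sides.
Write-Host "Not probed (UDP): DNS 53, LDAP 389, RADIUS 1812 and 1813 to $NpsServer"

# To confirm whether the NTDS RPC port has been pinned, read on the domain
# controller (not the gateway) the DWORD value Microsoft documents for this
# purpose; absence of the value means the dynamic-port behaviour described above applies:
#   Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -Name 'TCP/IP Port'
```

Run it as `.\Test-RdGatewayPaths.ps1 -DomainController dc01.corp.example -NtdsFixedPort 50000` (the port number is an illustration) from an elevated session on the gateway. A path reported closed on 135 but open on 88 is the usual sign that the Endpoint Mapper rule was forgotten, and a closed NTDS fixed port means the registry change and the firewall rule were not made together.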