
Network Ports Related to Hyper-V

I firmly believe that Hyper-V is best implemented using Hyper-V Server and remote management techniques. Set it up once and never connect to its console again. With a bit of creativity, you can even deploy vendor-supplied firmware updates without accessing a local session. My approach does not enjoy community consensus; in fact, I'm unaware of any general agreement on the matter at all. One thing I do know for certain is that humans follow the path of least resistance. If option A is more difficult than option B, almost everyone will follow option B. Even people who take the hard road a few times at first will eventually fall back to the easy route, especially in times of distress.

With all of that said, I also firmly believe that digital security needs to be taken seriously. You may be in a low-security environment that doesn't handle any sensitive information, but there is still a basic level of expected due diligence. Attackers are sometimes out to steal storage space and network bandwidth, not information. You have a responsibility to at least attempt to prevent that from happening. Even if you don't feel like you owe your current employer anything, for whatever reason, you might want to work somewhere else someday. No prospective employer will be impressed if you have developed poor security habits. Good security practice involves firewalls. Yes, they're annoying when they inhibit legitimate traffic, but they are a simple and effective way to stop the most common assaults.

This article has two purposes. The first is to succinctly lay out the TCP/IP network port information for Hyper-V management and activities, so that you can configure firewalls as necessary. The second is to help you through some configuration dos and don'ts. This article might have information that helps you connect to a workgroup-joined Hyper-V host, but it was not written with that usage in mind. I have not heard any compelling reason for that configuration to exist; therefore, I will not waste any further energy enabling it.

Inbound Hyper-V-Related TCP/IP Ports


The rules table below is used on 2012 R2 and should also apply to 2012. Every firewall configuration is a bit different. The following diagram gives a generalized idea of where you'll be working:


(Diagram: Location of Firewall Rules)


Hyper-V Host Inbound Rules

| Port | Target | Source | Purpose |
|---|---|---|---|
| All dynamic ports (49152-65535) | Management IP, CNO | Management servers and stations, RDS broker | Server Manager and other tools that use Remote Procedure Call |
| 3389 (TCP & UDP) | Management IP | Management stations | Console access |
| 5985 | Management IP | Management servers and stations, RDS broker | WSMan and WMI, notably used by PowerShell Remoting |
| 5986 | Management IP | Management servers and stations, SCVMM | Secure WSMan and WMI |
| 6600 | Live Migration IPs | Other Hyper-V hosts that can Live Migrate to this host | Live Migration when using standard TCP or compressed TCP modes |
| 80 | Management IP | Other Hyper-V hosts that can replicate to this host | Hyper-V Replica (only if using insecure traffic) |
| 135 | Management IP | Management servers and stations, RDS broker | RPC Endpoint Mapper (sometimes for WMI as well) |
| 443 | Management IP | Other Hyper-V hosts that can replicate to this host; VMM servers | Hyper-V Replica (only if using secure traffic) and System Center VMM |
| 445 | Management IP and cluster IPs; Live Migration IPs if using SMB mode | Management servers and stations that would copy files to this host; members of the same cluster; Live Migration sources if using SMB mode; RDS broker | Inbound file copy; cluster communications; Cluster Shared Volumes redirected access; Live Migration if using SMB mode |
| 2179 | Management IP, CNO | Management servers and stations, RDS broker | Communication to Virtual Machine Management Service |

The above table should be mostly self-explanatory. There are a handful of notes:

You probably don't need to open all dynamic ports. I've only seen the first five or six ever actually being used. The problem is, if Microsoft has documented the true range of used ports anywhere, I have never found it. I only stumbled on the necessity to open the ports at all via netstat and Wireshark traces from failing connections. PSS didn't even know about them.

For the best outcomes, do not use any firewalls at all on cluster-only networks. The above will work, but (unscientifically), the Wireshark traces I've seen on cluster networks suggest that it uses other undocumented methods for communications that are likely more efficient. This would not apply to cluster-and-client networks such as the management network. Keep all of your cluster-only networks in the same layer-2 network with no routers, preferably in a VLAN or otherwise isolated network.

CNO is cluster name object. Server Manager in particular wants to be able to talk to it. In reality, it maps directly to the management IP of the host that currently maintains the cluster core resources, and as long as Server Manager can reach that, everything will be fine even if Server Manager is displeased. If you can ignore Server Manager's complaints, so can I.

RDS is Remote Desktop Services. I hope the clarification isn't necessary, but this is for virtual machine RDS and not session-based RDS.

Very few things have any need to use 5986 because WSMan traffic is always encrypted. Your host will only be listening on 5986 if you enable secure WSMan with a specially configured WinRM listener.
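As an added example (not code from the original article), the following PowerShell turns the inbound table into Windows Firewall rules on a Hyper-V host, each scoped to the source addresses the table names rather than left open to everyone. Every address, rule name and the group name are placeholders you would replace with your own.

```powershell
# Added example (not from the original article): inbound Windows Firewall rules for a
# Hyper-V host built from the inbound table above. All addresses and names are placeholders.
$MgmtStations = @('192.0.2.0/24')      # management servers and stations
$RdsBroker    = '192.0.2.50'           # RDS broker
$ClusterNodes = @('198.51.100.0/24')   # other members of the same cluster
$ReplicaPeers = @('203.0.113.10')      # Hyper-V hosts that replicate to this host
$LiveMigIP    = '198.51.100.21'        # this host's Live Migration IP
$LiveMigNet   = '198.51.100.0/24'      # the Live Migration network

# One entry per table row; the dynamic RPC range is opened only to management sources.
$Rules = @(
    @{ Name = 'HV In RPC Endpoint Mapper'; Proto = 'TCP'; Port = 135;           Remote = $MgmtStations + $RdsBroker }
    @{ Name = 'HV In RPC Dynamic';         Proto = 'TCP'; Port = '49152-65535'; Remote = $MgmtStations + $RdsBroker }
    @{ Name = 'HV In RDP TCP';             Proto = 'TCP'; Port = 3389;          Remote = $MgmtStations }
    @{ Name = 'HV In RDP UDP';             Proto = 'UDP'; Port = 3389;          Remote = $MgmtStations }
    @{ Name = 'HV In WSMan';               Proto = 'TCP'; Port = 5985;          Remote = $MgmtStations + $RdsBroker }
    @{ Name = 'HV In VMMS';                Proto = 'TCP'; Port = 2179;          Remote = $MgmtStations + $RdsBroker }
    @{ Name = 'HV In SMB';                 Proto = 'TCP'; Port = 445;           Remote = $MgmtStations + $ClusterNodes + $RdsBroker }
    @{ Name = 'HV In Replica HTTP';        Proto = 'TCP'; Port = 80;            Remote = $ReplicaPeers }
    @{ Name = 'HV In Replica HTTPS';       Proto = 'TCP'; Port = 443;           Remote = $ReplicaPeers }
    @{ Name = 'HV In Live Migration';      Proto = 'TCP'; Port = 6600;          Remote = $LiveMigNet; Local = $LiveMigIP }
)

foreach ($r in $Rules) {
    $p = @{
        DisplayName   = $r.Name
        Group         = 'Hyper-V host (custom)'   # lets you list or remove the whole set as a unit
        Direction     = 'Inbound'
        Protocol      = $r.Proto
        LocalPort     = $r.Port
        RemoteAddress = $r.Remote
        Action        = 'Allow'
        Profile       = 'Domain'
    }
    if ($r.Local) { $p.LocalAddress = $r.Local }   # bind the Live Migration rule to that network's IP
    New-NetFirewallRule @p | Out-Null
}

# Review what was created, and confirm no HTTPS (5986) listener exists unless you built one.
Get-NetFirewallRule -Group 'Hyper-V host (custom)' | Format-Table DisplayName, Enabled, Action -AutoSize
winrm enumerate winrm/config/listener
```

Port 5986 is deliberately left out, matching the note above; add a row for it only after you have created the HTTPS WinRM listener.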

Outbound Hyper-V-Related TCP/IP Ports


Most institutions won't block traffic outbound. However, you might need to use this table to configure the inbound firewalls on other hosts. It's also helpful if you have interim hardware firewalls. The rules are presented from the perspective of the following diagram:


(Diagram: Hyper-V-Related Outbound Firewall Rules)


Hyper-V Host Outbound Rules

| Port | Target | Source | Purpose |
|---|---|---|---|
| All dynamic ports (49152-65535) | Management IP of other Hyper-V hosts; RDS broker | Management IP | Server Manager and other tools that use Remote Procedure Call, if you will manage one host from another; RDS broker if using RDS |
| 80 | Other Hyper-V hosts that this host will replicate to | Management IP | Hyper-V Replica (only if using insecure traffic) |
| 135 | Management IP | Management servers and stations, RDS broker | RPC Endpoint Mapper (sometimes for WMI as well) |
| 443 | Other Hyper-V hosts that this host will replicate to; SCVMM | Management IP | Hyper-V Replica (only if using secure traffic) and System Center VMM |
| 445 | SMB 3 systems that present VM storage to this host; SMB 2+ targets with files this host needs to access, such as ISO; SCVMM library hosts; Live Migration target hosts if using SMB; other members of the same cluster; RDS broker | Management IPs; cluster network IPs; RDS User Profile Disk share | File copy; SMB access; Live Migrations in SMB mode; cluster communications; Cluster Shared Volume communications; RDS UPD host |
| 3260 | iSCSI portals and targets | iSCSI discovery and initiator IPs | iSCSI |
| 6600 | Other hosts this machine can Live Migrate to | Live Migration IPs | Live Migration when using standard TCP or compressed TCP modes |

There isn't much else to say about this table.


Other Hyper-V Related Traffic

Since I included port information for RDS, I might as well round it out with port information for RDS that doesn't involve the hosts themselves. I'll also include additional port information for System Center Virtual Machine Manager. While I'm at it, I'll throw in some common ports just for the sake of completeness. I think the source/destination fields should be enough to help you figure out where to place these rules.

Other Hyper-V Firewall Rules

| Port | Target | Source | Purpose |
|---|---|---|---|
| All dynamic ports (49152-65535) | All RDS hosts besides RDS broker | RDS broker | Server Manager and other tools that use Remote Procedure Call; the RDS broker is a central management hub |
| UDP 3391 | Same rules as 3389 | Same rules as 3389 | When this transport is enabled, higher performing UDP is used for the connection. Duplicate all of the port 3389 rules to UDP 3391. |
| TCP/UDP 53 | DNS servers | Everyone | DNS lookups |
| 80 | RDS Clients | RDS Web | VDI's web access is a standard IIS site |
| 389 | Domain Controllers | Domain members | Standard AD authentication |
| 5504 | RDS Broker | RDS Web | Handoff from web authenticator to the RDS broker |
| 443 | RDS Clients | RDS Web | VDI's web access is a standard IIS site |
| 5985 | RDS Gateway | RDS Broker | RDS Broker control of RDS Gateway |
| 443 | RDS Gateway | RDS Clients | Client-to-gateway connections handled via 443 |
| 8100 | SCVMM | Management stations | Connect VMM console to VMM server service |
| 443 | RDS virtual machines | RDS Clients | If gateway is not used, clients authenticate directly to their own VMs on 443 |
| 8530 (default) | Windows Server Update Services hosts | All Windows/Windows Server/Hyper-V Server | Windows Updates; may be configured to use another port |
| 686 | Domain Controllers | Domain members | AD authentication using LDAPS; secure authentication is now also available on the 389 port |
| 3389 | RDS virtual machines in unmanaged pools | RDS Broker | Client-to-VM connectivity |
| 3389 | RDS Broker | RDS Gateway | Gateway facilitating of client-to-VM connectivity |
| 3389 | RDS virtual machines | RDS Clients | If an RDS gateway is not used, everyone is connected directly to his or her VDI virtual machine |
A few notes here:

I didn't include all of the VMM rules. A more comprehensive list is available on the TechNet wiki. My real complaint with that list is that it does not include source/destination information, and not all of the rules are obvious. For instance, you do need the Hyper-V hosts to be able to talk to the SCVMM server on port 443.

There is a similar TechNet wiki article for Remote Desktop Services, but the parts that aren't difficult to sort out are just wrong, and its overall state is such that, in good conscience, I cannot link it. Through some indirect channels, I have been left with the impression that the RDS team's opinion on ever making that page useful or correct is "that's not our job." I have created the entries on these lists through Wireshark traces and observed trial and error. I can say that they have all worked just fine for me, but you might need to do some sleuthing of your own if you are doing some sort of configuration that I am not. PSS only has access to the same broken list, so they will not be able to help you further, unless you don't know how to use network traces or netstat to locate blocked ports.
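The sleuthing the article recommends, as an added example that is not part of the original post: part 1 runs on the Hyper-V host and lists which ports inside the dynamic RPC range are really listening and which Windows service owns each one (this is where netstat alone falls short, because most of them belong to svchost.exe); part 2 runs on a management station and tests the fixed inbound ports from the inbound table. The hostname is a placeholder.

```powershell
# Added example (not from the original article). Part 1: run on the Hyper-V host.
netsh int ipv4 show dynamicport tcp      # the range Windows actually hands out to RPC
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -ge 49152 -and $_.LocalPort -le 65535 } |
    ForEach-Object {
        # svchost.exe by itself tells you little; map the PID back to the service(s) it hosts
        $svc = (Get-CimInstance Win32_Service -Filter "ProcessId = $($_.OwningProcess)").Name -join ','
        [pscustomobject]@{
            Port    = $_.LocalPort
            Process = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
            Service = $svc
        }
    } | Sort-Object Port | Format-Table -AutoSize

# Part 2: run from a management station against the host (placeholder name).
$HvHost = 'hv01.example.invalid'
$Ports  = [ordered]@{                    # string keys: an ordered dictionary indexes ints by position
    '135' = 'RPC Endpoint Mapper'; '445' = 'SMB'; '2179' = 'VMMS'
    '3389' = 'RDP'; '5985' = 'WSMan'; '6600' = 'Live Migration'
}
foreach ($port in $Ports.Keys) {
    # Test-NetConnection checks TCP only, so UDP 3389 / UDP 3391 are not covered here
    $ok = (Test-NetConnection -ComputerName $HvHost -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,5}  {1,-20} {2}' -f $port, $Ports[$port], $(if ($ok) { 'open' } else { 'BLOCKED' })
}
```

A port that shows as BLOCKED from the station but listening on the host is the signature of a firewall rule gap; one that is not listening at all is a service problem, not a firewall one.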
