I firmly believe that Hyper-V is best implemented using Hyper-V Server and remote management techniques. Set it up once and never connect to its console again. With a bit of creativity, you can even deploy vendor-supplied firmware updates without accessing a local session. My approach does not enjoy community consensus; in fact, I'm unaware of any general agreement on the matter at all. One thing I do know for certain is that humans follow the path of least resistance. If option A is more difficult than option B, almost everyone will follow option B. Even people that take the hard road a few times at first will eventually fall back to the easy route, especially in times of distress.
With all of that said, I also firmly believe that digital security needs to be taken seriously. You may be in a low-security environment that doesn't handle any sensitive information, but there is still a basic level of expected due diligence. Attackers are sometimes out to steal storage space and network bandwidth, not information. You have a responsibility to at least attempt to prevent that from happening. Even if you don't feel like you owe your current employer anything for whatever reason, you might want to work somewhere else someday. No prospective employer will be impressed if you have developed poor security habits. Good security practice involves firewalls. Yes, they're annoying when they inhibit legitimate traffic, but they are a simple and effective way to stop the most common assaults.
This article has two purposes. The first is to succinctly lay out the TCP/IP network port information for Hyper-V management and activities. This allows you to configure firewalls as necessary. The second is to help you through some configuration dos and don'ts. This article might have information that helps you connect to a workgroup-joined Hyper-V host, but it was not written with that usage in mind. I have not heard any compelling reason for that configuration to exist; therefore, I will not waste any further energy enabling it.
Hyper-V hosts (table columns: Target, Source, Purpose). The rows of this table did not survive extraction intact; the cells that can be recovered are listed below, paired only where the text keeps them together:
Target ports: 80, 135, 443, 445, 2179, 6600
445: Management IP and Cluster IPs; Live Migration IPs if using SMB mode
2179: Management IP; source: management servers and stations, RDS broker; purpose: communication to the Virtual Machine Management Service
Other target cells: Management IP; CNO
Other source cells: management stations
Other purpose cells: console access
The above table should be mostly self-explanatory. There are a handful of notes:
You probably don't need to open all dynamic ports. I've only seen the first five or six ever actually being used. The problem is, if Microsoft has documented the true range of used ports anywhere, I have never found it. I only stumbled on the necessity to open the ports at all via netstat and Wireshark traces from failing connections. PSS didn't even know about them.
For the best outcomes, do not use any firewalls at all on cluster-only networks. The above will work, but (unscientifically), the Wireshark traces I've seen on cluster networks suggest that it uses other undocumented methods for communications that are likely more efficient. This would not apply to cluster-and-client networks such as the management network. Keep all of your cluster-only networks in the same layer-2 network with no routers, preferably in a VLAN or otherwise isolated network.
CNO is cluster name object. Server Manager in particular wants to be able to talk to it. In reality, it maps directly to the management IP of the host that currently maintains the cluster core resources, and as long as Server Manager can reach that, everything will be fine even if Server Manager is displeased. If you can ignore Server Manager's complaints, so can I.
RDS is Remote Desktop Services. I hope the clarification isn't necessary, but this is for virtual machine RDS and not session-based RDS.
Very few things have any need to use 5986 because WSMan traffic is always encrypted. Your host will only be listening on 5986 if you enable secure WSMan with a specially configured WinRM listener.
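As an added example (not code from the article), here is how the host-side inbound rules for the management ports discussed above can be expressed with the built-in NetSecurity cmdlets on a Hyper-V host, scoped to the subnet the management stations sit on. The subnet, the rule names and group, the Domain-profile choice and the use of the firewall's RPC keyword in place of the whole dynamic range are assumptions.

```powershell
# Added example (not from the article): inbound Windows Firewall rules on a Hyper-V
# host for the management ports above, restricted to the management stations' subnet.
# The subnet, rule names/group and the Domain-profile choice are assumptions.
$MgmtSubnet = '10.0.10.0/24'                 # assumed: where management stations live
$Group      = 'Hyper-V management (scoped)'  # assumed: lets the set be reviewed or removed together

# Port list from the article's host table and notes. 'RPC' is the firewall's built-in
# keyword for ports the RPC runtime allocates from the dynamic range, so WMI traffic
# is allowed without opening all of 49152-65535 when the exact range in use is unknown.
$Rules = @(
    @{ Name = 'HV RPC endpoint mapper'; Port = '135'  },
    @{ Name = 'HV RPC dynamic (WMI)';   Port = 'RPC'  },
    @{ Name = 'HV HTTP';                Port = '80'   },
    @{ Name = 'HV HTTPS';               Port = '443'  },
    @{ Name = 'HV SMB';                 Port = '445'  },
    @{ Name = 'HV VMConnect (VMMS)';    Port = '2179' },
    @{ Name = 'HV WSMan';               Port = '5985' },
    @{ Name = 'HV Live Migration';      Port = '6600' }
)

foreach ($r in $Rules) {
    # idempotent: skip a rule that already exists under the same display name
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) { continue }
    New-NetFirewallRule -DisplayName $r.Name -Group $Group -Direction Inbound `
        -Protocol TCP -LocalPort $r.Port -RemoteAddress $MgmtSubnet `
        -Action Allow -Profile Domain | Out-Null
}

# Review the result: port and remote-address scope of every rule in the group
Get-NetFirewallRule -Group $Group | ForEach-Object {
    [pscustomobject]@{
        Rule   = $_.DisplayName
        Port   = ($_ | Get-NetFirewallPortFilter).LocalPort
        Remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    }
} | Format-Table -AutoSize
```

Per the cluster-only note above, these rules belong on the management network; cluster-only and SMB Live Migration networks are left without host firewall filtering.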
Further rows of the Hyper-V host table (columns: Target, Source, Purpose), as far as the extraction preserved them; the source and purpose cells of these rows were not recovered:
All dynamic ports (49152-65535): Management IP
80: Management IP
135: Management IP
443: Management IP
445: (target cell lost)
3260: iSCSI
6600: (target cell lost)
Remote Desktop Services, SCVMM and infrastructure ports (table columns: Target, Source, Purpose). Extraction scrambled this table; its rows are given here as far as they can be recovered:
All dynamic ports (49152-65535) and UDP 3391: listed next to the RDS broker cell; the rest of these rows was lost
TCP/UDP 53: DNS servers; source: everyone
80 and 443: RDS Web; source: RDS clients; purpose: VDI's web access is a standard IIS site
389: Domain Controllers; source: domain members; purpose: standard AD authentication
5504: RDS Broker; source: RDS Web; purpose: handoff from the web authenticator to the RDS broker
5985: RDS Gateway; source: RDS Broker; purpose: RDS Broker control of the RDS Gateway
443: RDS Gateway; source: RDS clients
8100: SCVMM; source: management stations
443: source: RDS clients (target cell lost)
8530 (default): source: all Windows, Windows Server and Hyper-V Server machines (target cell lost)
686: Domain Controllers; source: domain members
3389: RDS virtual machines; source: RDS Broker, RDS Gateway, and RDS clients (if an RDS gateway is not used, everyone is connected directly); purpose: client-to-VM connectivity
common ports just for the sake of completeness. I think the source/destination fields should be enough to help you figure out where to
place these rules.
A few notes here:
I didn't include all of the VMM rules. A more comprehensive list is available on the TechNet wiki. My real complaint with that list is that it does not include source/destination information and not all of the rules are obvious. For instance, you do need the Hyper-V hosts to be able to talk to the SCVMM server on port 443.
There is a similar TechNet wiki article for Remote Desktop Services, but the parts that aren't difficult to sort out are just wrong and its overall state is such that, in good conscience, I cannot link it. Through some indirect channels, I have been left with the impression that the RDS team's opinion on ever making that page useful or correct is "that's not our job." I have created the entries on these lists through Wireshark traces and observed trial and error. I can say that they have all worked just fine for me, but you might need to do some sleuthing of your own if you are doing some sort of configuration that I am not. PSS only has access to the same broken list, so they will not be able to help you further, unless you don't know how to use network traces or netstat to locate blocked ports.
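The netstat-and-traces sleuthing described here can be scripted. The following is an added example (not the article's code) that first lists, on the host, which ports inside its dynamic range are actually listening and which service owns each, and then probes the fixed management ports from a management station so a blocked port is found before a failed console or WMI connection is blamed on something else. The host name and the English-language netsh output used for range parsing are assumptions.

```powershell
# Added example (not from the article). Part 1 runs ON the Hyper-V host: which ports
# inside the dynamic range are really listening, and which service owns each one.
# Assumes English netsh output for parsing the configured range.
$out   = netsh int ipv4 show dynamicport tcp
$start = [int](($out | Select-String 'Start Port').Line      -replace '\D', '')
$count = [int](($out | Select-String 'Number of Ports').Line -replace '\D', '')
$end   = $start + $count - 1

# PID -> service name(s), so a listener can be tied to e.g. vmms or a WMI host process
$svcByPid = Get-CimInstance Win32_Service | Where-Object ProcessId -gt 0 |
    Group-Object -Property ProcessId -AsHashTable -AsString

$dynamicListeners = Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -ge $start -and $_.LocalPort -le $end } |
    Sort-Object LocalPort -Unique | ForEach-Object {
        $owner = $_.OwningProcess
        [pscustomobject]@{
            LocalPort = $_.LocalPort
            Process   = (Get-Process -Id $owner -ErrorAction SilentlyContinue).ProcessName
            Services  = ($svcByPid["$owner"].Name -join ', ')   # empty for non-service PIDs
        }
    }
"Dynamic range on this host: ${start}-${end}"
$dynamicListeners | Format-Table -AutoSize

# Part 2 runs FROM a management station: confirm the fixed ports from the article's
# host table answer at all before looking further for a blocked dynamic port.
$HvHost = 'hv01.corp.example'   # assumed host name
foreach ($p in 80, 135, 443, 445, 2179, 5985, 6600) {
    $t = Test-NetConnection -ComputerName $HvHost -Port $p -WarningAction SilentlyContinue
    '{0,5}  {1}' -f $p, $(if ($t.TcpTestSucceeded) { 'open' } else { 'blocked or not listening' })
}
```

A port that shows as listening in Part 1 but fails in Part 2 is the firewall case the notes describe; one that is not listening at all is a service problem, not a firewall one.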