Windows Deployment Services and Firewalls

by Mitch Tulloch [Published on 29 Feb. 2012 / Last Updated on 29 Feb. 2012]

How to run a WDS server from behind a firewall.

Windows Deployment Services (WDS) uses DHCP, PXE, TFTP, RPC, SMB and (optionally) multicasting when it deploys images to target systems. So if you want to deploy images from a WDS server that's behind a firewall, you need to make sure certain firewall ports are open.

  • The following TCP ports need to be open for WDS to work across a firewall: 135 and 5040 for RPC and 137 through 139 for SMB.
  • The following UDP ports need to be open for WDS to work across a firewall: 67, 69, and 4011 for DHCP and TFTP; 64001 through 65000 (random ports from this range are used by TFTP and for multicasting); and 68 if DHCP authorization is required on the server.

Note that some ports such as 5040 for RPC can be modified by configuring the WDS server.
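
One way to apply the port list above on the WDS server's own Windows Firewall, shown as an added example rather than code from the original tip. The rule group name, the 10.20.0.0/24 deployment subnet and the `$DhcpAuthorization` switch are assumptions; a separate network firewall between the server and its clients needs the same ports in its own rule syntax.

```powershell
# Added example: Windows Firewall rules for the WDS ports listed above.
# Needs an elevated session and the NetSecurity module (Windows Server 2012+).
# Assumed values, not from the article: group name, subnet, switch below.
$Group             = 'WDS-Deployment-Example'
$Subnet            = '10.20.0.0/24'   # assumed deployment subnet
$RpcPort           = '5040'           # article default; configurable on the WDS server
$DhcpAuthorization = $false           # $true also opens UDP 68

# Scoped = $false for DHCP: a PXE client broadcasts from 0.0.0.0 before it
# holds a lease, so a source-address restriction would drop its first packet.
$Rules = @(
    @{ Name = 'WDS RPC';            Protocol = 'TCP'; Ports = @('135', $RpcPort); Scoped = $true  }
    @{ Name = 'WDS SMB';            Protocol = 'TCP'; Ports = @('137-139');       Scoped = $true  }
    @{ Name = 'WDS DHCP';           Protocol = 'UDP'; Ports = @('67');            Scoped = $false }
    @{ Name = 'WDS PXE and TFTP';   Protocol = 'UDP'; Ports = @('69', '4011');    Scoped = $true  }
    @{ Name = 'WDS TFTP/multicast'; Protocol = 'UDP'; Ports = @('64001-65000');   Scoped = $true  }
)
if ($DhcpAuthorization) {
    $Rules += @{ Name = 'WDS DHCP authorization'; Protocol = 'UDP'; Ports = @('68'); Scoped = $false }
}

# Remove rules left by an earlier run so the script can be re-applied safely.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

foreach ($r in $Rules) {
    $params = @{
        DisplayName = "$($r.Name) ($($r.Protocol) $($r.Ports -join ','))"
        Group       = $Group
        Direction   = 'Inbound'
        Action      = 'Allow'
        Protocol    = $r.Protocol
        LocalPort   = $r.Ports
    }
    # Least privilege: everything except DHCP accepts the deployment subnet only.
    if ($r.Scoped) { $params.RemoteAddress = $Subnet }
    New-NetFirewallRule @params | Out-Null
}

# Audit: list what was created, with ports and allowed sources.
Get-NetFirewallRule -Group $Group | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Protocol      = $port.Protocol
        LocalPort     = $port.LocalPort -join ','
        RemoteAddress = $addr.RemoteAddress -join ','
    }
} | Format-Table -AutoSize
```

If the RPC port has been changed on the WDS server, set `$RpcPort` to match before running the script.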

Mitch Tulloch is a seven-time recipient of the Microsoft Most Valuable Professional (MVP) award and a widely recognized expert on Windows administration, deployment and virtualization. For more tips by Mitch you can follow him on Twitter or friend him on Facebook.
