Windows Deployment Services and Firewalls

by Mitch Tulloch [Published on 29 Feb. 2012 / Last Updated on 29 Feb. 2012]

How to run a WDS server from behind a firewall.

Windows Deployment Services (WDS) uses DHCP, PXE, TFTP, RPC, SMB and (optionally) multicasting when it deploys images to target systems. So if you want to deploy images from a WDS server that's behind a firewall, you need to make sure certain firewall ports are open.

  • The following TCP ports need to be open for WDS to work across a firewall: 135 and 5040 for RPC, and 137 through 139 for SMB.
  • The following UDP ports need to be open for WDS to work across a firewall: 67, 69, and 4011 for DHCP and TFTP; 64001 through 65000 (random ports from this range are used by TFTP and for multicasting); and 68 if DHCP authorization is required on the server.

Note that some ports such as 5040 for RPC can be modified by configuring the WDS server.
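The port list above, turned into a set of inbound Windows Firewall rules on the WDS server itself, as an added PowerShell example that is not part of Mitch's article. It assumes the built-in NetSecurity cmdlets (New-NetFirewallRule, Get-NetFirewallRule, Get-NetFirewallPortFilter) are available, that the server is domain-joined so the rules can be limited to the Domain profile, and that the PXE clients sit on a single subnet; the subnet value is a constructed placeholder, and the rule for UDP 68 is only created when the DHCP authorization case the article mentions applies.

```powershell
# Added example (not from the article): open the WDS ports listed above on the
# WDS server's own Windows Firewall, scoped to the subnet being imaged.
# Assumptions: Windows Server with the NetSecurity module; a domain-joined server;
# one client subnet, given as a constructed placeholder below.
$DeploymentSubnet = '192.0.2.0/24'   # placeholder: replace with the real PXE client subnet
$DhcpAuthorization = $false          # set to $true only if DHCP authorization is required
$RuleGroup = 'WDS'                   # a group name makes the rules easy to audit and remove

# One entry per line of the article's port list. Ranges are given as 'low-high',
# which is the form New-NetFirewallRule -LocalPort accepts.
$rules = @(
    @{ Name = 'WDS RPC (TCP 135, 5040)';              Protocol = 'TCP'; Port = @('135', '5040') },
    @{ Name = 'WDS SMB (TCP 137-139)';                Protocol = 'TCP'; Port = @('137-139') },
    @{ Name = 'WDS DHCP/TFTP (UDP 67, 69, 4011)';     Protocol = 'UDP'; Port = @('67', '69', '4011') },
    @{ Name = 'WDS TFTP/multicast (UDP 64001-65000)'; Protocol = 'UDP'; Port = @('64001-65000') }
)
if ($DhcpAuthorization) {
    $rules += @{ Name = 'WDS DHCP authorization (UDP 68)'; Protocol = 'UDP'; Port = @('68') }
}

foreach ($r in $rules) {
    # Idempotent: skip rules that already exist so re-running the script is safe.
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
        Write-Host "Rule already present: $($r.Name)"
        continue
    }
    New-NetFirewallRule -DisplayName $r.Name `
        -Group $RuleGroup `
        -Direction Inbound `
        -Protocol $r.Protocol `
        -LocalPort $r.Port `
        -RemoteAddress $DeploymentSubnet `
        -Profile Domain `
        -Action Allow | Out-Null
    Write-Host "Created rule: $($r.Name)"
}

# Verification: list the ports each WDS rule actually opens, so the result can be
# compared against the article's list before any clients are imaged.
Get-NetFirewallRule -Group $RuleGroup |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Protocol  = $filter.Protocol
            LocalPort = ($filter.LocalPort -join ', ')
            Enabled   = $_.Enabled
        }
    } | Format-Table -AutoSize
```

Run the script in an elevated PowerShell session on the WDS server. Limiting the rules with -RemoteAddress keeps the TFTP and multicast range (a thousand UDP ports) reachable only from the subnet that actually needs it, and grouping the rules under one name lets you remove them all with a single Remove-NetFirewallRule -Group 'WDS' when the server is decommissioned. If you change the RPC port from 5040 on the WDS server, as the note above says is possible, update the corresponding rule to match.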

Mitch Tulloch is a seven-time recipient of the Microsoft Most Valuable Professional (MVP) award and widely recognized expert on Windows administration, deployment and virtualization. For more tips by Mitch you can follow him on Twitter or friend him on Facebook.
