TruGrid RDS Manager - Data Collector Service - Network Access Requirements

TruGrid RDS Manager Enterprise

Data Collector Service - Network Access Requirements


1. Overview

The TruGrid RDS Manager Enterprise Data Collector (TruGrid-RDSM-DC.exe) is a headless Windows service that runs on a designated server - typically the RD Connection Broker or a dedicated management host - and periodically polls each RDS session host in the environment to collect session, performance, and availability data.


This document describes all inbound and outbound network access the service requires, the underlying protocols used, and the recommended firewall rules necessary for correct operation.


2. Outbound Access to RDS Session Hosts

The Data Collector queries each session host directly using RPC/DCOM-based interfaces. WinRM (PowerShell Remoting) is NOT used - all communication relies on native Windows RPC.


2.1 Session Enumeration - quser / WTS API

Session state (Active, Idle, Disconnected), usernames, session IDs, and idle times are retrieved via two mechanisms:


  • quser /server:<hostname> -- a subprocess call that uses RPC to contact the Remote Desktop Services stack on each host.
  • WTS API P/Invoke (WTSOpenServer / WTSEnumerateSessions / WTSQuerySessionInformation) -- used to obtain the client IP address and client machine name for each connected session.


Required ports on each session host:


  • TCP 135 -- RPC Endpoint Mapper (mandatory; used to negotiate the dynamic port for all subsequent RPC calls).
  • TCP 49152-65535 -- Dynamic (ephemeral) RPC ports. Windows negotiates one of these ports per RPC connection via the Endpoint Mapper.


Note: The dynamic port range can be restricted on the session hosts via Group Policy or netsh. The built-in Windows Firewall rules 'Remote Desktop Services - Shadow (TCP-In)' and 'Windows Management Instrumentation (WMI)' cover most of what is needed.


2.2 Performance and System Metrics - WMI

CPU utilisation, memory usage, and per-process metrics are collected via Windows Management Instrumentation (WMI) using the ManagementScope class targeting each session host remotely.


WMI also runs over DCOM/RPC and therefore uses the same ports as section 2.1:


  • TCP 135 -- RPC Endpoint Mapper.
  • TCP 49152-65535 -- Dynamic RPC ports.


The WMI service (winmgmt) must be running and reachable on each session host. Remote WMI access must be permitted in the Windows Firewall on each host (enable the built-in 'Windows Management Instrumentation (WMI)' firewall rule group).


2.3 What Is NOT Required

The following protocols are NOT used by the Data Collector and do not need to be opened:


  • WinRM / PowerShell Remoting (TCP 5985 / 5986) -- Invoke-Command and New-PSSession both fail silently from the service account context. All remote operations use RPC/DCOM instead.
  • SMB (TCP 445) -- no file-share access to session hosts is required.
  • SSH (TCP 22) -- not used.
  • SNMP (UDP 161) -- not used.
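As an added pre-flight check (not part of TruGrid's product), the script below runs on the Data Collector server and confirms each session host is reachable over exactly the paths sections 2.1 and 2.2 describe: TCP 135, quser over RPC, and WMI over DCOM rather than WinRM. The session host names are placeholders.

```powershell
# Added example, not TruGrid's own code: pre-flight check run on the Data Collector server
# (ideally under the collector's service account) for the paths in sections 2.1 and 2.2.
# Placeholders: the session host names below.
$SessionHosts = @('RDSH01.corp.example', 'RDSH02.corp.example')

function Test-CollectorPath {
    param([string]$HostName)
    $r = [ordered]@{ Host = $HostName }

    # Sections 2.1/2.2: TCP 135 (Endpoint Mapper) must answer before any RPC/DCOM call is possible
    $r.EPMap135 = Test-NetConnection -ComputerName $HostName -Port 135 -InformationLevel Quiet `
                                     -WarningAction SilentlyContinue

    # Section 2.1: the collector's quser path. quser exits non-zero when nobody is logged on,
    # so treat only RPC/access errors as failure, not an empty session list.
    $out = (& quser.exe "/server:$HostName" 2>&1) -join "`n"
    $r.QuserRpc = -not ($out -match 'RPC server is unavailable|Access is denied|Error \d+')

    # Section 2.2: remote WMI over DCOM, explicitly not WSMan/WinRM, matching the collector's
    # ManagementScope usage. A WSMan failure would be a misleading signal, so force DCOM.
    try {
        $session = New-CimSession -ComputerName $HostName -ErrorAction Stop `
                                  -SessionOption (New-CimSessionOption -Protocol Dcom)
        $os = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem -ErrorAction Stop
        $r.WmiDcom   = $true
        $r.FreeMemMB = [int]($os.FreePhysicalMemory / 1KB)   # WMI reports this value in KB
        Remove-CimSession $session
    } catch {
        $r.WmiDcom  = $false
        $r.WmiError = $_.Exception.Message   # e.g. RPC server unavailable, access denied
    }
    [pscustomobject]$r
}

$SessionHosts | ForEach-Object { Test-CollectorPath -HostName $_ } | Format-Table -AutoSize
```

A host that passes EPMap135 but fails WmiDcom with an access-denied message usually points at the service account permissions in section 5 rather than at the firewall.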


3. Outbound Access to Active Directory

The Data Collector queries Active Directory to resolve AllowedUsers group membership (access control) and to support the AD browse dialogs in the Config application. These queries use the System.DirectoryServices API (LDAP).


Required ports to Domain Controllers:


  • TCP/UDP 389 -- LDAP (standard, unencrypted or with STARTTLS).
  • TCP 636 -- LDAPS (LDAP over SSL), if your environment enforces LDAPS.
  • TCP 3268 -- Global Catalog (used when querying across domains).
  • TCP/UDP 88 -- Kerberos (required for Windows Authentication / Negotiate).
  • TCP/UDP 53 -- DNS (name resolution for session hosts and AD lookups).


In most domain-joined environments these ports are already open between servers by default. No additional firewall rules are typically needed for AD access.


4. Inbound Access - Enterprise Client and Config Application

The Data Collector hosts an ASP.NET Core Web API and SignalR hub that the Enterprise Client and Config application connect to. The following inbound ports must be open on the server running the Data Collector service:


  • TCP 5743 (default) -- HTTP. Used for all API calls (REST + SignalR hub at /hubs/rdsm) when HTTPS is not configured.
  • TCP 5744 (default, optional) -- HTTPS. Used when 'Use HTTPS' is enabled in the Config application. Requires a valid certificate (self-signed or CA-issued).


Both ports are configurable in the Data Collector settings. Authentication is performed via Windows Authentication (Negotiate/Kerberos or NTLM), so client machines must also be able to reach a Domain Controller for credential validation.


5. Service Account Requirements

The Windows service account under which TruGrid-RDSM-DC.exe runs must have the following permissions on each RDS session host:


  • Member of the local Administrators group -- required for WTS API access (WTSOpenServer) and remote WMI queries.
  • Alternatively, membership in the local 'Remote Management Users' and 'Performance Monitor Users' groups may be sufficient for read-only WMI queries, but full Administrator rights are recommended for reliable session management operations (logoff, disconnect, reset, send message).


Recommended: Use a dedicated domain service account (e.g. DOMAIN\tg-rdsm-svc) and add it to the local Administrators group on all managed RDS session hosts via Group Policy (Restricted Groups or Preferences).


6. Summary - Firewall Rules Required


The table below summarizes all required firewall rules for the server running the Data Collector service.


Direction | Protocol / Port   | Destination / Source                          | Purpose                                    | Required?
----------|-------------------|-----------------------------------------------|--------------------------------------------|-------------
Outbound  | TCP 135           | RDS Session Hosts                             | RPC Endpoint Mapper (WTS + WMI)            | Required
Outbound  | TCP 49152-65535   | RDS Session Hosts                             | Dynamic RPC ports (WTS API, quser, WMI)    | Required
Outbound  | TCP/UDP 389       | Domain Controllers                            | LDAP - AD group membership queries         | Required
Outbound  | TCP/UDP 88        | Domain Controllers                            | Kerberos authentication                    | Required
Outbound  | TCP/UDP 53        | DNS Servers                                   | Name resolution                            | Required
Outbound  | TCP 636           | Domain Controllers                            | LDAPS (if enforced by environment)         | Conditional
Outbound  | TCP 3268          | Domain Controllers                            | Global Catalog (multi-domain environments) | Conditional
Inbound   | TCP 5743          | Admin workstations / Enterprise Client hosts  | HTTP - API and SignalR hub                 | Required
Inbound   | TCP 5744          | Admin workstations / Enterprise Client hosts  | HTTPS - API and SignalR hub (if enabled)   | Conditional
N/A       | TCP 5985/5986     | RDS Session Hosts                             | WinRM - NOT used; do not open              | Not required


The relevant GPO setting for WMI (TCP 135 and the related dynamic ports):


Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules


a. Create a new inbound rule for:
  • Rule Type: Predefined
  • Predefined rule: Remote Procedure Call (RPC)


This covers TCP 135. There is a second predefined rule you also need:

  • Predefined rule: Remote Procedure Call (RPC-EPMAP)


b. For the dynamic port range (49152–65535), use:
  • Predefined rule: Remote Procedure Call - RPC Dynamic Ports



c. For WMI specifically, there is a dedicated predefined rule group:


  • Predefined rule: Windows Management Instrumentation (WMI)


This enables all three rules WMI needs (WMI-In, DCOM-In, and Async-In) in one step.




Link the GPO to the OU containing the RDS session hosts (not domain-wide), and enable only:


  1. Remote Procedure Call (RPC) — TCP 135 inbound
  2. Remote Procedure Call - RPC Dynamic Ports — TCP 49152–65535 inbound
  3. Windows Management Instrumentation (WMI) — all three sub-rules


Scope each rule to the source IP of the Data Collector server to limit exposure.
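The PowerShell below is an added example (not TruGrid's own code) of the same rules applied per host: the session-host rules the GPO steps above enable, plus the collector server's inbound API ports from section 4, each scoped to a source address as recommended. The collector IP and admin subnet are placeholders; run each function elevated on the machine it names.

```powershell
# Added example, not TruGrid's own code. Placeholders: $CollectorIP and $AdminSubnet.
$CollectorIP = '10.0.10.5'       # placeholder: Data Collector server address
$AdminSubnet = '10.0.20.0/24'    # placeholder: admin workstations / Enterprise Client hosts

function Set-SessionHostRules {
    # Run on each RDS session host: the rules the GPO enables, limited to the collector's address
    param([string]$Source)

    # WMI group: turns on WMI-In, DCOM-In and ASync-In in one step (section 2.2)
    Enable-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)'
    Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $Source

    # RPC Endpoint Mapper and dynamic RPC ports for the WTS API and quser (section 2.1).
    # 'RPC' as the local port follows whatever dynamic range the host has configured via netsh/GPO.
    New-NetFirewallRule -DisplayName 'RDSM Collector - RPC Endpoint Mapper' -Direction Inbound `
        -Protocol TCP -LocalPort 135 -RemoteAddress $Source -Action Allow
    New-NetFirewallRule -DisplayName 'RDSM Collector - RPC Dynamic Ports' -Direction Inbound `
        -Protocol TCP -LocalPort RPC -RemoteAddress $Source -Action Allow

    # WinRM is not used by the collector (section 2.3): list anything that is still open so it
    # can be reviewed rather than left enabled by accident
    Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Enabled True -ErrorAction SilentlyContinue |
        Select-Object DisplayName, Direction, Profile
}

function Set-CollectorHostRules {
    # Run on the Data Collector server: inbound API/SignalR ports (section 4), admins only
    param([string]$Source)
    New-NetFirewallRule -DisplayName 'RDSM Collector - API HTTP 5743' -Direction Inbound `
        -Protocol TCP -LocalPort 5743 -RemoteAddress $Source -Action Allow
    # Created disabled; enable it only once 'Use HTTPS' is turned on in the Config application
    New-NetFirewallRule -DisplayName 'RDSM Collector - API HTTPS 5744' -Direction Inbound `
        -Protocol TCP -LocalPort 5744 -RemoteAddress $Source -Action Allow -Enabled False
}

function Show-CollectorRules {
    # Audit view: which ports are open, to whom, for every rule created above
    Get-NetFirewallRule -DisplayName 'RDSM Collector - *' | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Port = $port.LocalPort
                           From = $addr.RemoteAddress; Enabled = $_.Enabled }
    }
}

# Usage on a session host:      Set-SessionHostRules -Source $CollectorIP; Show-CollectorRules
# Usage on the collector server: Set-CollectorHostRules -Source $AdminSubnet; Show-CollectorRules
```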

Updated on: 05/03/2026
