For each session, NoMachine uses a number of i) ports that are used only locally on server or client side and ii) TCP ports.
Ports used locally must be free to let the session start but don't need any change in the router or firewall configuration to allow access from outside.
Ports must be open on the firewall or router when they are necessary for data communication between client and server or client and node in case of multi-node environments. All communications through ports listening on external interfaces are encrypted and require the user to be authenticated against the authentication sub-system of that host (e.g. PAM).
For each new session (regardless of whether it's a connection to the physical desktop or a new virtual desktop or custom session on Linux), NoMachine needs:
a) A port defined by 11000 + display. Display is the value set in the DisplayBase server configuration key, by default 1001. So the port used by the first connection will be 11000 + 1001 = 12001. This port is used locally.
b) A port, used locally, to let the nxserver process started for the session communicate with the principal nxserver service. Number of this port starts from 20000 and it's incremented by one when a new session is created.
A hidden key in the server configuration file allows to define a different base value for this port. Just add the ServerSlaveBase key at the end of the server.cfg file, e.g.:
NOTE: This setting will be applied only to new sessions.
c) The server daemon process (nxserver --daemon ) uses a random port selected in the range between value set for ServerSlaveBase
(by default 20000) and (ServerSlaveBase + 10000). This port is used locally.
d) NoMachine uses a local port defined by 25000 + display. When a session is started, the nxnode process listens on it. If the virtual desktop/custom session is reconnected or the user connects to that session is shadow mode, the new nxnode process uses this port to communicate with the nxnode process of the original session.
e) NoMachine also runs a session monitor listening on a port defined by 24000 + display. This port is used locally.
The NoMachine display service (embedded in the nxnode program) uses a TCP port which number is defined by the value set in the DisplayBase server configuration key + 6000. By default, DisplayBase is set to 1001. This means that NoMachine will try to start the display service on port 1001 + 6000 = 7001 firstly.
If this port is already in use, NoMachine will look for a free port by incrementing DisplayBase up to the value set in the DisplayLimit server configuration key.
This applies to both the display service started to allow connections to the physical desktop (when an X server is available) and to the display service started for each new virtual desktop.
Notes for Linux
This port (7001 for example) is used to receive connections from X clients (according to X.org implementation).
The NoMachine display service for connecting users to the physical display listens on the loopback interface.
The NoMachine display service for virtual desktops listens instead on all interfaces.
It's possible to disable listening on all TCP ports and force the display service to listen only on unix sockets. To do that, edit the /usr/NX/etc/node.cfg file and set:
DisplayServerExtraOptions "-nolisten tcp"
This will apply to all new virtual desktops without the need to restart the NoMachine server.
The MDNS service (available since version 4.1 and used to publish the computer presence over the LAN, see FR10K02770) uses the UDP port 5353. This is a service that operates only on a LAN.
Broadcasting of the server information can be disabled from the NoMachine User Interface in 'Server preferences' ( 'Don't advertise the computer on the network').
On the client side, for each session NoMachine uses a port defined by 12000 + display for activities (locally) and a port defined by 10000 + display for the font channel.
Ports for network services
NoMachine services ( the NoMachine Network Service nxd to accept connections by NX protocol, the SSH server nxsshd on Windows and the HTTP Server nxhtd) are configured to listen on default ports. These ports are configurable:
i) via the User Interface (Server preferences -> Network services -> Edit)
ii) or the server configuration file (the NoMachine_installation_dir/etc/server.cfg file).
NXD and the NX and UDP protocols
The Network Server (nxd) listens by default on port 4000.
This port must be open between client and server: this is mandatory to allow connections by NX protocol.
Connections by NX protocol can use UDP communication for multimedia data.
When UDP is enabled, data can travel on TCP and UDP streams at the same time.
Only multimedia communication however can be routed through UDP, when enabled. This means that the other data traffic is still sent via TCP.
UDP communication for multimedia uses by default a range of ports between 4011 and 4999.
These ports must be open between client and the remote host where the session will be run. In case of multinode environments, the UDP port must be open on each of the remote Terminal Server Nodes; in case of multiserver environment, the UDP port must be open on each of the servers federated under the Cloud Server.
If these ports are not available, multimedia traffic will fall back to TCP communication.
UDP can be disabled on client side, in the connection settings -> NX protocol -> Advanced panel.
Note that UDP communication is always disabled when using SSH protocol.
You can retrieve information about which ports are used from the NoMachine Menu inside the session: open it by clicking on the page peel
in the upper right corner of the window, and access the 'Connection' panel. The 'Service type' field reports such information.
Service type: NX on port 4000 with RT port 4537
means that the Network Server nxd is listening on port 4000. "RT" stays for "Real Time" and indicates the port used for UDP protocol.
The system SSHD, NXSSHD and the SSH PROTOCOL
NoMachine on Linux and Mac uses the system SSH server. The SSH server on Linux and Mac OS X is listening by default on port 22.
On Windows, NoMachine uses its built-in SSH server (nxsshd) which is listening on port 4022 instead.
Port 22 or 4022 (if the server is on Windows) must be open between client and server. This is mandatory to allow connections by SSH protocol.
NXHTD and the HTTP protocol
The NoMachine HTTP server (nxhtd) is listening by default on port 4080 and 4443 for secure HTTP connections. These ports must be open between the user's device and server. This is mandatory to allow sessions from the web.
If the router on server side supports UPnP, NoMachine will try to map ports for NX, SSH and HTTPS by instructing the router to forward external port to the service.
External ports are selected randomly from the 20000 - 30000 range. At session startup we also try with UPnP to map UDP ports. If successful, external and internal ports are the same port number.
Port forwarding can be enabled/disabled via the NoMachine User Interface ('Server preferences') or in the server configuration file.
Ports for services (automatic updates, audio, connect network ports and printers, forward USB devices)
- Automatic updates require that hosts with NoMachine client or server installed have access to the NoMachine update server on port 4000 and use the TCP protocol.
- The service for audio support as well as services for connecting printers and disks don't require any port.
- The service for connecting a network port, as the name says, opens a port so that it can be accessed by third party applications. The port is used only locally, i.e. on a LAN.
- The service for connecting USB devices uses ports 5473 and 5483 locally. A new port is opened between client and server for each USB device. Port number is defined by 5040 + x where 'x' is the first free port retrieved starting from number 5040.