
Network guide for Chrome Remote Desktop

The purpose of this document is to describe network requirements for Chrome Remote Desktop to work properly on your network. This document also describes some underlying details of the Chrome Remote Desktop protocol and peer-to-peer (P2P) connection negotiation process.

Use this guide if you have a highly restrictive private network, and/or are having challenges getting Chrome Remote Desktop working on your network.

List of ports and protocols required

URL allow rules for Chrome Remote Desktop

To access Chrome Remote Desktop, users need to be able to navigate to the specific URLs listed below. Your network must allow outbound access to these URLs.

In the Google Admin console, on the Users & browsers and Managed guest sessions settings pages, you can use the URL blocking setting to control access to URLs. For information about how to allow or block URLs, go to Set Chrome policies for users or browsers.

Read about URLAllowlist and URLBlocklist policies.

| URL | Action |
| --- | --- |
| instantmessaging-pa.googleapis.com | Allow |
| remotedesktop.google.com | Allow |
| remotedesktop-pa.googleapis.com | Allow |

Generic firewall rules required for Chrome Remote Desktop on private networks

For a list of Google services IP ranges, go to Google Cloud documentation.

IP addresses are dynamic depending on location. While it is possible to have a device with connectivity only through explicit IP/port/protocol based firewall rules, the rules will be a moving target due to the dynamic behavior of IP address assignments. Google uses a service hosted at gstatic.com to dynamically look up localized IPs for various services.

One IP essential for Chrome Remote Desktop is not returned by the script since it does not have a DNS URL: 74.125.247.128. This is the IP for the signaling service used to facilitate TURN/STUN connections, described below. This will be used only if:

  1. Firewall traversal is set to Enable firewall traversal, and
  2. Enable the use of relay servers is selected.

For information about the Firewall traversal setting, go to Set Chrome policies for users or browsers. Read about RemoteAccessHostAllowRelayedConnection and RemoteAccessHostFirewallTraversal.

| Source | Destination | Port | Protocol | Action |
| --- | --- | --- | --- | --- |
| Private network IP Range | Google Services IP ranges | 443 + 3478 | TCP + UDP | Allow |
| Private network IP Range | Private network IP Range | Dynamic range, possible to limit using UDP port range. For information about the UDP port range setting, go to Set Chrome policies for users or browsers. Read about RemoteAccessHostUdpPortRange policy. | TCP + UDP | Allow |
| Private network IP Range | 74.125.247.128 | Dynamic range, possible to limit. For information about the UDP port range setting, go to Set Chrome policies for users or browsers. Read about RemoteAccessHostUdpPortRange policy. | TCP + UDP | Allow |

Protocol Details

Chrome Remote Desktop connection types are configurable via enterprise policy. Connections between the Chrome Remote Desktop client and host are initially negotiated through web requests to Google services. Once a connection is instantiated, a P2P connection facilitates the live session.

P2P Connection types

P2P connections are established using the Interactive Connectivity Establishment (ICE) protocol and Web Real-Time Communication (WebRTC). The connection mode is either Direct, STUN, or TURN/relay.

  • Direct
    • The 2 devices communicate directly via their actual IPs.
  • STUN: In the Admin console, Firewall traversal is set to Enable firewall traversal.
    • The 2 devices communicate using the internet / subnet addressable IPs exposed via their respective routers/firewalls.
    • Enabling STUN requires opening up port 3478 and allowing STUN packets.
  • TURN/Relay: In the Admin console, Enable the use of relay servers is selected.
    • Packets are sent to a Google service and relayed through Google data center(s) to the other end of the connection.
    • Enabling TURN also requires opening port 3478 for UDP / TCP (one or both) traffic. UDP is preferred over TCP due to superior performance. Chrome Remote Desktop will fall back to TCP if UDP is blocked.
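
The firewall table and the connection types above tie each allow rule to a policy setting. The following added example (not part of Google's documentation) derives the expected outbound rules from a set of policy values and lists the ones a firewall allow list does not cover. The `Flow` layout, the function names, the placeholder strings for IP ranges, the 1024-65535 stand-in for "dynamic range", the choice to apply the UDP port range to UDP flows only, and the sample policy and allow list are assumptions made for illustration.

```python
from typing import NamedTuple

SIGNALING_IP = "74.125.247.128"    # signaling service IP given on the page
GOOGLE = "GOOGLE_SERVICES_RANGES"  # placeholder: published Google IP ranges
PRIVATE = "PRIVATE_NETWORK_RANGE"  # placeholder: your internal address space
DYNAMIC = (1024, 65535)            # assumption: stand-in for "dynamic range"

class Flow(NamedTuple):
    dst: str
    proto: str
    ports: tuple  # inclusive (low, high)

def parse_udp_port_range(value):
    """Parse RemoteAccessHostUdpPortRange ('min-max'); empty means no limit."""
    if not value:
        return DYNAMIC
    low, high = (int(part) for part in value.split("-"))
    if not 0 < low <= high <= 65535:
        raise ValueError(f"invalid port range: {value!r}")
    return (low, high)

def required_flows(policy):
    """Outbound allow rules the page's firewall table implies for a policy set."""
    traversal = policy["RemoteAccessHostFirewallTraversal"]
    relay = traversal and policy["RemoteAccessHostAllowRelayedConnection"]
    udp = parse_udp_port_range(policy.get("RemoteAccessHostUdpPortRange", ""))
    flows = [Flow(GOOGLE, p, (443, 443)) for p in ("tcp", "udp")]
    if traversal:  # STUN and TURN both need port 3478
        flows += [Flow(GOOGLE, p, (3478, 3478)) for p in ("tcp", "udp")]
    dynamic_dsts = [PRIVATE] + ([SIGNALING_IP] if relay else [])
    for dst in dynamic_dsts:  # the policy narrows UDP only; TCP stays dynamic
        flows += [Flow(dst, "udp", udp), Flow(dst, "tcp", DYNAMIC)]
    return flows

def missing_flows(policy, allow_rules):
    """Required flows not fully covered by any single allow rule."""
    def covered(f):
        return any(r.dst == f.dst and r.proto == f.proto and
                   r.ports[0] <= f.ports[0] and f.ports[1] <= r.ports[1]
                   for r in allow_rules)
    return [f for f in required_flows(policy) if not covered(f)]

# Constructed sample data: policy values and a firewall allow list.
POLICY = {"RemoteAccessHostFirewallTraversal": True,
          "RemoteAccessHostAllowRelayedConnection": True,
          "RemoteAccessHostUdpPortRange": "12400-12409"}
ALLOW = [Flow(GOOGLE, "tcp", (443, 443)), Flow(GOOGLE, "udp", (443, 443)),
         Flow(GOOGLE, "udp", (3478, 3478)), Flow(PRIVATE, "udp", (12400, 12409)),
         Flow(PRIVATE, "tcp", DYNAMIC)]
print(missing_flows(POLICY, ALLOW))
```

With firewall traversal turned off in the policy set, the same allow list has no gaps, because port 3478 and the signaling IP are no longer required.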

Admin console flow

When creating a Chrome Remote Desktop session in the Admin console, the workflow is as follows:

  1. In the Admin console, admin selects machine to connect to using Chrome Remote Desktop.
  2. Client machine sends request to cloud API via Admin console UI to start remote session with selected device.
  3. Google Cloud services send a command to the managed host ChromeOS device.
  4. The RemoteCommand service on the managed host ChromeOS device registers a new support host instance with the Chrome Remote Desktop service using an OAuth access token.
  5. The Chrome Remote Desktop host instance returns an access code that is a combination of its Host ID and a secret code.
  6. The RemoteCommand service sends the access code from the host to the Admin console.
  7. The Google Cloud service returns connection information to the client.
  8. The client admin console opens the Chrome Remote Desktop website with the access code as a URL parameter.
  9. The connection proceeds through the P2P setup steps per Direct/STUN/TURN methods, depending on your policy settings.
  10. Live view is streamed via UDP or TCP on a dynamically assigned port, with a port range configurable via enterprise policy.

Chrome Enterprise policy list

To find Chrome Remote Desktop policies, go to the Chrome Enterprise policy list and type remote in the Search policies box. See all the policies listed in the Remote access section. 
