Portainer Agent on Windows: Fixing LAN Access
Portainer makes managing Docker containers simple, and the Portainer Agent allows you to manage multiple Docker hosts from a central Portainer instance. But if you’re running Docker Desktop on Windows, making the agent accessible from other computers on your local network can be tricky.
In this post, I show how to solve this common LAN connectivity issue.
The goal is to access the agent from another computer on the LAN.
Note: Please see my other post about Updating Docker Containers
Note: Written with the help of my research team 🙂 including: (Google Gemini, Google Notebook LM, Microsoft Copilot, Perplexity.ai, Claude.ai and others as needed)
My Setup
We were running:
- Windows 11 with Docker Desktop (WSL2 backend)
- Portainer Agent in a Docker container
- Full Portainer running on a different Windows 11 computer on my LAN.
The agent was started with the typical command:
docker run -d -p 9100:9001 --name portainer_agent --restart=always `
-v /var/run/docker.sock:/var/run/docker.sock `
-v /var/lib/docker/volumes:/var/lib/docker/volumes `
-v /:/host `
portainer/agent:2.33.5
Locally, everything worked:
curl http://localhost:9100/ping
# Output: Agent successful
The Problem
When trying to access the agent from any other PC on my LAN:
curl http://192.168.4.39:9100/ping
We got errors like:
Client sent an HTTP request to an HTTPS server
or
context deadline exceeded
Cause: On Windows with Docker Desktop + WSL2, published ports bind only to localhost by default. Also, wslrelay.exe can intercept ports, preventing LAN access.
The Solution
1. Pick a free port
We ran the agent on 9100 instead of 9001 to avoid conflicts.
2. Set up a persistent port proxy
This forwards LAN traffic to the agent inside Docker Desktop:
Open PowerShell as Administrator:
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9100 connectaddress=127.0.0.1 connectport=9100
- 0.0.0.0 → listens on all network interfaces
- 127.0.0.1:9100 → where the agent is running inside Docker
3. Allow the port through Windows Firewall
netsh advfirewall firewall add rule name="PortainerAgent" dir=in action=allow protocol=TCP localport=9100
4. Test from another computer
curl http://192.168.4.39:9100/ping
# Output: Agent successful
Now the Portainer Agent is reachable from any computer on the local network.
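The firewall rule from step 3 accepts connections from any source address. As an added example (not part of the original post), the PowerShell below re-creates that rule so only the PC running the full Portainer instance can reach port 9100, then reports the resulting scope. The function names are hypothetical and 192.168.4.20 is a constructed sample address for the Portainer server.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
# Function names and the sample server address are assumptions for illustration.

function Set-AgentFirewallScope {
    param(
        [Parameter(Mandatory)][ipaddress]$ServerAddress,  # PC running the full Portainer instance
        [int]$Port = 9100,
        [string]$RuleName = 'PortainerAgent'
    )
    # The name= given to netsh is the DisplayName seen by the NetSecurity cmdlets.
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    # Allow only the Portainer server, and only while on a Private network profile.
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $Port `
        -RemoteAddress $ServerAddress.IPAddressToString -Profile Private | Out-Null
}

function Get-AgentFirewallScope {
    param([string]$RuleName = 'PortainerAgent')
    # Report who each matching rule lets in; OpenToAnySource should be False afterwards.
    foreach ($rule in @(Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Rule            = $rule.DisplayName
            Enabled         = $rule.Enabled
            Profile         = $rule.Profile
            RemoteAddress   = $remote -join ','
            OpenToAnySource = [bool]($remote -contains 'Any')
        }
    }
}

Set-AgentFirewallScope -ServerAddress '192.168.4.20'   # constructed sample address
Get-AgentFirewallScope | Format-Table -AutoSize

# Confirm the forwarding entry and which process owns the listener on the agent port.
netsh interface portproxy show v4tov4
Get-NetTCPConnection -LocalPort 9100 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort,
        @{ Name = 'Process'; Expression = { (Get-Process -Id $_.OwningProcess).ProcessName } }
```

If the LAN connection is classified as Public, the Private-only rule will not match; Get-NetConnectionProfile shows the current category.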
Tips & Notes
- The portproxy and firewall rules are persistent across reboots.
- If your Windows PC uses DHCP, consider a static LAN IP or keep listenaddress=0.0.0.0.
- The agent should never be exposed directly to the internet without proper TLS.
Conclusion
Running the Portainer Agent on Windows with Docker Desktop is straightforward — once you know how to make it accessible on your LAN. Using a different port and a persistent port proxy solves the common issue where the agent works locally but cannot be reached from other devices.

