Active Directory Firewall Ports

You might want to deploy a Web Active Directory solution in your DMZ and have it work with Active Directory domain controllers that sit behind the firewall on your internal network. For that to work you need to open the appropriate ports so the DMZ host can reach those domain controllers through the firewall.

The following information helps you understand the Active Directory firewall ports you should open from your DMZ to your internal network so that a DMZ machine can communicate with an internal Active Directory domain controller. These ports relate to Active Directory itself, and you should only need to open them if you do not have a Global Catalog (GC) or Domain Controller (DC) in your DMZ.

There might be additional RPC ports you need to open; that question is best answered by your Microsoft technical account manager. The references also contain good information to help you dig further. Whatever you open, scope each rule to the specific DMZ host (or hosts) as the source and the specific domain controllers as the destination rather than allowing the whole DMZ subnet to reach the internal network on these ports.

Minimum Ports to Open

You need to open at least the following two ports from your DMZ to your internal network to allow basic Active Directory communication.

    • Lightweight Directory Access Protocol (LDAP): 389/tcp
    • Server Message Block (SMB) over IP (Microsoft-DS), which also carries RPC over named pipes: 445/tcp

Note that 389 is plaintext LDAP: a simple bind over it sends the application's service account password in the clear across the DMZ boundary. If the application supports it, prefer LDAP over SSL (636/tcp, listed below) or require LDAP signing on the domain controllers.

Optional Ports to Open

To enable replication over dynamic RPC, configure your firewall to permit the following (from Microsoft “Active Directory Replication over Firewalls” article in References section).

    • RPC endpoint mapper: 135/tcp, 135/udp
    • Network basic input/output system (NetBIOS) name service: 137/tcp, 137/udp
    • NetBIOS datagram service: 138/udp
    • NetBIOS session service: 139/tcp
    • RPC dynamic assignment: 1024-65535/tcp (the Windows 2000/2003 default; Windows Server 2008 and later default to 49152-65535/tcp, and the NTDS replication port can be pinned to a single fixed port with the "TCP/IP Port" value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters so you do not have to open the whole range)
    • Server message block (SMB) over IP (Microsoft-DS): 445/tcp, 445/udp
    • Lightweight Directory Access Protocol (LDAP): 389/tcp
    • LDAP ping: 389/udp
    • LDAP over SSL: 636/tcp
    • Global catalog LDAP: 3268/tcp
    • Global catalog LDAP over SSL: 3269/tcp
    • Kerberos: 88/tcp, 88/udp
    • Domain Name Service (DNS): 53/tcp, 53/udp
    • Windows Internet Naming Service (WINS) resolution (if required): 1512/tcp, 1512/udp
    • WINS replication (if required): 42/tcp, 42/udp
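The script below is an added example, not part of the original article and not code from Web Active Directory, for checking both lists above from the DMZ host once the firewall rules are in place. It probes each TCP port and distinguishes "open" from "closed" (the DC answered with a reset, so the firewall is passing traffic but nothing listens) and "filtered" (no answer, the usual sign of a firewall dropping the packet). A UDP port cannot be tested with a plain connect, so for 389/udp it sends a real Netlogon "LDAP ping" (the CLDAP search a domain member uses to locate a DC, built here by hand in BER) and reports the port open only if the DC replies. The DC address and DNS domain name are passed on the command line; the `port` parameter on `cldap_ping` exists only so the function can be exercised against a lab listener, and the port table is taken from the lists on this page.

```python
#!/usr/bin/env python3
"""Probe an internal domain controller from a DMZ host on the AD firewall ports."""
import socket
import struct
import sys

# (name, port, protocol, required) -- taken from the two port lists on this page.
PORTS = [
    ("LDAP", 389, "tcp", True),
    ("SMB / Microsoft-DS", 445, "tcp", True),
    ("RPC endpoint mapper", 135, "tcp", False),
    ("Kerberos", 88, "tcp", False),
    ("DNS", 53, "tcp", False),
    ("LDAP over SSL", 636, "tcp", False),
    ("Global catalog LDAP", 3268, "tcp", False),
    ("Global catalog LDAP over SSL", 3269, "tcp", False),
    ("LDAP ping (CLDAP)", 389, "udp", False),
]


def tcp_probe(host, port, timeout=3.0):
    """'open' = three-way handshake completed; 'closed' = RST came back (reachable,
    nothing listening); 'filtered' = no answer or unreachable (firewall drop)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, OSError):
            return "filtered"


def ber(tag, payload):
    """Encode one BER TLV with definite length (short form < 128, long form otherwise)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def ber_int(value):
    """INTEGER for the small non-negative values this message needs (0..127)."""
    return ber(0x02, bytes([value]))


def build_cldap_ping(domain, nt_version=0x00000006):
    """LDAPMessage { messageID 1, searchRequest { base "", scope baseObject,
    (&(DnsDomain=<domain>)(NtVer=<nt_version>)), attributes [netlogon] } }.
    This is the Netlogon LDAP ping a domain member sends over 389/udp (MS-ADTS 6.3.3)."""
    def eq(attr, value):                       # equalityMatch, context tag [3]
        return ber(0xA3, ber(0x04, attr) + ber(0x04, value))
    filt = ber(0xA0, eq(b"DnsDomain", domain.encode())       # and, context tag [0]
                     + eq(b"NtVer", struct.pack("<I", nt_version)))
    search = (
        ber(0x04, b"")                         # baseObject: rootDSE
        + ber(0x0A, b"\x00")                   # scope: baseObject
        + ber(0x0A, b"\x00")                   # derefAliases: neverDerefAliases
        + ber_int(0)                           # sizeLimit
        + ber_int(0)                           # timeLimit
        + ber(0x01, b"\x00")                   # typesOnly: FALSE
        + filt
        + ber(0x30, ber(0x04, b"netlogon"))    # attributes: netlogon
    )
    return ber(0x30, ber_int(1) + ber(0x63, search))   # [APPLICATION 3] searchRequest


def cldap_ping(host, domain, port=389, timeout=3.0):
    """Send the LDAP ping over UDP; True only if an LDAPMessage (0x30) comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_cldap_ping(domain), (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except OSError:                        # timeout, or ICMP unreachable surfaced
            return False
        return len(data) > 0 and data[0] == 0x30


def audit(host, domain, timeout=3.0):
    """Probe every entry in PORTS; returns {(port, proto): status}."""
    results = {}
    for _name, port, proto, _required in PORTS:
        if proto == "tcp":
            results[(port, proto)] = tcp_probe(host, port, timeout)
        else:
            results[(port, proto)] = "open" if cldap_ping(host, domain, port, timeout) else "no reply"
    return results


def missing_required(results):
    """Required ports that did not come back 'open'."""
    return [(p, proto) for _n, p, proto, req in PORTS if req and results.get((p, proto)) != "open"]


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: adport_probe.py <dc-ip-or-name> <dns-domain>")
    dc, dom = sys.argv[1:]
    res = audit(dc, dom)
    for name, port, proto, required in PORTS:
        print(f"{port:>5}/{proto}  {res[(port, proto)]:<9} {'required' if required else 'optional':<8} {name}")
    if missing_required(res):
        sys.exit(1)
```

Run it from the DMZ host as `python3 adport_probe.py dc01.corp.example corp.example` (hostname and domain are placeholders); a non-zero exit means one of the two required ports is not open. A "filtered" result on an optional port is expected if you chose not to open it; a "filtered" result on 389/tcp or 445/tcp is the firewall rule you still need.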

References
