
Active Directory requires port communication forest to forest, domain to domain, and client to domain controller. Below are the ports that have to be allowed for this communication to succeed.
In general, when a firewall separates domain controller communication, these are the ports to be allowed through the firewall.
Not all of the ports listed below are required in every scenario. For example, if the firewall separates members and DCs, you do not have to open the FRS or DFSR ports. Also, if you know that no clients use LDAP with SSL/TLS, you do not have to open ports 636 and 3269.
UDP and TCP port 135 for domain controller to domain controller and client to domain controller operations.
TCP port 139 and UDP port 138 for the File Replication Service between domain controllers.
UDP port 389 for LDAP, handling normal queries from client computers to the domain controllers.
TCP and UDP port 445 for the File Replication Service.
TCP and UDP port 464 for Kerberos password change.
TCP ports 3268 and 3269 for the Global Catalog from client to domain controller.
TCP and UDP port 53 for DNS from client to domain controller and from domain controller to domain controller.
UDP port 123 for the time service (W32Time).
UDP for Netlogon and NetBIOS.
TCP port 139 for the NetBIOS session service.
Client port(s)           | Server port      | Service
49152-65535/UDP          | 123/UDP          | W32Time
49152-65535/TCP          | 135/TCP          | RPC Endpoint Mapper
49152-65535/TCP          | 464/TCP/UDP      | Kerberos password change
49152-65535/TCP          | 49152-65535/TCP  | RPC for LSA, SAM, Netlogon (*)
49152-65535/TCP/UDP      | 389/TCP/UDP      | LDAP
49152-65535/TCP          | 636/TCP          | LDAP SSL
49152-65535/TCP          | 3268/TCP         | LDAP GC
49152-65535/TCP          | 3269/TCP         | LDAP GC SSL
53, 49152-65535/TCP/UDP  | 53/TCP/UDP       | DNS
49152-65535/TCP          | 49152-65535/TCP  | FRS RPC (*)
49152-65535/TCP/UDP      | 88/TCP/UDP       | Kerberos
49152-65535/TCP/UDP      | 445/TCP          | SMB (**)
49152-65535/TCP          | 49152-65535/TCP  | DFSR RPC (*)
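As an added example that is not part of the original post, the following Python script turns the port table above into a scenario-aware allow list. It parses entries such as `53, 49152-65535/TCP/UDP` into explicit port ranges per transport, drops the FRS and DFSR rows when the firewall only separates members from domain controllers, and drops the 636 and 3269 rows when no client uses LDAP over SSL/TLS. The rule rows are copied from the post; the scenario names `member-to-dc` and `dc-to-dc`, the `ldaps_in_use` switch and the function names are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Port table as listed in the post: (client ports, server ports, service).
PORT_TABLE = [
    ("49152-65535/UDP", "123/UDP", "W32Time"),
    ("49152-65535/TCP", "135/TCP", "RPC Endpoint Mapper"),
    ("49152-65535/TCP", "464/TCP/UDP", "Kerberos password change"),
    ("49152-65535/TCP", "49152-65535/TCP", "RPC for LSA, SAM, Netlogon (*)"),
    ("49152-65535/TCP/UDP", "389/TCP/UDP", "LDAP"),
    ("49152-65535/TCP", "636/TCP", "LDAP SSL"),
    ("49152-65535/TCP", "3268/TCP", "LDAP GC"),
    ("49152-65535/TCP", "3269/TCP", "LDAP GC SSL"),
    ("53, 49152-65535/TCP/UDP", "53/TCP/UDP", "DNS"),
    ("49152-65535/TCP", "49152-65535/TCP", "FRS RPC (*)"),
    ("49152-65535/TCP/UDP", "88/TCP/UDP", "Kerberos"),
    ("49152-65535/TCP/UDP", "445/TCP", "SMB (**)"),
    ("49152-65535/TCP", "49152-65535/TCP", "DFSR RPC (*)"),
]

# Replication paths that only exist between domain controllers (post: "FRS or DFSR ports").
DC_ONLY_SERVICES = {"FRS RPC (*)", "DFSR RPC (*)"}
# Rows that only matter if clients actually use LDAP over SSL/TLS (post: ports 636 and 3269).
LDAPS_SERVICES = {"LDAP SSL", "LDAP GC SSL"}
# Assumed scenario names for this example.
SCENARIOS = {"member-to-dc", "dc-to-dc"}


@dataclass(frozen=True)
class PortRange:
    low: int
    high: int
    proto: str  # "TCP" or "UDP"

    def __str__(self):
        span = str(self.low) if self.low == self.high else f"{self.low}-{self.high}"
        return f"{span}/{self.proto}"


def parse_ports(spec):
    """Expand '53, 49152-65535/TCP/UDP' into one PortRange per span and transport."""
    body, *protos = spec.replace(" ", "").split("/")
    if not protos:
        raise ValueError(f"no transport in port spec: {spec!r}")
    ranges = []
    for span in body.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", span)
        if not m:
            raise ValueError(f"bad port span: {span!r}")
        low = int(m.group(1))
        high = int(m.group(2) or low)
        if not 0 < low <= high <= 65535:
            raise ValueError(f"port span out of range: {span!r}")
        for proto in protos:
            ranges.append(PortRange(low, high, proto.upper()))
    return ranges


def allow_list(scenario, ldaps_in_use=True):
    """Return [(service, client ranges, server ranges)] needed for the given firewall scenario."""
    if scenario not in SCENARIOS:
        raise ValueError(f"unknown scenario: {scenario!r}")
    rules = []
    for client, server, service in PORT_TABLE:
        if scenario == "member-to-dc" and service in DC_ONLY_SERVICES:
            continue  # replication never crosses a member/DC firewall
        if not ldaps_in_use and service in LDAPS_SERVICES:
            continue  # nobody talks LDAP over SSL/TLS, so 636/3269 stay closed
        rules.append((service, parse_ports(client), parse_ports(server)))
    return rules


if __name__ == "__main__":
    # Print the minimal member-to-DC rule set for an environment without LDAPS clients.
    for service, client, server in allow_list("member-to-dc", ldaps_in_use=False):
        print(f"{service:32} {', '.join(map(str, client))} -> {', '.join(map(str, server))}")
```

The `dc-to-dc` scenario keeps every row, including the dynamic RPC ranges used by LSA/SAM/Netlogon, FRS and DFSR; the `member-to-dc` scenario without LDAPS leaves nine rows. Feeding the parsed ranges into the firewall product of your choice is left to the reader, since the syntax differs per vendor.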
Protocol                         | Service                       | Port(s) / ICMP type
RDP                              | Remote Desktop                | 3389
DNS                              | DNS Download                  | 53
DNS                              | DNS Queries                   | 53
WINS Replication                 | WINS                          | 42
ICMP                             | echo-request                  | ICMP type 8
ICMP                             | info-request                  | ICMP type 15
ICMP                             | mask request                  | ICMP type 17
ICMP                             | timestamp                     | ICMP type 13
NetBIOS Services                 | Name Resolution Service       | 137 (TCP), 137 (UDP)
NetBIOS Services                 | Datagram Services (Browsing)  | 138
NetBIOS Services                 | Session Service (net use)     | 139
SMB                              | Input                         | 445
SMB                              | Output                        | 445
SMB                              | Remote Storm                  | 1025
NTP                              | NTP                           | 123
Content Replication              | Content_Repl                  | 507
Kerberos                         | Kerberos-Secure               | 750
Kerberos                         | Kerberos_v5                   | 88 + 464
LDAP                             | LDAP                          | 389
LDAP                             | LDAP over SSL/TLS             | 636 (TCP), 636 (UDP)
LDAP                             | Global Catalog                | 3268
LDAP                             | Global Catalog over SSL/TLS   | 3269
Replication                      | Active Directory              | RPCSS Dynamic
Replication                      | FRS                           | RPCSS Dynamic
Microsoft CIFS                   | Microsoft-CIFS (DS)           | 445
RPC - Cert Services (+)          | RPC                           | 135
SNMP                             | SNMP Agent                    | 161
SNMP                             | SNMP Trap                     | 162
ASP.Net State Service            |                               | 42424
Link State Algorithm Routing     |                               | 691
TCP - High Ports (Cert Services) | > 1023                        | 1024-65535
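As an added example that is not part of the original post, the following Python script checks from a member machine which of the fixed TCP listener ports from the tables above actually answer on a domain controller. It distinguishes a listener that accepts the connection (open), a host that actively refuses it (closed) and a connection that times out, which is what a firewall that silently drops the traffic looks like from the client (filtered). The DC address, the port list, the timeout and the function names are assumptions of this example; the built-in demo starts a throwaway loopback listener so it runs offline.

```python
import socket
import threading
from contextlib import closing

# Fixed TCP listener ports on a domain controller, taken from the tables in the post.
DC_TCP_PORTS = {
    53: "DNS",
    88: "Kerberos",
    135: "RPC Endpoint Mapper",
    139: "NetBIOS Session Service",
    389: "LDAP",
    445: "SMB",
    464: "Kerberos password change",
    636: "LDAP SSL",
    3268: "LDAP GC",
    3269: "LDAP GC SSL",
}


def check_tcp(host, port, timeout=2.0):
    """Classify one TCP port as 'open', 'closed' (RST received), 'filtered' (timeout) or 'unreachable'."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"  # host answered with RST: nothing listens, firewall let us through
        except socket.timeout:
            return "filtered"  # no answer at all: typically dropped by a firewall
        except OSError:
            return "unreachable"  # no route, DNS failure, etc.


def audit(host, ports=DC_TCP_PORTS, timeout=2.0):
    """Check every port in `ports` against `host` and return {port: state}."""
    return {port: check_tcp(host, port, timeout) for port in ports}


def missing_rules(results, required=DC_TCP_PORTS):
    """Ports a client expects to reach on a DC that did not come back 'open'."""
    return sorted(p for p in required if results.get(p) != "open")


def start_loopback_listener():
    """Start a constructed listener on 127.0.0.1 for the offline demo; returns (server socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # server socket closed, stop the thread
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


if __name__ == "__main__":
    # Demo against the constructed loopback listener instead of a real DC.
    srv, port = start_loopback_listener()
    results = audit("127.0.0.1", ports=[port, 3269], timeout=1.0)
    for p, state in results.items():
        print(f"{p:6} {DC_TCP_PORTS.get(p, 'demo listener'):26} {state}")
    print("not open:", missing_rules(results, required=results))
    srv.close()
```

Against a real domain controller, replace the loopback address with the DC and leave `ports` at the default. The RPC dynamic range 49152-65535 is deliberately not probed: which port in that range a given service answers on is assigned at runtime through the endpoint mapper on 135, so a plain connect scan of the range says little, and a "filtered" result on 135 itself is the signal to look at.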
Reference: https://support.microsoft.com/en-us/help/179442/how-to-configure-a-firewall-for-domains-and-trusts