Active Directory Firewall Ports

You might want to set up a Web Active Directory solution in your DMZ and have it work with an Active Directory server behind the firewall on your internal network. You need to open up the appropriate ports to allow this communication from your DMZ to domain controllers behind the firewall on your internal network.

The following information helps you understand the Active Directory firewall ports you should open from your DMZ to your internal network to allow communication from a DMZ machine to an internal Active Directory domain controller. These ports relate to Active Directory and you should only need to open them if you do not have a Global Catalog (GC) or Domain Controller (DC) in your DMZ.

You might also need to open some additional RPC ports; that question is best answered by your Microsoft technical account manager. The references below also contain useful background.

Minimum Ports to Open

You need to open at least the following two ports from your DMZ to your internal network to allow basic Active Directory communication.

    • Lightweight Directory Access Protocol (LDAP): 389
    • Remote Procedure Call (RPC) to support Active Directory replication: 445

Optional Ports to Open

To enable replication over dynamic RPC, configure your firewall to permit the following (taken from the Microsoft “Active Directory Replication over Firewalls” article cited in the References section).

    • RPC endpoint mapper: 135/tcp, 135/udp
    • Network basic input/output system (NetBIOS) name service: 137/tcp, 137/udp
    • NetBIOS datagram service: 138/udp
    • NetBIOS session service: 139/tcp
    • RPC dynamic assignment: 1024-65535/tcp
    • Server message block (SMB) over IP (Microsoft-DS): 445/tcp, 445/udp
    • Lightweight Directory Access Protocol (LDAP): 389/tcp
    • LDAP ping: 389/udp
    • LDAP over SSL: 636/tcp
    • Global catalog LDAP: 3268/tcp
    • Global catalog LDAP over SSL: 3269/tcp
    • Kerberos: 88/tcp, 88/udp
    • Domain Name Service (DNS): 53/tcp, 53/udp
    • Windows Internet Naming Service (WINS) resolution (if required): 1512/tcp, 1512/udp
    • WINS replication (if required): 42/tcp, 42/udp
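The two lists above use a protocol/port notation that is easy to mis-transcribe into firewall rules. As an added example (not from the article or from the Web Active Directory product), this Python script parses that notation, reports which services a proposed DMZ-to-DC allow list leaves uncovered, and includes a TCP reachability check to run from the DMZ host against a domain controller. The minimum list gives no protocol, so TCP is assumed for 389 and 445; the service names in the dictionaries, the `REPLICATION` subset and the sample rule set are constructed for the example.

```python
import socket
from dataclasses import dataclass

@dataclass(frozen=True)
class PortRule:
    """One protocol/port-range entry, e.g. 389/tcp or 1024-65535/tcp."""
    proto: str
    lo: int
    hi: int

    def covers(self, need: "PortRule") -> bool:
        return self.proto == need.proto and self.lo <= need.lo and need.hi <= self.hi

def parse_spec(spec: str) -> list[PortRule]:
    """Parse the article's notation: '135/tcp, 135/udp' or '1024-65535/tcp'."""
    rules = []
    for item in spec.split(","):
        ports, proto = item.strip().split("/")
        lo, _, hi = ports.partition("-")
        rules.append(PortRule(proto.strip().lower(), int(lo), int(hi or lo)))
    return rules

# Service -> ports, copied from the two lists above. The minimum list names no
# protocol, so TCP is assumed for 389 and 445 (matching the second list).
MINIMUM = {"LDAP": "389/tcp", "SMB (Microsoft-DS)": "445/tcp"}
REPLICATION = {
    "RPC endpoint mapper": "135/tcp, 135/udp",
    "RPC dynamic assignment": "1024-65535/tcp",
    "SMB (Microsoft-DS)": "445/tcp, 445/udp",
    "LDAP": "389/tcp",
    "LDAP ping": "389/udp",
    "LDAP over SSL": "636/tcp",
    "Global catalog LDAP": "3268/tcp",
    "Kerberos": "88/tcp, 88/udp",
    "DNS": "53/tcp, 53/udp",
}

def missing_services(allowed_specs: list[str], needed: dict[str, str]) -> list[str]:
    """Return services whose ports are not fully covered by the allow rules."""
    allowed = [r for spec in allowed_specs for r in parse_spec(spec)]
    return [name for name, spec in needed.items()
            if not all(any(a.covers(n) for a in allowed) for n in parse_spec(spec))]

def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Live check from the DMZ host: does a TCP handshake to the DC complete?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

An allow rule narrower than a listed range (for example 49152-65535/tcp against the 1024-65535/tcp entry) is reported as a gap, which is the usual cause of replication working intermittently through a DMZ firewall.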

References

Related Articles

    • Configuring Active Directory applications in a DMZ
    • How is the communication channel from Web Active Directory products to Active Directory secured?
    • Check effective permissions in Active Directory
    • Why do Active Directory Permissions Revert After I Set Them?
    • Replicate Attributes to the Active Directory Global Catalog