Virtualisation Technology Architecture and Industry Comments from the Front-Lines


I found it hard to find a definitive list on the internet of which ports need opening for Active Directory replication across firewalls. Here are my findings; everything is working, so I hope this helps someone else.

| Category | Service | TCP | UDP | ICMP |
|---|---|---|---|---|
| RDP | Remote Desktop | 3389 | | |
| DNS | DNS Download | 53 | | |
| | DNS Queries | | 53 | |
| WINS Replication | WINS | 42 | | |
| | WINS | | 42 | |
| ICMP | echo-request | | | 8 |
| | info-request | | | 15 |
| | mask request | | | 17 |
| | timestamp | | | 13 |
| NetBIOS Services | Name Resolution Service | 137 | 137 | |
| | Datagram Services (Browsing) | | 138 | |
| | Session Service (net use) | 139 | | |
| SMB | Input | 445 | | |
| | Output | | 445 | |
| | Remote Storm | 1025 | | |
| NTP | NTP | 123 | | |
| | NTP | | 123 | |
| Content Replication | Content_Repl | 507 | | |
| Kerberos | Kerberos-Secure | | 750 | |
| | Kerberos_v5 | 88 + 464 | | |
| | Kerberos_v5 | | 88 + 464 | |
| LDAP | LDAP | 389 | | |
| | LDAP | | 389 | |
| | LDAP over SSL/TLS | 636 | 636 | |
| | Global Catalog | 3268 | | |
| | Global Catalog over SSL/TLS | 3269 | | |
| Replication | Active Directory RPCSS | Dynamic | | |
| | FRS RPCSS | Dynamic | | |
| Microsoft CIFS | Microsoft-CIFS (DS) | 445 | | |
| | Microsoft-CIFS (DS) | | 445 | |
| RPC – Cert Services (+) | RPC | 135 | | |
| SNMP | SNMP Agent | | 161 | |
| | SNMP Trap | 162 | | |
| ASP.Net | State Service | 42424 | | |
| Link State Algorithm | Routing | 691 | | |
| TCP – High Ports (Cert Services) | > 1023 | 1024 - 65535 | | |
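An added example, not part of the original post: the core entries of the table above encoded as data, used both to emit inbound Windows Firewall rules scoped to a trusted subnet (rather than to any source) and to verify that the fixed TCP ports of a domain controller are actually reachable through the firewall. The `netsh advfirewall` syntax assumes Windows Firewall with Advanced Security (Vista/2008 or later); the 10.0.0.0/24 subnet, the rule-name prefix and the DC address are placeholders, and the RPC dynamic range is narrowed to 5000-5100 as in drew's comment below.

```python
import socket

# (service, protocol, port spec) transcribed from the table in the post;
# the RPC dynamic range is narrowed to 5000-5100 as in drew's comment below.
AD_PORTS = [
    ("DNS", "TCP", "53"), ("DNS", "UDP", "53"),
    ("Kerberos v5", "TCP", "88"), ("Kerberos v5", "UDP", "88"),
    ("RPC endpoint mapper", "TCP", "135"),
    ("NetBIOS name service", "UDP", "137"), ("NetBIOS datagram", "UDP", "138"),
    ("NetBIOS session", "TCP", "139"),
    ("LDAP", "TCP", "389"), ("LDAP", "UDP", "389"),
    ("SMB/CIFS", "TCP", "445"),
    ("Kerberos password change", "TCP", "464"), ("Kerberos password change", "UDP", "464"),
    ("LDAP over SSL/TLS", "TCP", "636"),
    ("Global Catalog", "TCP", "3268"), ("Global Catalog over SSL/TLS", "TCP", "3269"),
    ("RPC dynamic (restricted)", "TCP", "5000-5100"),
]


def expand_ports(spec):
    """'5000-5100' -> 5000..5100 inclusive; '88' -> just 88."""
    lo, _, hi = spec.partition("-")
    return range(int(lo), int(hi or lo) + 1)


def firewall_rules(entries=AD_PORTS, remote="10.0.0.0/24", prefix="AD"):
    """Build 'netsh advfirewall' inbound allow rules scoped to the trusted
    subnet `remote` (placeholder) instead of opening each port to any source."""
    return [
        f'netsh advfirewall firewall add rule name="{prefix} {svc} {proto} {port}" '
        f"dir=in action=allow protocol={proto} localport={port} remoteip={remote}"
        for svc, proto, port in entries
    ]


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP handshake completes; a firewall drop shows up as a timeout,
    a reject or a closed port as a connection error."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc(host, entries=AD_PORTS):
    """Probe the fixed TCP ports on a domain controller; returns {port: reachable}.
    UDP and the dynamic RPC range are skipped: nothing is guaranteed to answer there."""
    return {int(spec): tcp_reachable(host, int(spec))
            for _, proto, spec in entries if proto == "TCP" and "-" not in spec}
```

Run `check_dc("dc1.example.internal")` from the far side of the firewall (placeholder hostname); any `False` for a port the table lists points at a missing rule or a service that is not listening.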
posted on Wednesday, May 09, 2007 2:34 AM

Feedback

# re: Active Directory and Firewall Ports 5/25/2007 11:48 AM Aumie
This is excellent; I've been looking for something like this as well. Thanks for making it available.

# re: Active Directory and Firewall Ports 5/31/2007 12:29 PM nsg
I really do hope that this is the definitive guide as I have never found anything that is definitive, not even on the MS support site.

# re: Active Directory and Firewall Ports 7/16/2007 5:30 AM Jack Nielsen
Good work! Thank you!

# re: Active Directory and Firewall Ports 2/25/2009 4:20 AM drew
Sweet, thanks!

I've used this, combined with Microsoft's info on how to restrict RPC services to a limited port list (5000-5100 in this case), and with the power of MS Excel (quick incrementing of port #'s) have created this that can be cut/paste into a command prompt window... I may have missed some, and you may want services open to more than just your subnet (or 3389 RDP not open to all IPs) so use at your own risk ;-)

commands start here:
------------------------
netsh firewall add portopening tcp 3389 3389_tcp_AD_PORTS enable
netsh firewall add portopening tcp 139 139_tcp_AD_PORTS enable subnet
netsh firewall add portopening tcp 445 445_tcp_AD_PORTS enable subnet
netsh firewall add portopening udp 137 137_udp_AD_PORTS enable subnet
netsh firewall add portopening udp 138 138_udp_AD_PORTS enable subnet
netsh firewall add portopening tcp 53 53_tcp_AD_PORTS enable subnet
netsh firewall add portopening udp 53 53_udp_AD_PORTS enable subnet
netsh firewall add portopening tcp 42 42_tcp_AD_PORTS enable subnet
netsh firewall add portopening udp 42 42_udp_AD_PORTS enable subnet
netsh firewall add portopening tcp 137 137_tcp_AD_PORTS enable subnet
netsh firewall add portopening tcp 1025 1025_tcp_AD_PORTS enable subnet
netsh firewall add portopening tcp 123 123_tcp_AD_PORTS enable subnet
netsh firewall add portopening udp 123 123_udp_AD_PORTS enable subnet
netsh firewall add portopening tcp 507 507_tcp_AD_PORTS enable subnet
netsh firewall add portopening udp 750 750_udp_AD_PORTS enable subnet
netsh firewall add portopening tcp 88 88_tcp_AD_PORTS enable subnet
netsh firewall add portopening udp 88 88_udp_AD_PORTS enable subnet
netsh firewall add portopening tcp 464 464_tcp_AD_PORTS enable subnet
netsh firewall add portopening udp 464 464_udp_AD_PORTS enable subnet
netsh firewall add portopening udp 389 389_udp_AD_PORTS enable subnet
netsh firewall add portopening udp 636 636_udp_AD_PORTS enable subnet
netsh firewall add portopening udp 445 445_udp_AD_PORTS enable subnet
netsh firewall add portopening udp 161 161_udp_AD_PORTS enable subnet
netsh firewall add portopening tcp 162 162_tcp_AD_PORTS enable subnet
netsh firewall add portopening tcp 42424 42424_tcp_AD_PORTS enable subnet
netsh firewall add portopening tcp 5000 5000_tcp_AD_PORTS enable subnet
netsh firewall add portopening tcp 5001 5001_tcp_AD_PORTS enable subnet

.... ports omitted due to post size limitations (tcp 5002-5099) ...

netsh firewall add portopening tcp 5100 5100_tcp_AD_PORTS enable subnet
netsh firewall add portopening udp 5000 5000_udp_AD_PORTS enable subnet
netsh firewall add portopening udp 5001 5001_udp_AD_PORTS enable subnet

.... more ports omitted due to post size limitations (udp 5002-5099) ...

netsh firewall add portopening udp 5100 5100_udp_AD_PORTS enable subnet

# re: Active Directory and Firewall Ports 5/22/2009 5:08 AM Jordy Guillon
Very handy. Thanks!

# re: Active Directory and Firewall Ports 7/9/2009 6:08 AM hamid rezaie
Thanks a lot, very useful.

# re: Active Directory and Firewall Ports 7/24/2009 8:27 AM Dan
This helped me out a great deal, thanks a lot!

# re: Active Directory and Firewall Ports 10/10/2009 10:59 AM Adam
Thanks mate - worked like a charm ^.^

It's always good to see a list of errors suddenly disappear. lol.

# re: Active Directory and Firewall Ports 10/12/2009 3:41 AM Business Directory
That's great, I never thought about Active Directory like that before.


# re: Active Directory and Firewall Ports 11/23/2009 11:47 PM traslochi intercontinentali
Wow, I never knew that Active Directory. That's pretty interesting…


# re: Active Directory and Firewall Ports 11/24/2009 9:10 PM Ganesan K
Very good information for all tech people.

# re: Active Directory and Firewall Ports 12/8/2009 12:15 AM mvblack
Thanks a lot

# re: Active Directory and Firewall Ports 2/11/2010 11:14 AM oz2
Try Microsoft's official web page for info...
http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx

# re: Active Directory and Firewall Ports 4/8/2010 8:24 AM Surfboy1971
Does anyone know what firewall ports have to be opened between a client device and a server that is part of a Windows Active Directory domain?

In my example the client is NOT in the same domain as the server.

The Windows 2003 server that is part of the domain does not have the NetBIOS over TCP/IP service installed in its networking configuration. However the client "might" have this service as it might be a Windows 2000 server, or Windows 2003 server with the NetBIOS service installed.

Therefore do I need to open ports:
135 (RPC)
137, 138, 139 (NetBIOS)
1024-65535 (which I can limit to 5000-6000) RPC dynamic ports
53 (DNS)
389/636 (LDAP/Secure LDAP)
3268 (Global Catalog)

OR do I just need:
135 (RPC)
1024-65535 (which I can limit to 5000-6000) RPC dynamic ports

I have read all sorts of pages on the internet that discuss client to server comms but they all assume the client is in the same domain as the server. In my case they are not.

Personally I don't see why the client, who is not in the domain, needs to be able to communicate over the DNS and Global Catalog and LDAP ports because it is NOT the one authenticating the user, it is the server, so obviously the server needs those ports opened up to its domain controllers. Also it doesn't need the NetBIOS ports as the Windows 2003 server does not have the NetBIOS over TCP/IP service installed (regardless of whether the client has it or not).

Many thanks

# re: Active Directory and Firewall Ports 4/15/2010 2:21 AM Firdaus
Thank you :)

# re: Active Directory and Firewall Ports 8/20/2010 2:30 AM mohamad
I need all Active Directory ports for the firewall.

# re: Active Directory and Firewall Ports 1/8/2011 12:04 PM emad
port number

# lovely 3/15/2011 2:41 AM Tory Burch Shoes on sale
I like this article~~
cool~~
thanks for your sharing!!!
I am sure that all visitors will find that very useful


# re: Active Directory and Firewall Ports 3/17/2011 12:22 AM Tory burch outlet
Thanks for the useful information.

# re: Active Directory and Firewall Ports 4/21/2011 1:23 AM newtoryburchoutlet
Thanks so much for providing individuals with such a spectacular possibility to read critical reviews from this web site. It is always very useful and also full of amusement for me personally and my office acquaintances to visit your web site no less than three times weekly to read the fresh guidance you have got. Of course, we are usually amazed for the surprising things served by you. Selected 3 tips in this post are clearly the finest we’ve had.


# re: Active Directory and Firewall Ports 4/29/2011 1:18 PM Bizkit Barrel
Bless you Pal. This was very helpful when I was working on a firewall.

# re: Active Directory and Firewall Ports 11/13/2011 3:23 AM monty
hi please find this

