Original URL: | https://blogs.technet.microsoft.com/pki/2010/06/25/firewall-rules-for-active-directory-certificate-services/ |
Post name: | Firewall Rules for Active Directory Certificate Services |
Original author: | oshekel |
Posting date: | 2010-06-25T14:54:00+00:00 |
Below is a list of the ports that need to be opened on Active Directory Certificate Services servers (and the Domain Controllers they talk to) to enable HTTP-based and DCOM-based certificate enrollment.
| Protocol | Port | From | To | Action | Comments |
|---|---|---|---|---|---|
| Kerberos | 464 | Certificate Enrollment Web Services | Domain Controllers (DC) | Allow | Source: Certificate Enrollment Web Services; Destination: DC; Service: Kerberos (network port tcp/464) |
| LDAP | 389 | Certificate Enrollment Web Services | Domain Controllers (DC) | Allow | Source: Certificate Enrollment Web Services; Destination: DC; Service: LDAP (network port tcp/389) |
| LDAP | 636 | Certificate Enrollment Web Services | Domain Controllers (DC) | Allow | Source: Certificate Enrollment Web Services; Destination: DC; Service: LDAP (network port tcp/636) |
| DCOM/RPC | Random port above port 1023 | Certificate Enrollment Web Services; all XP clients requesting certs | CA | Allow | See http://support.microsoft.com/kb/154596/en-us for details on RPC/DCOM configuration |
| HTTPS | 443 | All clients requesting certs | Certificate Enrollment Web Services | Allow | Source: Windows 7 client; Destination: Certificate Enrollment Web Services; Service: https (network port tcp/443) |
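As an added example (not part of the original post), the rows above expressed as inbound Windows Firewall rules with the NetSecurity cmdlets, each scoped to the source hosts the table names rather than to any address. It assumes a Windows version that ships the NetSecurity module, and `$Role`, `$CesServers` and `$ClientSubnet` are placeholders to replace with the role of the server the script runs on and the real addresses.

```powershell
# Added example, not from the original post. Run once per server role.
$Role         = 'DC'                 # placeholder: one of DC, CA, CES
$CesServers   = @('10.0.0.10')       # placeholder: Certificate Enrollment Web Services host(s)
$ClientSubnet = '10.0.1.0/24'        # placeholder: subnet of clients requesting certs

# One entry per table row, keyed by the host that must accept the connection.
$rules = @{
    DC = @(
        @{ Name = 'ADCS-CES-Kerberos-464'; Port = 464; Remote = $CesServers }
        @{ Name = 'ADCS-CES-LDAP-389';     Port = 389; Remote = $CesServers }
        @{ Name = 'ADCS-CES-LDAP-636';     Port = 636; Remote = $CesServers }
    )
    CA = @(
        # DCOM/RPC uses a dynamic port above 1023; the 'RPC' keyword makes the
        # firewall match the RPC dynamic range (KB154596 describes fixing that range).
        @{ Name = 'ADCS-CA-DCOM-RPC'; Port = 'RPC'; Remote = ($CesServers + $ClientSubnet) }
    )
    CES = @(
        @{ Name = 'ADCS-CES-HTTPS-443'; Port = 443; Remote = $ClientSubnet }
    )
}

foreach ($r in $rules[$Role]) {
    # Idempotent: skip rules that already exist under the same display name.
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) { continue }
    New-NetFirewallRule -DisplayName $r.Name -Group 'AD CS Enrollment' `
        -Direction Inbound -Protocol TCP -LocalPort $r.Port `
        -RemoteAddress $r.Remote -Action Allow -Profile Domain | Out-Null
    Write-Host "Created rule $($r.Name) (tcp/$($r.Port) from $($r.Remote -join ', '))"
}
```

Review the result with `Get-NetFirewallRule -Group 'AD CS Enrollment' | Get-NetFirewallAddressFilter` to confirm each rule carries only the intended source addresses.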