Retired Microsoft Blog disclaimer

This directory is a mirror of retired "Windows PKI Team" TechNet blog and is provided as is. All posting authorship and copyrights belong to respective authors.
Original URL: https://blogs.technet.microsoft.com/pki/2010/06/25/firewall-rules-for-active-directory-certificate-services/
Post name: Firewall Rules for Active Directory Certificate Services
Original author: oshekel
Posting date: 2010-06-25T14:54:00+00:00


Below is the list of ports that must be reachable between the hosts that take part in Active Directory Certificate Services enrollment (domain controllers, the CA, the Certificate Enrollment Web Services server and the enrolling clients) for HTTP-based and DCOM-based enrollment to work. Each row is an inbound allow rule on the host in the "To" column, scoped to the hosts in the "From" column.

Protocol | Port | From | To | Action | Comments
---------|------|------|----|--------|---------
Kerberos | tcp/464 | Certificate Enrollment Web Services | Domain Controllers (DC) | Allow | Kerberos password change/set (kpasswd). Source: Certificate Enrollment Web Services; destination: DC; service: Kerberos (network port tcp/464)
LDAP | tcp/389 | Certificate Enrollment Web Services | Domain Controllers (DC) | Allow | Source: Certificate Enrollment Web Services; destination: DC; service: LDAP (network port tcp/389)
LDAP | tcp/636 | Certificate Enrollment Web Services | Domain Controllers (DC) | Allow | LDAP over SSL/TLS. Source: Certificate Enrollment Web Services; destination: DC; service: LDAPS (network port tcp/636)
DCOM/RPC | tcp/135 (RPC endpoint mapper) plus a dynamic port above 1023 | Certificate Enrollment Web Services; all Windows XP clients requesting certificates | CA | Allow | See http://support.microsoft.com/kb/154596/en-us for details on RPC/DCOM port configuration
HTTPS | tcp/443 | All clients requesting certificates (e.g. Windows 7) | Certificate Enrollment Web Services | Allow | Source: client (e.g. Windows 7); destination: Certificate Enrollment Web Services; service: https (network port tcp/443)

Notes:

- Port 464 is the Kerberos password change/set (kpasswd) port. Kerberos authentication itself (the AS and TGS exchanges) uses port 88, TCP and UDP, and must also be open from the Certificate Enrollment Web Services server to the domain controllers.

- DCOM enrollment begins with a connection to the RPC endpoint mapper on tcp/135 of the CA. The endpoint mapper returns the dynamic port on which the CA service is listening, and the caller then connects to that port. The dynamic range is 1025-5000 on Windows Server 2003 and earlier and 49152-65535 on Windows Server 2008 and later; the KB article above describes how to restrict the range so that the firewall rule does not have to admit every port above 1023.

- Windows 7 and later clients enroll over HTTPS through the Certificate Enrollment Web Services, which contact the CA over DCOM on the client's behalf, so these clients need only tcp/443 to the web services server. Windows XP clients cannot use the web services and must reach the CA over DCOM directly, which is why they appear in the DCOM/RPC row.

- Scope each rule to the specific source hosts in the "From" column rather than to any address; in particular, the dynamic RPC port on the CA should be reachable only from the web services server and the XP client subnets.
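The following PowerShell is an added example and is not code from the original post. It creates the inbound Windows Firewall rules from the table above with New-NetFirewallRule (Windows Server 2012 / PowerShell 3.0 and later; the 2010 post predates this cmdlet), one function per host role, and adds a reachability check for the fixed ports. All host addresses and rule names are placeholders chosen for the example; tcp/88 is included on the domain controllers because Kerberos authentication needs it even though the table lists only the kpasswd port.

```powershell
# Added example (not from the original post). Run from an elevated prompt:
#   Set-DcRules  on each domain controller
#   Set-CaRules  on the CA
#   Set-CesRules on the Certificate Enrollment Web Services server
# All addresses below are placeholders; replace them with your own.

$CesHosts  = @('10.0.1.10')     # Certificate Enrollment (Policy) Web Services server(s) (assumed)
$ClientNet = @('10.0.0.0/16')   # subnets holding clients that enroll over HTTPS (assumed)
$XpClients = @('10.0.2.0/24')   # Windows XP clients, which enroll over DCOM directly to the CA (assumed)

function Add-InboundRule {
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [string[]] $RemoteAddress,   # scope to the table's "From" hosts, never "any"
        [Parameter(Mandatory)] [string]   $LocalPort,       # a port number, 'RPCEPMap' or 'RPC'
        [string] $Protocol = 'TCP',
        [string] $Program,
        [string] $Service
    )
    # Idempotent: re-running the script must not create duplicate rules.
    if (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue) {
        Write-Warning "Rule '$Name' already exists; leaving it unchanged"
        return
    }
    $params = @{
        DisplayName   = $Name
        Direction     = 'Inbound'
        Action        = 'Allow'
        Profile       = 'Domain'
        Protocol      = $Protocol
        LocalPort     = $LocalPort
        RemoteAddress = $RemoteAddress
    }
    if ($Program) { $params.Program = $Program }
    if ($Service) { $params.Service = $Service }
    New-NetFirewallRule @params | Out-Null
}

# Domain controllers: Kerberos and LDAP/LDAPS from the web services server only.
function Set-DcRules {
    Add-InboundRule -Name 'ADCS: Kerberos from CES'         -RemoteAddress $CesHosts -LocalPort 88
    Add-InboundRule -Name 'ADCS: Kerberos from CES (UDP)'   -RemoteAddress $CesHosts -LocalPort 88 -Protocol UDP
    Add-InboundRule -Name 'ADCS: Kerberos kpasswd from CES' -RemoteAddress $CesHosts -LocalPort 464
    Add-InboundRule -Name 'ADCS: LDAP from CES'             -RemoteAddress $CesHosts -LocalPort 389
    Add-InboundRule -Name 'ADCS: LDAPS from CES'            -RemoteAddress $CesHosts -LocalPort 636
}

# CA: DCOM from the web services server and the XP clients. tcp/135 is served by the RpcSs
# service; the 'RPC' keyword admits only the dynamic port that certsrv.exe actually registered,
# instead of opening the whole dynamic range.
function Set-CaRules {
    $dcomSources = $CesHosts + $XpClients
    Add-InboundRule -Name 'ADCS: RPC endpoint mapper to CA' -RemoteAddress $dcomSources `
        -LocalPort RPCEPMap -Service RpcSs
    Add-InboundRule -Name 'ADCS: RPC dynamic port to CA' -RemoteAddress $dcomSources `
        -LocalPort RPC -Program "$env:SystemRoot\System32\certsrv.exe"
}

# Web services server: HTTPS from every client that enrolls through it.
function Set-CesRules {
    Add-InboundRule -Name 'ADCS: HTTPS to CES' -RemoteAddress $ClientNet -LocalPort 443
}

# Reachability check for the fixed ports, run from the web services server. The dynamic DCOM
# port cannot be probed this way; 'certutil -ping' exercises the full DCOM path to the CA.
function Test-AdcsPorts {
    param([string[]] $DcHosts, [string[]] $CaHosts)
    $targets = @(foreach ($h in $DcHosts) { foreach ($p in 88, 464, 389, 636) { @{ Host = $h; Port = $p } } })
    $targets += @(foreach ($h in $CaHosts) { @{ Host = $h; Port = 135 } })
    foreach ($t in $targets) {
        $r = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $t.Host; Port = $t.Port; Open = $r.TcpTestSucceeded }
    }
}

# Example invocation from the web services server (placeholder addresses):
# Test-AdcsPorts -DcHosts '10.0.0.5', '10.0.0.6' -CaHosts '10.0.1.20' | Format-Table
```

Two design points. Every rule carries a RemoteAddress, so a misconfigured client subnet cannot reach LDAP on a domain controller or the RPC endpoint mapper on the CA through a rule meant for the web services server. And the CA's dynamic-port rule is bound to certsrv.exe with the RPC keyword rather than to the numeric range, so the firewall opens only the port the CA service actually registered; if you must use a numeric range instead, restrict it first as the KB article describes.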

