Question
Friday, April 12, 2019 7:46 AM
Dear Support,
Our VM is on Azure and Certificate Authority (CA) server is on-premises.
Do we only need to follow the web site below to set the firewall ports as follows?
Do we only need to open the incoming ports below on the DC and CA, and the outgoing ports on the Azure VM?
Do we need to open the internal Windows Firewall ports?
Could we only open the incoming ports on the certificate server and the outgoing ports on the client (49152-65535)?
Do we also need to open the firewall ports (49152-65535) on both the certificate server and the client?
- Client to domain controller
  Kerberos port 88 (UDP/TCP)
  LDAP (TCP 389)
  RPC (TCP 135)
  RPC on dynamic port (>1023 TCP)
- Client to certificate server(s) with the template available
  RPC (TCP 135)
  Dynamic RPC (TCP > 1023) for CA servers on Windows 2003 and earlier
  Dynamic RPC (TCP > 49151) for CA servers on newer Windows OS's
Reference:
MS - Certificate autoenrollment behind a firewall
http://myitpath.blogspot.com/2016/07/ms-certificate-autoenrollment-behind.html
Thanks!
Best Regards,
Daniel
All replies (3)
Monday, April 15, 2019 7:26 AM
Hi,
Thanks for your post.
We need to open all in and out ports on domain controller and CA, and do not need to configure these settings on clients. There are dynamic ports on clients.
The two different parts of firewall rules should be configured respectively on DC and CA, including both Inbound Rules and Outbound Rules. Set the Local port to the specified port and Remote port to Any.
And here is a similar issue for a reference.
Thank you for your support and understanding.
Best Regards ,
Kallen
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Thursday, April 18, 2019 3:18 AM
Dear Kallen,
From your answer, we need to open all in and out ports on the Domain Controller (Port 88, 389, 135, 1024-65535) and CA (Port 135, 49152-65535).
Do we also need to open in and out firewall ports (Port 135, 49152-65535) on the member server, because they are separated by the firewall?
Reference:
Certificate Services (Port Requirements)
https://social.technet.microsoft.com/Forums/en-US/f8b1e6c6-9065-4348-8521-6d20995a6a5c/certificate-services-port-requirements?forum=winserversecurity
#1, From Clients to CA: Port 135 and then 49152-65535 for the dynamic high-level port. Port 80/443 is only needed if you plan to install and use the Certificate Authority Web Enrollment role. Otherwise all interaction is via RPC/DCOM on the ports I listed.
#2 The initial connection is port 135, at which time it will find out which high-level port to use instead. The client will then switch from 135 to the high-level port to talk to the CA.
Best Regards,
Daniel
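The two posts above describe the same picture: the client first talks to the RPC endpoint mapper on TCP 135 and is then redirected to a port in the dynamic RPC range (49152-65535 on current Windows), so the CA (and the DC, for Kerberos/LDAP/RPC) needs inbound rules for those ports with the remote port left as Any, while the client side needs nothing beyond the default outbound policy. The PowerShell below is an added example, not code from the thread or from Microsoft; it creates those inbound rules with the built-in `New-NetFirewallRule` cmdlet and then checks from the client whether the endpoint mapper and the DCOM path both work. The hostnames, CA name and rule display names are placeholders; it assumes an elevated PowerShell session on Windows Server 2008 R2 or newer.

```powershell
# Added example (not from the thread). Assumes an elevated PowerShell session.
# Dynamic RPC range on current Windows (the thread's "TCP > 49151").
$DynamicRpc = '49152-65535'

function Add-RpcInboundRule {
    param(
        [Parameter(Mandatory)] [string] $NamePrefix,
        [string] $Profile = 'Domain'
    )
    # Endpoint mapper: the client connects here first and learns the dynamic port.
    New-NetFirewallRule -DisplayName "$NamePrefix RPC Endpoint Mapper (TCP 135)" `
        -Direction Inbound -Protocol TCP -LocalPort 135 -RemotePort Any `
        -Action Allow -Profile $Profile | Out-Null
    # Second connection lands on a port in the dynamic range. The remote port
    # stays Any because the client's source port is ephemeral.
    New-NetFirewallRule -DisplayName "$NamePrefix Dynamic RPC (TCP $DynamicRpc)" `
        -Direction Inbound -Protocol TCP -LocalPort $DynamicRpc -RemotePort Any `
        -Action Allow -Profile $Profile | Out-Null
}

# On the CA: DCOM enrollment only needs 135 plus the dynamic range.
function Add-CaInboundRules {
    Add-RpcInboundRule -NamePrefix 'ADCS'
}

# On the DC: Kerberos and LDAP in addition to the RPC pair.
function Add-DcInboundRules {
    New-NetFirewallRule -DisplayName 'DC Kerberos (TCP 88)' -Direction Inbound `
        -Protocol TCP -LocalPort 88 -Action Allow -Profile Domain | Out-Null
    New-NetFirewallRule -DisplayName 'DC Kerberos (UDP 88)' -Direction Inbound `
        -Protocol UDP -LocalPort 88 -Action Allow -Profile Domain | Out-Null
    New-NetFirewallRule -DisplayName 'DC LDAP (TCP 389)' -Direction Inbound `
        -Protocol TCP -LocalPort 389 -Action Allow -Profile Domain | Out-Null
    Add-RpcInboundRule -NamePrefix 'DC'
}

# On the CA: confirm the dynamic range the host actually uses. It must match
# both the host firewall rule above and the ACL on the perimeter firewall.
function Show-DynamicRpcRange {
    netsh int ipv4 show dynamicport tcp
}

# From the Azure client: distinguish "135 blocked" from "dynamic range blocked".
function Test-CaReachability {
    param(
        [Parameter(Mandatory)] [string] $CaHost,   # placeholder, e.g. ca01.corp.example
        [Parameter(Mandatory)] [string] $CaName    # placeholder, the CA's common name
    )
    $epm = Test-NetConnection -ComputerName $CaHost -Port 135
    if (-not $epm.TcpTestSucceeded) {
        return "TCP 135 to $CaHost blocked (perimeter or CA host firewall)"
    }
    # certutil -ping completes the RPC/DCOM handshake, so a failure here with
    # 135 reachable usually means the dynamic range is what is being dropped.
    certutil -ping -config "$CaHost\$CaName" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        return "Endpoint mapper reachable but DCOM to $CaHost failed: check TCP $DynamicRpc"
    }
    return "CA $CaName on $CaHost reachable over RPC/DCOM"
}

# Usage (placeholders):
#   Add-CaInboundRules            # run on the CA
#   Add-DcInboundRules            # run on the DC
#   Show-DynamicRpcRange          # run on the CA
#   Test-CaReachability -CaHost 'ca01.corp.example' -CaName 'Corp-Issuing-CA'   # run on the Azure VM
```

The client side gets no rule here on purpose: Windows Firewall's default outbound action is Allow in every profile, so a member server or VM that acts only as an enrollment client needs nothing unless that default has been changed by policy. Both the host firewall rules and the perimeter rule between Azure and the on-premises network have to permit the same dynamic range, which is why the `netsh` check is worth running before opening a ticket with the network team.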
Monday, April 29, 2019 9:14 AM
Hi,
Is there any feature or role on your member servers? If not, we could think of member servers as clients.
So we do not need to open firewall ports on member servers.
Thanks for your support and understanding. Hope the information above helps.
Best regards,
Kallen