Core Infrastructure and Security Blog

Firewall Rules for Active Directory Certificate Services

NoMoePwds (Microsoft)
Jan 24, 2020

First published on TECHNET on Jun 25, 2010

Below is the list of ports that must be opened on Active Directory Certificate Services servers to enable HTTP-based and DCOM-based enrollment.

The information was developed by Microsoft Consultant Services during one of our customer engagements.

| Protocol | Port | From | To | Action | Comments |
|---|---|---|---|---|---|
| Kerberos | 464 | Certificate Enrollment Web Services | Domain Controllers (DC) | Allow | Source: Certificate Enrollment Web Services. Destination: DC. Service: Kerberos (network port tcp/464) |
| LDAP | 389 | Certificate Enrollment Web Services | Domain Controllers (DC) | Allow | Source: Certificate Enrollment Web Services. Destination: DC. Service: LDAP (network port tcp/389) |
| LDAP | 636 | Certificate Enrollment Web Services | Domain Controllers (DC) | Allow | Source: Certificate Enrollment Web Services. Destination: DC. Service: LDAP (network port tcp/636) |
| DCOM/RPC | Random port above port 1023 | Certificate Enrollment Web Services; all XP clients requesting certs | CA | Allow | For details on RPC/DCOM configuration, see http://support.microsoft.com/kb/154596/en-us |
| HTTPS | 443 | All clients requesting certs | Certificate Enrollment Web Services | Allow | Source: Windows 7 client. Destination: Certificate Enrollment Web Services. Service: https (network port tcp/443) |
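As an added example (not part of the original post), the rule table above encoded as a small Python checker: given a candidate allow-list, it reports which required flows are not fully covered, including the case where the DCOM/RPC rule is narrower than the "random port above port 1023" the table calls for. The zone labels (CEWS, DC, CA, XP-clients, clients) and the sample ruleset are constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Flow:
    src: str      # constructed zone label, e.g. "CEWS" or "DC"
    dst: str
    proto: str    # every row in the table is TCP
    ports: range  # a single port is range(p, p + 1)


# Required flows, one per row of the table in this post. The DCOM/RPC row
# says "random port above port 1023", encoded here as range(1024, 65536).
REQUIRED = {
    "kerberos-464":    Flow("CEWS", "DC", "tcp", range(464, 465)),
    "ldap":            Flow("CEWS", "DC", "tcp", range(389, 390)),
    "ldaps":           Flow("CEWS", "DC", "tcp", range(636, 637)),
    "dcom-cews-to-ca": Flow("CEWS", "CA", "tcp", range(1024, 65536)),
    "dcom-xp-to-ca":   Flow("XP-clients", "CA", "tcp", range(1024, 65536)),
    "https-enroll":    Flow("clients", "CEWS", "tcp", range(443, 444)),
}


def covers(rule: Flow, need: Flow) -> bool:
    """True if one allow rule fully covers a required flow (same endpoints,
    same protocol, required port range contained in the rule's range)."""
    return (rule.src == need.src and rule.dst == need.dst
            and rule.proto == need.proto
            and need.ports.start >= rule.ports.start
            and need.ports.stop <= rule.ports.stop)


def missing_flows(rules: Iterable[Flow]) -> list[str]:
    """Names of required flows that no single rule in the allow-list covers."""
    rules = list(rules)
    return [name for name, need in REQUIRED.items()
            if not any(covers(r, need) for r in rules)]


# Constructed sample allow-list: LDAPS is absent and the CEWS->CA RPC rule
# stops at 4999, so it cannot carry the full dynamic port range.
SAMPLE_RULES = [
    Flow("CEWS", "DC", "tcp", range(389, 390)),
    Flow("CEWS", "DC", "tcp", range(464, 465)),
    Flow("CEWS", "CA", "tcp", range(1024, 5000)),
    Flow("XP-clients", "CA", "tcp", range(1024, 65536)),
    Flow("clients", "CEWS", "tcp", range(443, 444)),
]

if __name__ == "__main__":
    for name in missing_flows(SAMPLE_RULES):
        print("missing:", name, REQUIRED[name])  # prints ldaps, dcom-cews-to-ca
```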

Updated Nov 09, 2023
Version 3.0
Comment from Barry_Wood (Copper Contributor):

After the nightmare I had trying to migrate a certificate authority server behind a firewall, I have created a short YouTube video on the port requirements for a certificate authority server. Hopefully I am allowed to post this link here: Certificate Authority Port Requirements - YouTube, as I believe it will help people.