Firewall Rules for Active Directory Certificate Services
Published Jan 24 2020 01:49 PM
Microsoft

First published on TECHNET on Jun 25, 2010

Below is a list of the ports that need to be opened on Active Directory Certificate Services servers to enable HTTP-based (Certificate Enrollment Web Services) and DCOM-based enrollment.

The information was developed by Microsoft Consulting Services during one of our customer engagements.

| Protocol | Port | From | To | Action | Comments |
|---|---|---|---|---|---|
| Kerberos | 464 | Certificate Enrollment Web Services | Domain Controllers (DC) | Allow | Source: Certificate Enrollment Web Services. Destination: DC. Service: Kerberos (network port tcp/464) |
| LDAP | 389 | Certificate Enrollment Web Services | Domain Controllers (DC) | Allow | Source: Certificate Enrollment Web Services. Destination: DC. Service: LDAP (network port tcp/389) |
| LDAP | 636 | Certificate Enrollment Web Services | Domain Controllers (DC) | Allow | Source: Certificate Enrollment Web Services. Destination: DC. Service: LDAP (network port tcp/636) |
| DCOM/RPC | Random port above port 1023 | Certificate Enrollment Web Services; all XP clients requesting certs | CA | Allow | For details on RPC/DCOM configuration, see http://support.microsoft.com/kb/154596/en-us |
| HTTPS | 443 | All clients requesting certs | Certificate Enrollment Web Services | Allow | Source: Windows 7 client. Destination: Certificate Enrollment Web Services. Service: https (network port tcp/443) |

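One way to turn the table above into host firewall rules, as an added example that is not part of the original post: it uses the built-in Windows Firewall cmdlets (`New-NetFirewallRule`, `Get-NetFirewallRule`), every address is a placeholder you must replace, the rule names and group are my own, and the DCOM/RPC rows are scoped to the CES host only (extend `Remote` if legacy XP clients still enroll directly against the CA).

```powershell
# Added example, not from the original post: creates the table's inbound rules
# with the Windows Firewall cmdlets (NetSecurity module). Addresses are placeholders.
$Ces     = @('10.0.1.20')      # placeholder: Certificate Enrollment Web Services host
$Clients = @('10.0.2.0/24')    # placeholder: subnet of clients that enroll over HTTPS

# One entry per table row, keyed by the role of the host that receives the traffic.
$Rules = @(
  @{ Role='DC';  Name='ADCS: CES to DC Kerberos';   Remote=$Ces;     Port=464 }
  @{ Role='DC';  Name='ADCS: CES to DC LDAP';       Remote=$Ces;     Port=389 }
  @{ Role='DC';  Name='ADCS: CES to DC LDAPS';      Remote=$Ces;     Port=636 }
  @{ Role='CES'; Name='ADCS: clients to CES HTTPS'; Remote=$Clients; Port=443 }
  # DCOM/RPC to the CA lands on a dynamic port above 1023. 'RPC' is the firewall's
  # keyword for the dynamic RPC port range, so the rule follows that range instead
  # of opening every high port. The RPC endpoint mapper (tcp/135) is a DCOM
  # prerequisite that the table above does not list.
  @{ Role='CA';  Name='ADCS: CES to CA RPC endpoint mapper'; Remote=$Ces; Port=135 }
  @{ Role='CA';  Name='ADCS: CES to CA DCOM dynamic port';   Remote=$Ces; Port='RPC' }
)

function Install-AdcsFirewallRule {
  # Run elevated on a host of the given role; rules that already exist are skipped.
  param([Parameter(Mandatory)][ValidateSet('DC','CES','CA')][string]$Role)
  foreach ($r in ($Rules | Where-Object { $_.Role -eq $Role })) {
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
      Write-Verbose "Rule '$($r.Name)' already exists, skipping"
      continue
    }
    # Domain profile only and remote addresses pinned to the peer role, so the
    # port is not reachable from arbitrary hosts on the network.
    New-NetFirewallRule -DisplayName $r.Name -Group 'ADCS' -Direction Inbound `
      -Protocol TCP -LocalPort $r.Port -RemoteAddress $r.Remote `
      -Action Allow -Profile Domain -Enabled True | Out-Null
  }
}

# Example on the CA, then review what was opened and to whom:
# Install-AdcsFirewallRule -Role CA -Verbose
# Get-NetFirewallRule -Group 'ADCS' | Get-NetFirewallPortFilter |
#   Select-Object InstanceID, Protocol, LocalPort
```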
Last update: Nov 09 2023 11:09 AM