
List of Ports required for Active Directory and PKI

Active Directory (AD) is a critical component of many organizations’ IT infrastructure. It provides a central repository for user, group, and computer accounts, as well as a variety of other objects, such as shared resources and security policies. In order for AD to function properly, certain ports must be opened on the firewall to allow communication between AD servers and clients.

Ports required for AD communication

The following ports are required for basic AD communication:

  • TCP/UDP port 53: DNS
  • TCP/UDP port 88: Kerberos authentication
  • TCP/UDP port 135: RPC
  • TCP/UDP port 137-138: NetBIOS
  • TCP/UDP port 389: LDAP
  • TCP/UDP port 445: SMB
  • TCP/UDP port 464: Kerberos password change
  • TCP/UDP port 636: LDAP SSL
  • TCP/UDP port 3268-3269: Global catalog

In addition to these ports, other ports may be required depending on your AD environment’s specific components and features. For example, if you are using Group Policy, the following ports will also be required:

  • TCP port 80: HTTP
  • TCP port 443: HTTPS
  • TCP port 445: SMB

If you are using ADFS (Active Directory Federation Services) for single sign-on, the following ports will also be required:

  • TCP port 80: HTTP
  • TCP port 443: HTTPS
  • TCP port 49443: ADFS
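The port lists above are what a firewall request is written from; the following PowerShell script is an added example (not code from the original article) that checks, from a domain member, whether the TCP side of the basic AD list is actually reachable on a domain controller. The DC name is a placeholder. A TCP connect cannot prove the UDP entries, so DNS on UDP 53 is exercised with a real query and the remaining UDP ports are only reported as untested.

```powershell
# Added example, not part of the original article. Run from a domain member.
# Assumption: $DomainController is a placeholder; replace it with a real DC name.

$DomainController = 'dc01.corp.example'   # placeholder

# The article's basic AD list, TCP side only (137-138 are UDP-only NetBIOS ports)
$RequiredTcpPorts = @(
    @{ Port = 53;   Service = 'DNS' }
    @{ Port = 88;   Service = 'Kerberos authentication' }
    @{ Port = 135;  Service = 'RPC endpoint mapper' }
    @{ Port = 389;  Service = 'LDAP' }
    @{ Port = 445;  Service = 'SMB' }
    @{ Port = 464;  Service = 'Kerberos password change' }
    @{ Port = 636;  Service = 'LDAP over SSL/TLS' }
    @{ Port = 3268; Service = 'Global catalog' }
    @{ Port = 3269; Service = 'Global catalog over SSL/TLS' }
)
$UntestedUdpPorts = 88, 137, 138, 389, 464

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    # A TcpClient with an explicit timeout returns quickly when a firewall
    # silently drops the SYN; a plain connect would wait for the OS timeout.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }   # filtered / no answer
        $client.EndConnect($async)                                                # throws if refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($entry in $RequiredTcpPorts) {
    [pscustomobject]@{
        Port      = $entry.Port
        Service   = $entry.Service
        Reachable = Test-TcpPort -ComputerName $DomainController -Port $entry.Port
    }
}
$results | Format-Table -AutoSize

# DNS: a real query proves the resolver path (UDP first, TCP only on truncation)
try {
    Resolve-DnsName -Name $DomainController -Server $DomainController -Type A -DnsOnly -ErrorAction Stop | Out-Null
    Write-Host "DNS query to $DomainController answered"
} catch {
    Write-Warning "DNS query to $DomainController failed: $($_.Exception.Message)"
}

$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count) {
    Write-Warning ("TCP ports not reachable on ${DomainController}: " + (($blocked | ForEach-Object Port) -join ', '))
}
Write-Host "UDP ports not probed here (confirm via firewall rules or logs): $($UntestedUdpPorts -join ', ')"
```

A port that shows as unreachable with a two-second timeout is usually being dropped by a firewall in the path; one that fails immediately is reachable but nothing is listening on the DC.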

Ports required for PKI communication

In order for a PKI to function properly, certain ports need to be opened on the firewall to allow communication between the various components of the PKI system. These ports include:

  1. TCP port 80

    This port is used for HTTP communication, which is required for clients to access the certificate revocation list (CRL) and other information from the certificate authority (CA) server.

  2. TCP port 389

    This port is used for LDAP communication, which is required for clients to access the certificate database on the CA server.

  3. TCP port 636

    This port is used for LDAPS communication, a secure version of LDAP that uses SSL/TLS for encryption. This is required if you are using LDAP over a public network.

  4. TCP port 9389

    This port is used for the Web Services for Management (WS-Management) protocol, which is required for clients to access the CA server using the Certificates snap-in in the Microsoft Management Console (MMC).

In addition to these ports, you may also need to open other ports depending on your PKI system’s specific components and configuration. For example, if you are using Online Certificate Status Protocol (OCSP) to check the status of certificates, you will need to open TCP port 2560.
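Whether TCP 80 and TCP 389 are really open for PKI clients is easiest to judge from a certificate the CA has issued, because its CRL Distribution Points (CDP) and Authority Information Access (AIA) extensions name the exact HTTP and LDAP locations clients will fetch. The following PowerShell script is an added example, not code from the original article or from Encryption Consulting: it reads those URLs from a certificate file (a placeholder path), downloads each HTTP location and checks that DER data comes back, and tests TCP 389 on the host of each LDAP location. An `ldap:///` URL with no host means "any domain controller", so a placeholder DC name is used for it; OCSP responder URLs need an encoded request, so only their TCP port is checked.

```powershell
# Added example, not part of the original article. Assumptions: $CertPath and
# $DefaultLdapHost are placeholders; the "(1.3.6.1.5.5.7.48.x)" access-method
# text is how Windows renders AIA entries and is used to tell OCSP from AIA.

$CertPath        = 'C:\temp\issued-cert.cer'   # placeholder: a certificate issued by your CA
$DefaultLdapHost = 'dc01.corp.example'         # placeholder: a DC for host-less ldap:/// URLs

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

function Get-CertificateUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    foreach ($ext in $Certificate.Extensions) {
        $kind = switch ($ext.Oid.Value) {
            '2.5.29.31'         { 'CDP' }   # CRL Distribution Points
            '1.3.6.1.5.5.7.1.1' { 'AIA' }   # Authority Information Access
            default             { $null }
        }
        if (-not $kind) { continue }
        # Format($true) renders the extension as text; each "[n]" entry holds one
        # location with one or more "URL=..." lines (and an access method for AIA)
        foreach ($entry in ($ext.Format($true) -split '(?=\[\d+\])')) {
            $label = if ($entry -match '\(1\.3\.6\.1\.5\.5\.7\.48\.1\)') { 'OCSP' } else { $kind }
            foreach ($m in [regex]::Matches($entry, 'URL=(\S+)')) {
                [pscustomobject]@{ Kind = $label; Url = $m.Groups[1].Value }
            }
        }
    }
}

$web = New-Object System.Net.WebClient
$results = foreach ($item in Get-CertificateUrls -Certificate $cert) {
    $ok = $false; $note = ''
    switch -Regex ($item.Url) {
        '^http://' {
            $uri = [uri]$item.Url
            if ($item.Kind -eq 'OCSP') {
                # The responder needs an encoded OCSP request; only the listener is checked
                $ok   = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -InformationLevel Quiet
                $note = "TCP $($uri.Port) on $($uri.Host)"
            } else {
                try {
                    $bytes = $web.DownloadData($uri)
                    # A DER-encoded CRL or certificate starts with the ASN.1 SEQUENCE tag 0x30
                    $ok   = ($bytes.Length -gt 0) -and ($bytes[0] -eq 0x30)
                    $note = "HTTP fetch of $($bytes.Length) bytes over TCP $($uri.Port)"
                } catch { $note = $_.Exception.Message }
            }
        }
        '^ldap://' {
            # ldap:///CN=... carries no host: the client asks any domain controller
            $ldapHost = if ($item.Url -match '^ldap://([^/]+)/') { $Matches[1] } else { $DefaultLdapHost }
            $ok   = Test-NetConnection -ComputerName $ldapHost -Port 389 -InformationLevel Quiet
            $note = "TCP 389 on $ldapHost"
        }
        default { $note = 'unhandled URL scheme' }
    }
    [pscustomobject]@{ Kind = $item.Kind; Url = $item.Url; Reachable = [bool]$ok; Detail = $note }
}
$results | Format-Table -AutoSize -Wrap
```

Run it from the segment the clients sit in, not from the CA itself: a CRL that the CA can download locally but clients cannot reach is the usual cause of revocation-check failures after a firewall change.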

Troubleshooting firewall issues with PKI

To troubleshoot common firewall issues with a PKI, you can follow these steps:

  • Verify that the necessary ports are open on the firewall. You can do this by using the netstat command to list all of the open ports on the system and comparing the results with the list of ports that are required for your PKI system.
  • Check the firewall logs for any entries related to the PKI system. This can help you to identify any specific rules or settings that may be blocking the necessary ports.
  • Test the connectivity between the PKI components to ensure they can communicate properly. You can do this by using the ping, telnet, or tracert commands to test the connectivity between the client and the CA server and between the other components of the PKI system.
  • If you are still having issues with the firewall, try temporarily disabling the firewall to see if this resolves the problem. This will help you to determine whether the firewall is the cause of the issue or whether there is a problem with another component of the PKI system.
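The first, second and fourth steps can be carried out on the CA or DC itself with the PowerShell script below, which is an added example and not code from the original article: it compares the listening TCP ports with the required list (the PowerShell equivalent of reading netstat output), parses the Windows Firewall log for dropped packets on those ports, and lists the enabled inbound rules that cover each port so the rule set can be corrected. The required port numbers are the ones named in the article; the log path is the Windows Firewall default, and logging of dropped packets must already be enabled on the profile in use. Reading the log needs an elevated prompt.

```powershell
# Added example, not part of the original article. Run elevated on the CA/DC.
# Assumptions: the article's PKI port list below; default Windows Firewall log path.

$RequiredTcpPorts = 80, 389, 636, 9389, 2560
$FirewallLog      = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# (1) Listening TCP ports, the same data "netstat -ano" shows as LISTENING
$listening    = Get-NetTCPConnection -State Listen | Select-Object -ExpandProperty LocalPort -Unique
$notListening = $RequiredTcpPorts | Where-Object { $_ -notin $listening }
Write-Host "Required ports with no listener: $(if ($notListening) { $notListening -join ', ' } else { 'none' })"

# (2) Dropped packets on required ports. The log is W3C format; its "#Fields:" header
# gives the column order, so columns are looked up by name rather than by position.
function Get-FirewallDrops {
    param([string]$Path, [int[]]$Ports)
    if (-not (Test-Path $Path)) { Write-Warning "No firewall log at $Path (is logging of dropped packets on?)"; return @() }
    $lines  = Get-Content -Path $Path
    $header = $lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $header) { return @() }
    $fields = ($header -replace '^#Fields:\s*') -split '\s+'
    foreach ($line in $lines) {
        if ($line.StartsWith('#') -or -not $line.Trim()) { continue }
        $values = $line -split '\s+'
        $row = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        # ICMP entries carry "-" in the port columns, so only numeric ports are compared
        if ($row['action'] -eq 'DROP' -and $row['dst-port'] -match '^\d+$' -and [int]$row['dst-port'] -in $Ports) {
            [pscustomobject]@{
                Time     = "$($row['date']) $($row['time'])"
                Protocol = $row['protocol']
                Source   = $row['src-ip']
                DstPort  = [int]$row['dst-port']
            }
        }
    }
}

Write-Host "Dropped packets on required ports, by port and source:"
Get-FirewallDrops -Path $FirewallLog -Ports $RequiredTcpPorts |
    Group-Object DstPort, Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# (3) Enabled inbound rules touching each port. Rules written as a range (e.g. "3268-3269")
# are not matched by this simple equality check and would need to be expanded first.
function Get-RulesForPort {
    param([int]$Port)
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq $Port -or $_.LocalPort -eq 'Any' } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
        Select-Object DisplayName, Action, Profile
}

foreach ($p in $RequiredTcpPorts) {
    Write-Host "== enabled inbound rules covering TCP $p =="
    Get-RulesForPort -Port $p | Format-Table -AutoSize
}
```

If a port is listening and the log shows drops for it from the client's address, the fix is a rule in the section (3) output (a Block rule that wins, or no Allow rule for that profile), which is a narrower change than switching the firewall off.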

Conclusion

Maintaining the proper firewall configuration is important in ensuring that your Active Directory and PKI system function properly. By verifying that the necessary ports are open and troubleshooting any firewall issues that may arise, you can help to keep your Active Directory and PKI system secure and reliable.

About the Author

Anish Bhattacharya is a Consultant at Encryption Consulting, working with PKIs, HSMs, creating Google Cloud applications, and working as a consultant with high-profile clients.
