
List of Ports Required for Active Directory and PKI

Active Directory (AD) is the backbone of authentication and authorization on most enterprise networks, and its domain controllers must be reachable by every client and member server on a well-defined set of ports. If your organization deploys AD to manage user authentication, Group Policy and access to shared resources, one of the first firewall tasks is to allow those ports between clients, member servers and domain controllers (and between the domain controllers themselves). When they are blocked, users cannot log on, cannot reach file shares, and stop receiving policy updates, which disrupts the whole network.

Ports required for AD communication

Active Directory acts as the central repository for user, group and computer accounts, as well as for other objects such as shared resources and security policies. For clients and domain controllers to communicate properly, the following ports are required:

  • TCP/UDP port 53: Domain Name System (DNS). Clients locate domain controllers through the SRV records that the controllers register in DNS (for example _ldap._tcp.dc._msdcs.<domain>), so AD does not work without it. Ordinary queries use UDP; TCP is used for zone transfers and for responses too large for a single datagram.
  • TCP/UDP port 88: Kerberos. Clients send their authentication requests (AS-REQ and TGS-REQ) to the Key Distribution Center (KDC) on each domain controller and receive tickets that grant access to domain resources. Both transports must be allowed: small exchanges may use UDP, larger ones (and Windows clients since Vista by default) use TCP.
  • TCP port 135: the RPC endpoint mapper. A client contacts port 135 to learn the dynamic port on which a given RPC interface (AD replication, Netlogon, SAM/LSA, DCOM) is listening, and then connects to that port. On Windows Server 2008 and later the dynamic range is TCP 49152-65535 by default, so it has to be allowed alongside 135 (or narrowed to a fixed range on the servers and allowed accordingly).
  • UDP ports 137-138 and TCP port 139: NetBIOS over TCP/IP, which carried SMB on legacy Windows clients. UDP 137 is the NetBIOS name service, UDP 138 the datagram service (browser and legacy Netlogon traffic), and TCP 139 the session service that transports SMB. Modern clients talk SMB directly over TCP 445, so these three ports are only needed for backward compatibility.
  • TCP/UDP port 389: Lightweight Directory Access Protocol (LDAP), the protocol clients use to query and modify directory objects (users, groups, computers, Group Policy links). TCP 389 carries plain LDAP, which is unencrypted unless the client negotiates StartTLS or SASL signing and sealing, as domain-joined Windows clients do. UDP 389 carries connectionless LDAP (CLDAP), which clients use for the DC locator "ping" that tells them which domain controller and site to use.
  • TCP port 445: SMB directly over TCP (Microsoft-DS), without the NetBIOS layer. Domain clients use it to read Group Policy from the SYSVOL share and logon scripts from NETLOGON, to reach file and print shares, and to carry RPC over named pipes, including the Netlogon secure channel and the SAMR and LSARPC interfaces.
  • TCP/UDP port 464: Kerberos password change (kpasswd). Clients use it when a user changes, or an administrator resets, a password through Kerberos. This is a service of on-premises Active Directory; Microsoft Entra ID (formerly Azure AD) is a separate cloud directory and does not expose these ports.
  • TCP port 636: LDAP over TLS (LDAPS). The domain controller presents a server certificate, typically issued by your own PKI, and the whole LDAP session is encrypted. LDAPS is TCP only.
  • TCP ports 3268-3269: global catalog LDAP (3268) and LDAPS (3269). The global catalog answers forest-wide searches against the partial attribute set, for example universal group membership lookups at logon and address book queries, so only domain controllers that hold the global catalog role listen on them.

In addition to these ports, other ports may be required depending on the components and features in your AD environment. Group Policy processing, for example, depends on SMB access to SYSVOL on top of the DNS, Kerberos and LDAP ports above, and clients that fetch certificate revocation lists or authenticate to web-based services also need the HTTP ports:

  • TCP port 80: HTTP between clients and web servers. Data travels in plaintext, so it should only carry public, integrity-protected content such as signed CRLs and CA certificates.
  • TCP port 443: HTTPS, the TLS-protected version of HTTP, used for web-based enrollment and sign-in services. HTTPS for these services is TCP only.
  • TCP port 445: SMB access to the SYSVOL share on each domain controller, from which clients read Group Policy templates and scripts. Without it Group Policy stops applying even though logon still succeeds.

If you are using AD FS (Active Directory Federation Services) for single sign-on, the following ports will also be required between clients (or the Web Application Proxy) and the federation servers:

  • TCP port 80
  • TCP port 443: all sign-in, token issuance and federation metadata traffic.
  • TCP port 49443: the port AD FS uses for certificate-based user authentication (smart card or user certificate). It runs on its own port because the service cannot request a client certificate on the same listener (443) that serves password-based sign-in. AD FS itself is a claims-based single sign-on service (SAML, WS-Federation, OAuth 2.0 and OpenID Connect) rather than a certification authority, but its certificate authentication endpoint depends on your PKI for user certificates and revocation checking, which is why this port matters in a PKI deployment.

Ports required for PKI communication

In order for a PKI to function properly, certain ports need to be opened on the firewall to allow communication between the various components of the PKI system. These ports include:

  1. TCP port 80

    This port is used for HTTP, over which clients download certificate revocation lists (CRLs) and issuing CA certificates from the locations named in each certificate's CRL Distribution Points (CDP) and Authority Information Access (AIA) extensions. Revocation checking must work from every client, including non-domain-joined machines and external partners, so an HTTP location on a web server reachable by all of them should always be published.

  2. TCP port 389

    This port is used for LDAP. In an AD-integrated (enterprise) PKI the CA publishes CRLs and CA certificates into the configuration partition of the forest (CN=Public Key Services,CN=Services,CN=Configuration,...), and clients read certificate templates and enrollment services objects from there during autoenrollment. Note that this is LDAP to the domain controllers, not to the CA server itself.

  3. TCP port 636

    This port is used for LDAPS, LDAP protected by TLS. It is only needed if your CDP/AIA locations or enrollment clients use ldaps:// URLs, for example when directory access crosses an untrusted network; domain-joined Windows clients normally use signed and sealed LDAP on port 389 instead.

  4. TCP port 9389

    This port is used by Active Directory Web Services (ADWS) on domain controllers, which the Active Directory PowerShell module and the Active Directory Administrative Center rely on. The Certificates and Certification Authority MMC snap-ins, and the default DCOM enrollment interface used by Windows clients, instead talk to the CA over RPC/DCOM, which means TCP 135 plus a dynamic high port on the CA (the same 49152-65535 range as for domain controllers) must be open from administrators and enrolling clients to the CA. WS-Management (WinRM) is a different protocol and uses TCP 5985 and 5986.

In addition to these ports, you may also need to open other ports depending on your PKI system's specific components and configuration. If you use the Online Certificate Status Protocol (OCSP) to check certificate status, remember that OCSP is carried over HTTP, so the responder is reached on whatever port its URL in the certificate's AIA extension specifies, normally TCP 80 (the Microsoft Online Responder runs in IIS). The Certificate Enrollment Web Services (CES/CEP) and the Network Device Enrollment Service (NDES) are also HTTP-based and use TCP 443 (NDES additionally accepts HTTP on 80 for SCEP clients).

Troubleshooting firewall issues with PKI

To troubleshoot common firewall issues with a PKI, you can follow these steps:

  • Verify that the necessary ports are open. On the server, netstat -ano (or Get-NetTCPConnection -State Listen) shows which ports the services are actually listening on; that proves the service is up, not that the firewall lets traffic reach it. Then test from a client with Test-NetConnection -ComputerName <server> -Port <port> (or telnet) and compare the results with the list of ports required for your AD and PKI components.
  • Check the firewall logs for drops involving the domain controller and CA addresses. On Windows, enable logging of dropped packets in Windows Defender Firewall with Advanced Security (the default log is %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log); on a perimeter firewall, filter on the DC and CA IP addresses and the ports above to find the rule that is blocking them.
  • Test connectivity between the PKI components. ping and tracert only exercise ICMP, which many firewalls block independently of the ports above, so use a TCP-level test: Test-NetConnection with -Port, telnet to the port, or certutil -verify -urlfetch against an issued certificate, which fetches every CDP, AIA and OCSP URL the certificate names and reports which ones fail. Test from the client to the CA, from the client to the domain controllers, and from the CA to the domain controllers.
  • Only as a last resort, in a maintenance window and never on a production domain controller or CA, temporarily disable the host firewall to confirm whether it is the cause, and re-enable it as soon as the test is done. A safer alternative is a temporary logging-only rule or a packet capture (pktmon or netsh trace) that shows exactly which packet is being dropped.
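The reachability check described in the steps above, as an added example that is not code from the original article. It is a PowerShell script for a domain-joined Windows client: it finds the domain controllers from the _ldap SRV record in DNS, probes the TCP ports from the AD port list earlier on the page on each of them, probes the CA's HTTP, HTTPS and RPC endpoint mapper ports, and optionally walks the CRL, AIA and OCSP URLs of an issued certificate with certutil. The domain name corp.example.com, the CA host name ca01.corp.example.com and the optional certificate path are assumptions; replace them with your own values. UDP ports (53, 88, 389, 464) and the dynamic RPC range are not covered, because Test-NetConnection only probes one TCP port at a time.

```powershell
# Added example, not from the original article. Assumed names: change to match your environment.
param(
    [string]$Domain   = 'corp.example.com',
    [string]$CaHost   = 'ca01.corp.example.com',
    [string]$CertPath = ''            # optional: a .cer issued by the CA, used for the URL walk
)

# TCP ports a client needs on every domain controller (the AD list above; UDP not probed here).
$dcPorts = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL/NETLOGON)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog LDAP'
    3269 = 'Global Catalog LDAPS'
    9389 = 'Active Directory Web Services'
}

# TCP ports a client needs on the certification authority.
$caPorts = [ordered]@{
    80  = 'HTTP (CRL/AIA, OCSP)'
    135 = 'RPC endpoint mapper (DCOM enrollment, certsrv.msc)'
    443 = 'HTTPS (enrollment web services)'
}

# Locate domain controllers the same way clients do: the _ldap SRV record under _msdcs.
$dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' } |
       Select-Object -ExpandProperty NameTarget -Unique

function Test-Ports {
    param([string]$Target, [System.Collections.IDictionary]$Ports)
    foreach ($port in $Ports.Keys) {
        # -InformationLevel Quiet returns $true/$false instead of the full connection object.
        $open = Test-NetConnection -ComputerName $Target -Port $port `
                                   -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            Target  = $Target
            Port    = $port
            Service = $Ports[$port]
            Open    = $open
        }
    }
}

$results = @()
foreach ($dc in $dcs) { $results += Test-Ports -Target $dc -Ports $dcPorts }
$results += Test-Ports -Target $CaHost -Ports $caPorts
$results | Format-Table -AutoSize

# Anything closed is a firewall or service problem to chase before touching AD or the CA itself.
$results | Where-Object { -not $_.Open } | ForEach-Object {
    Write-Warning ("{0} tcp/{1} ({2}) is not reachable" -f $_.Target, $_.Port, $_.Service)
}

# If a certificate issued by the CA is at hand, fetch every CDP/AIA/OCSP URL it names through
# the same firewall path; a port that is open but a URL that fails points at the web server or DNS.
if ($CertPath) { certutil -verify -urlfetch $CertPath }
```

Run it from a client in the network segment you are troubleshooting, not from the domain controller or the CA, since the point is to exercise the firewall path between the two. The DNS lookup itself is the first test: if the SRV query fails, nothing else will work regardless of the other ports.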

Some Frequently asked questions

Here is a set of questions you might ask to identify the root cause of AD misconfiguration and connection issues. They are drawn from real-world troubleshooting scenarios:


Ques 1: Have you verified that the key ports for AD communication, such as 389 (LDAP), 88 (Kerberos) and 445 (SMB), are properly configured and not being blocked by a firewall?

Ques 2: Are all domain controllers resolvable through DNS, and do the SRV and A records match the domain controllers that actually exist and their current IP addresses?

Ques 3: Is there an AD replication issue that could leave domain controllers with inconsistent data, for example a password change or group membership that is visible on one domain controller but not on another?

Ques 4: Is there clock skew (more than five minutes by default) between clients and domain controllers, or between domain controllers, that would cause Kerberos authentication failures?

Ques 5: Are there specific error codes or warning messages in the event logs (System log on the client, Directory Service and DNS Server logs on the domain controllers) that pinpoint a misconfiguration or service failure?

Ques 6: Are the services behind these ports (the Kerberos KDC, DNS Server, Netlogon and the directory service itself) running on each domain controller, and do any service accounts your environment depends on still have the permissions they need?
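A quick way to answer questions 2 to 6 for a single domain controller, as an added example that is not code from the original article. The PowerShell script below runs on a domain-joined Windows client with the RSAT AD DS tools installed (for repadmin) and, for the service check, in Windows PowerShell 5.1, whose Get-Service still accepts -ComputerName. The domain controller name dc01.corp.example.com is an assumption; replace it with your own. Question 1 (port reachability) is a separate port probe and is not repeated here.

```powershell
# Added example, not from the original article. Assumed DC name: change to match your environment.
param([string]$Dc = 'dc01.corp.example.com')

# Q2: which DC the locator hands this client, and whether the named DC resolves in DNS.
nltest /dsgetdc:$env:USERDNSDOMAIN /force
Resolve-DnsName -Name $Dc -Type A -ErrorAction Stop

# Q3: replication health for the whole forest, then failures involving this DC only.
repadmin /replsummary
repadmin /showrepl $Dc /errorsonly

# Q4: clock offset between this host and the DC. Kerberos tolerates 5 minutes (300 s) by default.
$chart = w32tm /stripchart /computer:$Dc /samples:3 /dataonly
$last  = $chart | Select-Object -Last 1        # e.g. "16:00:02, +00.0011466s"
if ($last -match ',\s*([+-]?\d+\.\d+)s') {
    $offset = [double]$Matches[1]
    if ([math]::Abs($offset) -gt 300) {
        Write-Warning "Clock skew of $offset s against $Dc exceeds the Kerberos default tolerance of 300 s"
    } else {
        "Clock offset against ${Dc}: $offset s (within the 300 s Kerberos tolerance)"
    }
} else {
    Write-Warning "w32tm could not sample ${Dc}: $last"
}

# Q5: Kerberos and Netlogon errors and warnings on this client from the last 24 hours.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Security-Kerberos', 'NETLOGON'
    Level        = 1, 2, 3                      # critical, error, warning
    StartTime    = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProviderName, Id, Message | Format-List

# Q6: the services behind the ports on the DC (Windows PowerShell 5.1; uses RPC, not WinRM).
Get-Service -ComputerName $Dc -Name Kdc, DNS, Netlogon, NTDS |
    Select-Object MachineName, Name, Status | Format-Table -AutoSize
```

Read the w32tm result before anything else: a client more than five minutes off a domain controller fails Kerberos with KRB_AP_ERR_SKEW no matter how the firewall is configured, and the error will show up in the Security-Kerberos events the script lists next.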

How can Encryption Consulting help?


Encryption Consulting’s PKI Services and PKI-as-a-service can help you manage your PKI and secure the digital network of your organization. We can design, implement, manage, and migrate your PKI systems according to your specific needs. Managing PKI can seem daunting with the increase in the number of cyber threats. But you can rest assured because our experienced staff will help you build and monitor your PKI. We can assess your PKI based on our custom framework, providing you with best practices for PKI and HSM deployments.

Conclusion

Maintaining the firewall configuration is important in ensuring that your Active Directory and PKI systems function properly. By verifying that the necessary ports are open and troubleshooting any firewall issues that arise, you keep both systems secure and reliable. For Active Directory, open communication on the key ports for DNS, Kerberos, LDAP, SMB and RPC is critical. Similarly, for PKI, allowing HTTP, LDAP and the encrypted variants (LDAPS and HTTPS) ensures that certificate services work as intended, supporting certificate issuance, revocation and status checks.



About the Author


Anish Bhattacharya is a Consultant at Encryption Consulting, working with PKIs, HSMs, creating Google Cloud applications, and working as a consultant with high-profile clients.
