Firewall Rules for Active Directory Certificate Services

First published on TECHNET on Jun 25, 2010

Below is a list of ports that need to be opened on Active Directory Certificate Services servers to enable HTTP- and DCOM-based enrollment.

The information was developed by Microsoft Consultant Services during one of our customer engagements.

| Protocol | Port | From | To | Action | Comments |
|---|---|---|---|---|---|
|  | 464 | Certificate Enrollment Web Services | Domain Controllers (DC) | Allow | Source: Certificate Enrollment Web Services. Destination: DC. Service: (port /464) |
| LDAP | 389 | Certificate Enrollment Web Services | Domain Controllers (DC) | Allow | Source: Certificate Enrollment Web Services. Destination: DC. Service: LDAP (port /389) |
| LDAP | 636 | Certificate Enrollment Web Services | Domain Controllers (DC) | Allow | Source: Certificate Enrollment Web Services. Destination: DC. Service: LDAP (port /636) |
| DCOM/RPC | Random port above port 1023 | Certificate Enrollment Web Services; all XP clients requesting certs | CA | Allow | Please see the following for details on RPC/DCOM configuration: http://support.microsoft.com/kb/154596/en-us |
| HTTPS | 443 | All clients requesting certs | Certificate Enrollment Web Services | Allow | Source: Windows 7 client. Destination: Certificate Enrollment Web Services. Service: https (network port tcp/443) |
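As an added example (not part of the original post), the table above expressed as Windows Firewall rules with the NetSecurity cmdlets, followed by a reachability check from the enrollment web services host. All addresses, the client subnet and the TCP 135 endpoint mapper port (which the table does not list) are assumptions to adapt to your environment.

```powershell
# Added example, not part of the original post: the table above as Windows Firewall rules
# (New-NetFirewallRule / Test-NetConnection, Windows 8 / Server 2012 and later).
# All addresses below are placeholders; replace them with your own before running.
$DomainControllers      = @('10.0.0.10', '10.0.0.11')   # placeholder DC addresses
$CertificationAuthority = '10.0.0.20'                   # placeholder CA address
$EnrollmentWebServices  = '10.0.0.30'                   # placeholder CES address
$ClientSubnet           = '10.0.1.0/24'                 # placeholder subnet of enrolling clients

# --- On the Certificate Enrollment Web Services (CES) host ---
# Outbound to the domain controllers: TCP 464, LDAP 389 and LDAP 636 (rows 1-3 of the table).
foreach ($port in 464, 389, 636) {
    New-NetFirewallRule -DisplayName "ADCS CES -> DC TCP/$port" -Direction Outbound `
        -Protocol TCP -RemotePort $port -RemoteAddress $DomainControllers -Action Allow | Out-Null
}
# Outbound to the CA over DCOM/RPC: "random port above 1023" in the table, i.e. 1024-65535.
# The RPC endpoint mapper (TCP 135) is not in the table, but DCOM cannot connect without it.
# KB 154596 (linked in the table) describes how to narrow the dynamic range on the CA.
New-NetFirewallRule -DisplayName 'ADCS CES -> CA DCOM/RPC' -Direction Outbound `
    -Protocol TCP -RemotePort @('135', '1024-65535') -RemoteAddress $CertificationAuthority `
    -Action Allow | Out-Null
# Inbound from enrolling clients: HTTPS on TCP 443 only (last row of the table).
New-NetFirewallRule -DisplayName 'ADCS clients -> CES HTTPS' -Direction Inbound `
    -Protocol TCP -LocalPort 443 -RemoteAddress $ClientSubnet -Action Allow | Out-Null

# --- On the CA ---
# Inbound DCOM/RPC from CES and from XP clients that still enroll directly (DCOM/RPC row).
New-NetFirewallRule -DisplayName 'ADCS CES/XP clients -> CA DCOM/RPC' -Direction Inbound `
    -Protocol TCP -LocalPort @('135', '1024-65535') `
    -RemoteAddress @($EnrollmentWebServices, $ClientSubnet) -Action Allow | Out-Null

# --- Check from the CES host that every required path is actually open ---
$checks = @(foreach ($dc in $DomainControllers) {
    foreach ($p in 464, 389, 636) { @{ Host = $dc; Port = $p } }
})
$checks += @{ Host = $CertificationAuthority; Port = 135 }
foreach ($c in $checks) {
    $r = Test-NetConnection -ComputerName $c.Host -Port $c.Port -WarningAction SilentlyContinue
    '{0}:{1} open={2}' -f $c.Host, $c.Port, $r.TcpTestSucceeded
}
```

Any line reporting open=False points at a path the table requires that is still blocked somewhere between the two hosts.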


This article was originally published by Microsoft's Core Infrastructure and Security Blog. You can find the original article here.