Firewall Rules for Active Directory Certificate Services

Below is a list of ports that need to be opened on Active Directory Certificate Services servers to enable HTTP- and DCOM-based enrollment.

The information was developed by Microsoft Consultant Services during one of our customer engagements.

| Protocol | Port | From | To | Action | Comments |
|----------|------|------|----|--------|----------|
| Kerberos | 464 | Certificate Enrollment Web Services | Domain Controllers (DC) | Allow | Source: Certificate Enrollment Web Services; Destination: DC; Service: Kerberos (network port tcp/464) |
| LDAP | 389 | Certificate Enrollment Web Services | Domain Controllers (DC) | Allow | Source: Certificate Enrollment Web Services; Destination: DC; Service: LDAP (network port tcp/389) |
| LDAP | 636 | Certificate Enrollment Web Services | Domain Controllers (DC) | Allow | Source: Certificate Enrollment Web Services; Destination: DC; Service: LDAP (network port tcp/636) |
| DCOM/RPC | Random port above port 1023 | Certificate Enrollment Web Services; all XP clients requesting certs | CA | Allow | See https://support.microsoft.com/kb/154596/en-us for details on RPC/DCOM configuration |
| HTTPS | 443 | All clients requesting certs | Certificate Enrollment Web Services | Allow | Source: Windows 7 client; Destination: Certificate Enrollment Web Services; Service: https (network port tcp/443) |
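The table above as a host-firewall configuration, written as an added example that is not part of the original page: the script is run on each AD CS role (DC, CA, or CES host) and creates only the inbound rules that role needs, scoped to the listed sources rather than to any address. The IP addresses, the rule names and the `49152-65535` dynamic range are placeholders and assumptions; replace them with your own values.

```powershell
# Added example (not from the original page): create Windows Firewall rules that
# mirror the AD CS enrollment table, on whichever role this host plays.
# Assumptions/placeholders: address lists below are hypothetical; replace them.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)]
    [ValidateSet('DC', 'CA', 'CES')]
    [string]$Role,
    # Certificate Enrollment Web Services hosts (placeholder addresses)
    [string[]]$CesServers = @('10.0.0.10'),
    # Networks holding clients that request certificates (placeholder)
    [string[]]$ClientNets = @('10.0.0.0/16'),
    # The table lists DCOM/RPC as "random port above 1023". This assumes the
    # default dynamic range; KB 154596 (linked above) explains restricting it.
    [string]$RpcDynamicRange = '49152-65535'
)

# One entry per table row; 'Host' is the role that receives the traffic.
$rules = @(
    @{ Host = 'DC';  Name = 'ADCS Kerberos (464) from CES'; Port = '464'; Remote = $CesServers }
    @{ Host = 'DC';  Name = 'ADCS LDAP (389) from CES';     Port = '389'; Remote = $CesServers }
    @{ Host = 'DC';  Name = 'ADCS LDAP (636) from CES';     Port = '636'; Remote = $CesServers }
    @{ Host = 'CA';  Name = 'ADCS DCOM/RPC from CES and XP clients'
       Port = $RpcDynamicRange; Remote = ($CesServers + $ClientNets) }
    @{ Host = 'CES'; Name = 'ADCS HTTPS (443) from clients'; Port = '443'; Remote = $ClientNets }
)
# Caveat not in the table: DCOM clients reach the RPC endpoint mapper (tcp/135)
# before the dynamic port, so that path must be verified separately on the CA.

foreach ($r in $rules | Where-Object { $_.Host -eq $Role }) {
    # Idempotent: do not duplicate a rule that already exists.
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
        Write-Verbose "Rule '$($r.Name)' already exists, skipping"
        continue
    }
    $what = "allow inbound TCP $($r.Port) from $($r.Remote -join ', ')"
    if ($PSCmdlet.ShouldProcess("$Role host", $what)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol TCP `
            -LocalPort $r.Port -RemoteAddress $r.Remote -Action Allow `
            -Profile Domain | Out-Null
    }
}
```

Run with `-WhatIf` first to see which rules a role would receive; the inbound rules here complement, and do not replace, the perimeter firewall rules the table describes.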