6

I just want to know which ports need to be open if I place a firewall between a Windows client (XP or 7) and a Domain Controller (Windows Server 2008 R2).

Please note it is between Client and DC and not between DC and DC.

I have searched on Google, but the answers I found cover Client to DC as well as DC to DC.

As per my findings, I need to open:

  1. TCP & UDP port 88 for Kerberos authentication
  2. TCP & UDP port 389 for LDAP
  3. TCP & UDP port 445 for SMB/CIFS/SMB2
  4. TCP & UDP port 464 for Kerberos password change
  5. TCP ports 3268 & 3269 for Global Catalog
  6. TCP & UDP port 53 for DNS
  7. TCP & UDP dynamic range: 1025 to 5000 (Windows Server 2003) or 49152 to 65535 (Windows Server 2008) for DCOM, RPC, EPM

Let me know, if I'm missing something.

Note: it's between Client and DC only.

Abhijeet Kasurde
Param
  • You can do without it, but to avoid a ton of headaches I'd recommend TCP/UDP 123 for time services, also – Bandrami Jan 08 '14 at 07:12
  • http://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx – user9517 Jan 08 '14 at 09:58
  • To help our friends here in collecting port numbers, add a rule for TCP ports "389,636,3268,3269,88,53,445,135,5722,464,9389,139,49152-65535" and a rule for UDP ports "389,88,53,445,123,464,138,137,49152-65535" – Mhmd Nov 10 '14 at 23:59
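The following is an added example, not code from the question or any of the comments. Run on a domain client (PowerShell 2.0 on Windows 7 is enough, since it uses only the .NET TcpClient class), it probes the DC on the static TCP ports collected in this thread (the question's list plus Mhmd's comment, minus the dynamic RPC range) and reports per port whether the firewall lets the connection through. The DC name is a placeholder you must replace. UDP is deliberately not probed, because from the client a dropped UDP probe and an unanswered one look identical.

```powershell
# Added example, not part of the question or its comments.
# Probes the DC on the static TCP ports listed in this thread and reports
# open / refused / filtered for each, so a client-to-DC firewall rule can be verified.
# Assumptions: $DomainController is a placeholder; port descriptions follow the thread.
param(
    [string]$DomainController = "dc01.example.local",   # placeholder, replace with your DC
    [int]$TimeoutMs = 2000
)

$tcpPorts = @{
    53   = "DNS"
    88   = "Kerberos"
    135  = "RPC Endpoint Mapper"
    139  = "NetBIOS session"
    389  = "LDAP"
    445  = "SMB"
    464  = "Kerberos password change"
    636  = "LDAP over SSL"
    3268 = "Global Catalog"
    3269 = "Global Catalog over SSL"
    5722 = "DFS Replication (DC to DC)"
    9389 = "AD Web Services"
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$Timeout)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No answer within the timeout: most likely a firewall silently dropping the port
        if (-not $async.AsyncWaitHandle.WaitOne($Timeout, $false)) { return "filtered (timeout)" }
        $client.EndConnect($async)       # throws when the DC answers with a RST
        return "open"
    } catch [System.Net.Sockets.SocketException] {
        # RST from the DC, or the name could not be resolved
        return "closed (refused/unresolvable)"
    } finally {
        $client.Close()
    }
}

$results = foreach ($port in ($tcpPorts.Keys | Sort-Object)) {
    New-Object PSObject -Property @{
        Port    = $port
        Service = $tcpPorts[$port]
        Result  = Test-TcpPort -ComputerName $DomainController -Port $port -Timeout $TimeoutMs
    }
}
$results | Sort-Object Port | Format-Table Port, Service, Result -AutoSize
```

A "filtered" result on a port the client needs is the firewall; a "closed" result means the packet reached the DC but nothing is listening there, which points at the server rather than the rule set.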

2 Answers

4

Here are a few links from Microsoft that show the data you are requesting. Note that the dynamic ranges for 2003 and 2008 have changed, so if you have a mixed environment you might need to open both ranges or make them static.

  1. http://support.microsoft.com/kb/179442
  2. http://support.microsoft.com/kb/224196 will let you limit the dynamic range to help with firewall configurations.

To view your dynamic ranges for the client you can use the commands below; more info about this can be found at kb929851 (the site would not let me post a third link, so I had to shorten it).

  • netsh int ipv4 show dynamicport tcp
  • netsh int ipv4 show dynamicport udp
  • netsh int ipv6 show dynamicport tcp
  • netsh int ipv6 show dynamicport udp
SpiderIce
0

Aside from the list you mentioned, you would also need:

  1. TCP port 135 for RPC Endpoint Mapper
  2. TCP/UDP port 88 for Kerberos
  3. UDP port 123 for Time

If you want to utilize LDAP over SSL you'll also need TCP port 636.

Reference: How to configure a firewall for Domains and Trusts

HostBits