This post has been republished via RSS; it originally appeared at: Core Infrastructure and Security Blog articles.
First published on TECHNET on Jun 25, 2010
Below is a list of ports that need to be opened on Active Directory Certificate Services servers to enable HTTP- and DCOM-based enrollment.
The information was developed by Microsoft Consulting Services during one of our customer engagements.
| Protocol | Port | From | To | Action | Comments |
|---|---|---|---|---|---|
| Kerberos | 464 | Certificate Enrollment Web Services | Domain Controllers (DC) | Allow | Source: Certificate Enrollment Web Services; Destination: DC; Service: Kerberos (network port tcp/464) |
| LDAP | 389 | Certificate Enrollment Web Services | Domain Controllers (DC) | Allow | Source: Certificate Enrollment Web Services; Destination: DC; Service: LDAP (network port tcp/389) |
| LDAP | 636 | Certificate Enrollment Web Services | Domain Controllers (DC) | Allow | Source: Certificate Enrollment Web Services; Destination: DC; Service: LDAP (network port tcp/636) |
| DCOM/RPC | Random port above port 1023 | Certificate Enrollment Web Services; All XP clients requesting certs | CA | Allow | Please see http://support.microsoft.com/kb/154596/en-us for details on RPC/DCOM configuration |
| HTTPS | 443 | All clients requesting certs | Certificate Enrollment Web Services | Allow | Source: Windows 7 client; Destination: Certificate Enrollment Web Services; Service: https (network port tcp/443) |
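A quick way to validate the fixed-port rows of the table once the firewall rules are in place is to attempt a TCP handshake from the "From" side of each row to the "To" side. The script below is an added example, not part of the original post; the `ces`, `dc` and `client` role names and the hostnames are placeholders you substitute for your own environment, and the DCOM/RPC row is deliberately left out because its port is dynamic and depends on the range configured per the linked KB article.

```python
import socket

# Fixed-port rows of the table above (transcribed here; hostnames are
# placeholders supplied by the caller, not values from the post).
# Each entry: (protocol, tcp port, source role, destination role)
RULES = [
    ("Kerberos", 464, "ces", "dc"),
    ("LDAP", 389, "ces", "dc"),
    ("LDAP", 636, "ces", "dc"),
    ("HTTPS", 443, "client", "ces"),
]
# DCOM/RPC uses a dynamic port above 1023; verify that row against the
# RPC port range you configured (see KB 154596), not a single port.


def tcp_reachable(host, port, timeout=2.0, connect=socket.create_connection):
    """Return True if a TCP handshake to host:port completes within timeout.

    `connect` is injectable so the check can be exercised offline.
    """
    try:
        with connect((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered (timeout) or unresolvable host all count as a miss.
        return False


def check_rules(hosts, role, connect=socket.create_connection):
    """Test every table row whose source matches this machine's role.

    hosts maps a role ("ces", "dc", "client") to a hostname or IP.
    Returns {(protocol, port, destination_role): reachable_bool}.
    """
    results = {}
    for proto, port, src, dst in RULES:
        if src != role:
            continue  # rows that originate elsewhere are not testable from here
        results[(proto, port, dst)] = tcp_reachable(hosts[dst], port, connect=connect)
    return results


if __name__ == "__main__":
    # Run this on the Certificate Enrollment Web Services host (placeholders).
    env = {"ces": "ces.example.local", "dc": "dc01.example.local", "client": "localhost"}
    for (proto, port, dst), ok in check_rules(env, "ces").items():
        print(f"{proto:8} tcp/{port:<4} -> {dst}: {'open' if ok else 'BLOCKED'}")
```

Run it from the CES server with role `ces`, and from a client with role `client`; a `BLOCKED` line points at the firewall rule to revisit.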