This article describes how to configure a firewall for domains and trusts.
Note: Not all the ports that are listed in the tables here are required in all scenarios. For example, if the firewall separates members and DCs, you don't have to open the FRS or DFSR ports. Also, if you know that no clients use LDAP with SSL/TLS, you don't have to open ports 636 and 3269.
To establish a domain trust or a secure channel across a firewall, the following ports must be opened. Be aware that there may be hosts functioning in both client and server roles on both sides of the firewall. Therefore, port rules may have to be mirrored.
Windows NT
In this environment, one side of the trust is a Windows NT 4.0 trust, or the trust was created by using the NetBIOS names.
| Client Port(s) | Server Port | Service |
|---|---|---|
| 137/UDP | 137/UDP | NetBIOS Name |
| 138/UDP | 138/UDP | NetBIOS Netlogon and Browsing |
| 1024-65535/TCP | 139/TCP | NetBIOS Session |
| 1024-65535/TCP | 42/TCP | WINS Replication |
Windows Server 2003 and Windows 2000 Server
For a mixed-mode domain that uses either Windows NT domain controllers or legacy clients, trust relationships between Windows Server 2003-based domain controllers and Windows 2000 Server-based domain controllers may require that all the ports for Windows NT that are listed in the previous table be opened in addition to the following ports.
Note: The two domain controllers are both in the same forest, or the two domain controllers are in separate forests. Also, the trusts in the forest are Windows Server 2003 trusts or later version trusts.
| Client Port(s) | Server Port | Service |
|---|---|---|
| 1024-65535/TCP | 135/TCP | RPC Endpoint Mapper |
| 1024-65535/TCP | 1024-65535/TCP | RPC for LSA, SAM, Netlogon (*) |
| 1024-65535/TCP/UDP | 389/TCP/UDP | LDAP |
| 1024-65535/TCP | 636/TCP | LDAP SSL |
| 1024-65535/TCP | 3268/TCP | LDAP GC |
| 1024-65535/TCP | 3269/TCP | LDAP GC SSL |
| 53,1024-65535/TCP/UDP | 53/TCP/UDP | DNS |
| 1024-65535/TCP/UDP | 88/TCP/UDP | Kerberos |
| 1024-65535/TCP | 445/TCP | SMB |
| 1024-65535/TCP | 1024-65535/TCP | FRS RPC (*) |
NETBIOS ports as listed for Windows NT are also required for Windows 2000 and Windows Server 2003 when trusts to domains are configured that support only NETBIOS-based communication. Examples are Windows NT-based operating systems or third-party Domain Controllers that are based on Samba.
(*) For information about how to define RPC server ports that are used by the LSA RPC services, see the following Microsoft Knowledge Base articles:
Windows Server 2008 and Windows Server 2008 R2
Windows Server 2008 and Windows Server 2008 R2 have increased the dynamic client port range for outgoing connections. The new default start port is 49152, and the default end port is 65535. Therefore, you must increase the RPC port range in your firewalls. This change was made to comply with Internet Assigned Numbers Authority (IANA) recommendations. This differs from a mixed-mode domain that consists of Windows Server 2003 domain controllers, Windows 2000 Server-based domain controllers, or legacy clients, where the default dynamic port range is 1025 through 5000.
For more information about the dynamic port range change in Windows Server 2008 and Windows Server 2008 R2, see the following resources:
| Client Port(s) | Server Port | Service |
|---|---|---|
| 49152-65535/UDP | 123/UDP | W32Time |
| 49152-65535/TCP | 135/TCP | RPC Endpoint Mapper |
| 49152-65535/TCP | 464/TCP/UDP | Kerberos password change |
| 49152-65535/TCP | 49152-65535/TCP | RPC for LSA, SAM, Netlogon (*) |
| 49152-65535/TCP/UDP | 389/TCP/UDP | LDAP |
| 49152-65535/TCP | 636/TCP | LDAP SSL |
| 49152-65535/TCP | 3268/TCP | LDAP GC |
| 49152-65535/TCP | 3269/TCP | LDAP GC SSL |
| 53, 49152-65535/TCP/UDP | 53/TCP/UDP | DNS |
| 49152-65535/TCP | 49152-65535/TCP | FRS RPC (*) |
| 49152-65535/TCP/UDP | 88/TCP/UDP | Kerberos |
| 49152-65535/TCP/UDP | 445/TCP | SMB |
| 49152-65535/TCP | 49152-65535/TCP | DFSR RPC (*) |
NETBIOS ports as listed for Windows NT are also required for Windows 2000 and Server 2003 when trusts to domains are configured that support only NETBIOS-based communication. Examples are Windows NT-based operating systems or third-party Domain Controllers that are based on Samba.
(*) For information about how to define RPC server ports that are used by the LSA RPC services, see the following Microsoft Knowledge Base articles:
Note: External trust 123/UDP is only needed if you have manually configured the Windows Time Service to Sync with a server across the external trust.
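The following is an added example, not part of this Knowledge Base article: a small Python model of the Windows Server 2008 / 2008 R2 port table above, used to check constructed flows against the trust rule set. It shows three things the article states in prose: that the rule set must be mirrored because either domain controller may be the client, that a partner still using the older 1025-5000 dynamic range falls outside rules written for 49152-65535, and how pinning an RPC service to a fixed server port (the article refers to separate Knowledge Base articles for the actual registry settings) shrinks the high-port-to-high-port opening. Host names, the sample flows and the pinned port number are constructed placeholders.

```python
"""Added example (not from KB 179442): model the Windows Server 2008 / 2008 R2
trust port table as firewall rules and check constructed flows against it.
Host names, flows and the pinned RPC port are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Set, Tuple

PortRange = Tuple[int, int]  # inclusive (low, high)

# Dynamic client ranges quoted in the article.
EPHEMERAL_2008: PortRange = (49152, 65535)  # Windows Server 2008 / 2008 R2 default
EPHEMERAL_2003: PortRange = (1025, 5000)    # mixed-mode 2003 / 2000 default


@dataclass(frozen=True)
class Rule:
    service: str
    proto: str            # "TCP" or "UDP"
    client_ports: PortRange
    server_ports: PortRange


@dataclass(frozen=True)
class Flow:
    src_host: str
    src_port: int
    dst_host: str
    dst_port: int
    proto: str


def base_rules(eph: PortRange = EPHEMERAL_2008) -> List[Rule]:
    """Transcribe the 2008 / 2008 R2 table; a service gets one Rule per protocol
    that the table lists for it (TCP and/or UDP)."""
    def fixed(port: int) -> PortRange:
        return (port, port)

    rules = [
        Rule("W32Time", "UDP", eph, fixed(123)),
        Rule("RPC Endpoint Mapper", "TCP", eph, fixed(135)),
        Rule("RPC for LSA, SAM, Netlogon", "TCP", eph, eph),
        Rule("LDAP SSL", "TCP", eph, fixed(636)),
        Rule("LDAP GC", "TCP", eph, fixed(3268)),
        Rule("LDAP GC SSL", "TCP", eph, fixed(3269)),
        Rule("FRS RPC", "TCP", eph, eph),
        Rule("DFSR RPC", "TCP", eph, eph),
    ]
    for proto in ("TCP", "UDP"):
        rules += [
            Rule("Kerberos password change", proto, eph, fixed(464)),
            Rule("LDAP", proto, eph, fixed(389)),
            Rule("Kerberos", proto, eph, fixed(88)),
            Rule("SMB", proto, eph, fixed(445)),
            # DNS: the source port is either 53 or a dynamic port.
            Rule("DNS", proto, fixed(53), fixed(53)),
            Rule("DNS", proto, eph, fixed(53)),
        ]
    return rules


def with_fixed_server_port(rules: List[Rule], service: str, port: int) -> List[Rule]:
    """Pin a dynamic-range RPC service to one server port so the firewall does not
    need the whole range open for it. The port is a placeholder; the registry
    settings that actually pin it are in the KB articles the page refers to."""
    return [Rule(r.service, r.proto, r.client_ports, (port, port))
            if r.service == service else r
            for r in rules]


def _in_range(port: int, rng: PortRange) -> bool:
    return rng[0] <= port <= rng[1]


def matching_services(flow: Flow, rules: List[Rule]) -> List[str]:
    """Services whose client->server port pattern matches the flow."""
    return sorted({r.service for r in rules
                   if r.proto == flow.proto
                   and _in_range(flow.src_port, r.client_ports)
                   and _in_range(flow.dst_port, r.server_ports)})


def is_allowed(flow: Flow, rules: List[Rule], trust_hosts: Set[str]) -> bool:
    """Mirrored check: either endpoint may act as the client, so the flow is
    allowed when both hosts are trust endpoints and some service pattern matches."""
    return (flow.src_host in trust_hosts and flow.dst_host in trust_hosts
            and bool(matching_services(flow, rules)))


if __name__ == "__main__":
    dcs = {"dc1.contoso.example", "dc1.fabrikam.example"}  # constructed names
    rules = base_rules()
    samples = [
        Flow("dc1.contoso.example", 49200, "dc1.fabrikam.example", 389, "TCP"),
        Flow("dc1.fabrikam.example", 50000, "dc1.contoso.example", 88, "UDP"),
        Flow("dc1.contoso.example", 1025, "dc1.fabrikam.example", 135, "TCP"),
        Flow("dc1.contoso.example", 60000, "dc1.fabrikam.example", 50000, "TCP"),
    ]
    for f in samples:
        print(f"{f.src_port} -> {f.dst_port}/{f.proto}:",
              is_allowed(f, rules, dcs), matching_services(f, rules))
```

The third sample flow (source port 1025 to the endpoint mapper) is rejected by the 2008 rule set but accepted by `base_rules(EPHEMERAL_2003)`, which is the mismatch the article warns about when one side is a mixed-mode 2003 / 2000 domain. The fourth flow matches three services at once, because LSA, FRS and DFSR RPC all use the dynamic range on both ends; pinning one of them with `with_fixed_server_port` removes it from that wide match.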
Active Directory
In Windows 2000 and Windows XP, the Internet Control Message Protocol (ICMP) must be allowed through the firewall from the clients to the domain controllers so that the Active Directory Group Policy client can function correctly through a firewall. ICMP is used to determine whether the link is a slow link or a fast link.
In Windows Server 2008 and later versions, the Network Location Awareness Service provides the bandwidth estimate based on traffic with other stations on the network. There is no traffic generated for the estimate.
The Windows Redirector also uses ICMP to verify that a server IP is resolved by the DNS service before a connection is made, and when a server is located by using DFS. This applies to SYSVOL access by domain members.
If you want to minimize ICMP traffic, you can use the following sample firewall rule:

```
<any> ICMP -> DC IP addr = allow
```

Unlike the TCP protocol layer and the UDP protocol layer, ICMP does not have a port number. This is because ICMP is directly hosted by the IP layer.
By default, Windows Server 2003 and Windows 2000 Server DNS servers use ephemeral client-side ports when they query other DNS servers. However, this behavior may be changed by a specific registry setting. For more information, see Microsoft Knowledge Base article 260186: SendPort DNS registry key does not work as expected (http://support.microsoft.com/kb/260186).
For more information about Active Directory and firewall configuration, see the Microsoft white paper Active Directory in Networks Segmented by Firewalls (http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&displaylang=en). Or, you can establish a trust through the Point-to-Point Tunneling Protocol (PPTP) compulsory tunnel. This limits the number of ports that the firewall has to open. For PPTP, the following ports must be enabled.
| Client Ports | Server Port | Protocol |
|---|---|---|
| 1024-65535/TCP | 1723/TCP | PPTP |
In addition, you would have to enable IP protocol 47 (GRE).
Note: When you add permissions to a resource on a trusting domain for users in a trusted domain, there are some differences between the Windows 2000 and Windows NT 4.0 behavior. If the computer cannot display a list of the remote domain's users, consider the following behavior:
- Windows NT 4.0 tries to resolve manually-typed names by contacting the PDC for the remote user's domain (UDP 138). If that communication fails, a Windows NT 4.0-based computer contacts its own PDC, and then asks for resolution of the name.
- Windows 2000 and Windows Server 2003 also try to contact the remote user's PDC for resolution over UDP 138. However, they do not rely on using their own PDC. Make sure that all Windows 2000-based member servers and Windows Server 2003-based member servers that will be granting access to resources have UDP 138 connectivity to the remote PDC.
Article ID: 179442 - Last Review: August 10, 2012 - Revision: 20.0
Applies to
- Windows Server 2008 Datacenter
- Windows Server 2008 Enterprise
- Windows Server 2008 Standard
- Windows Server 2008 R2 Datacenter
- Windows Server 2008 R2 Enterprise
- Windows Server 2008 R2 Standard
- Microsoft Windows Server 2003, Standard Edition (32-bit x86)
- Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
- Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Professional Edition
- Microsoft Windows NT Server 4.0 Standard Edition
- Windows Server 2008 Datacenter without Hyper-V
- Windows Server 2008 Enterprise without Hyper-V
- Windows Server 2008 for Itanium-Based Systems
- Windows Server 2008 Foundation
- Windows Web Server 2008 R2