
Service overview and network port requirements for Windows

Notice
Important This article contains several references to the default dynamic port range. In Windows Server 2008 and later versions, and in Windows Vista and later versions, the default dynamic port range changed to the following range:
  • Start port: 49152
  • End port: 65535
Windows 2000, Windows XP, and Windows Server 2003 use the following dynamic port range:

  • Start port: 1025
  • End port: 5000

What this means for you:
  • If your computer network environment uses only Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista, you must enable connectivity over the high port range of 49152 through 65535.
  • If your computer network environment uses Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista together with versions of Windows earlier than Windows Server 2008 and Windows Vista, you must enable connectivity over both the following port ranges:
    • High port range 49152 through 65535
    • Low port range 1025 through 5000
  • If your computer network environment uses only versions of Windows earlier than Windows Server 2008 and Windows Vista, you must enable connectivity over the low port range of 1025 through 5000.
For more information about the default dynamic port range in Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista, click the following article number to view the article in the Microsoft Knowledge Base:
929851 The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008
Summary
This article discusses the required network ports, protocols, and services that are used by Microsoft client and server operating systems, server-based programs, and their subcomponents in the Microsoft Windows Server system. Administrators and support professionals may use this Microsoft Knowledge Base article as a roadmap to determine which ports and protocols Microsoft operating systems and programs require for network connectivity in a segmented network.

You should not use the port information in this article to configure Windows Firewall. For information about how to configure Windows Firewall, see the following Microsoft website:

The Windows Server system includes a comprehensive and integrated infrastructure to meet the requirements of developers and information technology (IT) professionals. This system runs programs and solutions that you can use to obtain, analyze, and share information quickly and easily. These Microsoft client, server, and server program products use different network ports and protocols to communicate with client systems and with other server systems over the network. Dedicated firewalls, host-based firewalls, and Internet Protocol security (IPsec) filters are other important components that you must have to help secure your network. However, if these technologies are configured to block ports and protocols that are used by a specific server, that server will no longer respond to client requests.

Overview

The following list provides an overview of the information that this article contains:
  • The "System services ports" section contains a brief description of each service, displays the logical name of that service, and indicates the ports and protocols that each service requires for correct operation. Use this section to help identify the ports and protocols that a particular service uses.
  • The "Ports and protocols" section includes a table that summarizes the information from the "System Services Ports" section. The table is sorted by the port number instead of by the service name. Use this section to quickly determine which services listen on a particular port.

This article uses certain terms in specific ways. To help avoid confusion, make sure that you understand how the article uses these terms:
  • System services: System services are programs that load automatically as part of an application's startup process or as part of the operating system startup process. System services support the different tasks that the operating system must perform. For example, some system services that are available on computers that run Windows Server 2003 Enterprise Edition include the Server service, the Print Spooler service, and the World Wide Web Publishing service. Each system service has a friendly service name and a service name. The friendly service name is the name that appears in graphical management tools such as the Services Microsoft Management Console (MMC) snap-in. The service name is the name that is used with command-line tools and with many scripting languages. Each system service may provide one or more network services.
  • Application protocol: In this article, application protocol refers to a high-level network protocol that uses one or more TCP/IP protocols and ports. Examples of application protocols include HTTP, server message blocks (SMBs), and Simple Mail Transfer Protocol (SMTP).
  • Protocol: TCP/IP protocols are standard formats for communicating between devices on a network. TCP/IP protocols operate at a lower level than the application protocols. The TCP/IP suite of protocols includes TCP, User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP).
  • Port: This is the network port that the system service listens on for incoming network traffic.
This article does not specify which services rely on other services for network communication. For example, many services rely on the remote procedure call (RPC) or DCOM features in Microsoft Windows to assign them dynamic TCP ports. The Remote Procedure Call service coordinates requests by other system services that use RPC or DCOM to communicate with client computers. Many other services rely on network basic input/output system (NetBIOS) or SMBs, protocols that are provided by the Server service. Other services rely on HTTP or on Hypertext Transfer Protocol Secure (HTTPS). These protocols are provided by Internet Information Services (IIS). A full discussion of the architecture of the Windows operating systems is beyond the scope of this article. However, detailed documentation on this subject is available on Microsoft TechNet and on the Microsoft Developer Network (MSDN) websites. Although many services may rely on a particular TCP or UDP port, only one service or process at a time can listen on that port.

When you use RPC with TCP/IP or with UDP/IP as the transport, incoming ports are frequently dynamically assigned to system services as required; TCP/IP and UDP/IP ports that are higher than port 1024 are used. These are also informally known as random RPC ports. In these cases, RPC clients rely on the RPC endpoint mapper to tell them which dynamic port or ports were assigned to the server. For some RPC-based services, you can configure a specific port instead of letting RPC dynamically assign a port. You can also restrict the range of ports that RPC dynamically assigns to a small range, regardless of the service. For more information about this topic, see the "References" section.
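The Notice at the top of this article and the RPC paragraph above together define which dynamic port ranges a segmented network must allow. As an added example (not from the Knowledge Base article), the following Python script encodes that rule, reports the gaps a firewall policy leaves in the required ranges, and parses the output of `netsh int ipv4 show dynamicport tcp` to confirm the range a host actually uses; the rule set, host inventory and netsh text are constructed samples, and the `Rule` type is a hypothetical stand-in for a real policy format.

```python
"""Audit firewall coverage of the Windows dynamic (ephemeral) RPC port ranges.

Added example, not part of the Knowledge Base article. The firewall rule set,
host inventory and netsh output below are constructed sample data.
"""
import re
from dataclasses import dataclass

# Default dynamic port ranges stated in the article, by OS generation.
LEGACY_RANGE = (1025, 5000)    # Windows 2000, Windows XP, Windows Server 2003
MODERN_RANGE = (49152, 65535)  # Windows Vista / Windows Server 2008 and later
LEGACY_OS = {"Windows 2000", "Windows XP", "Windows Server 2003"}
MODERN_OS = {"Windows Vista", "Windows 7", "Windows 8", "Windows Server 2008",
             "Windows Server 2008 R2", "Windows Server 2012"}

def required_ranges(inventory):
    """Dynamic ranges that must be reachable for the OS versions in `inventory`
    (the article's three cases: modern only, legacy only, or both)."""
    versions = set(inventory)
    unknown = versions - LEGACY_OS - MODERN_OS
    if unknown:
        raise ValueError(f"unknown OS versions: {sorted(unknown)}")
    ranges = []
    if versions & LEGACY_OS:
        ranges.append(LEGACY_RANGE)
    if versions & MODERN_OS:
        ranges.append(MODERN_RANGE)
    return ranges

@dataclass(frozen=True)
class Rule:
    """One allow rule of a hypothetical firewall policy (proto: 'tcp' or 'udp')."""
    proto: str
    start: int
    end: int

def uncovered(rules, proto, needed):
    """Return the sub-ranges of `needed` = (start, end) that no rule for
    `proto` allows. Rules may overlap and may be given in any order."""
    allowed = sorted((r.start, r.end) for r in rules if r.proto == proto)
    gaps = []
    cursor = needed[0]           # lowest port not yet shown to be allowed
    for start, end in allowed:
        if end < cursor:         # rule lies entirely below what is still needed
            continue
        if start > needed[1]:    # rule lies entirely above the needed range
            break
        if start > cursor:       # ports cursor..start-1 are blocked
            gaps.append((cursor, start - 1))
        cursor = max(cursor, end + 1)
        if cursor > needed[1]:
            break
    if cursor <= needed[1]:
        gaps.append((cursor, needed[1]))
    return gaps

def audit(rules, inventory):
    """Map each required TCP dynamic range to its list of gaps in `rules`."""
    return {needed: uncovered(rules, "tcp", needed)
            for needed in required_ranges(inventory)}

# `netsh int ipv4 show dynamicport tcp` prints a start port and a port count,
# so the last port of the range is start + count - 1.
NETSH_RE = re.compile(r"Start Port\s*:\s*(\d+).*?Number of Ports\s*:\s*(\d+)", re.S)

def parse_netsh_dynamicport(text):
    """Return the (start, end) range a host actually uses, from netsh output."""
    m = NETSH_RE.search(text)
    if not m:
        raise ValueError("no dynamic port range found in netsh output")
    start, count = int(m.group(1)), int(m.group(2))
    return (start, start + count - 1)

# Constructed sample: a policy written with only modern hosts in mind, applied
# to an environment that still contains a Windows Server 2003 host.
SAMPLE_RULES = [Rule("tcp", 135, 135), Rule("tcp", 445, 445),
                Rule("tcp", 49152, 65535)]
SAMPLE_INVENTORY = ["Windows Server 2012", "Windows Server 2003"]

# Constructed sample in the layout netsh prints on a default Windows Server 2008+ host.
SAMPLE_NETSH = """Protocol tcp Dynamic Port Range
---------------------------------
Start Port      : 49152
Number of Ports : 16384
"""

if __name__ == "__main__":
    for needed, gaps in audit(SAMPLE_RULES, SAMPLE_INVENTORY).items():
        print(f"dynamic range {needed[0]}-{needed[1]}:",
              "covered" if not gaps else f"not allowed: {gaps}")
    host_range = parse_netsh_dynamicport(SAMPLE_NETSH)
    print("host dynamic range:", host_range,
          "(default)" if host_range == MODERN_RANGE else "(non-default; re-check rules)")
```

With the sample data the low range 1025-5000 is reported as entirely missing, which is exactly the mixed-environment case the Notice warns about.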

This article includes information about the system services roles and the server roles for the Microsoft products that are listed in the "Applies to" section. Although this information may also apply to Windows XP and to Microsoft Windows 2000 Professional, this article is focused on server-class operating systems. Therefore, this article describes the ports that a service listens on instead of the ports that client programs use to connect to a remote system.

System services ports

This section provides a description of each system service, includes the logical name that corresponds to the system service, and displays the ports and the protocols that each service requires.

Each system service is described in the following sections.

Active Directory (Local Security Authority)

Active Directory runs under the Lsass.exe process and includes the authentication and replication engines for Windows domain controllers. Domain controllers, client computers, and application servers require network connectivity to Active Directory over specific hard-coded ports. Additionally, unless a tunneling protocol is used to encapsulate traffic to Active Directory, the ephemeral TCP port ranges 1024 through 5000 and 49152 through 65535 are required.

Note
  • If your computer network environment uses only Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista, you must enable connectivity over the high port range of 49152 through 65535.
  • If your computer network environment uses Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista together with versions of Windows earlier than Windows Server 2008 and Windows Vista, you must enable connectivity over both port ranges:
    • High port range of 49152 through 65535
    • Low port range of 1025 through 5000
  • If your computer network environment uses only versions of Windows earlier than Windows Server 2008 and Windows Vista, you must enable connectivity over the low port range of 1025 through 5000.


An encapsulated solution might consist of a VPN gateway located behind a filtering router that uses Layer 2 Tunneling Protocol (L2TP) together with IPsec. In this encapsulated scenario, you must allow the following items through the router instead of opening all the ports and protocols listed in this topic:
  • IPsec Encapsulating Security Protocol (ESP) (IP protocol 50)
  • IPsec Network Address Translator Traversal NAT-T (UDP port 4500)
  • IPsec Internet Security Association and Key Management Protocol (ISAKMP) (UDP port 500)

Finally, you can hard-code the port that is used for Active Directory replication by following the steps in Microsoft Knowledge Base article 224196: Restricting Active Directory replication traffic and client RPC traffic to a specific port.

Note Packet filters for L2TP traffic are not required, because L2TP is protected by IPsec ESP.

System service name: LSASS
Application protocol | Protocol | Ports
Active Directory Web Services (ADWS) | TCP | 9389
Active Directory Management Gateway Service | TCP | 9389
Global Catalog | TCP | 3269
Global Catalog | TCP | 3268
LDAP Server | TCP | 389
LDAP Server | UDP | 389
LDAP SSL | TCP | 636
IPsec ISAKMP | UDP | 500
NAT-T | UDP | 4500
RPC | TCP | 135
RPC randomly allocated high TCP ports¹ | TCP | 1024 - 5000; 49152 - 65535²
SMB | TCP | 445

¹ For more information about how to customize this port, see "Domain controllers and Active Directory" in the "References" section. This also includes remote WMI and DCOM communications first used in Windows Server 2012 domain controller promotion during prerequisite validation and with the Server Manager tool.
² This is the range in Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista.

Application Layer Gateway Service

This subcomponent of the Internet Connection Sharing/Internet Connection Firewall (ICF) service provides support for plug-ins that allow network protocols to pass through the firewall and work behind Internet Connection Sharing. Application Layer Gateway (ALG) plug-ins can open ports and change data (such as ports and IP addresses) that are embedded in packets. FTP is the only network protocol that has a plug-in that is included with Windows Server. The ALG FTP plug-in supports active FTP sessions through the network address translation (NAT) engine that these components use. The ALG FTP plug-in supports these sessions by redirecting all traffic that meets the following criteria to a private listening port in the range of 3000 to 5000 on the loopback adapter:
  • Passes through the NAT engine
  • Is directed toward port 21

The ALG FTP plug-in then monitors and updates FTP control channel traffic so that the FTP plug-in can forward port mappings through the NAT for the FTP data channels. The FTP plug-in also updates ports in the FTP control channel stream.

System service name: ALG
Application protocol | Protocol | Ports
FTP control | TCP | 21

ASP.NET State Service

ASP.NET State Service provides support for ASP.NET out-of-process session states. ASP.NET State Service stores session data out-of-process. The service uses sockets to communicate with ASP.NET that is running on a web server.

System service name: aspnet_state
Application protocol | Protocol | Ports
ASP.NET Session State | TCP | 42424

Certificate Services

Certificate Services is part of the core operating system. By using Certificate Services, a business can act as its own certification authority (CA). This lets the business issue and manage digital certificates for programs and protocols such as the following:

  • Secure/Multipurpose Internet Mail Extensions (S/MIME)
  • Secure Sockets Layer (SSL)
  • Encrypting File System (EFS)
  • IPsec
  • Smart card logon

Certificate Services relies on RPC and DCOM to communicate with clients by using random TCP ports that are higher than port 1024.

System service name: CertSvc
Application protocol | Protocol | Ports
RPC | TCP | 135
Randomly allocated high TCP ports¹ | TCP | random port number between 1024 - 65535; random port number between 49152 - 65535²
¹ For more information about how to customize this port, see "Remote Procedure Calls and DCOM" in the "References" section.
² This is the range in Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista.

Cluster Service

The Cluster service controls server cluster operations and manages the cluster database. A cluster is a collection of independent computers that act as a single computer. Managers, programmers, and users see the cluster as a single system. The software distributes data among the nodes of the cluster. If a node fails, other nodes provide the services and data that were formerly provided by the missing node. When a node is added or repaired, the cluster software migrates some data to that node.

System service name: ClusSvc
Application protocol | Protocol | Ports
Cluster Service | UDP | 3343
Cluster Service | TCP | 3343 (This port is required during a node join operation.)
RPC | TCP | 135
Cluster Administrator | UDP | 137
Randomly allocated high UDP ports¹ | UDP | Random port number between 1024 and 65535; Random port number between 49152 and 65535²

Note Additionally, for successful validation on Windows Failover Clusters on Windows Server 2008 and later, allow inbound and outbound traffic for ICMPv4, ICMPv6, and port 445/TCP for SMB.

¹ For more information about how to customize these ports, see "Remote Procedure Calls and DCOM" in the "References" section.
² This is the range in Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista.

Computer Browser

The Computer Browser system service maintains an up-to-date list of computers on your network and supplies the list to programs that request it. The Computer Browser service is used by Windows-based computers to view network domains and resources. Computers that are designated as browsers maintain browse lists that contain all shared resources that are used on the network. Earlier versions of Windows-based programs, such as My Network Places, the net view command, and Windows Explorer, all require browsing capability. For example, when you open My Network Places on a computer that is running Microsoft Windows 95, a list of domains and computers appears. To display this list, the computer obtains a copy of the browse list from a computer that is designated as a browser.

If you are running only Windows Vista and later versions of Windows, the browser service is no longer required.

System service name: Browser
Application protocol | Protocol | Ports
NetBIOS Datagram Service | UDP | 138
NetBIOS Name Resolution | UDP | 137
NetBIOS Session Service | TCP | 139
The Browser service uses RPC over Named Pipes to compile

DHCP Server

The DHCP Server service uses the Dynamic Host Configuration Protocol (DHCP) to automatically allocate IP addresses. You can use this service to adjust the advanced network settings of DHCP clients. For example, you can configure network settings such as Domain Name System (DNS) servers and Windows Internet Name Service (WINS) servers. You can establish one or more DHCP servers to maintain TCP/IP configuration information and to provide that information to client computers.

System service name: DHCPServer
Application protocol | Protocol | Ports
DHCP Server | UDP | 67
MADCAP | UDP | 2535
DHCP Failover | TCP | 647

Distributed File System Namespaces

The Distributed File System Namespaces (DFSN) integrates different file shares that are located on a local area network (LAN) or wide area network (WAN) into a single logical namespace. The DFSN service is required for Active Directory domain controllers to advertise the SYSVOL shared folder.

System service name: Dfs
Application protocol | Protocol | Ports
NetBIOS Datagram Service | UDP | 138³
NetBIOS Session Service | TCP | 139³
LDAP Server | TCP | 389
LDAP Server | UDP | 389
SMB | TCP | 445
RPC | TCP | 135
Randomly allocated high TCP ports¹ | TCP | random port number between 1024 - 65535; random port number between 49152 - 65535²
¹ For more information about how to customize this port, see "Remote Procedure Calls and DCOM" in the "References" section.
² This is the range in Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista.
³ The NETBIOS ports are optional and are not required when DFSN is using FQDN Server names.

Distributed File System Replication

The Distributed File System Replication (DFSR) service is a state-based, multi-master file replication engine that automatically copies updates to files and folders between computers that are participating in a common replication group. DFSR was added in Windows Server 2003 R2. You can configure DFSR by using the Dfsrdiag.exe command-line tool to replicate files on specific ports, regardless of whether they are participating in Distributed File System Namespaces (DFSN).

System service name: DFSR
Application protocol | Protocol | Ports
RPC | TCP | 135
RPC | TCP | 5722³
Randomly allocated high TCP ports¹ | TCP | random port number between 1024 - 65535; random port number between 49152 - 65535²
¹ For more information about how to customize this port, see "Distributed File Replication Service" in the "References" section.
² This is the range in Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista.
³ Port 5722 is only used on a Windows Server 2008 domain controller or on a Windows Server 2008 R2 domain controller. It is not used on a Windows Server 2012 domain controller.

Distributed Link Tracking Server

The Distributed Link Tracking Server system service stores information so that files that are moved between volumes can be tracked to each volume in the domain. The Distributed Link Tracking Server service runs on each domain controller in a domain. This service enables the Distributed Link Tracking Client service to track linked documents that are moved to a location in another NTFS file system volume in the same domain.

System service name: TrkSvr
Application protocol | Protocol | Ports
RPC | TCP | 135
Randomly allocated high TCP ports¹ | TCP | random port number between 1024 - 65535; random port number between 49152 - 65535²
¹ For more information about how to customize this port, see "Remote Procedure Calls and DCOM" in the "References" section.
² This is the range in Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista.

Distributed Transaction Coordinator

The Distributed Transaction Coordinator (DTC) system service coordinates transactions that are distributed across multiple computer systems and resource managers, such as databases, message queues, file systems, or other transaction-protected resource managers. The DTC system service is required if transactional components are configured through COM+. It is also required for transactional queues in Message Queuing (also known as MSMQ) and SQL Server operations that span multiple systems.

System service name: MSDTC
Application protocol | Protocol | Ports
RPC | TCP | 135
Randomly allocated high TCP ports¹ | TCP | random port number between 1024 - 65535; random port number between 49152 - 65535²
¹ For more information about how to customize this port, see "Distributed Transaction Coordinator" in the "References" section.
² This is the range in Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista.

DNS Server

The DNS Server service enables DNS name resolution by answering queries and update requests for DNS names. DNS servers are required to locate devices and services that are identified by using DNS names and to locate domain controllers in Active Directory.

System service name: DNS
Application protocol | Protocol | Ports
DNS | UDP | 53
DNS | TCP | 53

Event Log

The Event Log system service logs event messages that are generated by programs and by the Windows operating system. Event log reports contain information that you can use to diagnose problems. You view reports in Event Viewer. The Event Log service writes events that are sent to log files by programs, by services, and by the operating system. The events contain diagnostic information in addition to errors that are specific to the source program, the service, or the component. The logs can be viewed programmatically through the event log APIs or through the Event Viewer in an MMC snap-in.

System service name: Eventlog
Application protocol | Protocol | Ports
RPC/named pipes (NP) | TCP | 139
RPC/NP | TCP | 445
RPC/NP | UDP | 137
RPC/NP | UDP | 138
Note The Event Log service uses RPC over named pipes. This service has the same firewall requirements as the "File and Printer Sharing" feature.

Fax Service

Fax Service, a Telephony API (TAPI)–compliant system service, provides fax capabilities. Fax Service lets users use either a local fax device or a shared network fax device to send and receive faxes from their desktop programs.

System service name: Fax
Application protocol | Protocol | Ports
NetBIOS Session Service | TCP | 139
SMB | TCP | 445
RPC | TCP | 135
Randomly allocated high TCP ports¹ | TCP | random port number between 1024 - 65535; random port number between 49152 - 65535²
¹ For more information about how to customize this port, see "Remote Procedure Calls and DCOM" in the "References" section.
² This is the range in Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista.

File Replication

The File Replication service (FRS) is a file-based replication engine that automatically copies updates to files and folders between computers that are participating in a common FRS replica set. FRS is the default replication engine that is used to replicate the contents of the SYSVOL folder between Windows 2000-based domain controllers and Windows Server 2003-based domain controllers that are located in a common domain. You can use the DFS Administration tool to configure FRS to replicate files and folders between targets of a DFS root or link.

System service name: NtFrs
Application protocol | Protocol | Ports
RPC | TCP | 135
Randomly allocated high TCP ports¹ | TCP | random port number between 1024 - 65535; random port number between 49152 - 65535²
¹ For more information about how to customize this port, see "File Replication Service" in the "References" section.
² This is the range in Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, and in Windows Vista.

File Server for Macintosh

Macintosh computer users can use the File Server for Macintosh system service to store and access files on a computer that is running Windows Server 2003. If this service is turned off or blocked, Macintosh clients cannot access or store files on that computer. File Server for Macintosh is not included in Windows Server 2008, and later versions of Windows Server.

System service name: MacFile
Application protocol | Protocol | Ports
File Server for Macintosh | TCP | 548

FTP Publishing Service

FTP Publishing Service provides FTP connectivity. By default, the FTP control port is 21. However, you can configure this system service through the Internet Information Services (IIS) Manager snap-in. The default data (that is used for active mode FTP) port is automatically set to one port less than the control port. Therefore, if you configure the control port to port 4131, the default data port is port 4130. Most FTP clients use passive mode FTP. This means that the client first connects to the FTP server by using the control port. Next, the FTP server assigns a high TCP port between ports 1025 and 5000. Then, the client opens a second connection to the FTP server for transferring data. You can configure the range of high ports by using the IIS metabase.

System service name: MSFTPSVC
Application protocol | Protocol | Ports
FTP control | TCP | 21
FTP default data | TCP | 20
Randomly allocated high TCP ports | TCP | random port number between 1024 - 65535; random port number between 49152 - 65535¹
¹ This is the range in Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista.

Group Policy

To successfully apply Group Policy, a client computer must be able to contact a domain controller over the Kerberos, LDAP, SMB, and RPC protocols. Windows XP and Windows Server 2003 additionally require the ICMP protocol.

If any one of these protocols is unavailable or blocked between the client and a relevant domain controller, Group Policy will not apply or update. For a cross-domain logon, where a computer is in one domain and the user account is in another domain, these protocols may be required for the client, the resource domain, and the account domain to communicate. ICMP is used for slow link detection. For more information about slow link detection, see the following Microsoft Knowledge Base articles:
  • 227260: How a slow link is detected for processing user profiles and Group Policy
  • 2008977: Group Policy Slow Link Detection Using Windows Vista and Server 2008

System service name: Group Policy
Application protocol | Protocol | Ports
DCOM¹ | TCP + UDP | random port number between 1024 - 65535; random port number between 49152 - 65535²
ICMP (ping)³ | ICMP |
LDAP | TCP | 389
SMB | TCP | 445
RPC¹ | TCP | 135; random port number between 1024 - 65535; random port number between 49152 - 65535²
¹ For more information about how to customize this port, see "Domain controllers and Active Directory" in the "References" section.
² This is the range in Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista.
³ This protocol is required only by Windows XP and Windows Server 2003 acting as clients.


Note When the Group Policy Microsoft Management Console (MMC) snap-in creates Group Policy Results reports and Group Policy Modeling reports, it uses DCOM and RPC to send and to receive information from the Resultant Set of Policy (RSoP) provider on the client or on the domain controller. The various binary files that make up the Group Policy Microsoft Management Console (MMC) snap-in features primarily use COM calls to send or to receive information. When you initiate remote Group Policy Results reporting from a Windows 8 or Windows Server 2012 computer, access to the destination computer's event log is required. (See the "Event Log" section in this article for port requirements.)

Windows 8 and Windows Server 2012 support the initiation of remote group policy update against Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista computers. This requires RPC/WMI access through port 135 and ports 49152–65535 inbound to the computer on which the policy is being refreshed.

HTTP SSL

The HTTP SSL system service enables IIS to perform SSL functions. SSL is an open standard for establishing an encrypted communications channel to help prevent the interception of extremely important information, such as credit card numbers. Although this service works on other Internet services, it is primarily used to enable encrypted electronic financial transactions on the World Wide Web (WWW). You can configure the ports for this service through the Internet Information Services (IIS) Manager snap-in.

System service name: HTTPFilter
Application protocol | Protocol | Ports
HTTPS | TCP | 443

Hyper-V service

Hyper-V replica
Application protocol | Protocol | Port
WMI | TCP | 135
Randomly allocated high TCP ports | TCP | Random port number between 49152 and 65535
Kerberos authentication (HTTP) | TCP | 80
Certificate-based authentication (HTTPS) | TCP | 443

Hyper-V live migration
Application protocol | Protocol | Port
Live migration | TCP | 6600
SMB | TCP | 445
Cluster Service traffic | UDP | 3343

Internet Authentication Service

Internet Authentication Service (IAS) performs centralized authentication, authorization, auditing, and accounting of users who are connecting to a network. These users can be on a LAN connection or on a remote connection. IAS implements the Internet Engineering Task Force (IETF) standard Remote Authentication Dial-In User Service (RADIUS) protocol.

System service name: IAS
Application protocol | Protocol | Ports
Legacy RADIUS | UDP | 1645
Legacy RADIUS | UDP | 1646
RADIUS Accounting | UDP | 1813
RADIUS Authentication | UDP | 1812

Internet Connection Firewall (ICF)/Internet Connection Sharing

This system service provides NAT, addressing, and name resolution services for all computers on your home network or your small-office network. When the Internet Connection Sharing feature is enabled, your computer becomes an "Internet gateway" on the network. Other client computers can then share one connection to the Internet, such as a dial-up connection or a broadband connection. This service provides basic DHCP and DNS services but will work with the full-featured Windows DHCP or DNS services. When ICF and Internet Connection Sharing act as a gateway for the rest of the computers on your network, they provide DHCP and DNS services to the private network on the internal network interface. They do not provide these services on the external network interface.

System service name: SharedAccess
Application protocol | Protocol | Ports
DHCP Server | UDP | 67
DNS | UDP | 53
DNS | TCP | 53

IPAM

The IP Address Management (IPAM) client UI communicates with the IPAM server to perform remote management. This is done by using the Windows Communications Framework (WCF), which uses TCP as the transport protocol. By default, the TCP binding is performed on port 48885 on the IPAM server.

BranchCache information
  • Port 3702 (UDP) is used to discover the availability of cached content on a client.
  • Port 80 (TCP) is used to serve content to requesting clients.
  • Port 443 (TCP) is the default port that is used by the hosted cache to accept incoming client offers for content.

ISA/TMG Server

Application protocol | Protocol | Ports
Configuration Storage (domain) | TCP | 2171 (note 1)
Configuration Storage (replication) | TCP | 2173 (note 1)
Configuration Storage (workgroup) | TCP | 2172 (note 1)
Firewall Client Application | TCP/UDP | 1025-65535 (note 2)
Firewall Client Control Channel | TCP/UDP | 1745 (note 3)
Firewall Control Channel | TCP | 3847 (note 1)
RPC | TCP | 135 (note 6)
Randomly allocated high TCP ports (note 6) | TCP | random port number between 1024 - 65535; random port number between 10000 - 65535 (note 7)
Web Management | TCP | 2175 (note 1, 4)
Web Proxy Client | TCP | 8080 (note 5)
Notes
  1. This port is not used with ISA 2000.
  2. FWC application transport and protocols are negotiated within the FWC control channel.
  3. ISA 2000 FWC control uses UDP. ISA 2004 and 2006 use TCP.
  4. OEM uses Firewall Web Management to provide non-MMC management of ISA Server.
  5. This port is also used for intra-array traffic.
  6. This port is used only by the ISA management MMC during remote server and service status monitoring.
  7. This is the range in TMG. Please note that TMG extends the default dynamic port ranges in Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista.

Kerberos Key Distribution Center

When you use the Kerberos Key Distribution Center (KDC) system service, users can log on to the network by using the Kerberos version 5 authentication protocol. As in other implementations of the Kerberos protocol, the KDC is a single process that provides two services: the Authentication Service and the Ticket-Granting Service. The Authentication Service issues ticket-granting tickets, and the Ticket-Granting Service issues tickets for connection to computers in its own domain.

System service name: kdc
Application protocol | Protocol | Ports
Kerberos | TCP | 88
Kerberos | UDP | 88
Kerberos Password V5 | UDP | 464
Kerberos Password V5 | TCP | 464
DC Locator | UDP | 389

License Logging

The License Logging system service is a tool that was originally designed to help customers manage licenses for Microsoft server products that are licensed in the server client access license (CAL) model. License Logging was introduced with Microsoft Windows NT Server 3.51. By default, the License Logging service is disabled in Windows Server 2003. Because of legacy design constraints and evolving license terms and conditions, License Logging may not provide an accurate view of the total number of CALs that are purchased compared to the total number of CALs that are used on a particular server or across the enterprise. The CALs that are reported by License Logging may conflict with the interpretation of the Microsoft Software License Terms and with Product Use Rights (PUR). License Logging is not included in Windows Server 2008 and later operating systems. We recommend that only users of the Microsoft Small Business Server family of operating systems enable this service on their servers.

System service name: LicenseService
Application protocol | Protocol | Ports
NetBIOS Datagram Service | UDP | 138
NetBIOS Session Service | TCP | 139
SMB | TCP | 445
Note The License Logging service uses RPC over named pipes. This service has the same firewall requirements as the "File and Printer Sharing" feature.

Message Queuing

The Message Queuing system service is a messaging infrastructure and development tool for creating distributed messaging programs for Windows. These programs can communicate across heterogeneous networks and can send messages between computers that may be temporarily unable to connect to one another. Message Queuing helps provide security, efficient routing, support for sending messages within transactions, priority-based messaging, and guaranteed message delivery.

System service name: MSMQ
Application protocol | Protocol | Ports
MSMQ | TCP | 1801
MSMQ | UDP | 1801
MSMQ-DCs | TCP | 2101
MSMQ-Mgmt | TCP | 2107
MSMQ-Ping | UDP | 3527
MSMQ-RPC | TCP | 2105
MSMQ-RPC | TCP | 2103
RPC | TCP | 135

Messenger

The Messenger system service sends messages to or receives messages from users and computers, administrators, and the Alerter service. This service is not related to Windows Messenger. If you disable the Messenger service, notifications that are sent to computers or users who are currently logged on to the network are not received. Additionally, the net send command and the net name command no longer function.

In many customer environments this service is disabled. Therefore, you do not have to enable NETBIOS for this service.

System service name: Messenger
Application protocol | Protocol | Ports
NetBIOS Datagram Service | UDP | 138

Microsoft Exchange MTA Stacks

In Microsoft Exchange 2000 Server and Microsoft Exchange Server 2003, the Message Transfer Agent (MTA) is frequently used to provide backward-compatible message transfer services between Exchange 2000 Server-based servers and Exchange Server 5.5-based servers in a mixed-mode environment.

System service name: MSExchangeMTA
Application protocol | Protocol | Ports
X.400 | TCP | 102

Microsoft POP3 Service

The Microsoft POP3 service provides email transfer and retrieval services. Administrators can use this service to store and manage email accounts on the mail server. When you install Microsoft POP3 Service on the mail server, users can connect to the mail server and can retrieve email messages by using an email client that supports the POP3 protocol, such as Microsoft Outlook.

System service name: POP3SVC
Application protocol | Protocol | Ports
POP3 | TCP | 110

Net Logon

The Net Logon system service maintains a security channel between your computer and the domain controller to authenticate users and services. It passes the user's credentials to a domain controller and returns the domain security identifiers and the user rights for the user. This is typically known as pass-through authentication. Net Logon is configured to start automatically only when a member computer or domain controller is joined to a domain. In the Windows 2000 Server and Windows Server 2003 families, Net Logon publishes service resource locator records in the DNS. When this service runs, it relies on the WORKSTATION service and on the Local Security Authority service to listen for incoming requests. On domain member computers, Net Logon uses RPC over named pipes. On domain controllers, it uses RPC over named pipes, RPC over TCP/IP, mail slots, and Lightweight Directory Access Protocol (LDAP).

System service name: Netlogon
Application protocol | Protocol | Ports
NetBIOS Datagram Service | UDP | 138 ³
NetBIOS Name Resolution | UDP | 137 ³
NetBIOS Session Service | TCP | 139 ³
SMB | TCP | 445
LDAP | UDP | 389
RPC ¹ | TCP | 135, random port number between 1024 - 65535; 135, random port number between 49152 - 65535 ²
¹ For more information about how to customize this port, see "Domain controllers and Active Directory" in the "References" section.
² This is the range in Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista.
³ The NETBIOS ports are optional. Netlogon uses these only for trusts that don't support DNS or when DNS fails during an attempted fallback. If there is no WINS infrastructure and broadcasts can't work, you should either disable NetBt or set the computers and servers to NodeType=2.

Note The Net Logon service uses RPC over named pipes for earlier versions of Windows clients. This service has the same firewall requirements as the "File and Printer Sharing" feature.

NetMeeting Remote Desktop Sharing

The NetMeeting Remote Desktop Sharing system service allows authorized users to use Windows NetMeeting to remotely access your Windows desktop from another personal computer over a corporate intranet. You must explicitly enable this service in NetMeeting. You can disable or shut down this feature by using an icon that is displayed in the Windows notification area.

System service name: mnmsrvc
Application protocol | Protocol | Ports
Terminal Services | TCP | 3389

Network News Transfer Protocol (NNTP)

The Network News Transfer Protocol (NNTP) system service lets computers that are running Windows Server 2003 act as news servers. Clients can use a news client, such as Microsoft Outlook Express, to retrieve newsgroups from the server and to read the headers or the bodies of the articles in each newsgroup.

System service name: NNTPSVC
Application protocol | Protocol | Ports
NNTP | TCP | 119
NNTP over SSL | TCP | 563

Offline Files, User Profile Service, Folder Redirection, and Primary Computer

Offline Files and Roaming User Profiles cache user data to computers for offline use. These capabilities exist in all supported Microsoft operating systems. Windows XP implemented roaming user profile caching as part of the Winlogon process while Windows Vista, Windows Server 2008, and later operating systems use the User Profile Service. All of these systems use SMB.

Folder Redirection redirects user data from the local computer to a remote file share, using SMB.

The Primary Computer system for Windows is part of the Roaming User Profile and Offline Files services. Primary Computer provides a capability to prevent data caching to computers that are not authorized by administrators for specific users. Primary Computer uses LDAP to determine the configuration and does not perform any data transfer using SMB; it instead alters the default Offline Files and Roaming User Profile behaviors. This system was added in Windows 8 and Windows Server 2012.

System service names: ProfSvc, CscService

Application protocol | Protocol | Ports
SMB | TCP | 445
Global Catalog | TCP | 3269
Global Catalog | TCP | 3268
LDAP Server | TCP | 389
LDAP Server | UDP | 389
LDAP SSL | TCP | 636

Performance Logs and Alerts

The Performance Logs and Alerts system service collects performance data from local or remote computers based on preconfigured schedule parameters and then writes that data to a log or triggers a message. Based on the information that is contained in the named log collection setting, the Performance Logs and Alerts service starts and stops each named performance data collection. This service runs only if at least one performance data collection is scheduled.

System service name: SysmonLog
Application protocol | Protocol | Ports
NetBIOS Session Service | TCP | 139

Print Spooler

The Print Spooler system service manages all local and network print queues and controls all print jobs. Print Spooler is the center of the Windows printing subsystem. It manages the print queues on the system and communicates with printer drivers and input/output (I/O) components, such as the USB port and the TCP/IP protocol suite.

System service name: Spooler
Application protocol | Protocol | Ports
NetBIOS Datagram Service | UDP | 138
NetBIOS Name Resolution | UDP | 137
NetBIOS Session Service | TCP | 139
SMB | TCP | 445
Note The Print Spooler service uses RPC over named pipes. This service has the same firewall requirements as the "File and Printer Sharing" feature.

Remote Installation

You can use the Remote Installation system service to install Windows 2000, Windows XP, and Windows Server 2003 on Pre-Boot Execution Environment (PXE) remote boot-enabled client computers. The Boot Information Negotiation Layer (BINL) service, the primary component of Remote Installation Server (RIS), answers PXE client requests, checks Active Directory for client validation, and passes client information to and from the server. The BINL service is installed when you add the RIS component from Add/Remove Windows Components, or you can select it when you first install the operating system.

System service name: BINLSVC
Application protocol | Protocol | Ports
BINL | UDP | 4011

Remote Procedure Call (RPC)

The Remote Procedure Call (RPC) system service is an interprocess communication (IPC) mechanism that enables data exchange and invocation of functionality that is located in a different process. The different process can be on the same computer, on the LAN, or in a remote location, and it can be accessed over a WAN connection or over a VPN connection. The RPC service serves as the RPC Endpoint Mapper and Component Object Model (COM) Service Control Manager. Many services depend on the RPC service to start successfully.

System service name: RpcSs
Application protocol | Protocol | Ports
RPC | TCP | 135
RPC over HTTPS | TCP | 593
NetBIOS Datagram Service | UDP | 138
NetBIOS Name Resolution | UDP | 137
NetBIOS Session Service | TCP | 139
SMB | TCP | 445
Notes

  • RPC does not use only the hard-coded ports that are listed in the table. Active Directory and other components also make RPC calls over ports in the ephemeral port range. The ephemeral port range depends on the operating system of the server that the client operating system connects to.
  • The RPC Endpoint Mapper also offers its services by using named pipes. This service has the same firewall requirements as the "File and Printer Sharing" feature.
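The notes above are the rule a firewall administrator has to apply again and again in this article: an RPC-based service needs TCP 135 plus the dynamic range, and which dynamic range depends on the Windows generations present on the network (see the footnotes on the service tables). The following Python script is added here as an illustration and is not part of the Microsoft article. It transcribes a handful of the article's service tables, resolves them into the set of firewall allow-rules for a given OS mix, and then checks a constructed list of listening sockets against that set so that any listener not explained by an enabled service stands out. The service names and port numbers come from this article; the OS-generation labels, the `DYNAMIC` placeholder, the `PortRule` class and the sample listener list are assumptions of the example.

```python
"""Resolve firewall allow-rules from this article's service port tables.

Added example; not code from the Microsoft article. The port data is copied
from the article's tables for a handful of services, and DYNAMIC_RANGES
encodes the article's footnotes on the default dynamic (RPC high) port range.
The listener records at the bottom are constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True, order=True)
class PortRule:
    protocol: str            # "TCP", "UDP", or an IP protocol such as "GRE"
    low: int = 0             # 0/0 for IP protocols that carry no port number
    high: int = 0

    def covers(self, protocol: str, port: int) -> bool:
        return self.protocol == protocol and self.low <= port <= self.high


# Placeholder for "Randomly allocated high TCP ports"; expanded per OS mix.
DYNAMIC = PortRule("TCP", -1, -1)

# Default dynamic port range per Windows generation (from the article).
DYNAMIC_RANGES = {
    "legacy": (1025, 5000),    # Windows 2000, Windows XP, Windows Server 2003
    "modern": (49152, 65535),  # Windows Vista / Server 2008 and later
}

# Subset of the article's tables, transcribed as service -> rules.
SERVICE_PORTS = {
    "Kerberos Key Distribution Center": {
        PortRule("TCP", 88, 88), PortRule("UDP", 88, 88),
        PortRule("TCP", 464, 464), PortRule("UDP", 464, 464),
        PortRule("UDP", 389, 389),
    },
    "Remote Procedure Call": {PortRule("TCP", 135, 135), PortRule("TCP", 593, 593)},
    "Terminal Services Licensing": {
        PortRule("TCP", 135, 135), DYNAMIC, PortRule("TCP", 445, 445),
    },
    "Routing and Remote Access": {
        PortRule("GRE"), PortRule("ESP"), PortRule("AH"),   # IP protocols, no port
        PortRule("UDP", 1701, 1701), PortRule("TCP", 1723, 1723),
    },
    "Windows Time": {PortRule("UDP", 123, 123)},
}


def dynamic_ranges(generations: Iterable[str]) -> list[tuple[int, int]]:
    """Return the dynamic range(s) a network of these OS generations needs.

    A mixed network needs both the low and the high range, as the article's
    introductory note states.
    """
    wanted = set(generations)
    unknown = wanted - set(DYNAMIC_RANGES)
    if unknown:
        raise ValueError(f"unknown OS generation(s): {sorted(unknown)}")
    return [DYNAMIC_RANGES[g] for g in ("legacy", "modern") if g in wanted]


def required_rules(services: Iterable[str], generations: Iterable[str]) -> set[PortRule]:
    """Expand the DYNAMIC placeholder and merge the rules for all services."""
    rules: set[PortRule] = set()
    for service in services:
        for rule in SERVICE_PORTS[service]:
            if rule == DYNAMIC:
                rules.update(PortRule("TCP", lo, hi) for lo, hi in dynamic_ranges(generations))
            else:
                rules.add(rule)
    return rules


def is_expected(protocol: str, port: int, rules: set[PortRule]) -> bool:
    return any(r.covers(protocol, port) for r in rules)


def audit_listeners(listeners: Iterable[tuple[str, int]], rules: set[PortRule]) -> list[str]:
    """Return 'PROTO/port' for every listening socket not explained by the rules.

    A listener inside the dynamic range is explained only if an RPC-based
    service is in the allow set; anything else is where a defender starts asking.
    """
    return sorted(f"{p}/{port}" for p, port in listeners if not is_expected(p, port, rules))


# Constructed sample: what a netstat-style inventory of a licensing server
# might show (not real data).
SAMPLE_LISTENERS = [("TCP", 135), ("TCP", 445), ("TCP", 49670), ("UDP", 123), ("TCP", 3389)]

if __name__ == "__main__":
    allowed = required_rules(["Terminal Services Licensing", "Windows Time"], {"modern"})
    for rule in sorted(allowed):
        span = f"{rule.low}" if rule.low == rule.high else f"{rule.low}-{rule.high}"
        print(f"{rule.protocol:4} {span if rule.low else 'n/a'}")
    print("unexpected listeners:", audit_listeners(SAMPLE_LISTENERS, allowed))
```

Running the script with `{"modern"}` produces the allow set TCP 135, TCP 445, TCP 49152-65535 and UDP 123, and reports TCP 3389 as the one listener the enabled services do not account for; passing `{"legacy", "modern"}` adds TCP 1025-5000, which is the mixed-network case from the article's introductory note.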


Remote Procedure Call (RPC) Locator

The Remote Procedure Call (RPC) Locator system service manages the RPC name service database. When this service is turned on, RPC clients can locate RPC servers. By default, this service is turned off.

System service name: RpcLocator
Application protocol | Protocol | Ports
NetBIOS Datagram Service | UDP | 138
NetBIOS Name Resolution | UDP | 137
NetBIOS Session Service | TCP | 139
SMB | TCP | 445
Note The RPC Locator service offers its services by using RPC over named pipes. This service has the same firewall requirements as the "File and Printer Sharing" feature.

Remote Storage Notification

The Remote Storage Notification system service notifies users when they read from or write to files that are available only from a secondary storage media. Stopping this service prevents this notification.

System service name: Remote_Storage_User_Link
Application protocol | Protocol | Ports
RPC | TCP | 135
Randomly allocated high TCP ports ¹ | TCP | random port number between 1024 - 65535; random port number between 49152 - 65535 ²
¹ For more information about how to customize this port, see "Remote Procedure Calls and DCOM" in the "References" section.
² This is the range in Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, and in Windows Vista.

Remote Storage

The Remote Storage system service stores infrequently used files on a secondary storage medium. If you stop this service, users cannot move or retrieve files from the secondary storage media.

System service name: Remote_Storage_Server
Application protocol | Protocol | Ports
RPC | TCP | 135
Randomly allocated high TCP ports ¹ | TCP | random port number between 1024 - 65535; random port number between 49152 - 65535 ²
¹ For more information about how to customize this port, see "Remote Procedure Calls and DCOM" in the "References" section.
² This is the range in Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, and in Windows Vista.

Routing and Remote Access

The Routing and Remote Access service provides multiprotocol LAN-to-LAN, LAN-to-WAN, VPN, and NAT routing services. The Routing and Remote Access service also provides dial-up and VPN remote access services. Although the Routing and Remote Access service can use all the following protocols, the service typically uses only a few of them. For example, if you configure a VPN gateway that is behind a filtering router, you will probably use only one protocol. If you use L2TP with IPsec, you must allow IPsec ESP (IP protocol 50), NAT-T (UDP on port 4500), and IPsec ISAKMP (UDP on port 500) through the router.

Note Although NAT-T and IPsec ISAKMP are required for L2TP, these ports are monitored by the Local Security Authority. For more information about this, see the "References" section.

System service name: RemoteAccess
Application protocol | Protocol | Ports
GRE (IP protocol 47) | GRE | n/a
IPsec AH (IP protocol 51) | AH | n/a
IPsec ESP (IP protocol 50) | ESP | n/a
L2TP | UDP | 1701
PPTP | TCP | 1723

Server

The Server system service provides RPC support and file sharing, print sharing, and named pipe sharing over the network. The Server service lets users share local resources, such as disks and printers, so that other users on the network can access them. It also enables named pipe communication between programs that are running on the local computer and on other computers. Named pipe communication is memory that is reserved for the output of one process to be used as input for another process. The input-accepting process does not have to be local to the computer.

Note If a computer name resolves to multiple IP addresses by using WINS, or if WINS failed and the name is resolved by using DNS, NetBIOS over TCP/IP (NetBT) tries to ping the IP address or addresses of the file server. Port 139 communications depend on Internet Control Message Protocol (ICMP) echo messages. If IP version 6 (IPv6) is not installed, port 445 communications will also depend on ICMP for name resolution. Preloaded Lmhosts entries will bypass the DNS resolver. If IPv6 is installed on computers that are running Windows Server 2003 or Windows XP operating systems, port 445 communications do not trigger ICMP requests.

The NetBIOS ports that are listed here are optional. Windows 2000 and newer clients can work over port 445.

System service name: lanmanserver
Application protocol | Protocol | Ports
NetBIOS Datagram Service | UDP | 138
NetBIOS Name Resolution | UDP | 137
NetBIOS Session Service | TCP | 139
SMB | TCP | 445

SharePoint Portal Server

The SharePoint Portal Server system service lets you develop an intelligent portal that seamlessly connects users, teams, and knowledge. This helps people take advantage of relevant information across business processes. Microsoft SharePoint Portal Server 2003 provides an enterprise business solution that integrates information from various systems into one solution through single sign-on and enterprise application integration capabilities.

Application protocol | Protocol | Ports
HTTP | TCP | 80
HTTPS | TCP | 443

Simple Mail Transfer Protocol (SMTP)

The Simple Mail Transfer Protocol (SMTP) system service is an email submission and relay agent. It accepts and queues email messages for remote destinations, and it retries at set intervals. Windows domain controllers use the SMTP service for intersite e-mail-based replication. The Collaboration Data Objects (CDO) for the Windows Server 2003 COM component can use the SMTP service to submit and to queue outgoing email messages.

System service name: SMTPSVC
Application protocol | Protocol | Ports
SMTP | TCP | 25

Simple TCP/IP Services

Simple TCP/IP Services implements support for the following protocols:
  • Echo, port 7, RFC 862
  • Discard, port 9, RFC 863
  • Character Generator, port 19, RFC 864
  • Daytime, port 13, RFC 867
  • Quote of the Day, port 17, RFC 865

System service name: SimpTcp
Application protocol | Protocol | Ports
Chargen | TCP | 19
Chargen | UDP | 19
Daytime | TCP | 13
Daytime | UDP | 13
Discard | TCP | 9
Discard | UDP | 9
Echo | TCP | 7
Echo | UDP | 7
Quotd | TCP | 17
Quotd | UDP | 17

SNMP Service

SNMP Service lets the local computer service incoming Simple Network Management Protocol (SNMP) requests. SNMP Service includes agents that monitor activity in network devices and report to the network console workstation. SNMP Service provides a method of managing network hosts (such as workstation or server computers, routers, bridges, and hubs) from a centrally-located computer that is running network management software. SNMP performs management services by using a distributed architecture of management systems and agents.

System service name: SNMP
Application protocol | Protocol | Ports
SNMP | UDP | 161

SNMP Trap Service

SNMP Trap Service receives trap messages that are generated by local or by remote SNMP agents. Then the SNMP Trap Service forwards those messages to SNMP management programs that are running on your computer. When SNMP Trap Service is configured for an agent, the service generates trap messages if any specific events occur. These messages are sent to a trap destination. For example, an agent can be configured to start an authentication trap if an unrecognized management system sends a request for information. Trap destinations include the computer name, the IP address, or the Internetwork Packet Exchange (IPX) address of the management system. The trap destination must be a network-enabled host that is running SNMP management software.

System service name: SNMPTRAP
Application protocol | Protocol | Ports
SNMP Traps Outgoing | UDP | 162

SSDP Discovery Service

SSDP Discovery Service implements Simple Service Discovery Protocol (SSDP) as a Windows service. SSDP Discovery Service manages receipt of device presence announcements, updates its cache, and sends these notifications to clients that have outstanding search requests. SSDP Discovery Service also accepts the registration of event callbacks from clients. The registered event callbacks are then turned into subscription requests. SSDP Discovery Service then monitors for event notifications and sends these requests to the registered callbacks. This system service also provides periodic announcements to hosted devices. Currently, the SSDP event notification service uses TCP port 5000.
Note Starting with Windows XP Service Pack 2 (SP2), the SSDP event notification service uses TCP port 2869.

System service name: SSDPRSR
Application protocol | Protocol | Ports
SSDP | UDP | 1900
SSDP event notification | TCP | 2869
SSDP legacy event notification | TCP | 5000

TCP/IP Print Server

The TCP/IP Print Server system service enables TCP/IP–based printing by using the Line Printer Daemon (LPD) protocol. The LPD service on the server receives documents from Line Printer Remote (LPR) utilities that are running on UNIX computers.

System service name: LPDSVC
Application protocol | Protocol | Ports
LPD | TCP | 515

Telnet

The Telnet system service for Windows provides ASCII terminal sessions to Telnet clients. A Telnet server supports two kinds of authentication and supports the following kinds of terminals:
  • American National Standards Institute (ANSI)
  • VT-100
  • VT-52
  • VTNT

System service name: TlntSvr
Application protocol | Protocol | Ports
Telnet | TCP | 23

Terminal Services

Terminal Services provides a multi-session environment that enables client devices to access a virtual Windows desktop session and Windows-based programs that are running on the server. Terminal Services enables multiple users to be connected interactively to a computer.

System service name: TermService
Application protocol | Protocol | Ports
Terminal Services | TCP | 3389

Terminal Services Licensing

The Terminal Services Licensing system service installs a license server and provides licenses to registered clients when the clients connect to a terminal server (a server that has Terminal Server enabled). Terminal Services Licensing is a low-impact service that stores the client licenses that are issued for a terminal server and tracks the licenses that are issued to client computers or terminals.

System service name: TermServLicensing
Application protocol | Protocol | Ports
RPC | TCP | 135
Randomly allocated high TCP ports ¹ | TCP | random port number between 1024 - 65535; random port number between 49152 - 65535 ²
NetBIOS Datagram Service | UDP | 138
NetBIOS Name Resolution | UDP | 137
NetBIOS Session Service | TCP | 139
SMB | TCP | 445
¹ For more information about how to customize this port, see "Remote Procedure Calls and DCOM" in the "References" section.
² This is the range in Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, and in Windows Vista.

Note Terminal Services Licensing offers its services by using RPC over named pipes. This service has the same firewall requirements as the File and Printer Sharing feature.

Terminal Services Session Directory

The Terminal Services Session Directory system service enables clusters of load-balanced terminal servers to correctly route a user's connection request to the server where the user already has a session running. Users are routed to the first-available terminal server regardless of whether they are running another session in the server cluster. The load-balancing functionality pools the processing resources of several servers by using the TCP/IP networking protocol. You can use this service together with a cluster of terminal servers to increase the performance of a single terminal server by distributing sessions across multiple servers. Terminal Services Session Directory keeps track of disconnected sessions on the cluster and makes sure that users are reconnected to those sessions.

System service name: Tssdis
Application protocol | Protocol | Ports
RPC | TCP | 135
Randomly allocated high TCP ports ¹ | TCP | random port number between 1024 - 65535; random port number between 49152 - 65535 ²
¹ For more information about how to customize this port, see "Remote Procedure Calls and DCOM" in the "References" section.
² This is the range in Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, and in Windows Vista.

Trivial FTP Daemon

The Trivial FTP Daemon system service does not require a user name or a password and is an important part of the Remote Installation Services (RIS). The Trivial FTP Daemon service implements support for the Trivial FTP Protocol (TFTP) that is defined by the following RFCs:
  • RFC 1350 - TFTP
  • RFC 2347 - Option extension
  • RFC 2348 - Block size option
  • RFC 2349 - Time-out interval, and transfer size options

Trivial File Transfer Protocol (TFTP) is a simplified file transfer protocol that supports diskless startup environments. The TFTP service listens on UDP port 69, but it responds from a randomly allocated high port. Therefore, if you open only port 69, the TFTP service receives incoming TFTP requests, but the server cannot respond to them. The service is free to respond to any such request from any source port, and the remote client then uses that port during the transfer. Communication is bidirectional. If you have to enable this protocol through a firewall, you may want to open UDP port 69 incoming and rely on other firewall features that dynamically let the service respond through temporary holes on any other port.
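The paragraph above describes the classic stateful-firewall edge case: the request goes to UDP 69, but the reply comes from a different server port, so a rule that permits only port 69 breaks the transfer even though the request gets through. The following Python model is added here as an illustration and is not part of the Microsoft article. It replays a constructed TFTP read exchange through a small UDP connection tracker, once with a port-69-only rule and once with a TFTP-aware helper that expects the reply from any server port, which is the "temporary hole" behaviour the article refers to. The addresses, the client and server port numbers and the `StatefulUdpFirewall` class are constructed for the example; the same tracker logic applies to any UDP service that answers from a new port, which goes slightly beyond the TFTP case the article discusses.

```python
"""Why a plain 'allow UDP 69 inbound' rule is not enough for TFTP.

Added example; not code from the Microsoft article. It models a stateful
host firewall in front of a TFTP server and replays a constructed TFTP
read exchange through it, once without and once with a TFTP-aware helper.
Addresses and the server's reply port are constructed sample values.
"""
from dataclasses import dataclass

TFTP_PORT = 69  # the only port the article lists for tftpd


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "in" (toward the server) or "out" (from the server)
    kind: str       # TFTP opcode name, for readability only


class StatefulUdpFirewall:
    """Minimal connection tracker for UDP.

    Inbound packets are allowed if a static rule permits the destination port
    or if they belong to a tracked flow. Outbound packets are allowed if they
    match a tracked flow (the reply direction) or an expectation created by
    the TFTP helper when it saw the request.
    """

    def __init__(self, inbound_ports: set[int], tftp_helper: bool = False):
        self.inbound_ports = inbound_ports
        self.tftp_helper = tftp_helper
        self.flows: set[tuple] = set()         # exact 4-tuples already seen
        self.expectations: set[tuple] = set()  # (server_ip, client_ip, client_port)

    @staticmethod
    def _flow(p: Packet) -> tuple:
        return (p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def _reverse(p: Packet) -> tuple:
        return (p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def process(self, p: Packet) -> str:
        if self._reverse(p) in self.flows or self._flow(p) in self.flows:
            return "ALLOW"  # established flow, either direction
        if p.direction == "in" and p.dst_port in self.inbound_ports:
            self.flows.add(self._flow(p))
            if self.tftp_helper and p.dst_port == TFTP_PORT:
                # TFTP replies come from a fresh server port, so expect a
                # reply from *any* server port to this client's port.
                self.expectations.add((p.dst_ip, p.src_ip, p.src_port))
            return "ALLOW"
        if p.direction == "out" and (p.src_ip, p.dst_ip, p.dst_port) in self.expectations:
            # The transfer now has its real 4-tuple; track it so the client's
            # ACKs to the new server port are accepted as well.
            self.flows.add(self._flow(p))
            return "ALLOW"
        return "DROP"


def tftp_read_exchange() -> list[Packet]:
    """Constructed RRQ/DATA/ACK sequence between a constructed client and server."""
    client, server = "192.0.2.10", "192.0.2.1"  # documentation-range addresses
    return [
        Packet(client, 40000, server, TFTP_PORT, "in", "RRQ"),
        Packet(server, 52345, client, 40000, "out", "DATA"),  # new server port
        Packet(client, 40000, server, 52345, "in", "ACK"),
    ]


def replay(tftp_helper: bool) -> list[str]:
    """Run the exchange through a fresh firewall and return the verdicts."""
    fw = StatefulUdpFirewall(inbound_ports={TFTP_PORT}, tftp_helper=tftp_helper)
    return [fw.process(p) for p in tftp_read_exchange()]


if __name__ == "__main__":
    print("port-69-only rule:", replay(tftp_helper=False))  # DATA and ACK dropped
    print("with TFTP helper :", replay(tftp_helper=True))
```

Without the helper the verdicts are ALLOW, DROP, DROP: the request is accepted, the server's DATA reply from the new port has no rule and no matching flow, and the client's ACK to that port is unsolicited as far as the tracker can tell. With the helper all three packets are allowed, and an inbound packet to a high port that was never announced by a request is still dropped, which is the property a defender wants from "temporary holes".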

System service name: tftpd
Application protocol | Protocol | Ports
TFTP | UDP | 69

UPnP Device Host

The UPnP Device Host discovery system service implements all the components that are required for device registration, control, and the response to events for hosted devices. The information that is registered for a device, such as the description, the lifetimes, and the containers, is optionally stored to disk and is announced on the network after registration or when the operating system restarts. The service also includes the web server that serves the device in addition to service descriptions and a presentation page.

System service name: UPNPHost
Application protocol | Protocol | Ports
UPNP | TCP | 2869

Windows Internet Name Service (WINS)

Windows Internet Name Service (WINS) enables NetBIOS name resolution. This service helps you locate network resources by using NetBIOS names. WINS servers are required unless all domains have been upgraded to the Active Directory directory service and unless all computers on the network are running Windows 2000 or later versions. WINS servers communicate with network clients by using NetBIOS name resolution. WINS replication is only required between WINS servers.

System service name: WINS
Application protocol | Protocol | Ports
NetBIOS Name Resolution | UDP | 137
WINS Replication | TCP | 42
WINS Replication | UDP | 42

Windows Media Services

Windows Media Services in Windows Server 2003 and later versions replaces the following services that are included in Windows Media Services versions 4.0 and 4.1:
  • Windows Media Monitor Service
  • Windows Media Program Service
  • Windows Media Station Service
  • Windows Media Unicast Service
Windows Media Services is now a single service that runs on Windows Server. Its core components were developed by using COM, and it has a flexible architecture that you can customize for specific programs. Windows Media Services supports a larger variety of control protocols. These include Real Time Streaming Protocol (RTSP), Microsoft Media Server (MMS) protocol, and HTTP.

System service name: WMServer
Application protocol | Protocol | Ports
HTTP | TCP | 80
MMS | TCP | 1755
MMS | UDP | 1755
MS Theater | UDP | 2460
RTCP | UDP | 5005
RTP | UDP | 5004
RTSP | TCP | 554

Windows Remote Management (WinRM)

System service name: WinRM
Application protocol | Protocol | Ports
WinRM 1.1 and earlier | TCP | The default HTTP port is TCP 80, and the default HTTPS port is TCP 443.
WinRM 2.0 | TCP | The default HTTP port is TCP 5985, and the default HTTPS port is TCP 5986.
For more information, go to the following MSDN website:

Windows Time

The Windows Time system service maintains date and time synchronization on all the computers on a network that are running Windows XP or later versions and Windows Server 2003 or later versions. This service uses Network Time Protocol (NTP) to synchronize computer clocks so that an accurate clock value, or time stamp, is assigned for network validation and for resource access requests. The implementation of NTP and the integration of time providers help make Windows Time a reliable and scalable time service for your business. For computers that are not joined to a domain, you can configure Windows Time to synchronize time with an external time source. If this service is turned off, the time setting for local computers is not synchronized with a time service in the Windows domain or with an externally configured time service. Windows Server 2003 uses NTP. NTP runs on UDP port 123. The Windows 2000 version of this service uses Simple Network Time Protocol (SNTP). SNTP also runs on UDP port 123.

When the Windows Time service uses a Windows domain configuration, the service requires domain controller location and authentication services. Therefore, the ports for Kerberos and DNS are required.

System service name: W32Time
Application protocol | Protocol | Ports
NTP | UDP | 123
SNTP | UDP | 123

World Wide Web Publishing Service

World Wide Web Publishing Service provides the infrastructure that you must have to register, manage, monitor, and serve websites and programs that are registered with IIS. This system service contains a process manager and a configuration manager. The process manager controls the processes where custom applications and websites reside. The configuration manager reads the stored system configuration for World Wide Web Publishing Service and makes sure that Http.sys is configured to route HTTP requests to the appropriate application pools or operating system processes. You can use the Internet Information Services (IIS) Manager snap-in to configure the ports that are used by this service. If the administrative website is enabled, a virtual website is created that uses HTTP traffic on TCP port 8098.

System service name: W3SVC
Application protocol | Protocol | Ports
HTTP | TCP | 80
HTTPS | TCP | 443

Ports and protocols

The following table summarizes the information from the "System services ports" section. This table is sorted by port number instead of by service name.
Port | Protocol | Application protocol | System service name
n/a | GRE | GRE (IP protocol 47) | Routing and Remote Access
n/a | ESP | IPsec ESP (IP protocol 50) | Routing and Remote Access
n/a | AH | IPsec AH (IP protocol 51) | Routing and Remote Access
7 | TCP | Echo | Simple TCP/IP Services
7 | UDP | Echo | Simple TCP/IP Services
9 | TCP | Discard | Simple TCP/IP Services
9 | UDP | Discard | Simple TCP/IP Services
13 | TCP | Daytime | Simple TCP/IP Services
13 | UDP | Daytime | Simple TCP/IP Services
17 | TCP | Quotd | Simple TCP/IP Services
17 | UDP | Quotd | Simple TCP/IP Services
19 | TCP | Chargen | Simple TCP/IP Services
19 | UDP | Chargen | Simple TCP/IP Services
20 | TCP | FTP default data | FTP Publishing Service
21 | TCP | FTP control | FTP Publishing Service
21 | TCP | FTP control | Application Layer Gateway Service
23 | TCP | Telnet | Telnet
25 | TCP | SMTP | Simple Mail Transfer Protocol
25 | TCP | SMTP | Exchange Server
42 | TCP | WINS Replication | Windows Internet Name Service
42 | UDP | WINS Replication | Windows Internet Name Service
53 | TCP | DNS | DNS Server
53 | UDP | DNS | DNS Server
53 | TCP | DNS | Internet Connection Firewall/Internet Connection Sharing
53 | UDP | DNS | Internet Connection Firewall/Internet Connection Sharing
67 | UDP | DHCP Server | DHCP Server
67 | UDP | DHCP Server | Internet Connection Firewall/Internet Connection Sharing
69 | UDP | TFTP | Trivial FTP Daemon Service
80 | TCP | HTTP | Windows Media Services
80 | TCP | HTTP | WinRM 1.1 and earlier
80 | TCP | HTTP | World Wide Web Publishing Service
80 | TCP | HTTP | SharePoint Portal Server
88 | TCP | Kerberos | Kerberos Key Distribution Center
88 | UDP | Kerberos | Kerberos Key Distribution Center
102 | TCP | X.400 | Microsoft Exchange MTA Stacks
110 | TCP | POP3 | Microsoft POP3 Service
110 | TCP | POP3 | Exchange Server
119 | TCP | NNTP | Network News Transfer Protocol
123 | UDP | NTP | Windows Time
123 | UDP | SNTP | Windows Time
135 | TCP | RPC | Message Queuing
135 | TCP | RPC | Remote Procedure Call
135 | TCP | RPC | Exchange Server
135 | TCP | RPC | Certificate Services
135 | TCP | RPC | Cluster Service
135 | TCP | RPC | Distributed File System Namespaces
135 | TCP | RPC | Distributed Link Tracking
135 | TCP | RPC | Distributed Transaction Coordinator
135 | TCP | RPC | Distributed File Replication Service
135 | TCP | RPC | Fax Service
135 | TCP | RPC | Microsoft Exchange Server
135 | TCP | RPC | File Replication Service
135 | TCP | RPC | Group Policy
135 | TCP | RPC | Local Security Authority
135 | TCP | RPC | Remote Storage Notification
135 | TCP | RPC | Remote Storage
135 | TCP | RPC | Systems Management Server 2.0
135 | TCP | RPC | Terminal Services Licensing
135 | TCP | RPC | Terminal Services Session Directory
137 | UDP | NetBIOS Name Resolution | Computer Browser
137 | UDP | NetBIOS Name Resolution | Server
137 | UDP | NetBIOS Name Resolution | Windows Internet Name Service
137 | UDP | NetBIOS Name Resolution | Net Logon
137 | UDP | NetBIOS Name Resolution | Systems Management Server 2.0
138 | UDP | NetBIOS Datagram Service | Computer Browser
138 | UDP | NetBIOS Datagram Service | Messenger
138 | UDP | NetBIOS Datagram Service | Server
138 | UDP | NetBIOS Datagram Service | Net Logon
138 | UDP | NetBIOS Datagram Service | Distributed File System
138 | UDP | NetBIOS Datagram Service | Systems Management Server 2.0
138 | UDP | NetBIOS Datagram Service | License Logging Service
139 | TCP | NetBIOS Session Service | Computer Browser
139 | TCP | NetBIOS Session Service | Fax Service
139 | TCP | NetBIOS Session Service | Performance Logs and Alerts
139 | TCP | NetBIOS Session Service | Print Spooler
139 | TCP | NetBIOS Session Service | Server
139 | TCP | NetBIOS Session Service | Net Logon
139 | TCP | NetBIOS Session Service | Remote Procedure Call Locator
139 | TCP | NetBIOS Session Service | Distributed File System Namespaces
139 | TCP | NetBIOS Session Service | Systems Management Server 2.0
139 | TCP | NetBIOS Session Service | License Logging Service
143 | TCP | IMAP | Exchange Server
161 | UDP | SNMP | SNMP Service
162 | UDP | SNMP Traps Outgoing | SNMP Trap Service
389 | TCP | LDAP Server | Local Security Authority
389 | UDP | DC Locator | Local Security Authority
389 | TCP | LDAP Server | Distributed File System Namespaces
389 | UDP | DC Locator | Distributed File System Namespaces
389 | UDP | DC Locator | Netlogon
389 | UDP | DC Locator | Kerberos Key Distribution Center
389 | TCP | LDAP Server | Distributed File System Replication
389 | UDP | DC Locator | Distributed File System Replication
443 | TCP | HTTPS | HTTP SSL
443 | TCP | HTTPS | World Wide Web Publishing Service
443 | TCP | HTTPS | SharePoint Portal Server
443 | TCP | RPC over HTTPS | Exchange Server 2003
443 | TCP | HTTPS | WinRM 1.1 and earlier
445 | TCP | SMB | Fax Service
445 | TCP | SMB | Print Spooler
445 | TCP | SMB | Server
445 | TCP | SMB | Remote Procedure Call Locator
445 | TCP | SMB | Distributed File System Namespaces
445 | TCP | SMB | Distributed File System Replication
445 | TCP | SMB | License Logging Service
445 | TCP | SMB | Net Logon
464 | UDP | Kerberos Password V5 | Kerberos Key Distribution Center
464TCPKerberos Password V5Kerberos Key Distribution Center
500UDPIPsec ISAKMPLocal Security Authority
515TCPLPDTCP/IP Print Server
548TCPFile Server for MacintoshFile Server for Macintosh
554TCPRTSPWindows Media Services
563TCPNNTP over SSLNetwork News Transfer Protocol
593TCPRPC over HTTPS endpoint mapperRemote Procedure Call
593TCPRPC over HTTPSExchange Server
636TCPLDAP SSLLocal Security Authority
636UDPLDAP SSLLocal Security Authority
647TCPDHCP FailoverDHCP Failover
9389TCPActive Directory Web Services (ADWS)Active Directory Web Services (ADWS)
9389TCPActive Directory Web Services (ADWS)Active Directory Management Gateway Service
993TCPIMAP over SSLExchange Server
995TCPPOP3 over SSLExchange Server
1067TCPInstallation Bootstrap ServiceInstallation Bootstrap protocol server
1068TCPInstallation Bootstrap ServiceInstallation Bootstrap protocol client
1270TCPMOM-EncryptedMicrosoft Operations Manager 2000
1433TCPSQL over TCPMicrosoft SQL Server
1433TCPSQL over TCPMSSQL$UDDI
1434UDPSQL ProbeMicrosoft SQL Server
1434UDPSQL ProbeMSSQL$UDDI
1645UDPLegacy RADIUSInternet Authentication Service
1646UDPLegacy RADIUSInternet Authentication Service
1701UDPL2TPRouting and Remote Access
1723TCPPPTPRouting and Remote Access
1755TCPMMSWindows Media Services
1755UDPMMSWindows Media Services
1801TCPMSMQMessage Queuing
1801UDPMSMQMessage Queuing
1812UDPRADIUS AuthenticationInternet Authentication Service
1813UDPRADIUS AccountingInternet Authentication Service
1900UDPSSDPSSDP Discovery Service
2101TCPMSMQ-DCsMessage Queuing
2103TCPMSMQ-RPCMessage Queuing
2105TCPMSMQ-RPCMessage Queuing
2107TCPMSMQ-MgmtMessage Queuing
2393TCPOLAP Services 7.0SQL Server: Downlevel OLAP Client Support
2394TCPOLAP Services 7.0SQL Server: Downlevel OLAP Client Support
2460UDPMS TheaterWindows Media Services
2535UDPMADCAPDHCP Server
2701TCPSMS Remote Control (control)SMS Remote Control Agent
2701UDPSMS Remote Control (control)SMS Remote Control Agent
2702TCPSMS Remote Control (data)SMS Remote Control Agent
2702UDPSMS Remote Control (data)SMS Remote Control Agent
2703TCPSMS Remote ChatSMS Remote Control Agent
2703UPDSMS Remote ChatSMS Remote Control Agent
2704TCPSMS Remote File TransferSMS Remote Control Agent
2704UDPSMS Remote File TransferSMS Remote Control Agent
2725TCPSQL Analysis ServicesSQL Server Analysis Services
2869TCPUPNPUPnP Device Host
2869TCPSSDP event notificationSSDP Discovery Service
3268TCPGlobal Catalog Local Security Authority
3269TCPGlobal Catalog Local Security Authority
3343UDPCluster ServicesCluster Service
3389TCPTerminal ServicesNetMeeting Remote Desktop Sharing
3389TCPTerminal ServicesTerminal Services
3527UDPMSMQ-PingMessage Queuing
4011UDPBINLRemote Installation
4500UDPNAT-TLocal Security Authority
5000TCPSSDP legacy event notificationSSDP Discovery Service
5004UDPRTPWindows Media Services
5005UDPRTCPWindows Media Services
5722TCPRPCDistributed File System Replication
6001TCPInformation StoreExchange Server 2003
6002TCPDirectory ReferralExchange Server 2003
6004TCPDSProxy/NSPIExchange Server 2003
42424TCPASP.Net Session StateASP.NET State Service
51515TCPMOM-ClearMicrosoft Operations Manager 2000
5985TCPHTTPWinRM 2.0
5986TCPHTTPSWinRM 2.0
1024-65535TCPRPCRandomly allocated high TCP ports
135TCPWMIHyper-V service
random port number between 49152 - 65535TCPRandomly allocated high TCP portsHyper-V service
80TCPKerberos Authentication (HTTP)Hyper-V service
443TCPCertificate-based Authentication (HTTPS)Hyper-V service
6600TCPLive MigrationHyper-V Live Migration
445TCPSMBHyper-V Live Migration
3343UDPCluster Service TrafficHyper-V Live Migration

Note Port 5722 is only used on a Windows Server 2008 or Windows Server 2008 R2 domain controller; it is not used on a Windows Server 2012 domain controller. Port 445 is used by DFSR only when creating a new empty replicated folder.

Microsoft provides part of the information that is in this table in a Microsoft Excel worksheet. This worksheet is available for download from the Microsoft Download Center.

Active Directory port and protocol requirements

Application servers, client computers, and domain controllers that are located in common or external forests have service dependencies so that user-initiated and computer-initiated operations such as domain join, logon authentication, remote administration, and Active Directory replication work correctly. Such services and operations require network connectivity over specific ports and network protocols.

A summarized list of the services, ports, and protocols that are required for member computers and domain controllers to interoperate with one another, or for application servers to access Active Directory, includes but is not limited to the following.
Services on which Active Directory depends:
  • Active Directory / LSA
  • Computer Browser
  • Distributed File System Namespaces
  • Distributed File System Replication (if not using FRS for SYSVOL replication)
  • File Replication Service (if not using DFSR for SYSVOL replication)
  • Kerberos Key Distribution Center
  • Net Logon
  • Remote Procedure Call (RPC)
  • Server
  • Simple Mail Transfer Protocol (SMTP)
  • WINS (in Windows Server 2003 SP1 and later versions for backup Active Directory replication operations, if DNS is not working)
  • Windows Time
  • World Wide Web Publishing Service
Services that require Active Directory services:
  • Certificate Services (required for specific configurations)
  • DHCP Server
  • Distributed File System Namespaces (if using domain-based namespaces)
  • Distributed File System Replication
  • Distributed Link Tracking Server
  • Distributed Transaction Coordinator
  • DNS Server
  • Fax Service
  • File Replication Service
  • File Server for Macintosh
  • Internet Authentication Service
  • License Logging
  • Net Logon
  • Print Spooler
  • Remote Installation
  • Remote Procedure Call (RPC) Locator
  • Remote Storage Notification
  • Remote Storage
  • Routing and Remote Access
  • Server
  • Simple Mail Transfer Protocol (SMTP)
  • Terminal Services
  • Terminal Services Licensing
  • Terminal Services Session Directory
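The following PowerShell script is an added example, not code from this article or from Microsoft. Run on a domain member, it probes a domain controller over the fixed TCP ports the table above lists for Active Directory (DNS, Kerberos, RPC endpoint mapper, LDAP, SMB, Global Catalog, ADWS) and then reports the dynamic port range a host hands out, which is what the firewall rule for "randomly allocated high TCP ports" has to match. The name dc01.corp.contoso.com is a hypothetical placeholder; Test-NetConnection and Get-NetTCPSetting exist on Windows 8, Windows Server 2012, and later versions.

```powershell
# Added example for KB 832017 (not Microsoft's code). Checks reachability of a
# domain controller over the fixed AD ports from the table, then shows the
# dynamic RPC range that the firewall must also permit.
# dc01.corp.contoso.com is a hypothetical name.
param([string]$DomainController = "dc01.corp.contoso.com")

# Fixed ports from the table. Test-NetConnection only performs a TCP connect,
# so the UDP side (Kerberos 88/464, CLDAP DC Locator 389, DNS 53) is not
# covered here; nltest /dsgetdc:<domain> exercises the CLDAP path.
$required = @{
    53   = "DNS"
    88   = "Kerberos"
    135  = "RPC endpoint mapper"
    139  = "NetBIOS Session Service (legacy clients only)"
    389  = "LDAP"
    445  = "SMB (SYSVOL, Net Logon, DFS Namespaces)"
    464  = "Kerberos password change"
    636  = "LDAP over SSL"
    3268 = "Global Catalog"
    3269 = "Global Catalog over SSL"
    9389 = "Active Directory Web Services"
}

$results = foreach ($port in ($required.Keys | Sort-Object)) {
    $probe = Test-NetConnection -ComputerName $DomainController -Port $port `
        -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port    = $port
        Service = $required[$port]
        Open    = $probe.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

$closed = $results | Where-Object { -not $_.Open }
if ($closed) {
    Write-Warning ("Blocked or unreachable: " + (($closed.Port | Sort-Object) -join ", "))
}

# Dynamic (ephemeral) range. Windows Vista/Server 2008 and later default to
# 49152-65535; any firewall between client and DC must allow the range the
# DC actually uses. Run this part on the DC itself, for example through
# Invoke-Command over WinRM (TCP 5985/5986 in the table).
$tcp   = Get-NetTCPSetting -SettingName Internet
$start = $tcp.DynamicPortRangeStartPort
$end   = $start + $tcp.DynamicPortRangeNumberOfPorts - 1
"Dynamic TCP port range on {0}: {1}-{2}" -f $env:COMPUTERNAME, $start, $end
```

A port that shows Open = False from one member but True from another usually points at a host firewall profile mismatch (Domain versus Public) rather than a missing rule on the domain controller; compare the dynamic range on the DC with the high-port rule before opening anything wider.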
References
The Help files for each Microsoft product that is described in this article contain more information that you may find useful to help configure your programs.

For information about Active Directory Domain Services firewalls and ports, see Microsoft Knowledge Base article 179442: How to configure a firewall for domains and trusts

General information

For more information about how to help secure Windows Server and for sample IPsec filters for specific server roles, see the Security Compliance Manager tool. This tool aggregates all previous security recommendations and security documentation into a single utility for all supported Microsoft operating systems.

For more information about operating system services, security settings, and IPsec filtering, see one of the Threats and Countermeasures Guides.

For more information about port assignments for well-known ports, see Microsoft Knowledge Base article 174904: Information about TCP/IP port assignments.

Additionally, see Network Ports Used by Key Microsoft Server Products and "Appendix B - Port Reference for MS TCP/IP" on the Microsoft TechNet website.

Additionally, see Active Directory and Active Directory Domain Services Port Requirements on the Microsoft TechNet website.

The Internet Assigned Numbers Authority coordinates the use of well-known ports. To view this organization's list of TCP/IP port assignments, see Service Name and Transport Protocol Port Number Registry.



Remote Procedure Calls and DCOM

For a detailed discussion of DCOM, see the "Using Distributed COM with Firewalls" white paper.


For a detailed description of RPC, see the Remote Procedure Call (RPC) website.

For more information about how to configure RPC to work with a firewall, see Microsoft Knowledge Base article 154596: How to configure RPC dynamic port allocation to work with firewalls
For more information about the RPC protocol and about how computers that are running Windows 2000 initialize, see the "Windows 2000 Startup and Logon Traffic Analysis" white paper.

Domain controllers and Active Directory

For more information about how to restrict Active Directory replication and client logon traffic, see Microsoft Knowledge Base article 224196: Restricting Active Directory replication traffic and client RPC traffic to a specific port.

For an explanation of how the Directory System Agent, LDAP, and the Local Security Authority are related, see the Directory System Agent webpage.

For more information about how LDAP and the global catalog work, see How the Global Catalog works.

Exchange Server

For information about ports, authentication, and encryption for all data paths that are used by Microsoft Exchange Server 2010, see Exchange Network Port Reference.

For more information about how to restrict Exchange 2000 Server and Exchange Server 2003 MAPI traffic, see Microsoft Knowledge Base article 270836: Exchange 2000 and Exchange 2003 static port mappings

For more information about the network ports and protocols that are supported by Exchange 2000 Server, see Microsoft Knowledge Base article 278339: TCP/UDP ports used by Exchange 2000 Server


For more information about the ports that are used by Exchange Server 5.5 and earlier versions of Exchange Server, see Microsoft Knowledge Base article 176466: TCP Ports and Microsoft Exchange: In-depth discussion

There may be additional things to consider for your particular environment. You can receive more information and help planning an Exchange implementation from the following Microsoft websites:

For more information, see the following Microsoft Knowledge Base articles:

Additionally, see the Microsoft TechNet topic Configure Outlook Anywhere in Outlook 2010.

File Replication Service

For more information about how to configure FRS to work with a firewall, see Microsoft Knowledge Base article 319553: How to restrict FRS replication traffic to a specific static port

Distributed File Replication Service

The Distributed File System Replication (DFSR) service includes the Dfsrdiag.exe command-line tool. Dfsrdiag.exe can set the server RPC port that DFSR uses for administration and replication, which otherwise is allocated from the dynamic port range. To set the port, run the following command:
dfsrdiag StaticRPC /port:nnnnn /Member:Branch01.sales.contoso.com
In this example, nnnnn represents the single static RPC port that DFSR will use for replication, and Branch01.sales.contoso.com represents the DNS or NetBIOS name of the target member computer. If no member is specified, Dfsrdiag.exe configures the local computer.
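The following PowerShell script is an added example and is not code from this article or from Microsoft. It serves both the "Domain controllers and Active Directory" section (the Knowledge Base article 224196 static-port registry values for Active Directory replication and Netlogon) and the dfsrdiag command above: it pins the three services that the table otherwise shows on randomly allocated high RPC ports to fixed values, reads the DFSR setting back, and opens only those ports plus the endpoint mapper in Windows Firewall. The port numbers 38901 through 38903 are arbitrary choices; the WMI class DfsrMachineConfig and its RpcPortAssignment property are assumed to be where dfsrdiag stores the setting and should be confirmed on your build.

```powershell
# Added example for KB 832017 (not Microsoft's code). Pin AD replication,
# Netlogon, and DFSR to static RPC ports so a firewall between sites only has
# to allow TCP 135 plus three fixed ports instead of the whole dynamic range.
# Run elevated on the domain controller being configured.
# Port values below are arbitrary examples, not Microsoft defaults.
$adReplicationPort = 38901   # NTDS replication (KB 224196)
$netlogonPort      = 38902   # Netlogon secure channel (KB 224196)
$dfsrPort          = 38903   # DFSR replication (dfsrdiag StaticRPC)

# 1. Active Directory replication. The value name really does contain a
#    slash and a space; NTDS reads it only at startup.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
    -Name 'TCP/IP Port' -Value $adReplicationPort -Type DWord

# 2. Netlogon secure channel and pass-through authentication traffic.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
    -Name 'DCTcpipPort' -Value $netlogonPort -Type DWord

# 3. DFSR, using the tool the article describes; without /Member it
#    configures the local computer.
dfsrdiag StaticRPC "/port:$dfsrPort"
if ($LASTEXITCODE -ne 0) { throw "dfsrdiag failed with exit code $LASTEXITCODE" }

# Read the DFSR port back (assumption: RpcPortAssignment = 0 means dynamic).
$cfg = Get-WmiObject -Namespace 'root\MicrosoftDFS' -Class DfsrMachineConfig
"DFSR RPC port now: {0}" -f $cfg.RpcPortAssignment

# Allow the pinned ports inbound on the Domain profile. TCP 135 (endpoint
# mapper) is still required: clients ask it which port each service uses.
New-NetFirewallRule -DisplayName 'Static RPC ports for AD, Netlogon, DFSR (example)' `
    -Direction Inbound -Protocol TCP `
    -LocalPort 135, $adReplicationPort, $netlogonPort, $dfsrPort `
    -Action Allow -Profile Domain | Out-Null

# Netlogon picks up its value on restart; NTDS needs a reboot.
Restart-Service -Name Netlogon
Write-Warning "Reboot this domain controller for the NTDS replication port to take effect."
```

Pinning ports does not remove the endpoint mapper dependency: the client still connects to TCP 135 first and is told the fixed port, so a rule that allows only the three pinned ports and blocks 135 will break replication and logon alike. Choose values outside the host's dynamic range (see Get-NetTCPSetting) so the pinned port is never handed to another process at boot.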

Internet Information Services

For more information about the ports that are used by IIS 4.0, by IIS 5.0, and by IIS 5.1, see Microsoft Knowledge Base article 327859: Inetinfo services use additional ports beyond well-known ports. For information about ports in IIS 6.0, see TCP/IP Port Filtering.

For information about FTP, see the following resources:

IPsec and VPNs

For more information about how to configure IPsec default exemptions in Windows, see Microsoft Knowledge Base article 811832: IPsec default exemptions can be used to bypass IPsec protection in some scenarios
For more information about the ports and protocols that are used by IPsec, see Microsoft Knowledge Base article 233256: How to enable IPsec traffic through a firewall
For more information about new and updated features in L2TP and IPsec, see Microsoft Knowledge Base article 818043: L2TP/IPsec NAT-T update for Windows XP and Windows 2000

Multicast Address Dynamic Client Allocation Protocol (MADCAP)

For more information about how to plan MADCAP servers, see Checklist: Installing a MADCAP server.

Message Queuing

For more information about the ports that are used by Microsoft Message Queuing, see Microsoft Knowledge Base article 178517: TCP ports, UDP ports, and RPC ports that are used by Message Queuing.

Mobile Information Server

For more information about the ports that are used by Microsoft Mobile Information Server 2001, see Microsoft Knowledge Base article 294297: TCP/IP ports used by Microsoft Mobile Information Server

Microsoft Operations Manager

For information about how to plan for and to deploy MOM, go to the System Center Technical Resources website.

Systems Management Server

For more information about the ports that are used by SMS 2003, see Microsoft Knowledge Base article 826852: Ports that Systems Management Server 2003 uses to communicate through a firewall or through a proxy server

For more information about the ports that are used by SMS 2.0, see Microsoft Knowledge Base article 167128: Network ports used by Remote Helpdesk functions
For more information about how to configure SMS through a firewall, see Microsoft Knowledge Base article 200898: How to use Systems Management Server 2.0 through a firewall
For more information about the ports that are used by SMS 2.0 Remote Tools, see Microsoft Knowledge Base article 256884: TCP and UDP ports that are used by Remote Control have changed in SMS 2.0 Service Pack 2

SQL Server

For more information about how SQL Server 2000 dynamically determines ports for secondary instances, see Microsoft Knowledge Base article 286303: Behavior of SQL Server 2000 Network Library during dynamic port detection. For more information about the ports that are used by SQL Server 7.0 and SQL Server 2000 for OLAP, see Microsoft Knowledge Base article 301901: TCP ports used by OLAP services when connecting through a firewall.

Terminal Services

For more information about how to configure the port that is used by Terminal Services, see Microsoft Knowledge Base article 187623: How to change Terminal Server's listening port

Controlling communications over the Internet in Windows

For more information about how Windows XP Service Pack 1 (SP1) communicates over the Internet, see the "Using Windows XP Professional with Service Pack 1 in a Managed Environment" white paper.

For more information about how Windows 2000 Service Pack 4 (SP4) communicates over the Internet, see the "Using Windows 2000 with Service Pack 4 in a Managed Environment" white paper.


For more information about how Windows Server 2003 communicates over the Internet, see the "Using Windows Server 2003 in a Managed Environment" white paper.

For more information about how Windows Server 2008 communicates over the Internet, see the "Using Windows Server 2008: Controlling Communication with the Internet" white paper.

Windows Media Services

For information about the ports that are used by Windows Media Services, see Allocating Ports for Windows Media Services.



Properties

Article ID: 832017 - Last Review: 10/18/2013 01:47:00 - Revision: 61.0

Windows Web Server 2008 R2, Windows Server 2008 R2 Datacenter, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Standard, Windows Server 2008 Datacenter, Windows Server 2008 Enterprise, Windows Server 2008 Standard, Windows Web Server 2008, Windows Server 2008 for Itanium-Based Systems, Microsoft Windows Server 2003 Service Pack 2, Microsoft Systems Management Server 2003, Microsoft SharePoint Portal Server 2001, Microsoft Windows 2000 Professional Edition, Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced Server, Microsoft SQL Server 2000 Standard Edition, Microsoft SQL Server 2000 Enterprise Edition, Microsoft Exchange 2000 Server Standard Edition, Microsoft Exchange 2000 Enterprise Server, Microsoft Operations Manager 2000 Enterprise Edition, Microsoft Internet Security and Acceleration Server 2000 Standard Edition, Microsoft Application Center 2000 Standard Edition, Windows 7 Enterprise, Windows 7 Home Basic, Windows 7 Home Premium, Windows 7 Professional, Windows 7 Starter, Windows 7 Ultimate, Windows Vista Service Pack 2, Microsoft Windows XP Service Pack 3, Windows 8, Windows Server 2012 Datacenter, Windows Server 2012 Essentials, Windows Server 2012 Foundation, Windows Server 2012 Standard

  • kbfirewall kbhowtomaster KB832017