Service overview and network port requirements for Windows

Important: This article contains several references to the default dynamic port range. In Windows Server 2008 and later versions, and in Windows Vista and later versions, the default dynamic port range changed to the following range:
  • Start port: 49152
  • End port: 65535
Windows 2000, Windows XP, and Windows Server 2003 use the following dynamic port range:

  • Start port: 1025
  • End port: 5000

What this means for you:
  • If your computer network environment uses only Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista, you must enable connectivity over the high port range of 49152 through 65535.
  • If your computer network environment uses Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista together with versions of Windows earlier than Windows Server 2008 and Windows Vista, you must enable connectivity over both the following port ranges:
    • High port range 49152 through 65535
    • Low port range 1025 through 5000
  • If your computer network environment uses only versions of Windows earlier than Windows Server 2008 and Windows Vista, you must enable connectivity over the low port range of 1025 through 5000.
For more information about the default dynamic port range in Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista, see the following article in the Microsoft Knowledge Base:
929851 The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008
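
The three environment cases above can be checked mechanically against the permit rules of a firewall that separates two network segments. The following Python sketch is an added example, not part of the original article: it derives the required dynamic ranges from the operating systems in use, then reports sub-ranges the rules fail to cover and ports the rules open without need. The function names and the sample rule tuples are constructed for illustration; pass only the rules intended for dynamic RPC traffic.

```python
# Added example: names and sample rules are illustrative, not from the article.
HIGH = (49152, 65535)  # default dynamic range, Windows Vista / Server 2008 and later
LOW = (1025, 5000)     # default dynamic range, Windows 2000 / XP / Server 2003
LEGACY_TAGS = ("Windows 2000", "Windows XP", "Windows Server 2003")


def required_ranges(os_names):
    """Return the dynamic port ranges that must be reachable for this OS mix."""
    is_legacy = [any(tag in name for tag in LEGACY_TAGS) for name in os_names]
    ranges = []
    if any(is_legacy):
        ranges.append(LOW)
    if not all(is_legacy):
        ranges.append(HIGH)
    return ranges


def merge(ranges):
    """Collapse overlapping or adjacent (start, end) port ranges."""
    merged = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def uncovered(needed, available):
    """Return the sub-ranges of `needed` that no range in `available` covers."""
    missing = []
    cover = merge(available)
    for need_start, need_end in merge(needed):
        cursor = need_start
        for start, end in cover:
            if end < cursor or start > need_end:
                continue
            if start > cursor:
                missing.append((cursor, start - 1))
            cursor = max(cursor, end + 1)
        if cursor <= need_end:
            missing.append((cursor, need_end))
    return missing


def audit(os_names, permit_rules):
    """Compare firewall permit rules with the ranges this OS mix requires."""
    required = required_ranges(os_names)
    return {
        "required": required,
        "missing": uncovered(required, permit_rules),   # breaks RPC clients
        "surplus": uncovered(permit_rules, required),   # open without need
    }


if __name__ == "__main__":
    # Constructed sample: mixed environment, high range only partly permitted.
    mixed = ["Windows Server 2012", "Microsoft Windows Server 2003 Service Pack 2"]
    print(audit(mixed, [(1025, 5000), (49152, 60000), (50000, 65000)]))
    # Constructed sample: modern-only environment behind an over-broad rule.
    print(audit(["Windows 8", "Windows 7"], [(1025, 65535)]))
```

A non-empty `missing` list predicts intermittent RPC failures, because the endpoint mapper can hand out any port in the range; a non-empty `surplus` list marks rules that can be tightened.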

Summary

This article discusses the required network ports, protocols, and services that are used by Microsoft client and server operating systems, server-based programs, and their subcomponents in the Microsoft Windows Server system. Administrators and support professionals may use this Microsoft Knowledge Base article as a roadmap to determine which ports and protocols Microsoft operating systems and programs require for network connectivity in a segmented network.

You should not use the port information in this article to configure Windows Firewall. For information about how to configure Windows Firewall, see the following Microsoft website:

The Windows Server system includes a comprehensive and integrated infrastructure to meet the requirements of developers and information technology (IT) professionals. This system runs programs and solutions that you can use to obtain, analyze, and share information quickly and easily. These Microsoft client, server, and server program products use different network ports and protocols to communicate with client systems and with other server systems over the network. Dedicated firewalls, host-based firewalls, and Internet Protocol security (IPsec) filters are other important components that you must have to help secure your network. However, if these technologies are configured to block ports and protocols that are used by a specific server, that server will no longer respond to client requests.

Overview

The following list provides an overview of the information that this article contains:

  • The "System services ports" section contains a brief description of each service, displays the logical name of that service, and indicates the ports and protocols that each service requires for correct operation. Use this section to help identify the ports and protocols that a particular service uses.
  • The "Ports and protocols" section includes a table that summarizes the information from the "System Services Ports" section. The table is sorted by the port number instead of by the service name. Use this section to quickly determine which services listen on a particular port.

This article uses certain terms in specific ways. To help avoid confusion, make sure that you understand how the article uses these terms:
  • System services: System services are programs that load automatically as part of an application's startup process or as part of the operating system startup process. System services support the different tasks that the operating system must perform. For example, some system services that are available on computers that run Windows Server 2003 Enterprise Edition include the Server service, the Print Spooler service, and the World Wide Web Publishing service. Each system service has a friendly service name and a service name. The friendly service name is the name that appears in graphical management tools such as the Services Microsoft Management Console (MMC) snap-in. The service name is the name that is used with command-line tools and with many scripting languages. Each system service may provide one or more network services.
  • Application protocol: In this article, application protocol refers to a high-level network protocol that uses one or more TCP/IP protocols and ports. Examples of application protocols include HTTP, server message blocks (SMBs), and Simple Mail Transfer Protocol (SMTP).
  • Protocol: TCP/IP protocols are standard formats for communicating between devices on a network. TCP/IP protocols operate at a lower level than the application protocols. The TCP/IP suite of protocols includes TCP, User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP).
  • Port: This is the network port that the system service listens on for incoming network traffic.
This article does not specify which services rely on other services for network communication. For example, many services rely on the remote procedure call (RPC) or DCOM features in Microsoft Windows to assign them dynamic TCP ports. The Remote Procedure Call service coordinates requests by other system services that use RPC or DCOM to communicate with client computers. Many other services rely on network basic input/output system (NetBIOS) or SMBs, protocols that are provided by the Server service. Other services rely on HTTP or on Hypertext Transfer Protocol Secure (HTTPS). These protocols are provided by Internet Information Services (IIS). A full discussion of the architecture of the Windows operating systems is beyond the scope of this article. However, detailed documentation on this subject is available on Microsoft TechNet and on the Microsoft Developer Network (MSDN) websites. Although many services may rely on a particular TCP or UDP port, only one service or process at a time can listen on that port.

When you use RPC with TCP/IP or with UDP/IP as the transport, incoming ports are frequently dynamically assigned to system services as required; TCP/IP and UDP/IP ports that are higher than port 1024 are used. These are also informally known as random RPC ports. In these cases, RPC clients rely on the RPC endpoint mapper to tell them which dynamic port or ports were assigned to the server. For some RPC-based services, you can configure a specific port instead of letting RPC dynamically assign a port. You can also restrict the range of ports that RPC dynamically assigns to a small range, regardless of the service. For more information about this topic, see the "References" section.

This article includes information about the system services roles and the server roles for the Microsoft products that are listed in the "Applies to" section. Although this information may also apply to Windows XP and to Microsoft Windows 2000 Professional, this article is focused on server-class operating systems. Therefore, this article describes the ports that a service listens on instead of the ports that client programs use to connect to a remote system.

System services ports

This section provides a description of each system service, includes the logical name that corresponds to the system service, and displays the ports and the protocols that each service requires.

Active Directory (Local Security Authority)

Active Directory port and protocol requirements

Application servers, client computers and domain controllers that are located in common or external forests have service dependencies so that user-initiated and computer-initiated operations such as domain join, logon authentication, remote administration, and Active Directory replication work correctly. Such services and operations require network connectivity over specific port and networking protocols.

A summarized list of the services, ports, and protocols that are required for member computers and domain controllers to interoperate with one another, or for application servers to access Active Directory, includes but is not limited to the following.
Services on which Active Directory depends:
  • Active Directory / LSA
  • Computer Browser
  • Distributed File System Namespaces
  • Distributed File System Replication (if not using FRS for SYSVOL replication)
  • File Replication Service (if not using DFSR for SYSVOL replication)
  • Kerberos Key Distribution Center
  • Net Logon
  • Remote Procedure Call (RPC)
  • Server
  • Simple Mail Transfer Protocol (SMTP)
  • WINS (in Windows Server 2003 SP1 and later versions for backup Active Directory replication operations, if DNS is not working)
  • Windows Time
  • World Wide Web Publishing Service
Services that require Active Directory services:
  • Certificate Services (required for specific configurations)
  • DHCP Server
  • Distributed File System Namespaces (if using domain-based namespaces)
  • Distributed File System Replication
  • Distributed Link Tracking Server
  • Distributed Transaction Coordinator
  • DNS Server
  • Fax Service
  • File Replication Service
  • File Server for Macintosh
  • Internet Authentication Service
  • License Logging
  • Net Logon
  • Print Spooler
  • Remote Installation
  • Remote Procedure Call (RPC) Locator
  • Remote Storage Notification
  • Remote Storage
  • Routing and Remote Access
  • Server
  • Simple Mail Transfer Protocol (SMTP)
  • Terminal Services
  • Terminal Services Licensing
  • Terminal Services Session Directory

References

The Help files for each Microsoft product that is described in this article contain more information that you may find useful to help configure your programs.

For information about Active Directory Domain Services firewalls and ports, see Microsoft Knowledge Base article 179442: How to configure a firewall for domains and trusts

General information

For more information about how to help secure Windows Server and for sample IPsec filters for specific server roles, see the Security Compliance Manager tool. This tool aggregates all previous security recommendations and security documentation into a single utility for all supported Microsoft operating systems.

For more information about operating system services, security settings, and IPsec filtering, see one of the following Threats and Countermeasures Guides:

For more information about port assignments for well-known ports, see Microsoft Knowledge Base article 174904: Information about TCP/IP port
Additionally, see Network Ports Used by Key Microsoft Server Products and "Appendix B - Port Reference for MS TCP/IP" on the Microsoft TechNet website.

Additionally, see Active Directory and Active Directory Domain Services Port Requirements on the Microsoft TechNet website.

The Internet Assigned Numbers Authority coordinates the use of well-known ports. To view this organization's list of TCP/IP port assignments, see Service Name and Transport Protocol Port Number Registry.



Remote Procedure Calls and DCOM

For a detailed discussion of DCOM, see the "Using Distributed COM with Firewalls" white paper.


For a detailed description of RPC, see the Remote Procedure Call (RPC) website.

For more information about how to configure RPC to work with a firewall, see Microsoft Knowledge Base article 154596: How to configure RPC dynamic port allocation to work with firewalls
For more information about the RPC protocol and about how computers that are running Windows 2000 initialize, see the "Windows 2000 Startup and Logon Traffic Analysis" white paper.

Domain controllers and Active Directory

For more information about how to restrict Active Directory replication and client logon traffic, see Microsoft Knowledge Base article 224196: Restricting Active Directory replication traffic and client RPC traffic to a specific port

For an explanation of how the Directory System Agent, LDAP, and the local system authority are related, see the Directory System Agent webpage.

For more information about how LDAP and the global catalog work, see How the Global Catalog works.

Exchange Server

For information about ports, authentication, and encryption for all data paths that are used by Microsoft Exchange Server 2010, see Exchange Network Port Reference.

For more information about how to restrict Exchange 2000 Server and Exchange Server 2003 MAPI traffic, see Microsoft Knowledge Base article 270836: Exchange 2000 and Exchange 2003 static port mappings

For more information about the network ports and protocols that are supported by Exchange 2000 Server, see Microsoft Knowledge Base article 278339: TCP/UDP ports used by Exchange 2000 Server


For more information about the ports that are used by Exchange Server 5.5 and earlier versions of Exchange Server, see Microsoft Knowledge Base article 176466: TCP Ports and Microsoft Exchange: In-depth discussion

There may be additional things to consider for your particular environment. You can receive more information and help planning an Exchange implementation from the following Microsoft websites:

For more information, see the following Microsoft Knowledge Base articles:

Additionally, see the Microsoft TechNet topic Configure Outlook Anywhere in Outlook 2010.

File Replication Service

For more information about how to configure FRS to work with a firewall, see Microsoft Knowledge Base article 319553: How to restrict FRS replication traffic to a specific static port

Distributed File Replication Service

The Distributed File Replication Service includes the Dfsrdiag.exe command-line tool. Dfsrdiag.exe can set the server RPC port that is used for administration and replication. To use Dfsrdiag.exe to set the server RPC port, follow this example:
dfsrdiag StaticRPC /port:nnnnn /Member:Branch01.sales.contoso.com
In this example, nnnnn represents a single, static RPC port that DFSR will use for replication. Branch01.sales.contoso.com represents the DNS or NetBIOS name of the target member computer. If no member is specified, Dfsrdiag.exe uses the local computer.

Internet Information Services

For more information about the ports that are used by IIS 4.0, by IIS 5.0, and by IIS 5.1, see Microsoft Knowledge Base article 327859: Inetinfo services use additional ports beyond well-known ports. For information about ports in IIS 6.0, see TCP/IP Port Filtering.

For information about FTP, see the following resources:

IPsec and VPNs

For more information about how to configure IPsec default exemptions in Windows, see Microsoft Knowledge Base article 811832: IPsec default exemptions can be used to bypass IPsec protection in some scenarios
For more information about the ports and protocols that are used by IPsec, see Microsoft Knowledge Base article 233256: How to enable IPsec traffic through a firewall
For more information about new and updated features in L2TP and IPsec, see Microsoft Knowledge Base article 818043: L2TP/IPsec NAT-T update for Windows XP and Windows 2000

Multicast Address Dynamic Client Allocation Protocol (MADCAP)

For more information about how to plan MADCAP servers, see Checklist: Installing a MADCAP server.

Message Queuing

For more information about the ports that are used by Microsoft Message Queuing, see Microsoft Knowledge Base article 178517: TCP ports, UDP ports, and RPC ports that are used by Message Queuing.

Mobile Information Server

For more information about the ports that are used by Microsoft Mobile Information Server 2001, see Microsoft Knowledge Base article 294297: TCP/IP ports used by Microsoft Mobile Information Server

Microsoft Operations Manager

For information about how to plan for and to deploy MOM, go to the System Center Technical Resources website.

Systems Management Server

For more information about the ports that are used by SMS 2003, see Microsoft Knowledge Base article 826852: Ports that Systems Management Server 2003 uses to communicate through a firewall or through a proxy server

For more information about the ports that are used by SMS 2.0, see Microsoft Knowledge Base article 167128: Network ports used by Remote Helpdesk functions
For more information about how to configure SMS through a firewall, see Microsoft Knowledge Base article 200898: How to use Systems Management Server 2.0 through a firewall
For more information about the ports that are used by SMS 2.0 Remote Tools, see Microsoft Knowledge Base article 256884: TCP and UDP ports that are used by Remote Control have changed in SMS 2.0 Service Pack 2

SQL Server

For more information about how SQL Server 2000 dynamically determines ports for secondary instances, see Microsoft Knowledge Base article 286303: Behavior of SQL Server 2000 Network Library during dynamic port detection. For more information about the ports that are used by SQL Server 7.0 and SQL Server 2000 for OLAP, see Microsoft Knowledge Base article 301901: TCP ports used by OLAP services when connecting through a firewall.

Terminal Services

For more information about how to configure the port that is used by Terminal Services, see Microsoft Knowledge Base article 187623: How to change Terminal Server's listening port

Controlling communications over the Internet in Windows

For more information about how Windows XP Service Pack 1 (SP1) communicates over the Internet, see the "Using Windows XP Professional with Service Pack 1 in a Managed Environment" white paper.

For more information about how Windows 2000 Service Pack 4 (SP4) communicates over the Internet, see the "Using Windows 2000 with Service Pack 4 in a Managed Environment" white paper.


For more information about how Windows Server 2003 communicates over the Internet, see the "Using Windows Server 2003 in a Managed Environment" white paper.

For more information about how Windows Server 2008 communicates over the Internet, see the "Using Windows Server 2008: Controlling Communication with the Internet" white paper.

Windows Media Services

For information about the ports that are used by Windows Media Services, see Allocating Ports for Windows Media Services.



Properties

Article ID: 832017 - Last Review: 17.2.2017 - Revision: 2

Windows Web Server 2008 R2, Windows Server 2008 R2 Datacenter, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Standard, Windows Server 2008 Datacenter, Windows Server 2008 Enterprise, Windows Server 2008 Standard, Windows Web Server 2008, Windows Server 2008 for Itanium-Based Systems, Microsoft Windows Server 2003 Service Pack 2, Microsoft Systems Management Server 2003, Microsoft SharePoint Portal Server 2001, Microsoft Windows 2000 Professional Edition, Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced Server, Microsoft SQL Server 2000 Standard Edition, Microsoft SQL Server 2000 Enterprise Edition, Microsoft Exchange 2000 Server Standard Edition, Microsoft Exchange 2000 Enterprise Server, Microsoft Operations Manager 2000 Enterprise Edition, Microsoft Internet Security and Acceleration Server 2000 Standard Edition, Microsoft Application Center 2000 Standard Edition, Windows 7 Enterprise, Windows 7 Home Basic, Windows 7 Home Premium, Windows 7 Professional, Windows 7 Starter, Windows 7 Ultimate, Windows Vista Service Pack 2, Microsoft Windows XP Service Pack 3, Windows 8, Windows Server 2012 Datacenter, Windows Server 2012 Essentials, Windows Server 2012 Foundation, Windows Server 2012 Standard, Windows Server 2016, Windows Server 2016 Datacenter, Windows Server 2016 Datacenter edition, Nano Server installation option, Windows Server 2016 Essentials, Windows Server 2016 MultiPoint Premium Server, Windows Server 2016 Standard, Windows Server 2016 Standard edition, Nano Server installation option
