Below is a list of the ports that need to be opened on Active Directory Certificate Services servers to enable HTTP- and DCOM-based enrollment. The information was developed by Microsoft Consulting Services during one of our customer engagements.
| Protocol | Port | From | To | Action | Comments |
|---|---|---|---|---|---|
| Kerberos | 464 | Certificate Enrollment Web Services | Domain Controllers (DC) | Allow | Source: Certificate Enrollment Web Services. Destination: DC. Service: Kerberos (network port tcp/464) |
| LDAP | 389 | Certificate Enrollment Web Services | Domain Controllers (DC) | Allow | Service: LDAP (network port tcp/389) |
| LDAP | 636 | Certificate Enrollment Web Services | Domain Controllers (DC) | Allow | Service: LDAP (network port tcp/636) |
| DCOM/RPC | Random port above port 1023 | Certificate Enrollment Web Services; all XP clients requesting certs | CA | Allow | For details on RPC/DCOM configuration, see http://support.microsoft.com/kb/154596/en-us |
| HTTPS | 443 | All clients requesting certs | | Allow | Source: Windows 7 client. Destination: (not stated). Service: https (network port tcp/443) |
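The following PowerShell script is an added example, not part of the original page, that checks from the Certificate Enrollment Web Services host whether the fixed TCP ports in the table above are reachable on the intended destinations. The host names are placeholders, and the choice of the CA as the destination for the HTTPS row is an assumption (the table leaves that cell blank). The DCOM/RPC row uses a dynamic port above 1023 and cannot be probed as a single port, so the script only reminds you to verify it separately after applying the range restriction from the linked KB article.

```powershell
# Added example (not from the original page). Run on the Certificate
# Enrollment Web Services host to confirm the required TCP ports are open.
$Targets = @{
    DC = 'dc01.corp.example'   # assumption: a domain controller
    CA = 'ca01.corp.example'   # assumption: the issuing CA
}

# Fixed-port rows from the table. The DCOM/RPC row (dynamic port above 1023)
# is reported separately because it has no single port to test.
$Rules = @(
    [pscustomobject]@{ Protocol = 'Kerberos'; Port = 464; To = 'DC' }
    [pscustomobject]@{ Protocol = 'LDAP';     Port = 389; To = 'DC' }
    [pscustomobject]@{ Protocol = 'LDAP';     Port = 636; To = 'DC' }
    [pscustomobject]@{ Protocol = 'HTTPS';    Port = 443; To = 'CA' }  # assumption: CA as destination
)

$Results = foreach ($r in $Rules) {
    $dest = $Targets[$r.To]
    # -InformationLevel Quiet returns $true/$false for the TCP connect attempt
    $ok = Test-NetConnection -ComputerName $dest -Port $r.Port `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{
        Protocol  = $r.Protocol
        Port      = $r.Port
        Target    = $dest
        Reachable = $ok
    }
}

$Results | Format-Table -AutoSize

$blocked = $Results | Where-Object { -not $_.Reachable }
if ($blocked) {
    $list = ($blocked | ForEach-Object { "$($_.Protocol)/$($_.Port) -> $($_.Target)" }) -join ', '
    Write-Warning "Required ports not reachable: $list"
}

Write-Host "DCOM/RPC to $($Targets.CA) uses a dynamic port above 1023; restrict the range per KB 154596 and then test that range explicitly."
```

Run it once after the firewall rules are deployed and again after any change to the CA or DC network configuration; a port that shows as unreachable here will surface as enrollment failures on clients, which are harder to trace back to the network layer.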