Firewall Rules for Active Directory Certificate Services
Below is a list of ports that need to be opened on Active Directory Certificate Services servers to enable HTTP- and DCOM-based enrollment.
The information was developed by Microsoft Consultant Services during one of our customer engagements.
| Protocol | Port | From | To | Action | Comments |
|---|---|---|---|---|---|
| Kerberos | 464 | Certificate Enrollment Web Services | Domain Controllers (DC) | Allow | Source: Certificate Enrollment Web Services; Destination: DC; Service: Kerberos (network port tcp/464) |
| LDAP | 389 | Certificate Enrollment Web Services | Domain Controllers (DC) | Allow | Source: Certificate Enrollment Web Services; Destination: DC; Service: LDAP (network port tcp/389) |
| LDAP | 636 | Certificate Enrollment Web Services | Domain Controllers (DC) | Allow | Source: Certificate Enrollment Web Services; Destination: DC; Service: LDAP (network port tcp/636) |
| DCOM/RPC | Random port above port 1023 | Certificate Enrollment Web Services; all XP clients requesting certs | CA | Allow | See https://support.microsoft.com/kb/154596/en-us for details on RPC/DCOM configuration |
| HTTPS | 443 | All clients requesting certs | Certificate Enrollment Web Services | Allow | Source: Windows 7 client; Destination: Certificate Enrollment Web Services; Service: https (network port tcp/443) |
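As an added example (not code from the original article), the table above expressed as Windows Defender Firewall rules with New-NetFirewallRule, scoped to the source hosts the table names rather than left open to any address. The host addresses are placeholders, and tcp/135 is included because the DCOM endpoint mapper needs it even though the table lists only the dynamic ports.

```powershell
# Added example, not part of the original article. Run the "DC" section on each
# domain controller, the "CA" section on the CA, and the "CES" section on each
# Certificate Enrollment Web Services server. Addresses are placeholders (assumed).
$CesServers = @('10.0.10.21', '10.0.10.22')   # Certificate Enrollment Web Services hosts
$ClientNets = @('10.0.0.0/16')                # networks of clients requesting certs

# --- DC: Kerberos tcp/464, LDAP tcp/389, LDAP over SSL tcp/636, from CES servers only ---
$DcPorts = @{ 464 = 'Kerberos'; 389 = 'LDAP'; 636 = 'LDAP over SSL' }
foreach ($port in $DcPorts.Keys) {
    New-NetFirewallRule -DisplayName "ADCS: $($DcPorts[$port]) from CES (tcp/$port)" `
        -Direction Inbound -Protocol TCP -LocalPort $port `
        -RemoteAddress $CesServers -Action Allow -Profile Domain
}

# --- CA: DCOM/RPC from CES servers and from the legacy (XP) clients that enrol over DCOM ---
# DCOM needs the RPC endpoint mapper on tcp/135 plus the dynamic ports the table calls
# "random port above 1023". The RPC keyword restricts the rule to the dynamic port the
# CA service (certsrv.exe) actually listens on instead of a static 1024-65535 range;
# narrowing the dynamic range itself is what the linked KB article covers.
$DcomSources = $CesServers + $ClientNets
New-NetFirewallRule -DisplayName 'ADCS: RPC endpoint mapper (tcp/135)' -Direction Inbound `
    -Protocol TCP -LocalPort 135 -RemoteAddress $DcomSources -Action Allow -Profile Domain
New-NetFirewallRule -DisplayName 'ADCS: certsrv dynamic RPC' -Direction Inbound `
    -Protocol TCP -LocalPort RPC -Program "$env:SystemRoot\System32\certsrv.exe" `
    -RemoteAddress $DcomSources -Action Allow -Profile Domain

# --- CES: HTTPS tcp/443 from enrolling clients ---
New-NetFirewallRule -DisplayName 'ADCS: CES HTTPS (tcp/443)' -Direction Inbound `
    -Protocol TCP -LocalPort 443 -RemoteAddress $ClientNets -Action Allow -Profile Domain

# Check what was created on this host
Get-NetFirewallRule -DisplayName 'ADCS:*' |
    Format-Table DisplayName, Direction, Action, Profile -AutoSize
```

Each host role only needs its own section; the DC rules deliberately do not allow the client networks, since enrollment over HTTPS terminates at the CES servers.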