Firewall Rules for Active Directory Certificate Services

re: Firewall Rules for Active Directory Certificate Services

Marc Puverel — Fri, 26 Oct 2012 14:14:42 GMT

Following the article at the following URL: blogs.technet.com/.../how-to-troubleshoot-certificate-enrollment-in-the-mmc-certificate-snap-in.aspx

It appears that port 135 - TCP has to be open for RPC EPM. Basically for mmc and auto-enrollment scenarios.

re: Firewall Rules for Active Directory Certificate Services

cadlau — Fri, 09 Mar 2012 16:10:13 GMT

I still get these errors on the Domain Controllers running 2008 R2 to a 2003 Enterprise CA. I have TCP 135 (RPC) open already, but I highly suspect it maybe the "Random port above port 1023" requirement as noted in the table. I hate to have to open up all ports above this. Any other way to make this a specific port? I can map the cahost computer from domain controller as \\cahost\ and I will see CertEnroll Share.

Event ID: 13

User: SYSTEM

Source: CertificateServicesClient-CertEnroll

Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from cahostname.my-domain.com\cahostname (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).

Event ID: 6

User: N/A

Source: CertificateServicesClient-AutoEnrollment

Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.

re: Firewall Rules for Active Directory Certificate Services

Sycane — Mon, 30 Jan 2012 14:51:25 GMT

Has anyone got any relevant information regarding port usage when certificates are requested via MMC and the Certificates snap-in?

re: Firewall Rules for Active Directory Certificate Services

Walter Chomak — Fri, 13 Jan 2012 15:48:18 GMT

I can submit and retrieve certs just fine with https. I have also successfully automated the process with certutil. It works perfect on a regular workgroup server - but on the same network. What must be done to do so from a workgroup machine that is outisde the network? 443 access only. THANKS!

re: Firewall Rules for Active Directory Certificate Services

Sycane — Mon, 19 Dec 2011 15:10:00 GMT

The table data seems to only provide information for Web Enrollment, what ports are required between a requesting host and an Enterprise CA?

Not wanting to presume anything (but without having tested) I suspect this would be TCP/135 + high ports.

Some clarity from a point of authority would be appreciated.

re: Firewall Rules for Active Directory Certificate Services

Kurt L Hudson MSFT — Mon, 01 Aug 2011 23:50:59 GMT

I just removed port 440 based on the result of an internal conversation about that port not being needed.

re: Firewall Rules for Active Directory Certificate Services

Markus — Thu, 09 Jun 2011 23:45:26 GMT

When did kerberos start using tcp/440?

My understandin was it used tcp/88, upd/88 and tcp/464.

re: Firewall Rules for Active Directory Certificate Services

Lylian L — Thu, 16 Dec 2010 09:31:09 GMT

Thanks a lot for your article. Not found out There !!!

re: Firewall Rules for Active Directory Certificate Services

Tom Aafloen — Mon, 20 Sep 2010 10:17:15 GMT

Hello!

Doesn't RPC TCP 135 (RPC Endpoint Mapper) also have to be open? How else can clients find out what random port above 1023 is being used at any given time?

It is possible to set the random port being used by the CA server to a fixed value (with DCOM, Static Endpoint), is this supported by Microsoft?

I love this blog, keep it updated!

Sincerly Yours

Tom Aafloen, Sweden

re: Firewall Roles for Active Directory Certificate Services

Siki — Mon, 28 Jun 2010 01:33:21 GMT

Just a minor correction. Should DCOM/RPC state: "Random port above port 1023" rather than "1024". I believe RPC uses >=1024 (includes 1024).

Otherwise, good summary.

Siki