• Farm Communication in SharePoint


    The information provided in this article is available at Plan security hardening for SharePoint 2013 (TechNet) and SharePoint 2013 Ports, Proxies and Protocols - An Overview of Farm Communications.

    See this table for commonly used ports and protocols in farm communication.

    Ports and Protocols

    Service Application Communication

    By default, communication between Web servers and service applications within a farm takes place by using HTTP with a binding to TCP 32843. When you publish a service application, you can select either HTTP or HTTPS with the following bindings:

    HTTP binding: TCP 32843
    HTTPS binding: TCP 32844

    Additionally, third parties that develop service applications can implement a third choice:

    net.tcp binding: TCP 32845

    You can change the protocol and port binding for each service application. On the Service Applications page in Central Administration, select the service application, and then click Publish.

    The HTTP/HTTPS/net.tcp bindings can also be viewed and changed using the Get-SPServiceHostConfig and Set-SPServiceHostConfig PowerShell cmdlets. Communication between service applications and SQL Server takes place over the standard SQL Server ports or the ports that you configure for SQL Server communication. See Service Application Communication for more information.

    Output of Get-SPServiceHostConfig

    HttpPort : 32843
    HttpsPort : 32844
    NetTcpPort : 32845
    SslCertificateStoreName : SharePoint
    SslCertificateFindType : FindBySubjectDistinguishedName
    SslCertificateFindValue : CN=SharePoint Services, OU=SharePoint, O=Contoso, C=IC


    User Profile Service Hardening Requirements

    The User Profile service application uses the Forefront Identity Management agent to synchronize profiles between SharePoint 2013 and Active Directory or a Lightweight Directory Access Protocol (LDAP) directory service. The Forefront Identity Management agent is installed on all servers in a SharePoint farm, but is only required on the server that is set up to synchronize with the directory store.

    The Forefront Identity Management agent includes the following two services that must remain enabled on the server that is set up to crawl Active Directory or another directory store:

    • Forefront Identity Manager service
    • Forefront Identity Manager Synchronization service

    Additionally, TCP 5725 must be open on the server that runs the Forefront Identity Management agent and is set up to crawl a directory store. In Active Directory environments, the following ports must remain open for communication between the SharePoint 2013 server that synchronizes with the directory store and the server that is running Active Directory:

    • TCP & UDP 389 (LDAP service)
    • TCP & UDP 88 (Kerberos)
    • TCP & UDP 53 (DNS)
    • UDP 464 (Kerberos Change Password)

    For more information about hardening requirements for the Forefront Identity Management agent, including port requirements for other directory types, see Management Agent Communication Ports, Rights, and Permissions (http://go.microsoft.com/fwlink/p/?LinkId=186832).
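    Added example (not part of the TechNet material this article summarizes): a PowerShell script that reads the farm's bindings with Get-SPServiceHostConfig, checks which of those ports are actually listening on this server, lists the existing inbound firewall rules that open them, and then creates rules scoped to the farm's own servers (plus TCP 5725 on the profile synchronization server). It assumes a Windows Server 2012 or later farm member with the NetSecurity module; the $FarmMembers addresses, the $IsSyncServer flag and the rule names are constructed placeholders.

```powershell
# Added example, not code from the original article. Run elevated in the
# SharePoint 2013 Management Shell on a Windows Server 2012+ farm member.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$FarmMembers  = @('10.0.0.11', '10.0.0.12')   # constructed: addresses of the other farm servers
$IsSyncServer = $true                         # $true only on the server that runs profile sync

# 1. Read the bindings the farm actually uses (the same object whose output is shown above)
$cfg = Get-SPServiceHostConfig
$bindings = [ordered]@{ HTTP = $cfg.HttpPort; HTTPS = $cfg.HttpsPort; 'net.tcp' = $cfg.NetTcpPort }

function Get-ServiceBindingStatus {
    # Report whether each configured port has a listening socket on this server
    foreach ($b in $bindings.GetEnumerator()) {
        $listening = Get-NetTCPConnection -State Listen -LocalPort $b.Value -ErrorAction SilentlyContinue
        [pscustomobject]@{ Binding = $b.Key; Port = $b.Value; Listening = [bool]$listening }
    }
}

function Get-ExistingPortRules {
    # List inbound rules that already open any of these ports; an allow-from-any rule
    # (SharePoint setup adds such rules) would make the scoped rule below meaningless
    param([int[]]$Ports)
    Get-NetFirewallPortFilter |
        Where-Object { $p = $_.LocalPort; $Ports | Where-Object { $p -contains "$_" } } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' } |
        Select-Object DisplayName, Enabled, Action, Profile
}

function Set-ScopedFarmRules {
    # Allow the service application ports (and FIM's 5725 on the sync server) only from farm members
    $rules = [ordered]@{ 'SharePoint service applications (farm only)' = @($cfg.HttpPort, $cfg.HttpsPort, $cfg.NetTcpPort) }
    if ($IsSyncServer) { $rules['Forefront Identity Manager 5725 (farm only)'] = @(5725) }
    foreach ($name in $rules.Keys) {
        Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP -LocalPort $rules[$name] `
            -RemoteAddress $FarmMembers -Action Allow -Profile Domain | Out-Null
    }
}

Get-ServiceBindingStatus | Format-Table -AutoSize
Get-ExistingPortRules -Ports @($cfg.HttpPort, $cfg.HttpsPort, $cfg.NetTcpPort, 5725) | Format-Table -AutoSize
Set-ScopedFarmRules
```

    Review the rules reported by Get-ExistingPortRules before relying on the scoped ones: a broader allow rule for the same port still admits any remote address.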


    References

    Learn about security hardening for SharePoint web server, application server, and database server roles (blocking the standard SQL Server ports), including specific hardening requirements for ports, protocols, and services.

    The articles and resources on this page provide information about how to plan SharePoint 2013 security for server farms.

    When you install SQL Server, the default settings help to provide a safe database. In addition, you can use SQL Server tools and Windows Firewall to add additional security to SQL Server for SharePoint 2013 environments. Learn how to improve the security of SQL Server for SharePoint 2013 environments.

  • SharePoint 2013 Prerequisites fails with MSI Installer error code 1603 while installing AppFabric 1.1

    When installing the SharePoint 2013 prerequisites on Windows Server 2008 R2, the prerequisite installer fails with the following error:

    Appfabric installation failed because installer MSI returned with error code:1603

    This is a generic MSI error message and gives no indication of how to fix the issue. Uninstalling and reinstalling only makes it worse.

    The issue can be caused by any of the following:

    1. The path to the PowerShell executable that is needed for the AppFabric installation is incorrect.
    2. In some scenarios, repeated uninstallation and re-installation does not fix the issue. This is because the installer does not remove the PSModulePath entry in Environment Variables during un-installation and the installation fails because the entry already exists.
    3. You are trying to install all the prerequisites manually because the server does not have a connection to the internet.

      Note: AppFabric installation and configuration has to be done by the prerequisite installer ONLY and not in a stand-alone manner.

    You can implement any one of the solutions listed below.

    1. Solution 1

      Append the following path to the PSModulePath entry in the environment variables: %SYSTEMROOT%\System32\WindowsPowerShell\v1.0

      • Go to My Computer, right-click, and choose Properties
      • On the System page, click Advanced System Settings in the left-hand pane
      • If you receive a UAC prompt, click Yes to launch the System Properties dialog box
      • From the Advanced tab, click Environment Variables
      • Within the System Variables section in the lower half, select PSModulePath and click Edit (or double-click PSModulePath)
      • Append the following path to the PSModulePath entry:

      %SYSTEMROOT%\System32\WindowsPowerShell\v1.0\

      • Ensure that the PSModulePath entry looks like this:

        C:\Windows\system32\WindowsPowerShell\v1.0\Modules\;c:\Program Files\AppFabric 1.1 for Windows Server\PowershellModules


    2. Solution 2

      • Other applications might reference the same variable and may fail if it is deleted, so use this only if Solution 1 does not help.
      • Remove the PSModulePath entry from Environment Variables and re-run the installer. Once it completes successfully, ensure that the PSModulePath entry looks the same as in Solution 1.

    3. Solution 3

    You can download the list of prerequisites from Links to applicable software

    Links to the individual prerequisites:

    The steps listed below are for AppFabric for Windows Server only.

    Follow these steps to install AppFabric for Windows Server correctly:

    • Uninstall the Appfabric for Windows Server from Control Panel -> Programs and Features page
    • Download the individual requirements to a network location or a local folder
    • Install prerequisites for SharePoint 2013 manually
    • From the Start menu, open the Command Prompt window using the Run as administrator option.

      - Navigate to the root of the SharePoint 2013 installation media or folder location.
      - Type the prerequisite program switch and corresponding argument for the program that you want to install, and then press ENTER.

      For example, to install AppFabric for Windows Server from a local source, run the following command:

      PrerequisiteInstaller.exe /AppFabric:<location Of the Appfabric installation file>

      This kicks off the prerequisite installer wizard, which uses the installation file stored locally on the machine, as specified on the command line, to install Windows Server AppFabric. You can also install more than one prerequisite in a single run by passing several switches to PrerequisiteInstaller.exe, each with its own installation path. For example:

      PrerequisiteInstaller.exe /AppFabric:<location Of the Appfabric installation file> /IDFX11:<Install Windows Identity Foundation v1.1 from file>

      This command installs AppFabric and Windows Identity Foundation.

      For a complete list of prerequisite installer operations and command-line options, see Prerequisite installer operations and command-line options.

    • The SharePoint 2013 prerequisite installer (prerequisiteinstaller.exe) installs the following software, if it has not already been installed on the server, in this order (provided you have downloaded the prerequisites locally):

      PrerequisiteInstaller.exe

      /SQLNCli:file - Install Microsoft SQL Server 2008 R2 SP1 Native Client from file
      /PowerShell:file - Install Windows Management Framework 3.0 from file
      /NETFX:file - Install Microsoft .NET Framework 4.5 from file
      /IDFX:file - Install Windows Identity Foundation (KB974405) from file
      /Sync:file - Install Microsoft Sync Framework Runtime v1.0 SP1 (x64) from file

      /AppFabric:<location Of the Appfabric installation file>
      /IDFX11:"<path>\Microsoft Identity Extensions.msi"
      /MSIPCClient:"<path>\msipc.msi"
      /WCFDataServices:"<path>\WcfDataServices.exe"
      /KB2671763:"<path>\AppFabric1.1-RTM-KB2671763-x64-ENU.exe"

    where <file> (or <path>) signifies the file location from which you want to install. If you do not specify the file option, the installer downloads the file from the Internet and installs it.

    The prerequisite installer creates log files at %TEMP%\prerequisiteinstaller.<date>.<time>.log. You can check these log files for specific details about all changes the installer makes to the server.

    See Install prerequisites for SharePoint 2013 from a network share for information about how to install the SharePoint 2013 prerequisites at the command prompt from a network share or the local system. This approach is typically used when the server does not have a connection to the internet.
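    Added example (not from the original post): a PowerShell script that applies the Solution 1 fix programmatically, verifying that the machine-level PSModulePath contains the two entries shown above and appending whichever is missing (after backing up the old value), and then reading the newest %TEMP%\prerequisiteinstaller.<date>.<time>.log for error lines. The function names and the backup file path are assumptions of this example.

```powershell
# Added example, not code from the original post. Run elevated: the Machine scope
# of PSModulePath can only be written by an administrator.
$Required = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\Modules\",
    "$env:ProgramFiles\AppFabric 1.1 for Windows Server\PowershellModules"
)

function Test-PSModulePathEntry {
    # Entries are compared case-insensitively, ignoring a trailing backslash
    param([string]$Path, [string]$Entry)
    $entries = $Path -split ';' | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }
    return ($entries -contains $Entry.TrimEnd('\'))
}

function Repair-PSModulePath {
    # Append the missing entries to the machine-level variable; -WhatIf only reports
    param([string[]]$Entries, [switch]$WhatIf)
    $current = [Environment]::GetEnvironmentVariable('PSModulePath', 'Machine')
    $missing = $Entries | Where-Object { -not (Test-PSModulePathEntry -Path $current -Entry $_) }
    if (-not $missing) {
        Write-Host 'PSModulePath already contains the required entries'
        return $current
    }
    $new = (@($current) + $missing | Where-Object { $_ }) -join ';'
    Write-Host "Adding to PSModulePath: $($missing -join '; ')"
    if (-not $WhatIf) {
        # Keep the previous value: the AppFabric installer never cleans this variable up itself
        Set-Content -Path "$env:TEMP\PSModulePath.backup.txt" -Value $current   # assumed backup path
        [Environment]::SetEnvironmentVariable('PSModulePath', $new, 'Machine')
    }
    return $new
}

function Get-PrerequisiteInstallerErrors {
    # The installer writes %TEMP%\prerequisiteinstaller.<date>.<time>.log; read the newest one
    $log = Get-ChildItem "$env:TEMP\prerequisiteinstaller.*.log" -ErrorAction SilentlyContinue |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $log) { Write-Host 'No prerequisite installer log found'; return @() }
    Write-Host "Reading $($log.FullName)"
    Select-String -Path $log.FullName -Pattern 'error code|failed' | Select-Object LineNumber, Line
}

Repair-PSModulePath -Entries $Required
Get-PrerequisiteInstallerErrors | Format-Table -AutoSize -Wrap
```

    Open a new console after the repair so the updated variable is picked up before re-running PrerequisiteInstaller.exe.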

  • Retrieve timer job history for a specified time range using PowerShell


    # Retrieve timer job history for a specified time range

    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

    # Initial settings
    $Wa = Get-SPWebApplication "http://WebAppUrl"    # Supply the web app url here
    $From = [DateTime]"2/13/2013 12:00:00 AM"        # mm/dd/yyyy hh:mm:ss
    $To   = [DateTime]"2/14/2013 12:00:00 AM"

    # Retrieve all jobs in the time range
    Write-Host "Listing all timer jobs that have run between $From and $To and storing them in CSV format" -ForegroundColor Blue
    $Wa.JobHistoryEntries | Where-Object { ($_.StartTime -gt $From) -and ($_.StartTime -lt $To) } | Export-Csv TimerJobHistory.csv -NoTypeInformation

    Write-Host "Done.." -ForegroundColor Green

    # Retrieve all failed jobs in the time range (any status other than Succeeded)
    Write-Host "Listing all timer jobs that have failed between $From and $To and storing them in CSV format" -ForegroundColor Red
    $Wa.JobHistoryEntries | Where-Object { ($_.StartTime -gt $From) -and ($_.StartTime -lt $To) -and ($_.Status -ne 'Succeeded') } | Export-Csv FailedTimerJobHistory.csv -NoTypeInformation

    Write-Host "Done.." -ForegroundColor Green


  • Create a new Search Service Application in SharePoint 2013 using PowerShell


    The search architecture in SharePoint 2013 has changed quite a bit when compared to SharePoint 2010. In fact the Search Service in SharePoint 2013 is completely overhauled. It is a combination of FAST Search and SharePoint Search components.


    In SharePoint 2013 the query and crawl topologies are merged into a single topology, simply called the "Search topology". Provisioning the search service application creates 4 databases:

    • SP2013_Enterprise_Search - This is a search administration database. It contains configuration and topology information
    • SP2013_Enterprise_Search_AnalyticsReportingStore - This database stores the result of usage analysis
    • SP2013_Enterprise_Search_CrawlStore - The crawl database contains detailed tracking and historical information about crawled items
    • SP2013_Enterprise_Search_LinksStore - Stores the information extracted by the content processing component and also stores click-through information

    # Create a new Search Service Application in SharePoint 2013

    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

    # Settings
    $IndexLocation = "C:\Data\Search15Index"   # Location must be empty, it will be deleted during the process!
    $SearchAppPoolName = "Search App Pool"
    $SearchAppPoolAccountName = "Contoso\administrator"
    $SearchServerName = (Get-ChildItem env:computername).value
    $SearchServiceName = "Search15"
    $SearchServiceProxyName = "Search15 Proxy"
    $DatabaseName = "Search15_ADminDB"
    Write-Host -ForegroundColor Yellow "Checking if Search Application Pool exists"
    $SPAppPool = Get-SPServiceApplicationPool -Identity $SearchAppPoolName -ErrorAction SilentlyContinue

    if (!$SPAppPool)
    {
        Write-Host -ForegroundColor Green "Creating Search Application Pool"
        $spAppPool = New-SPServiceApplicationPool -Name $SearchAppPoolName -Account $SearchAppPoolAccountName -Verbose
    }

    # Start Services search service instance
    Write-host "Start Search Service instances...."
    Start-SPEnterpriseSearchServiceInstance $SearchServerName -ErrorAction SilentlyContinue
    Start-SPEnterpriseSearchQueryAndSiteSettingsServiceInstance $SearchServerName -ErrorAction SilentlyContinue

    Write-Host -ForegroundColor Yellow "Checking if Search Service Application exists"
    $ServiceApplication = Get-SPEnterpriseSearchServiceApplication -Identity $SearchServiceName -ErrorAction SilentlyContinue

    if (!$ServiceApplication)
    {
        Write-Host -ForegroundColor Green "Creating Search Service Application"
        $ServiceApplication = New-SPEnterpriseSearchServiceApplication -Partitioned -Name $SearchServiceName -ApplicationPool $spAppPool.Name -DatabaseName $DatabaseName
    }

    Write-Host -ForegroundColor Yellow "Checking if Search Service Application Proxy exists"
    $Proxy = Get-SPEnterpriseSearchServiceApplicationProxy -Identity $SearchServiceProxyName -ErrorAction SilentlyContinue

    if (!$Proxy)
    {
        Write-Host -ForegroundColor Green "Creating Search Service Application Proxy"
        New-SPEnterpriseSearchServiceApplicationProxy -Partitioned -Name $SearchServiceProxyName -SearchApplication $ServiceApplication
    }


    # Show the topology that exists right after provisioning (it has no components yet)
    $ServiceApplication.ActiveTopology
    Write-Host $ServiceApplication.ActiveTopology

    # Clone the default Topology (which is empty) and create a new one and then activate it
    Write-Host "Configuring Search Component Topology...."
    $clone = $ServiceApplication.ActiveTopology.Clone()
    $SSI = Get-SPEnterpriseSearchServiceInstance -local
    New-SPEnterpriseSearchAdminComponent -SearchTopology $clone -SearchServiceInstance $SSI
    New-SPEnterpriseSearchContentProcessingComponent -SearchTopology $clone -SearchServiceInstance $SSI
    New-SPEnterpriseSearchAnalyticsProcessingComponent -SearchTopology $clone -SearchServiceInstance $SSI
    New-SPEnterpriseSearchCrawlComponent -SearchTopology $clone -SearchServiceInstance $SSI

    Remove-Item -Recurse -Force -LiteralPath $IndexLocation -ErrorAction SilentlyContinue
    mkdir -Path $IndexLocation -Force

    New-SPEnterpriseSearchIndexComponent -SearchTopology $clone -SearchServiceInstance $SSI -RootDirectory $IndexLocation
    New-SPEnterpriseSearchQueryProcessingComponent -SearchTopology $clone -SearchServiceInstance $SSI
    $clone.Activate()

    Write-host "Your search service application $SearchServiceName is now ready"

    Update

    To configure failover server(s) for Search DBs, use the following PowerShell:

    Thanks to Marcel Jeanneau for sharing this!

    #Admin Database
    $ssa = Get-SPEnterpriseSearchServiceApplication "Search Service Application"
    Set-SPEnterpriseSearchServiceApplication -Identity $ssa -FailoverDatabaseServer <failoverServerAlias\instance>

    #Crawl Database
    $CrawlDatabase0 = ([array]($ssa | Get-SPEnterpriseSearchCrawlDatabase))[0]
    Set-SPEnterpriseSearchCrawlDatabase -Identity $CrawlDatabase0 -SearchApplication $ssa -FailoverDatabaseServer <failoverServerAlias\instance>

    #Links Database
    $LinksDatabase0 = ([array]($ssa | Get-SPEnterpriseSearchLinksDatabase))[0]
    Set-SPEnterpriseSearchLinksDatabase -Identity $LinksDatabase0 -SearchApplication $ssa -FailoverDatabaseServer <failoverServerAlias\instance>

    #Analytics database
    $AnalyticsDB = Get-SPDatabase -Identity <id of database>
    $AnalyticsDB.AddFailOverInstance("failover alias\instance")
    $AnalyticsDB.Update()


    See the following articles for information about the Search Service Application in SharePoint 2013: