-
Title
Which network ports do the clients use? -
Description
Which network ports do the Authentication Services Client use?
Which network ports do the Authentication Services Unix/Linux/MacOSX clients use?
What ports need to be opened in a DMZ or when using a firewall?
-
Resolution
As Authentication Services uses Active Directory for authentication and identity lookups, the networking infrastructure must allow the client to communicate with Active Directory. When designing firewalls and other network infrastructure, ensure that the following ports between client and Active Directory Domain Controllers are open:
vasd
REQUIRED- 88 - TCP (Kerberos traffic)
- 389 - TCP (Kerberized LDAP - queries)
- 389 - UDP (Kerberized LDAP - ping)
- 464 - TCP (Kerberos - password changes)
- 3268 - TCP (Global Catalog LDAP)
OPTIONAL- 53 - TCP/UDP (DNS - used to receive DNS SRV records not required if joining to specific Domain Controllers)
- 123 - UDP (NTP - used to synchronise time between Active Directory and Authentication Services clients)
Unless specific Domain Controllers are specified during the join, Authentication Services will also need to communicate to the Forest root servers using the following ports:-- 88 / 389 / 3268
LDAP traffic generated via vas_attrs_find (over 389) is encrypted by Kerberos
vgptool
- 445 - TCP (CIFS)
NOTE: All these ports are OUTGOING from Authentication Services Clients -> Active Directory. Authentication services, by default, operates as a client, initiating connections. It does not require any firewall exceptions for incoming traffic.
-
Additional Information
More information on the ports used53: If Unix hosts should use DNS to automatically detect the available Domain Controllers, then the ports for using DNS must be open as well. The port used for DNS traffic is usually port 53. The DNS servers used by the Unix hosts must also have the Active Directory DNS SRV records available as well. Both UDP and TCP are used.
88: This is the port used for doing Kerberos authentication and requesting Kerberos service tickets against Active Directory Domain Controllers. TCP is now used by default.
123: Used for NTP for time-synchronization with Active Directory.
389: This the port used for LDAP searches against Active Directory Domain Controllers. TCP is normally used, but UDP is used when detecting the Active Directory site membership.
445: Used to receive Group Policy over CIFS uses TCP.
464: This is the port used for changing and setting passwords against Active Directory using the Kerberos change password protocol. Authentication Services always uses TCP for password operations.
3268: This is the port used for LDAP searches against Active Directory Global Catalogs. TCP is always used when searching against the Global Catalog.
Leave a Comment
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center