Which network ports do the QAS Unix/Linux/MacOSX clients use?
What ports need to be opened in a DMZ or when using a firewall?
Since QAS uses Active Directory for authentication and identity lookups, the networking infrastructure must allow the UNIX host to communicate with Active Directory. When designing firewalls and other network infrastructure, ensure that the following ports between UNIX hosts and Active Directory Domain Controllers are open:
Unless specific Domain Controllers are specified during the join, QAS will also need to communicate with the Forest root servers using the following ports:
NOTE: All of these ports are OUTGOING from QAS clients to Active Directory. The source ports used for the communication are allocated by the OS from the ephemeral port range; no incoming ports are opened on the client side.
53: If Unix hosts are to use DNS to detect the available Domain Controllers automatically, the DNS ports must be open as well. DNS traffic normally uses port 53. The DNS servers used by the Unix hosts must also serve the Active Directory DNS SRV records. Both UDP and TCP are used.
88: This is the port used for doing Kerberos authentication and requesting Kerberos service tickets against Active Directory Domain Controllers. TCP is now used by default.
123: Used for NTP for time-synchronization with Active Directory.
389: This is the port used for LDAP searches against Active Directory Domain Controllers. TCP is normally used, but UDP is used when detecting the Active Directory site membership.
445: Used to receive Group Policy over CIFS; TCP is used.
464: This is the port used for changing and setting passwords against Active Directory using the Kerberos change password protocol. QAS always uses TCP for password operations.
3268: This is the port used for LDAP searches against Active Directory Global Catalogs. TCP is always used when searching against the Global Catalog.
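The following script is an added example, not code from the article or from QAS itself. It turns the port list above into something a Unix administrator can run from the client side before a join: an outbound TCP probe of every TCP port in the table against one Domain Controller, plus a generator for stateful iptables OUTPUT rules that allow exactly those destinations and nothing inbound, matching the note that all traffic is outgoing. The hostname `dc01.example.internal` and the DC address passed to the rule generator are placeholders; the port-to-protocol mapping follows the article, except NTP on 123, which the article lists without a protocol and is assumed here to be UDP as in RFC 5905.

```python
"""Egress checks for the Active Directory ports a QAS Unix client needs.

Added example (not part of the original article). Host names and addresses
below are placeholders; the port table is transcribed from the article.
"""
import socket
from typing import Dict, Iterable, List, Tuple

# (port, protocols, purpose) as described in the article.
REQUIRED_PORTS: List[Tuple[int, Tuple[str, ...], str]] = [
    (53,   ("tcp", "udp"), "DNS queries, incl. AD SRV records for DC discovery"),
    (88,   ("tcp",),       "Kerberos authentication and service ticket requests"),
    (123,  ("udp",),       "NTP time sync (UDP assumed; article states no protocol)"),
    (389,  ("tcp", "udp"), "LDAP searches (UDP only for AD site detection)"),
    (445,  ("tcp",),       "Group Policy retrieval over CIFS"),
    (464,  ("tcp",),       "Kerberos password change/set"),
    (3268, ("tcp",),       "LDAP searches against the Global Catalog"),
]


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if an outbound TCP connection to host:port completes.

    A refused or timed-out connect is reported as unreachable, which is what
    a blocked egress rule looks like from the client side.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc_tcp(host: str, timeout: float = 3.0) -> Dict[int, bool]:
    """Probe every TCP port in the table against one Domain Controller."""
    return {
        port: tcp_reachable(host, port, timeout)
        for port, protos, _ in REQUIRED_PORTS
        if "tcp" in protos
    }


def missing_ports(results: Dict[int, bool]) -> List[int]:
    """Ports that failed the probe, in table order."""
    return [port for port, ok in results.items() if not ok]


def iptables_egress_rules(dc_addrs: Iterable[str]) -> List[str]:
    """Build stateful OUTPUT rules allowing only the listed ports to the DCs.

    Replies ride on the ESTABLISHED,RELATED rule; no inbound port is opened
    on the client, in line with the article's note that traffic is outgoing.
    """
    rules = ["iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for dc in dc_addrs:
        for port, protos, purpose in REQUIRED_PORTS:
            for proto in protos:
                rules.append(
                    f"iptables -A OUTPUT -p {proto} -d {dc} --dport {port} "
                    f"-m conntrack --ctstate NEW -j ACCEPT  # {purpose}"
                )
    return rules


if __name__ == "__main__":
    import sys
    # Placeholder DC name; pass a real Domain Controller as the first argument.
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.internal"
    results = check_dc_tcp(dc)
    for port, ok in results.items():
        print(f"{port:>5}/tcp  {'open' if ok else 'BLOCKED'}")
    if missing_ports(results):
        print("Blocked ports:", missing_ports(results))
    print("\n".join(iptables_egress_rules([dc])))
```

The probe only covers TCP: the UDP uses on 53, 389 and 123 are request/response without a handshake, so a connect test says nothing about them; confirm those with an actual DNS lookup of the `_ldap._tcp.dc._msdcs` SRV record and an NTP query against the DC instead. Run the script on the client with the DC name as its argument; any port reported BLOCKED is one the firewall or DMZ rule set still needs to permit.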