Communication Ports for Active Roles (4227036)

This article outlines the ports used by Active Roles and Synchronization Service.

Active Roles Administration Service:

• 15172 (HTTPS) TCP Inbound
• All high ports (1024-65535) on port 15172
  • Client machines randomly select high ports to use for outgoing traffic on port 15172 to access the Active Roles Administration Service.

Starling Connect Notifications Pane:

The appropriate port must be open from the client browser inbound to the Active Roles Administration Service hosts.

• 7465 (HTTP) TCP Inbound
• 7466 (HTTPS) TCP Inbound

Synchronization Service:

• 15173 (HTTPS) TCP Inbound

NOTE: If the Synchronization Service is installed on a server without Active Roles, it will also require outbound ports to any source or target connections you configure, such as Active Directory, Active Roles, SQL, Azure, and so on.
 

Synchronization Service Capture Agent (Installed on Domain Controllers):  

• 7148 (HTTPS) TCP Inbound

Communicating with Azure:

Active Roles Administration Service host must be able to resolve and access the following URLs:

• https://login.microsoftonline.com/
• https://developer.microsoft.com/graph
• https://graph.windows.net/

DNS:

• 53 TCP/UDP (Outbound on Active Roles)

Web Interface:

• 80 (HTTP) TCP Inbound
• 443 (HTTPS) TCP Inbound

SQL Server:

• 1433 (default SQL instance) TCP (Outbound on Active Roles)
• 1434 (SQL Server Browser service) UDP (Outbound on Active Roles)

Domain Controllers:
Outbound on Active Roles host:

• 88 (Kerberos) TCP/UDP
• 135 (RPC endpoint mapper) TCP
• 139 (SMB/CIFS) TCP
• 445 (SMB/CIFS) TCP
• 389 (LDAP) TCP/UDP
• 3268 (Global Catalog LDAP) TCP
• 636 (LDAP SSL) TCP

Ports required if Active Roles is configured to access the domain by using SSL:

• 3269 (Global Catalog LDAP SSL) TCP (Outbound on Active Roles)
• The TCP port allocated by RPC endpoint mapper for communication with the domain controller
  • You can configure Active Directory domain controllers to use specific port numbers for RPC communication. For instructions, see this Microsoft Article.

Managed AD LDS instances:

• The TCP port used for LDAP communication with the AD LDS server is configurable in the Add Managed AD LDS Instance Wizard. (Outbound on Active Roles)

Exchange Servers:

• 135 (RPC endpoint mapper) TCP (Outbound on Active Roles)
• The TCP port allocated by RPC endpoint mapper for communication with the Exchange server.
  • You can configure Exchange servers to use specific port numbers for RPC communication. For more information, contact Microsoft Support.

​The following ports must be open for operations related to the WinRM service to work:

• 80 (HTTP) TCP (Outbound on Active Roles)
• 5985 (HTTP) TCP (Outbound on Active Roles)
• 5986 (HTTPS) TCP (Outbound on Active Roles)

Access to SMTP sever for e-mail integration:

• 25 TCP (Outbound on Active Roles)
  • Active Roles uses SMTP port 25 by default. The default port number can be changed in the properties of the Mail Configuration object in the Active Roles console. If Mail Configuration specifies a different port, open that port rather than port 25.

Computer Resource Management & Home Folder Provisioning/Deprovisioning:

• 139 (SMB/CIFS) TCP (Outbound on Active Roles)
• 445 (SMB/CIFS) TCP (Outbound on Active Roles)

Computer restart:

• 139 (SMB/CIFS) TCP (Outbound on Active Roles)
• 137 (WINS) UDP (Outbound on Active Roles)
• 138 (NetBIOS) UDP (Outbound on Active Roles)