
Active Roles 8.2.1 - Administration Guide


Communication ports and URLs used by Active Roles

This section and its subsections list the communication ports used by Active Roles and its various components. To ensure that Active Roles works properly, open these ports in your organization firewall.

NOTE: For the list of ports used by Active Roles Synchronization Service and Capture Agent, see Communication ports used by Synchronization Service in the Active Roles Synchronization Service Administration Guide.

Ports and URLs used by Active Roles Administration Service

If the environment managed by Active Roles is located behind a firewall, open the following ports between the Active Roles Administration Service instance and your managed environment.

For more information on opening ports, see the instructions of the Windows Defender Firewall with Advanced Security console of your operating system, or the documentation of your network device.

Port to access DNS

Open the following port on the machine running Active Roles Administration Service:

  • Port 53 TCP / UDP, Inbound / Outbound.

Ports to access domain controllers (DCs)

Open the following outbound ports on the machine running Active Roles Administration Service:

  • Port 88 (Kerberos) TCP/UDP.

  • Port 135 (RPC endpoint mapper) TCP.

  • Port 139 (SMB/CIFS) TCP.

  • Port 389 (LDAP) TCP.

  • Port 445 (SMB/CIFS) TCP.

  • Port 636 (LDAP SSL) TCP.

  • Port 3268 (Global Catalog LDAP) TCP.

If Active Roles must access the domain via SSL, open the following ports on the machine running Active Roles Administration Service:

  • Port 3269 (Global Catalog LDAP SSL) TCP, Outbound.

  • The TCP port allocated by RPC endpoint mapper for communication with the DC.

    TIP: You can configure Active Directory DCs to use specific port numbers for RPC communication. For more information, see How to restrict Active Directory RPC traffic to a specific port in the Microsoft Windows Server documentation.
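One way to apply the DC port list above with least privilege, as an added example that is not part of the Active Roles documentation: it creates outbound Windows Defender Firewall rules scoped to the DCs only, then checks TCP reachability. The DC addresses, rule names and rule group are assumptions, and the rules only have an effect where outbound traffic is blocked by default.

```powershell
# Added example. Run elevated on the machine running Active Roles Administration Service.
# Constructed placeholder addresses (TEST-NET-1); replace with your DCs.
$DomainControllers = @('192.0.2.10', '192.0.2.11')

# Outbound ports from the DC list above. Port 3269 is needed only if
# Active Roles accesses the domain via SSL.
$DcPorts = @(
    @{ Name = 'Kerberos';            Port = 88;   Protocols = @('TCP', 'UDP') }
    @{ Name = 'RPC endpoint mapper'; Port = 135;  Protocols = @('TCP') }
    @{ Name = 'SMB-CIFS';            Port = 139;  Protocols = @('TCP') }
    @{ Name = 'LDAP';                Port = 389;  Protocols = @('TCP') }
    @{ Name = 'SMB-CIFS';            Port = 445;  Protocols = @('TCP') }
    @{ Name = 'LDAP SSL';            Port = 636;  Protocols = @('TCP') }
    @{ Name = 'GC LDAP';             Port = 3268; Protocols = @('TCP') }
    @{ Name = 'GC LDAP SSL';         Port = 3269; Protocols = @('TCP') }
)
# The RPC port allocated by the endpoint mapper is dynamic. If your DCs are
# pinned to a fixed RPC port (see the TIP above), add that port to $DcPorts.

foreach ($entry in $DcPorts) {
    foreach ($proto in $entry.Protocols) {
        $ruleName = 'Active Roles - {0} {1}/{2} to DCs' -f $entry.Name, $entry.Port, $proto
        # Skip rules that already exist so the script can be re-run safely.
        if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $ruleName -Group 'Active Roles (example)' `
                -Direction Outbound -Action Allow -Protocol $proto `
                -RemotePort $entry.Port -RemoteAddress $DomainControllers | Out-Null
        }
    }
}

# Verify reachability. Test-NetConnection checks TCP only, so UDP 88 is not covered.
$tcpPorts = $DcPorts | Where-Object { $_.Protocols -contains 'TCP' }
$results = foreach ($dc in $DomainControllers) {
    foreach ($entry in $tcpPorts) {
        $r = Test-NetConnection -ComputerName $dc -Port $entry.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            DC        = $dc
            Service   = $entry.Name
            Port      = $entry.Port
            Reachable = $r.TcpTestSucceeded
        }
    }
}
$results | Format-Table -AutoSize
```

Any row with Reachable set to False points to a rule still missing on the host firewall or on a network device between the Administration Service and that DC.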

URLs required to access Microsoft Azure and Microsoft 365

To ensure that Active Roles can access the various cloud Microsoft services (for example, Microsoft 365 and Azure AD), make sure that the machine hosting Active Roles Administration Service can resolve and access the following URLs:

Ports required by the Starling Connect Notifications Pane

To make sure that the Starling Connect Notifications Pane of the Active Roles Web Interface can display Starling notifications, open the following ports for inbound traffic from the client browser to the machine running Active Roles Administration Service:

    • Port 7465 (HTTP) TCP.

    • Port 7466 (HTTPS) TCP.

    NOTE: Starling notifications will work only if the machine running Active Roles Web Interface can resolve the Service machine name.

    Ports to access Exchange servers

    To communicate with your on-premises Exchange Server instance, open the following ports on the machine running Active Roles Administration Service:

    • Port 135 (RPC endpoint mapper) TCP, Outbound.

    • The TCP port allocated by RPC endpoint mapper for communication with Exchange Server.

      TIP: You can configure Exchange Servers to use specific ports for RPC communication. For more information, contact Microsoft Support.

    To ensure that Exchange Server operations related to the WinRM service can work, also open the following inbound and outbound ports:

    • Port 5985 (HTTP) TCP.

    • Port 5986 (HTTPS) TCP.

    • Port 80 TCP.

    Ports to access SQL Server

    To communicate with your SQL Server instance, open the following outbound ports on the machine hosting the Active Roles Administration Service:

    • Port 1433 (default SQL instance), TCP.

    • Port 1434 (SQL Server Browser instance), UDP.

    Ports required to restart computers remotely with Active Roles

    To restart computers remotely in your organization with Active Roles, open the following outbound ports on the machine hosting the Active Roles Administration Service:

    • Port 137 (WINS) UDP.

    • Port 138 (NetBIOS datagrams) UDP.

    • Port 139 (SMB/CIFS on the managed computers) TCP.

    Ports required by Computer resource management and Home folder provisioning/deprovisioning policies

    To ensure that the Computer resource management and Home folder provisioning/deprovisioning policies work correctly in your organization, open the following outbound ports on the machine hosting the Active Roles Administration Service:

    • Port 139 (SMB/CIFS on the servers that host home folders) TCP.

    • Port 445 (SMB/CIFS on the servers that host home folders) TCP.

    Ports to access SMTP servers for email integration

    Open the following outbound port on the machine hosting the Active Roles Administration Service:

    • Port 25 (Default SMTP port).

      NOTE: By default, Active Roles uses SMTP port 25. You can change this default port in the Configuration > Server Configuration > Mail Configuration > Default Mail Settings > Port number setting in the Active Roles Console.

      If you specify a different port, make sure that the port is already open in the Active Roles host, or open it after you set it.

    Port to access AD LDS instances

    Open the following port on the machine hosting the Active Roles Administration Service:

    • The TCP port specified when registering the AD LDS instance with Active Roles.

    Ports used by Active Roles client components to access the Active Roles Administration Service

    If you set up a firewall between the various Active Roles client components (for example, the Active Roles Console, Web Interface, ADSI Provider, or Management Shell) and the Active Roles Administration Service, then to access the Active Roles Administration Service, open the following ports on the machines running the Active Roles client components.

    • Port 15172 (HTTPS) TCP, Inbound.

    • All high ports (1024-65535) on port 15172.

      NOTE: Client machines randomly select high ports to use for outgoing traffic on port 15172 to access the Active Roles Administration Service.

      TIP: To check the list of high ports used on port 15172, in the Active Roles Console of a client machine, run the netstat -an command.

    For more information on opening ports, see the instructions of the Windows Defender Firewall with Advanced Security console of your operating system, or the documentation of your network device.

    Access to Active Roles Web Interface

    To access the Active Roles Web Interface through a firewall, open the following inbound ports on the machine running the Web Interface instance:

    • Port 80 (Default HTTP) TCP

    • Port 443 (Default HTTPS) TCP

    For more information on opening ports, see the instructions of the Windows Defender Firewall with Advanced Security console of your operating system, or the documentation of your network device.

    NOTE: By default, SSL encryption is disabled for the Web Interface. To enable it:

    1. Set up SSL in the machine running the Active Roles Web Interface as described in the following resources:

    2. Configure SSL redirection in the Active Roles Configuration Center as described in Configure Web Interface for secure communication in the Active Roles Administration Guide.

    After SSL is enabled, Active Roles Web Interface also runs over ports 80 and 443 by default.
