Managed Active Directory - Firewall Policies for Various Traffic Types

Updated by Jared Ruckle on Oct 14, 2014
Article Code: kb/952

The following tables list the ports a firewall must allow for Active Directory replication, client authentication and trust traffic. The source port is the ephemeral range on the host that initiates the connection; the destination port is the listener on the domain controller. Note that the RPC Endpoint Mapper (port 135) only tells the caller which dynamic port a service is listening on: the dynamic RPC range itself must also be open, or replication and other RPC-based traffic will fail after the initial connection to 135.

Active Directory Replication Traffic

Traffic                          Protocol   Source Port   Destination Port
ICMP                             ICMP       ALL           ALL (no ports)
RPC Endpoint Mapper              TCP/UDP    1024-65535    135
RPC Dynamic Assignment           TCP/UDP    1024-65535    49152-65535**, 6000-6199
NetBIOS Name Service             TCP/UDP    1024-65535    137
NetBIOS Datagram Service         UDP        1024-65535    138
NetBIOS Session Service          TCP        1024-65535    139
SMB over IP                      TCP/UDP    1024-65535    445
LDAP                             TCP/UDP    1024-65535    389
LDAP over SSL                    TCP        1024-65535    636
Global Catalog LDAP              TCP        1024-65535    3268
Global Catalog LDAP over SSL     TCP        1024-65535    3269
Kerberos                         TCP/UDP    1024-65535    88
DNS                              TCP/UDP    1024-65535    53
NTP                              UDP        123           123
SMTP                             TCP        1024-65535    25

** Default dynamic RPC range on Windows 2008 and later

Active Directory Client Authentication Traffic

Traffic                          Protocol   Source Port   Destination Port
ICMP                             ICMP       ALL           ALL (no ports)
RPC Endpoint Mapper              TCP/UDP    1024-65535    135
RPC Dynamic Assignment           TCP/UDP    1024-65535    49152-65535**, 6000-6199
SMB over IP                      TCP/UDP    1024-65535    445
LDAP                             TCP/UDP    1024-65535    389
LDAP over SSL                    TCP        1024-65535    636
Global Catalog LDAP              TCP        1024-65535    3268
Global Catalog LDAP over SSL     TCP        1024-65535    3269
Kerberos                         TCP/UDP    1024-65535    88
DNS                              TCP/UDP    1024-65535    53
NTP                              UDP        123           123

** Default dynamic RPC range on Windows 2008 and later

Active Directory Trust Traffic

Traffic                          Protocol   Source Port   Destination Port
ICMP                             ICMP       ALL           ALL (no ports)
RPC Endpoint Mapper              TCP/UDP    1024-65535    135
RPC Dynamic Assignment           TCP/UDP    1024-65535    49152-65535**, 6000-6199
SMB over IP                      TCP/UDP    1024-65535    445
LDAP                             TCP/UDP    1024-65535    389
LDAP over SSL                    TCP        1024-65535    636
Global Catalog LDAP              TCP        1024-65535    3268
Global Catalog LDAP over SSL     TCP        1024-65535    3269
Kerberos                         TCP/UDP    1024-65535    88
DNS                              TCP/UDP    1024-65535    53
NTP                              UDP        123           123

** Default dynamic RPC range on Windows 2008 and later
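The three tables above overlap heavily, and the usual failure in practice is a rule set that opens the well-known ports but misses one row (most often the dynamic RPC range or a NetBIOS port). The script below is an added example, not part of the original article or of the Managed Active Directory service: it encodes the replication, client authentication and trust tables as data, checks an exported firewall allow-list for rows it does not fully cover, and can probe a domain controller's single-port TCP listeners. It assumes the allow-list has already been flattened to (protocol, low port, high port) tuples and ignores source ports, since every row here uses the ephemeral range; the DEMO_ALLOW list and the host name in the usage block are constructed for illustration.

```python
import socket
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Rule:
    """One row of the KB tables, split per protocol; dst_lo..dst_hi is inclusive."""
    name: str
    proto: str   # "tcp", "udp" or "icmp"
    dst_lo: int
    dst_hi: int


def _rows(name: str, protos: Iterable[str], dst) -> List[Rule]:
    lo, hi = dst if isinstance(dst, tuple) else (dst, dst)
    return [Rule(name, p, lo, hi) for p in protos]


# Rows shared by all three tables on this page.
_COMMON = (
    [Rule("ICMP", "icmp", 0, 0)]
    + _rows("RPC Endpoint Mapper", ("tcp", "udp"), 135)
    + _rows("RPC Dynamic Assignment (Windows 2008+ default)", ("tcp", "udp"), (49152, 65535))
    + _rows("RPC Dynamic Assignment (6000-6199, as listed)", ("tcp", "udp"), (6000, 6199))
    + _rows("SMB over IP", ("tcp", "udp"), 445)
    + _rows("LDAP", ("tcp", "udp"), 389)
    + _rows("LDAP over SSL", ("tcp",), 636)
    + _rows("Global Catalog LDAP", ("tcp",), 3268)
    + _rows("Global Catalog LDAP over SSL", ("tcp",), 3269)
    + _rows("Kerberos", ("tcp", "udp"), 88)
    + _rows("DNS", ("tcp", "udp"), 53)
    + _rows("NTP", ("udp",), 123)
)

REPLICATION = (
    _COMMON
    + _rows("NetBIOS Name Service", ("tcp", "udp"), 137)
    + _rows("NetBIOS Datagram Service", ("udp",), 138)
    + _rows("NetBIOS Session Service", ("tcp",), 139)
    + _rows("SMTP", ("tcp",), 25)
)
CLIENT_AUTH = list(_COMMON)
TRUST = list(_COMMON)

Allow = Tuple[str, int, int]   # (proto, dst_lo, dst_hi) as exported from a firewall

# Constructed allow-list: opens everything in the tables EXCEPT the
# NetBIOS datagram port (UDP 138) and the 6000-6199 RPC range.
DEMO_ALLOW: List[Allow] = [
    ("icmp", 0, 0),
    ("tcp", 135, 135), ("udp", 135, 135),
    ("tcp", 49152, 65535), ("udp", 49152, 65535),
    ("tcp", 445, 445), ("udp", 445, 445),
    ("tcp", 389, 389), ("udp", 389, 389),
    ("tcp", 636, 636), ("tcp", 3268, 3269),
    ("tcp", 88, 88), ("udp", 88, 88),
    ("tcp", 53, 53), ("udp", 53, 53),
    ("udp", 123, 123),
    ("tcp", 137, 137), ("udp", 137, 137),
    ("tcp", 139, 139), ("tcp", 25, 25),
]


def _merged(allow: Iterable[Allow], proto: str) -> List[Tuple[int, int]]:
    """Merge one protocol's allow entries into sorted, non-overlapping spans
    (adjacent spans such as 6000-6100 and 6101-6199 become one span)."""
    spans = sorted((lo, hi) for p, lo, hi in allow if p == proto)
    out: List[Tuple[int, int]] = []
    for lo, hi in spans:
        if out and lo <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return out


def find_gaps(required: Iterable[Rule], allow: Iterable[Allow]) -> List[str]:
    """Return descriptions of required rows the allow-list does not fully cover.
    A row counts as covered only if its whole destination range sits inside a
    single merged allow span for the same protocol."""
    allow = list(allow)
    gaps = []
    for rule in required:
        spans = _merged(allow, rule.proto)
        if not any(lo <= rule.dst_lo and rule.dst_hi <= hi for lo, hi in spans):
            gaps.append(f"{rule.name} {rule.proto}/{rule.dst_lo}-{rule.dst_hi}")
    return gaps


def probe_tcp(host: str, required: Iterable[Rule], timeout: float = 2.0) -> dict:
    """TCP-connect to each single-port TCP row and report which listeners answered.
    Dynamic RPC ranges are skipped on purpose: they can only be verified end to
    end (a real replication or logon attempt), not by connecting to one port."""
    results = {}
    for rule in required:
        if rule.proto != "tcp" or rule.dst_lo != rule.dst_hi:
            continue
        try:
            with socket.create_connection((host, rule.dst_lo), timeout=timeout):
                results[rule.dst_lo] = True
        except OSError:
            results[rule.dst_lo] = False
    return results


if __name__ == "__main__":
    for label, table in (("replication", REPLICATION), ("client auth", CLIENT_AUTH), ("trust", TRUST)):
        print(f"{label}: missing -> {find_gaps(table, DEMO_ALLOW) or 'none'}")
    # Live probe against a DC (hostname is a placeholder; run from the client side).
    # print(probe_tcp("dc01.example.corp", CLIENT_AUTH))
```

Run the gap check from the side that initiates the traffic (the member server for client authentication, the partner domain controller for replication and trusts), because the allow-list that matters is the one on the path between that host and the domain controller. A clean probe_tcp result does not prove RPC works; if 135 answers but replication or logon still fails, the dynamic range in the table is the first thing to check.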