Ports to Open for certificate services

Hi,

I am in the process of setting up a CA within my Active Directory. The
enterprise CA will be in the same VLAN as the domain controllers and any
other servers that wish to use the service. All workstations (and end users)
reside in a different VLAN with a firewall between the two.

Computer and user certificates will be issued to domain users and computers
throughout the domain. I was wondering what network ports I needed to open in
order for this to occur... is it the http port that it communicates on for
this purpose?

Thanks in advance.

Greg
 
RE: Ports to Open for certificate services

Hi Greg,

Certificate Services relies on RPC and on DCOM to communicate with clients
by using random TCP ports that are higher than port 1024. See here:
http://support.microsoft.com/kb/832017

--
Have a nice day!

http://winmasterplan.blogspot.com


 
RE: Ports to Open for certificate services

Thanks for the response.

I managed to find it myself but thanks anyway. One question though, if I
were to restrict the dynamic ports that can be used (as in
http://support.microsoft.com/kb/154596/) how many should I restrict it to? It
mentions a minimum of 100 but how is this number determined?

BTW, the servers in question will only be used for certificate services.

Cheers

Greg
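The two pieces discussed so far, the RPC/DCOM dynamic range that Certificate Services answers on and the KB 154596 restriction of that range, put together as an added PowerShell example (editor's illustration, not code from either poster or from Microsoft). It assumes a Windows Server host with the NetSecurity module (Windows Server 2012 or later), an elevated session, and two constructed placeholders: the range 5000-5100 and the workstation VLAN 10.20.0.0/24.

```powershell
# Added example, not from the thread: restrict the RPC dynamic port range on a
# CA host per KB 154596 and open only the RPC endpoint mapper (TCP 135) plus
# that range on the host firewall, limited to the workstation VLAN.
# Assumptions: NetSecurity module (Windows Server 2012+), elevated session;
# the range and VLAN below are constructed placeholders, size them for your host.
#Requires -RunAsAdministrator

param(
    [int]$RangeStart = 5000,   # constructed placeholder
    [int]$RangeSize  = 100     # KB 154596 states a minimum of 100 ports
)

$RangeEnd   = $RangeStart + $RangeSize - 1
$rpcKey     = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$clientVlan = '10.20.0.0/24'   # constructed placeholder for the workstation VLAN

# 1. KB 154596 registry values: Ports is REG_MULTI_SZ, the two flags are REG_SZ.
if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
New-ItemProperty -Path $rpcKey -Name 'Ports' -PropertyType MultiString `
    -Value @("$RangeStart-$RangeEnd") -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' -PropertyType String `
    -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'UseInternetPorts' -PropertyType String `
    -Value 'Y' -Force | Out-Null

# 2. Host firewall: endpoint mapper first, then the restricted dynamic range.
#    Both rules accept traffic only from the workstation VLAN.
New-NetFirewallRule -DisplayName 'CA RPC Endpoint Mapper' -Direction Inbound `
    -Protocol TCP -LocalPort 135 -RemoteAddress $clientVlan -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'CA RPC dynamic range' -Direction Inbound `
    -Protocol TCP -LocalPort "$RangeStart-$RangeEnd" -RemoteAddress $clientVlan `
    -Action Allow | Out-Null

# 3. Verify what was written; the RPC registry change applies after a restart.
Get-ItemProperty -Path $rpcKey | Select-Object Ports, PortsInternetAvailable, UseInternetPorts
Get-NetFirewallRule -DisplayName 'CA RPC*' | Get-NetFirewallPortFilter

# 4. Sizing hint for the range: count the TCP listeners this host already has
#    above 1024. Those are the RPC-style endpoints it registers today, so the
#    restricted range must have room for at least that many plus headroom.
$dynamicListeners = Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -gt 1024 } |
    Select-Object -ExpandProperty LocalPort -Unique
"Listening TCP ports above 1024 on this host: $($dynamicListeners.Count)"
```

The host-firewall rules here are the same two openings (TCP 135 and the chosen range, source restricted to the workstation VLAN) that the firewall between the two VLANs needs; without the registry restriction the second rule would have to cover the whole range above 1024. The listener count in step 4 is only a floor for choosing the range size: the KB's minimum of 100 still applies, and a box that runs nothing but Certificate Services sits near that floor.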
 
RE: Ports to Open for certificate services

Hi,

This number is a medium value for most environments and setups.

--
Have a nice day!

http://winmasterplan.blogspot.com


 
RE: Ports to Open for certificate services

Hi,

How do you determine a number for a given server?

Greg

 