PingOne for Enterprise

AD Connect in a DMZ

When installing AD Connect on a host in a DMZ, you will need to open the following ports between the DMZ and your internal network:

TCP and UDP are shown together below. Depending on your firewall or network device, you may need to add the TCP and UDP rules separately.

TCP/UDP 389, 636, 3268, 3269

These are the Lightweight Directory Access Protocol (LDAP) ports. AD Connect uses LDAP to query the Active Directory domain controller (DC) when in-network or Windows Authentication is used; the same ports are also used for mobile authentication.

UDP 138

NetBIOS name resolution.

TCP/UDP 445

SAM/LSA.

UDP 123

NTP W32 Time.

TCP/UDP 135, 49152-65535

RPC Endpoint Mapper.

UDP 137

NetBIOS datagram.

TCP/UDP 88

This port belongs exclusively to Kerberos. AD Connect uses this port for off-network access when executing a single sign-on (SSO) event outside of the corporate network.

TCP/UDP 464

This port is also used by Kerberos, for setting or changing passwords.

TCP/UDP 53

The DNS service runs on this port. It's used to resolve host names (such as those in URLs) to IP addresses.
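The list above is easy to mistype when it is transcribed into a firewall, and the note about devices that cannot express TCP and UDP in one rule means the combined "TCP/UDP" entries have to be split. The following script is an added example (not Ping Identity's code and not part of AD Connect) that turns the page's port list into one rule per protocol and per port range, renders them as iptables FORWARD lines, and can probe the single-port TCP entries from the DMZ host toward a DC to confirm the firewall change actually took. The CIDRs and the DC host name are placeholders you must replace; the purposes are the page's own descriptions.

```python
"""Expand the AD Connect DMZ port list into per-protocol firewall rules and
optionally check TCP reachability from the DMZ host to a domain controller.
Added example; assumes placeholder CIDRs and DC host name."""
import socket
from dataclasses import dataclass

# Port requirements as listed on the page: (protocols, port spec, purpose).
REQUIRED_PORTS = [
    ("TCP/UDP", "389, 636, 3268, 3269", "LDAP (in-network, Windows Auth, mobile auth)"),
    ("UDP", "138", "NetBIOS name resolution"),
    ("TCP/UDP", "445", "SAM/LSA"),
    ("UDP", "123", "NTP W32 Time"),
    ("TCP/UDP", "135, 49152-65535", "RPC Endpoint Mapper and dynamic RPC range"),
    ("UDP", "137", "NetBIOS datagram"),
    ("TCP/UDP", "88", "Kerberos (off-network SSO)"),
    ("TCP/UDP", "464", "Kerberos password set/change"),
    ("TCP/UDP", "53", "DNS"),
]


@dataclass(frozen=True)
class Rule:
    proto: str   # "tcp" or "udp"
    low: int     # first port of the range
    high: int    # last port of the range (== low for a single port)
    purpose: str


def parse_port_spec(spec: str) -> list[tuple[int, int]]:
    """Turn '135, 49152-65535' into [(135, 135), (49152, 65535)], rejecting bad ports."""
    ranges = []
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        low, _, high = token.partition("-")
        lo, hi = int(low), int(high or low)
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"invalid port range: {token}")
        ranges.append((lo, hi))
    return ranges


def expand_rules(entries=REQUIRED_PORTS) -> list[Rule]:
    """Split each 'TCP/UDP' entry into one rule per protocol and per range,
    which is what devices that cannot combine TCP and UDP in one rule need."""
    rules = []
    for protos, spec, purpose in entries:
        for proto in protos.lower().split("/"):
            if proto not in ("tcp", "udp"):
                raise ValueError(f"unknown protocol: {proto}")
            for lo, hi in parse_port_spec(spec):
                rules.append(Rule(proto, lo, hi, purpose))
    return rules


def to_iptables(rules, src_cidr: str, dst_cidr: str) -> list[str]:
    """Render rules as iptables FORWARD lines from the DMZ (src) to the DCs (dst).
    The CIDRs are assumptions; adapt the output to your own firewall device."""
    lines = []
    for r in rules:
        dport = str(r.low) if r.low == r.high else f"{r.low}:{r.high}"
        lines.append(
            f"iptables -A FORWARD -p {r.proto} -s {src_cidr} -d {dst_cidr} "
            f"--dport {dport} -m comment --comment '{r.purpose}' -j ACCEPT"
        )
    return lines


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), or unresolvable host
        return False


def check_tcp_rules(dc_host: str, rules, timeout: float = 2.0) -> dict[int, bool]:
    """Probe each single-port TCP rule against the DC. The 49152-65535 range is
    skipped on purpose: those ports are allocated on demand after the endpoint
    mapper (135) answers, so they are not listening ahead of time."""
    results = {}
    for r in rules:
        if r.proto == "tcp" and r.low == r.high:
            results[r.low] = tcp_reachable(dc_host, r.low, timeout)
    return results


if __name__ == "__main__":
    rules = expand_rules()
    # Placeholder CIDRs: DMZ subnet as source, internal DC subnet as destination.
    for line in to_iptables(rules, "10.0.1.0/24", "10.0.0.0/24"):
        print(line)
    # Replace with a real DC host name to verify the TCP side from the DMZ host.
    for port, ok in sorted(check_tcp_rules("dc01.example.internal", rules).items()):
        print(f"tcp/{port}: {'open' if ok else 'blocked or closed'}")
```

Only the TCP ports are probed, because UDP has no handshake to confirm; a UDP entry such as 53 or 88 can only be verified by sending a real DNS or Kerberos request and observing the reply. A port reported as blocked from the DMZ host is the firewall check failing, not necessarily the DC being down, so re-check from an internal host before changing the DC.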