AD Connect in a DMZ
When installing AD Connect on a host in a DMZ, you will need to open the following ports between the DMZ and your internal network:
TCP and UDP are shown together below. Depending on the firewall or network device, you may need to add the TCP and UDP rules separately.
- TCP/UDP 389, 636, 3268, 3269: These are the Lightweight Directory Access Protocol (LDAP) ports. AD Connect uses LDAP to access the Active Directory DC (when in-network or Windows Authentication is used). The same ports are also used for mobile authentication.
- UDP 138: NetBIOS name resolution.
- TCP/UDP 445: SAM/LSA.
- UDP 123: NTP (W32Time).
- TCP/UDP 135, 49152-65535: RPC Endpoint Mapper and the dynamic RPC port range.
- UDP 137: NetBIOS datagram.
- TCP/UDP 88: This port belongs exclusively to Kerberos. AD Connect uses it for off-network access when executing a single sign-on (SSO) event outside of the corporate network.
- TCP/UDP 464: This port is also used by Kerberos (to set or change a password).
- TCP/UDP 53: The DNS service runs on this port. It is used to resolve host names to IP addresses.