---
title: AD Connect in a DMZ
description: When installing AD Connect on a host in a DMZ, you will need to open the following ports between the DMZ and your internal network:
component: pingoneforenterprise
page_id: pingoneforenterprise:pingone_for_enterprise:p14e_adc_dmz
canonical_url: https://docs.pingidentity.com/pingoneforenterprise/pingone_for_enterprise/p14e_adc_dmz.html
revdate: March 30, 2023
---

# AD Connect in a DMZ

When installing AD Connect on a host in a DMZ, you will need to open the following ports between the DMZ and your internal network:

Note: TCP and UDP are shown together below. Depending on the firewall or network device, you may need to add the TCP and UDP rules separately.

* TCP/UDP 389, 636, 3268, 3269

  These are the Lightweight Directory Access Protocol (LDAP) ports. AD Connect uses LDAP to access the Active Directory domain controller (DC) when in-network or Windows Authentication is used. These ports are also used for mobile authentication.

* UDP 138

  NetBIOS name resolution.

* TCP/UDP 445

  SAM/LSA.

* UDP 123

  NTP (Windows Time service, W32Time).

* TCP/UDP 135, 49152-65535

  RPC Endpoint Mapper (135) and the dynamic RPC port range.

* UDP 137

  NetBIOS datagram.

* TCP/UDP 88

  This port belongs exclusively to Kerberos. AD Connect uses this port for off-network access when executing a single sign-on (SSO) event outside of the corporate network.

* TCP/UDP 464

  This port is also used by Kerberos, for setting or changing passwords.

* TCP/UDP 53

  The DNS service runs on this port. It is used to resolve host names to IP addresses.
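To confirm the firewall change actually took effect, the following added Python check (not part of AD Connect or this page) expands the port list above into per-protocol rules and probes each fixed TCP port against a domain controller from the DMZ host. The DC host name is an assumed placeholder; UDP ports are parsed but not probed, because UDP has no handshake to observe.

```python
import socket

# The port list as given on this page (spec -> purpose).
AD_CONNECT_PORTS = {
    "TCP/UDP 389, 636, 3268, 3269": "LDAP",
    "UDP 138": "NetBIOS",
    "TCP/UDP 445": "SAM/LSA",
    "UDP 123": "NTP",
    "TCP/UDP 135, 49152-65535": "RPC Endpoint Mapper",
    "UDP 137": "NetBIOS",
    "TCP/UDP 88": "Kerberos",
    "TCP/UDP 464": "Kerberos password change",
    "TCP/UDP 53": "DNS",
}

def parse_rule(spec):
    """Expand 'TCP/UDP 135, 49152-65535' into (proto, low, high) tuples."""
    proto_part, port_part = spec.split(" ", 1)
    rules = []
    for item in port_part.split(","):
        lo, _, hi = item.strip().partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 1 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port range: {item!r}")
        for proto in proto_part.split("/"):
            rules.append((proto, lo_i, hi_i))
    return rules

def fixed_tcp_ports():
    """Single TCP ports only; the dynamic RPC range is skipped because
    only the ports handed out by the Endpoint Mapper are actually listening."""
    ports = set()
    for spec in AD_CONNECT_PORTS:
        for proto, lo, hi in parse_rule(spec):
            if proto == "TCP" and lo == hi:
                ports.add(lo)
    return sorted(ports)

def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_dc(host, timeout=2.0):
    """Probe each fixed TCP port on the DC; returns {port: reachable}."""
    return {p: tcp_reachable(host, p, timeout) for p in fixed_tcp_ports()}
```

Run `check_dc("dc01.corp.example")` (placeholder name) on the DMZ host; any port reported as unreachable points at a missing or mis-scoped firewall rule.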
