---
title: Secure your AD Connect with IIS deployment
description: Before installing AD Connect with IIS, ensure the deployment platform, the Windows Server® Internet Information Services (IIS) host for AD Connect, is secure.
component: pingoneforenterprise
page_id: pingoneforenterprise:pingone_for_enterprise:p14e_secure_adc_iis_deployment
canonical_url: https://docs.pingidentity.com/pingoneforenterprise/pingone_for_enterprise/p14e_secure_adc_iis_deployment.html
revdate: March 30, 2023
section_ids:
  about-this-task: About this task
  steps: Steps
---

# Secure your AD Connect with IIS deployment

## About this task

Before installing AD Connect with IIS, ensure the deployment platform, the Windows Server® Internet Information Services (IIS) host for AD Connect, is secure.

You will want to consider:

* Deploying the Windows Server IIS host to a secured network location, such as behind a firewall with NAT and a reverse proxy, or in a DMZ. If the IIS host is to be directly reachable from the Internet, this is critical.

* Assigning client browser trusted sites. You will need to add the IIS host as a trusted site to your users' browser clients. We tell you how to do this using Internet Explorer and Mozilla Firefox settings or using Group Policy for IE.

* Using load balancing and clustering. If you expect to have large numbers of single sign-on (SSO) users, for high availability you may want to consider using Microsoft Network Load Balancing (NLB) or another load-balancing and clustering solution.

## Steps

1. Follow these deployment requirements:

   1. The Windows Server IIS host must reside in an Active Directory domain, but for security reasons, must not be a domain controller (DC).

   2. Port 443 (HTTPS) must be the only port open to clients. Verify this on the host after hardening; any other listening service (for example, an HTTP binding on port 80) must be removed or blocked.

   3. Time synchronization must be set up on the Windows Server IIS host.

   4. The Windows Server IIS host should use a trusted Certificate Authority (CA), rather than self-signed certificates.

   5. The Windows Server IIS host must not have a direct Internet connection unless it is deployed in a properly configured DMZ.
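
   The following PowerShell script is an added example, not part of this documentation or of AD Connect itself. Run in an elevated session on the Windows Server IIS host, it checks the requirements in this step: domain membership without the domain controller role, no listener other than 443 exposed to the network, a configured time source, and a server certificate that is not self-signed and chains to a trusted CA. It assumes the HTTPS binding uses port 443 and that the built-in NetTCPIP and PKI modules are available.

   ```powershell
   # Added example (not Ping Identity code): verify the step 1 deployment
   # requirements on the Windows Server IIS host. Run elevated on the host.
   $results = [ordered]@{}

   # 1. Domain-joined, but not a domain controller.
   #    Win32_ComputerSystem.DomainRole: 3 = member server, 4/5 = DC.
   $cs = Get-CimInstance -ClassName Win32_ComputerSystem
   $results['DomainJoined']        = $cs.PartOfDomain
   $results['NotDomainController'] = $cs.DomainRole -lt 4

   # 2. Only 443 listening on network-facing addresses. Loopback-only
   #    listeners are ignored; everything else reported here needs either a
   #    firewall block or removal of the service.
   $listeners = Get-NetTCPConnection -State Listen |
       Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') } |
       Select-Object -ExpandProperty LocalPort -Unique | Sort-Object
   $extraPorts = @($listeners | Where-Object { $_ -ne 443 })
   $results['OnlyPort443Listening'] = ($extraPorts.Count -eq 0)
   $results['UnexpectedListeners']  = ($extraPorts -join ',')

   # 3. Time synchronization: w32tm reports the configured source; a
   #    free-running or CMOS clock means no sync is configured.
   $status = w32tm /query /status 2>$null
   $source = ($status | Select-String '^Source:') -join ''
   $results['TimeSource']         = $source
   $results['TimeSyncConfigured'] = [bool]$source -and
       ($source -notmatch 'Local CMOS Clock|Free-running')

   # 4. HTTPS certificate: pick the newest server-authentication cert with a
   #    private key, then check it is not self-signed and chains to a CA the
   #    host trusts (Test-Certificate builds and validates the chain).
   $cert = Get-ChildItem Cert:\LocalMachine\My |
       Where-Object { $_.HasPrivateKey -and
           $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication' } |
       Sort-Object NotAfter -Descending | Select-Object -First 1
   if ($cert) {
       $results['CertSubject']      = $cert.Subject
       $results['CertSelfSigned']   = ($cert.Subject -eq $cert.Issuer)
       $results['CertChainTrusted'] = Test-Certificate -Cert $cert -Policy SSL `
           -ErrorAction SilentlyContinue
   } else {
       $results['CertSubject'] = 'no server-authentication certificate with a private key found'
   }

   [pscustomobject]$results | Format-List
   ```

   Every value in the output should be True except `CertSelfSigned`, which must be False; `UnexpectedListeners` lists the ports you still have to close or block before the host is exposed.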

2. Follow Microsoft's [Security Best Practices for IIS 8](https://technet.microsoft.com/en-us/library/jj635855.aspx), or the corresponding best practices for your version of IIS, to configure the Windows Server IIS host.

3. **Optional:** If the IIS host is to be directly connected to the Internet, deploy the host in a DMZ. AD Connect needs the following ports open between the DMZ and your internal network (firewall):

   **Note:** TCP and UDP are shown together below. Depending on the firewall network device, you may want to add the TCP and UDP rules separately.

   * TCP/UDP 389, or TCP 636, or TCP 3268, or TCP 3269

     These are the Lightweight Directory Access Protocol (LDAP) ports: 389 is plain LDAP (UDP 389 carries only the CLDAP ping used for DC location), 636 is LDAP over TLS (LDAPS), and 3268/3269 are the Global Catalog without and with TLS. Only 389 has a UDP side; the other three are TCP only. Ensure that the one your deployment uses is open for AD Connect with IIS. AD Connect with IIS uses LDAP to access the Active Directory DC (when in-network or Windows Authentication is used). It is also used for mobile authentication.

   * TCP/UDP 88

     This port belongs exclusively to Kerberos. AD Connect with IIS uses this port for off-network access when executing a single sign-on (SSO) event outside of the corporate network.

   * TCP/UDP 464

     This port is also used by Kerberos, for the password-change service (kpasswd). It is also required to join the IIS (and AD Connect) host to the domain, because the machine account password is set over it.

   The following ports are assumed to be open as well. They are generally needed by any domain-joined server operating in a DMZ:

   * UDP 138

     NetBIOS Datagram Service.

   * TCP/UDP 445

     SMB; carries the SAM/LSA remote procedure calls over named pipes.

   * UDP 123

     NTP W32 Time.

   * TCP/UDP 135, TCP 49152-65535

     Port 135 is the RPC Endpoint Mapper; 49152-65535 is the dynamic port range the mapper hands out for the actual RPC connections. Both are needed together.

   * UDP 137

     NetBIOS Name Service (name resolution).
</gml_replace>
<gr_replace lines="83-85" cat="clarify" orig="* TCP/UDP 53">
   * TCP/UDP 53

     DNS. Resolves host names to IP addresses, including the SRV records used to locate domain controllers, and is also needed to join the IIS (and AD Connect) host to the domain.

   * TCP/UDP 53

     The DNS service runs on this port. It's used to convert between URLs and IP Addresses, and is also needed to join the IIS (and AD Connect) host to the domain.
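
   As an added example that is not part of this documentation or of AD Connect, the following PowerShell script, run on the IIS host in the DMZ, checks that the firewall passes the ports listed above through to your domain controllers. It discovers the DCs from the host's own domain via the `_ldap._tcp.dc._msdcs` SRV record. `Test-NetConnection` probes TCP only, so UDP 53 and UDP 123 are exercised with a real DNS query and an NTP sample instead; the dynamic RPC range cannot be probed port by port and is not covered. Which of the LDAP ports you rely on is deployment-specific and assumed here to be worth reporting on all four.

   ```powershell
   # Added example (not Ping Identity code): from the DMZ IIS host, verify
   # the AD Connect firewall ports listed above reach the domain controllers.
   $domain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
   $dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV |
       Where-Object { $_.Type -eq 'SRV' } |
       Select-Object -ExpandProperty NameTarget -Unique

   # TCP ports from the list above; test each against every DC found.
   $tcpPorts = [ordered]@{
       389  = 'LDAP'
       636  = 'LDAPS'
       3268 = 'Global Catalog'
       3269 = 'Global Catalog over TLS'
       88   = 'Kerberos'
       464  = 'Kerberos password change (kpasswd)'
       445  = 'SMB (SAM/LSA named pipes)'
       135  = 'RPC Endpoint Mapper'
   }

   $report = foreach ($dc in $dcs) {
       foreach ($port in $tcpPorts.Keys) {
           $ok = (Test-NetConnection -ComputerName $dc -Port $port `
               -WarningAction SilentlyContinue).TcpTestSucceeded
           [pscustomobject]@{ DC = $dc; Port = $port; Service = $tcpPorts[$port]; Open = $ok }
       }

       # UDP 53: a real DNS lookup sent directly to the DC (no cache).
       $dnsOk = $null -ne (Resolve-DnsName -Name $domain -Server $dc -DnsOnly `
           -ErrorAction SilentlyContinue)
       [pscustomobject]@{ DC = $dc; Port = 53; Service = 'DNS (UDP)'; Open = $dnsOk }

       # UDP 123: one NTP sample from the DC. On success the data-only output
       # is a "hh:mm:ss, +offset" line; anything else means no NTP reply.
       $ntp = w32tm /stripchart /computer:$dc /samples:1 /dataonly 2>&1
       $ntpOk = (($ntp -join ' ') -match '\d{2}:\d{2}:\d{2},\s*[+-]')
       [pscustomobject]@{ DC = $dc; Port = 123; Service = 'NTP (UDP)'; Open = $ntpOk }
   }

   $report | Format-Table -AutoSize
   ```

   Any row with `Open` = False for a port you actually rely on (one of the LDAP variants, 88, 464, 445, 135, 53 and 123) is a firewall rule to add before installing AD Connect; remember to also allow the TCP 49152-65535 dynamic range, which this script does not probe.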

4. **Optional:** Configure NLB clustering for AD Connect.

   See [High Availability for AD Connect](p14e_high_availability_adc.html) for instructions.

5. Add the URLs for the Windows Server IIS hosts to the trusted sites list for your users.

   You can use either of these methods to add the URLs as trusted sites:

   * Group Policy settings (Internet Explorer only). See [Add trusted sites using Group Policy](p14e_add_trusted_sites_google_policy.html) for instructions.

   * Browser site security settings (Internet Explorer and Firefox). See [Add trusted sites using Internet Explorer settings](p14e_add_trusted_sites_ie_settings.html) or [Add trusted sites using Firefox settings](p14e_add_trusted_sites_firefox_settings.html) for instructions.

6. You can now install and configure your AD Connect identity bridge. See [Installing AD Connect with IIS](p14e_installing_adc_iis.html) for instructions.
