When installing AD Connect on a host in a DMZ, you will need to open the following ports between the DMZ and your internal network:
Note: TCP and UDP are shown together below. Depending on the firewall or network device, you may need to add the TCP and UDP rules separately.

- TCP/UDP 389, 636, 3268, 3269
  - These are the Lightweight Directory Access Protocol (LDAP) ports. AD Connect uses LDAP to access the Active Directory DC (when in-network or Windows Authentication is used). Also used for mobile authentication.
- UDP 138
  - NetBIOS name resolution.
- TCP/UDP 445
  - SAM/LSA.
- UDP 123
  - NTP (W32Time).
- TCP/UDP 135, 49152-65535
  - RPC Endpoint Mapper and the dynamic RPC port range.
- UDP 137
  - NetBIOS datagram.
- TCP/UDP 88
  - This port belongs exclusively to Kerberos. AD Connect uses this port for off-network access when executing a single sign-on (SSO) event outside of the corporate network.
- TCP/UDP 464
  - Also used by Kerberos, for setting or changing passwords.
- TCP/UDP 53
  - The DNS service runs on this port. It is used to convert between URLs and IP addresses.