Active Directory ports
Communication from clients to Active Directory domain controllers (AD DCs) and between AD DCs can use a variety of TCP and UDP port numbers.
Note
Do not open all of these ports in a production environment in order to find out which of them are required; do that only in a test environment. Open only the required ports and, where possible, allow them only for the binaries of the services that need them.
The Active Directory connector (agtaddn) uses published Microsoft ADSI and related APIs. According to Microsoft documentation, these APIs may use any of the following port numbers:
Protocol | TCP # | UDP # |
---|---|---|
DNS | 53 | 53 |
Kerberos | 88 | 88 |
NetBIOS | 137-139 | 137-139 |
LDAP or LDAPS | 389 or 636 | 389 |
SMB | 445 | |
Kerberos password change | 464 | 464 |
RPC (dynamic range) | 1025-5000 (Windows Server 2003 and earlier) and/or 49152-65535 (Windows Server 2008 and later) | |
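The Note above asks for the smallest possible opening, which you can only settle on after confirming what the connector actually reaches. The following PowerShell is added here as an illustration; it is not taken from the Bravura Security Fabric documentation or product. It probes the TCP ports in the table from the Fabric server, checks DNS over UDP with a real query, and then shows an outbound Windows Firewall rule scoped to the connector binary and the DC address. The DC name, the connector executable path, and the availability of the NetTCPIP, DnsClient and NetSecurity cmdlets (Windows Server 2012 or later) are assumptions.

```powershell
# Added example; not part of the Bravura Security Fabric documentation or product.
# Assumptions (replace for your environment): the DC name, the path to the connector
# executable, and that Test-NetConnection, Resolve-DnsName and New-NetFirewallRule
# are available (Windows Server 2012 or later). Run on the Fabric server as an admin.

$Dc           = 'dc01.example.local'      # assumed DC name
$ConnectorExe = 'C:\Path\To\agtaddn.exe'  # assumed path; check your installation

# TCP ports from the table above, plus 135 (RPC endpoint mapper), which every
# RPC-based call contacts before it learns the dynamic port to use.
$TcpPorts = [ordered]@{
    'DNS'                      = 53
    'Kerberos'                 = 88
    'RPC endpoint mapper'      = 135
    'NetBIOS session'          = 139
    'LDAP'                     = 389
    'SMB'                      = 445
    'Kerberos password change' = 464
    'LDAPS'                    = 636
}

function Test-DcTcpPorts {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Ports
    )
    foreach ($entry in $Ports.GetEnumerator()) {
        # Test-NetConnection only attempts a TCP handshake; UDP services
        # (DNS 53, Kerberos 88/464, NetBIOS 137/138) cannot be checked this way.
        $r = Test-NetConnection -ComputerName $ComputerName -Port $entry.Value `
                                -WarningAction SilentlyContinue
        [pscustomobject]@{
            Service = $entry.Key
            Port    = $entry.Value
            Open    = $r.TcpTestSucceeded
        }
    }
}

$results = Test-DcTcpPorts -ComputerName $Dc -Ports $TcpPorts
$results | Format-Table -AutoSize

# DNS over UDP is verified with an actual query against the DC rather than a port probe.
$dcA = Resolve-DnsName -Name $Dc -Server $Dc -Type A -DnsOnly |
       Where-Object Type -eq 'A' | Select-Object -First 1
$dcA | Format-Table Name, Type, IPAddress -AutoSize

# Dynamic RPC cannot be confirmed with a fixed-port probe: the endpoint mapper on 135
# hands back a port from the DC's dynamic range (49152-65535 on Windows Server 2008
# and later), so any rule must include the whole range. This is the reason the page
# advises against port-based filtering between the Fabric server and the DCs.

# "Only for the binaries of the services required": outbound rules on the Fabric server
# that let the connector process alone reach this DC. Caveat: Windows Firewall's default
# outbound action is Allow, so these rules only restrict anything once the profile's
# default outbound action has been set to Block (Set-NetFirewallProfile
# -DefaultOutboundAction Block), which affects every other program on the host as well.
$DcIp = $dcA.IPAddress

New-NetFirewallRule -DisplayName 'Bravura agtaddn -> AD DC (TCP)' `
    -Direction Outbound -Action Allow -Profile Domain `
    -Program $ConnectorExe -RemoteAddress $DcIp -Protocol TCP `
    -RemotePort @('53','88','135','139','389','445','464','636','49152-65535')

New-NetFirewallRule -DisplayName 'Bravura agtaddn -> AD DC (UDP)' `
    -Direction Outbound -Action Allow -Profile Domain `
    -Program $ConnectorExe -RemoteAddress $DcIp -Protocol UDP `
    -RemotePort @('53','88','137','138','464')
```

Run the probe first and keep its output: a port that shows as closed here will surface later as an opaque ADSI error rather than a firewall message. The rules are scoped by program and by destination address, which is what limits exposure; the port list mostly exists to document what the connector uses, and it has to carry the full dynamic RPC range to work at all.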
Additional services available on AD DCs, which the APIs used by the Bravura Security Fabric connector may also connect to, include:
Protocol | TCP # | UDP # |
---|---|---|
SMTP (inter-site replication) | 25 | |
RPC endpoint mapper (replication and other RPC services) | 135 | |
File replication (DFSR for SYSVOL) | 5722 | |
AD web services | 9389 | |
Global Catalog (LDAP or LDAPS) | 3268 or 3269 | |
DHCP, MADCAP | | 67, 2535 |
GPO | Any port (Group Policy uses LDAP, SMB and the dynamic RPC range) | |
There is nothing preventing Microsoft from changing API or protocol behaviour so that some of the ports above start receiving connections after a patch is applied to clients or servers. Microsoft may also introduce new services or further expand the port ranges used by the RPC services listed above. The best practice is therefore to avoid firewall restrictions based on TCP or UDP port numbers between the Bravura Security Fabric server and AD DCs; where filtering is required, restrict by source and destination host and, if possible, by the connector binary, rather than by port number alone.