top of page
Search
  • Writer's picturekhal

Port requirements for a Hybrid Identity Solution.

The following information is a technical reference on the required ports and protocols for implementing a hybrid Azure identity solution. Use the following illustration and refer to the corresponding table if you ever need to know which ports and protocols to open on a firewall.




Protocol

Ports

Description

DNS

53 (TCP/UDP)

DNS lookups on the destination forest.

Kerberos

88 (TCP/UDP)

Kerberos authentication to the AD forest.

MS-RPC

135 (TCP)

Used during the initial configuration of the Azure AD Connect wizard when it binds to the AD forest, and also during Password synchronization.

LDAP

389 (TCP/UDP)

Used for data import from AD. Data is encrypted with Kerberos Sign & Seal.

SMB

445 (TCP)

Used by Seamless SSO to create a computer account in the AD forest.

LDAP/SSL

636 (TCP/UDP)

Used for data import from AD. The data transfer is signed and encrypted. Only used if you are using TLS.

RPC

49152- 65535 (Random high RPC Port)(TCP)

Used during the initial configuration of Azure AD Connect when it binds to the AD forests, and during Password synchronization.

WinRM

5985 (TCP)

Only used if you are installing AD FS with gMSA by Azure AD Connect Wizard

AD DS Web Services

9389 (TCP)

Only used if you are installing AD FS with gMSA by Azure AD Connect Wizard


Azure AD Connect and On-premises AD

The next section describes the ports and protocols that are required for communication between the Azure AD Connect server and on-premises AD.


Azure AD Connect and Azure AD

The section below describes the ports and protocols that are required for communication between the Azure AD Connect server and Azure AD.


Protocol

Ports

Description

HTTP

80 (TCP)

Used to download CRLs (Certificate Revocation Lists) to verify TLS/SSL certificates.

HTTPS

443(TCP)

Used to synchronize with Azure AD.

For a list of URLs and IP addresses you need to open in your firewall.


Azure AD Connect and AD FS Federation Servers/WAP

The below describes the ports and protocols that are required for communication between the Azure AD Connect server and AD FS Federation/WAP servers.


Protocol

Ports

Description

HTTP

80 (TCP)

Used to download CRLs (Certificate Revocation Lists) to verify TLS/SSL certificates.

HTTPS

443(TCP)

Used to synchronize with Azure AD.

WinRM

5985

WinRM Listener


WAP and Federation Servers

The below describes the ports and protocols that are required for communication between the Federation servers and WAP servers.


Protocol

Ports

Description

HTTPS

443(TCP)

Used for authentication.


WAP and Users

The follwoing describes the ports and protocols that are required for communication between users and the WAP servers.


Protocol

Ports

Description

HTTPS

443(TCP)

Used for device authentication.

TCP

49443 (TCP)

Used for certificate authentication.


Pass-through Authentication with Single Sign On (SSO) and Password Hash Sync with Single Sign On (SSO)

The following describes the ports and protocols that are required for communication between the Azure AD Connect and Azure AD.


Pass-through Authentication with SSO


Protocol

Port Number

Description

HTTP

80

Enable outbound HTTP traffic for security validation such as SSL. Also needed for the connector auto-update capability to function properly.

HTTPS

443

Enable outbound HTTPS traffic for operations such as enabling and disabling of the feature, registering connectors, downloading connector updates, and handling all user sign-in requests.

In addition, Azure AD Connect needs to be able to make direct IP connections to the Azure data center IP ranges.


Password Hash Sync with SSO


Protocol

Port Number

Description

HTTPS

443

Enable SSO registration (required only for the SSO registration process).

In addition, Azure AD Connect needs to be able to make direct IP connections to the Azure data center IP ranges. Again, this is only required for the SSO registration process.


Azure AD Connect Health agent for (AD FS/Sync) and Azure AD

The following describe the endpoints, ports, and protocols that are required for communication between Azure AD Connect Health agents and Azure AD


Ports and Protocols for Azure AD Connect Health agent for (AD FS/Sync) and Azure AD

The below describes the following outbound ports and protocols that are required for communication between the Azure AD Connect Health agents and Azure AD.


Protocol

Ports

Description

HTTPS

443(TCP)

Outbound

Azure Service Bus

5671 (TCP)

Outbound

Azure Service Bus port 5671 is no longer required for the latest version of agent. The latest Azure AD Connect Health agent version only required port 443.

61 views0 comments

Recent Posts

See All
bottom of page