Guest Greg
Posted August 27, 2008

Hi,

I am in the process of setting up a CA within my Active Directory. The enterprise CA will be in the same VLAN as the domain controllers and any other servers that wish to use the service. All workstations (and end users) reside in a different VLAN with a firewall between the two.

Computer and user certificates will be issued to domain users and computers throughout the domain. I was wondering what network ports I needed to open in order for this to occur... is it the http port that it communicates on for this purpose?

Thanks in advance.

Greg
Guest Masterplan
Posted August 27, 2008

RE: Ports to Open for certificate services

Hi Greg,

Certificate Services relies on RPC and on DCOM to communicate with clients by using random TCP ports that are higher than port 1024. See here: http://support.microsoft.com/kb/832017

--
Have a nice day!
http://winmasterplan.blogspot.com
Guest Greg
Posted August 27, 2008

RE: Ports to Open for certificate services

Thanks for the response.

I managed to find it myself but thanks anyway. One question though, if I were to restrict the dynamic ports that can be used (as in http://support.microsoft.com/kb/154596/) how many should I restrict it to? It mentions a minimum of 100 but how is this number determined?

BTW, the servers in question will only be used for certificate services.

Cheers

Greg
Guest Masterplan
Posted August 27, 2008

RE: Ports to Open for certificate services

Hi,

This number is a medium value for most environments and setups.

--
Have a nice day!
http://winmasterplan.blogspot.com
Guest Greg
Posted August 27, 2008

RE: Ports to Open for certificate services

Hi,

How do you determine a number for a given server?

Greg
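As an added example (not from any post in this thread), here is how the KB154596 restriction from the second and third posts can be applied on the CA and then checked, so that the firewall between the VLANs only has to carry TCP 135 (the RPC endpoint mapper) plus one fixed range. The range 5000-5199 and the CertSvc service name are assumptions for illustration; size the range for your own server, keeping the KB's floor of 100 ports.

```powershell
# Added example, not from the thread: apply the KB154596 RPC port restriction on
# the CA and verify it. 5000-5199 is an assumed placeholder range; the KB's floor
# is 100 ports and the range must sit above 1024. Run elevated on the CA; the
# RPC change only takes effect after a reboot.
$RangeStart = 5000
$RangeEnd   = 5199
$Width      = $RangeEnd - $RangeStart + 1
if ($RangeStart -le 1024 -or $Width -lt 100) {
    throw "Range must start above 1024 and contain at least 100 ports (got $Width)"
}

# Registry values exactly as KB154596 names them: Ports (REG_MULTI_SZ) plus two
# REG_SZ flags. The range is shared by every RPC/DCOM server endpoint on the box,
# which is why it needs headroom beyond what CertSvc alone would use.
$RpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $RpcKey)) { New-Item -Path $RpcKey -Force | Out-Null }
New-ItemProperty -Path $RpcKey -Name 'Ports' -PropertyType MultiString `
    -Value @("$RangeStart-$RangeEnd") -Force | Out-Null
New-ItemProperty -Path $RpcKey -Name 'PortsInternetAvailable' -PropertyType String `
    -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $RpcKey -Name 'UseInternetPorts' -PropertyType String `
    -Value 'Y' -Force | Out-Null

# Host firewall on the CA: with the range fixed, the workstation VLAN only needs
# TCP 135 (RPC endpoint mapper) plus this range towards the CA. The VLAN firewall
# between the two networks should carry the same two rules.
netsh advfirewall firewall add rule name="CA RPC endpoint mapper" dir=in `
    action=allow protocol=TCP localport=135 | Out-Null
netsh advfirewall firewall add rule name="CA RPC dynamic range" dir=in `
    action=allow protocol=TCP localport="$RangeStart-$RangeEnd" | Out-Null

# After the reboot: confirm every TCP port the CertSvc process (assumed service
# name for the CA) listens on falls inside the range. A port outside it would be
# dropped by the firewall and surface as failed enrollments from the workstations.
$CertSvcPid = (Get-WmiObject Win32_Service -Filter "Name='CertSvc'").ProcessId
netstat -ano -p TCP |
    Where-Object { $_ -match "LISTENING\s+$CertSvcPid\s*$" } |
    ForEach-Object {
        # Columns: Proto LocalAddress ForeignAddress State PID; port is after the last ':'
        $Port = [int]((($_.Trim() -split '\s+')[1] -split ':')[-1])
        if ($Port -ge $RangeStart -and $Port -le $RangeEnd) {
            Write-Output "CertSvc listens on TCP $Port (inside range)"
        } else {
            Write-Warning "CertSvc listens on TCP $Port, outside the restricted range"
        }
    }
```

The final loop is the practical answer to "how do you determine a number": run it after the reboot, count the endpoints actually in use across all RPC services on the box, and keep the range comfortably wider than that.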