Guest /u/goagex
Posted

Hi!

I'm having a hard time finding information regarding firewall configuration for Windows Active Directory.

I know what ports need to be open FROM Clients/Servers TO Domain Controllers for Active Directory to work.

Here is a link: Configure firewall for AD domain and trusts - Windows Server

What I struggle to find is what ports need to be open FROM Domain Controller(s) TO Clients/Servers.

I have my servers/clients isolated in different subnets.

My Google-fu has taken me to different forum/reddit posts, where frustrated firewall administrators have tried to ask the same thing, only to be misunderstood.

I have not found any official Microsoft documentation regarding this at all.

In some posts people state that ALL ports should be open both inbound/outbound; I can't believe this.

I would assume that tcp/135 and tcp/49152-65535 need to be open at least (FROM Domain Controller TO Clients/Member servers).

Does anyone know anything about this?

How did you configure your firewall in regard to this?

Edit 1 (2024-09-20):

1: I'm using a stateful firewall, so we only talk about traffic initiated FROM the Domain Controller.

2: Maybe I should have said member servers only and not clients, as I understand those may differ.

3: I have investigated this before, and I have found the following:

When you have a Remote Desktop Session Host (RDSH) in another subnet, I see traffic in the firewall initiated from DC to RDSH. The ports I have seen were the "rpc ephemeral ports" tcp/49152-65535.

I have also seen traffic on the following ports FROM Domain Controller towards other member servers: tcp/135, tcp/445, tcp/5985.

What I'm trying to find is the bare minimum that needs to be open.

The example above is for RDSH, and I understand that RDS uses many different ports between Gateway/Broker/Session Host, etc.

But what about a simple File Server that is a member of Active Directory?

Kind regards / Jonas

 

submitted by /u/goagex
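As an added example (not from the original post or any Microsoft documentation), the script below shows how the observations in Edit 1 can be gathered systematically: it parses stateful-firewall session logs, keeps only sessions the domain controller itself initiated, and labels the destination ports against the ones named above (tcp/135, tcp/445, tcp/5985, tcp/49152-65535). The key=value log format, the addresses and the timestamps are constructed for illustration; adapt `parse_line` to your firewall's export.

```python
from collections import defaultdict

# Destination ports named in the post, used to label what the DC reaches out to.
PORT_LABELS = {135: "RPC endpoint mapper", 445: "SMB", 5985: "WinRM (HTTP)"}
EPHEMERAL = range(49152, 65536)  # Windows dynamic RPC range (tcp/49152-65535)

# Constructed sample: a stateful firewall logs the first packet of each new
# session as key=value pairs. 10.0.1.10 plays the DC, 10.0.2.x member servers.
SAMPLE_LOG = """\
ts=2024-09-20T08:01:02Z action=allow proto=tcp src=10.0.1.10 dst=10.0.2.20 dport=135
ts=2024-09-20T08:01:02Z action=allow proto=tcp src=10.0.1.10 dst=10.0.2.20 dport=49671
ts=2024-09-20T08:01:05Z action=allow proto=tcp src=10.0.1.10 dst=10.0.2.21 dport=445
ts=2024-09-20T08:02:10Z action=allow proto=tcp src=10.0.2.21 dst=10.0.1.10 dport=389
ts=2024-09-20T08:03:00Z action=allow proto=tcp src=10.0.1.10 dst=10.0.2.21 dport=5985
ts=2024-09-20T08:03:30Z action=deny proto=tcp src=10.0.1.10 dst=10.0.2.22 dport=3389
"""

def parse_line(line):
    """Split 'k=v k=v ...' into a dict and make dport an int."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["dport"] = int(fields["dport"])
    return fields

def label_port(port):
    if port in PORT_LABELS:
        return PORT_LABELS[port]
    return "RPC ephemeral (49152-65535)" if port in EPHEMERAL else "unclassified"

def dc_initiated_flows(log_text, dc_addresses):
    """Count allowed sessions whose source is a DC, keyed by (dst, dport, label).
    Sessions towards the DC are skipped: the stateful firewall already permits
    their return traffic, so only DC-originated flows need explicit rules."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f["action"] != "allow" or f["src"] not in dc_addresses:
            continue
        counts[(f["dst"], f["dport"], label_port(f["dport"]))] += 1
    return dict(counts)

def required_outbound_rules(flows):
    """Distinct port labels an outbound DC-to-member rule set would have to cover."""
    return sorted({label for (_, _, label) in flows})

if __name__ == "__main__":
    flows = dc_initiated_flows(SAMPLE_LOG, {"10.0.1.10"})
    for (dst, port, label), n in sorted(flows.items()):
        print(f"{dst}:{port:<5} {label:<28} sessions={n}")
    print("Outbound rules needed:", ", ".join(required_outbound_rules(flows)))
```

Run it against a real export over several days before tightening rules, since services such as replication or management tooling only initiate from the DC occasionally and will not show up in a short capture.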
