FIM firewall ports

  • Question

  • Hi,

    Please could someone clarify what ports are required (and how FIM components talk to one another) in the following scenario:

    - SSPR Registration & Reset Portal in DMZ (machine 1)

    - FIM Service (machine 2)

    - FIM Sync (machine 3)

    1. When doing a password Registration, how does SSPR Portal connect to the FIM Service?

    2. When doing a password Reset, how does SSPR Portal connect to FIM Service? Then how does FIM Service connect to FIM Sync? then how does FIM Sync connect to AD to reset the password?

    Thank you,

    DW

    Friday, January 24, 2014 3:08 AM

Answers

  • Hey DW,

    This can be found in the SSPR deployment guide http://www.microsoft.com/en-us/download/details.aspx?id=29959

    It works like this:  

    Password portal communicates with FIM Service (port 5725), FIM Service communicates with Sync Service using WMI, and the AD MA account resets the password over LDAP (TCP/UDP 389).

    From the deployment guide:

    If there is a firewall between the server running FIM and the server running AD DS, the following ports must be opened in the firewall between the FIM Synchronization Server and the Active Directory domain controller:

    TCP/UDP 135 (RPC EPMapper)
    TCP/UDP 389 (LDAP, LDAP Ping)
    TCP 636 (LDAP over SSL)
    TCP 3268 (GC)
    TCP 3269 (GC SSL)
    TCP/UDP 53 (DNS)
    TCP/UDP 88 (Kerberos)
    TCP Dynamic (RPC)
    TCP/UDP 464 (Kerberos Change/Set Password)
    TCP 445 (CIFS/MICROSOFT-DS)


    To facilitate WMI communication, you will also need to make sure the following ports are open between the server running the FIM Service and the server running the FIM Synchronization Service:

    TCP/UDP 135 (RPC EPMapper)
    TCP 135 (RPC EPMapper)
    TCP 5725
    TCP 5726
    TCP 5000-5001 Dynamic RPC ports (PCNS)
    TCP 57500-57520 Dynamic RPC ports (AD MA)

    -Andrew

    • Edited by Andrew Masse Sunday, January 26, 2014 8:31 PM formatting
    • Marked as answer by D Wind Monday, January 27, 2014 12:34 AM
    Sunday, January 26, 2014 8:30 PM
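An added example, not code from the thread or from the FIM deployment guide: a PowerShell script that transcribes the flows from the answer above into a table and probes the TCP ones with Test-NetConnection from whichever host you run it on. The host names are placeholders; the flow table and the "dynamic" markers are the only things taken from the answer.

```powershell
# Added example, not part of the thread or the FIM deployment guide.
# Checks TCP reachability for the flows listed in the accepted answer, from the
# host you run it on. Host names below are placeholders; change them for your estate.
# UDP ports and the dynamic RPC ranges are listed but not probed: a TCP connect
# test says nothing about UDP, and a dynamic RPC port only listens once an RPC
# endpoint has been registered, so a failed connect there does not prove the
# firewall is closed.

$dc      = 'dc01.corp.example'        # placeholder: domain controller
$fimSync = 'fimsync01.corp.example'   # placeholder: FIM Synchronization Service
$fimSvc  = 'fimsvc01.corp.example'    # placeholder: FIM Service
$portal  = 'sspr01.dmz.example'       # placeholder: SSPR portal in the DMZ

# Set this to the host you are running the script on. Only flows it initiates
# are tested, because a firewall rule is exercised from the initiator's side.
$runningOn = $fimSync

# Required flows transcribed from the answer (initiator -> responder).
$flows = @(
    # SSPR portal -> FIM Service
    @{ From=$portal;  To=$fimSvc;  Proto='TCP'; Port=5725;      Note='FIM Service (portal)' }
    # FIM Sync -> domain controller
    @{ From=$fimSync; To=$dc;      Proto='TCP'; Port=135;       Note='RPC EPMapper' }
    @{ From=$fimSync; To=$dc;      Proto='UDP'; Port=135;       Note='RPC EPMapper' }
    @{ From=$fimSync; To=$dc;      Proto='TCP'; Port=389;       Note='LDAP' }
    @{ From=$fimSync; To=$dc;      Proto='UDP'; Port=389;       Note='LDAP Ping' }
    @{ From=$fimSync; To=$dc;      Proto='TCP'; Port=636;       Note='LDAP over SSL' }
    @{ From=$fimSync; To=$dc;      Proto='TCP'; Port=3268;      Note='GC' }
    @{ From=$fimSync; To=$dc;      Proto='TCP'; Port=3269;      Note='GC SSL' }
    @{ From=$fimSync; To=$dc;      Proto='TCP'; Port=53;        Note='DNS' }
    @{ From=$fimSync; To=$dc;      Proto='UDP'; Port=53;        Note='DNS' }
    @{ From=$fimSync; To=$dc;      Proto='TCP'; Port=88;        Note='Kerberos' }
    @{ From=$fimSync; To=$dc;      Proto='UDP'; Port=88;        Note='Kerberos' }
    @{ From=$fimSync; To=$dc;      Proto='TCP'; Port=464;       Note='Kerberos Change/Set Password' }
    @{ From=$fimSync; To=$dc;      Proto='UDP'; Port=464;       Note='Kerberos Change/Set Password' }
    @{ From=$fimSync; To=$dc;      Proto='TCP'; Port=445;       Note='CIFS/MICROSOFT-DS' }
    @{ From=$fimSync; To=$dc;      Proto='TCP'; Port='dynamic'; Note='Dynamic RPC' }
    # FIM Service -> FIM Sync (WMI)
    @{ From=$fimSvc;  To=$fimSync; Proto='TCP'; Port=135;       Note='RPC EPMapper (WMI)' }
    @{ From=$fimSvc;  To=$fimSync; Proto='UDP'; Port=135;       Note='RPC EPMapper' }
    @{ From=$fimSvc;  To=$fimSync; Proto='TCP'; Port=5725;      Note='FIM Service' }
    @{ From=$fimSvc;  To=$fimSync; Proto='TCP'; Port=5726;      Note='FIM Service' }
    @{ From=$fimSvc;  To=$fimSync; Proto='TCP'; Port='dynamic'; Note='Dynamic RPC 5000-5001 (PCNS)' }
    @{ From=$fimSvc;  To=$fimSync; Proto='TCP'; Port='dynamic'; Note='Dynamic RPC 57500-57520 (AD MA)' }
)

function Test-FimFlow {
    param([hashtable]$Flow)
    $open = 'n/a'   # UDP and dynamic ranges are reported but not probed
    if ($Flow.Proto -eq 'TCP' -and $Flow.Port -is [int]) {
        # -InformationLevel Quiet makes Test-NetConnection return a plain $true/$false
        $open = Test-NetConnection -ComputerName $Flow.To -Port $Flow.Port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
    }
    [pscustomobject]@{
        To = $Flow.To; Proto = $Flow.Proto; Port = $Flow.Port; Open = $open; Note = $Flow.Note
    }
}

$results = $flows | Where-Object { $_.From -eq $runningOn } | ForEach-Object { Test-FimFlow $_ }
$results | Format-Table -AutoSize

# Exit non-zero if any probed TCP port was unreachable, so the check can gate a change.
if ($results | Where-Object { $_.Open -eq $false }) { exit 1 }
```

Run it once on the FIM Sync server with `$runningOn = $fimSync` and once on the FIM Service server with `$runningOn = $fimSvc`. Each row is written as initiator to responder because that is what a firewall rule describes; on a stateful firewall the reply packets are matched to the session, so only the initiating direction needs a rule. A `False` on a static TCP port is a firewall or listener problem worth chasing; the `n/a` rows (UDP, dynamic RPC) still have to be confirmed against the firewall rule base itself, since this probe cannot see them.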

All replies

  • Excellent, thank you!
    Monday, January 27, 2014 12:35 AM
  • Hi,

    As the above-mentioned ports need to be opened between the FIM Synchronization Server and the Active Directory domain:

    I would just like to know whether the ports should be opened in one direction, from the FIM server to AD, or need to be opened bidirectionally.

    Thanks

    Harry

    Thursday, November 13, 2014 1:25 PM