dhcp firewall requirements

  • Question

  • Hi,

    When I request a firewall definition for our DHCP failover, does TCP port 647 for both servers need to be two-way? Do both servers become source and destination at the same time?

    Also, for workstations on TCP port 67, is it two-way, from workstation to server and from server to workstation?

    Wednesday, November 13, 2019 3:53 AM

Answers

  • Hi Janus,

    DHCP failover uses TCP port 647 to listen for failover messages between two failover partner servers. For this traffic to be allowed by the Windows firewall, the following inbound and outbound firewall rules are added when you install the DHCP Server role:

    • Microsoft-Windows-DHCP-Failover-TCP-In
    • Microsoft-Windows-DHCP-Failover-TCP-Out

    DHCP servers use TCP port 647, which should be bidirectional: DHCP Server1 <--> DHCP Server2.

    Workstations use TCP port 67/68, and one direction should suffice: Workstation --> DHCP Server.

    DHCP Server port requirements:
    https://support.microsoft.com/en-us/help/832017/service-overview-and-network-port-requirements-for-windows

    Best regards,
    Leon


    Blog: https://thesystemcenterblog.com

    • Marked as answer by Janus Barinan Thursday, November 14, 2019 1:31 AM
    Wednesday, November 13, 2019 4:30 AM
  • Hi,

    >>When I request a firewall definition for our DHCP failover, does TCP port 647 for both servers need to be two-way? Do both servers become source and destination at the same time?

    Both DHCP servers in a failover relationship must maintain a persistent TCP connection with each other. DHCP failover partners establish and maintain this connection on port 647, and use it to exchange operational state information and lease information.

    As Leon said, DHCP servers use TCP port 647, which should be bidirectional.

    >>Also, for workstations on TCP port 67, is it two-way, from workstation to server and from server to workstation?

    TCP/UDP 67 and 68 initiate communication between the client and server. 

    UDP 67 is the destination port of a DHCP server, and port number 68 is used by the client.

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com   

    • Marked as answer by Janus Barinan Thursday, November 14, 2019 1:32 AM
    Wednesday, November 13, 2019 6:43 AM
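    The two answers above describe the firewall posture for a DHCP failover pair: the two built-in rules for TCP 647 between partners, plus the client-facing port 67. The script below is an added example, not code from the thread or from Microsoft, that inspects that posture on a failover partner with PowerShell. It assumes the NetSecurity module that ships with the DHCP Server role, treats the rule names quoted in Leon's answer as the rule Name property (use -DisplayName if your build exposes them differently), and takes the partner's address as a parameter so the inbound 647 rule can optionally be restricted to that partner only, which is the least-privilege form of the "bidirectional between Server1 and Server2" requirement.

```powershell
# Added example (not from the thread): review the Windows firewall rules that the answers
# above describe for a DHCP failover partner, and optionally scope the inbound 647 rule
# to the partner address only. Run on each failover partner in an elevated prompt.
param(
    # Assumption: the partner's resolvable name or IP, e.g. the other failover server's FQDN
    [Parameter(Mandatory)] [string]$PartnerServer,
    # When set, limit the inbound failover rule's RemoteAddress to the partner (assumes a static address)
    [switch]$RestrictToPartner
)

# Rule names as quoted in the answer above. -Name matches the rule's Name property.
$failoverRules = 'Microsoft-Windows-DHCP-Failover-TCP-In',
                 'Microsoft-Windows-DHCP-Failover-TCP-Out'

"== Failover partner rules (expect TCP, port 647, Enabled=True, Action=Allow) =="
foreach ($name in $failoverRules) {
    $rule = Get-NetFirewallRule -Name $name -ErrorAction SilentlyContinue
    if (-not $rule) {
        Write-Warning "Rule '$name' not found; is the DHCP Server role installed?"
        continue
    }
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule       = $name
        Enabled    = $rule.Enabled
        Direction  = $rule.Direction
        Action     = $rule.Action
        Protocol   = $port.Protocol
        LocalPort  = $port.LocalPort
        RemotePort = $port.RemotePort
        RemoteAddr = ($addr.RemoteAddress -join ',')
    }
}

"== Client-facing rules: anything allowing inbound UDP 67 (DHCP server port) =="
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'UDP' -and $_.LocalPort -contains '67' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Select-Object Name, DisplayName, Enabled, Action, Profile

if ($RestrictToPartner) {
    # Resolve the partner once; the built-in rule allows any remote address by default.
    $partnerIps = [System.Net.Dns]::GetHostAddresses($PartnerServer) |
        ForEach-Object { $_.IPAddressToString }
    "Scoping inbound failover rule to partner address(es): $($partnerIps -join ', ')"
    Set-NetFirewallRule -Name 'Microsoft-Windows-DHCP-Failover-TCP-In' -RemoteAddress $partnerIps
}
```

    The restriction step is deliberately opt-in: the default rule accepts TCP 647 from any source, and narrowing it to the partner is a change to roll out on both servers at the same time, otherwise the failover connection drops in one direction when the first server is tightened.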

All replies

  • Thanks Leon!
    Thursday, November 14, 2019 1:32 AM
  • Thanks Candy!
    Thursday, November 14, 2019 1:32 AM
  • Hi,

    You are welcome!

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com   

    Thursday, November 14, 2019 1:43 AM
  • Hi All,

    I tried to do a telnet to the partner server on port 647 but I get a "connection failed". I tried both ways and it still failed. Windows firewall for both is disabled and the corporate firewall is already allowed. The firewall team did a trace and they see that the server is resetting the TCP connection. I tried resetting winsock via netsh and rebooted several times and the problem is still the same.

    Thanks!

    Thursday, November 14, 2019 3:40 PM
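    The symptom in the post above, a TCP reset on port 647 with the host firewall disabled and the corporate firewall open, is worth triaging on the server itself before looking at the network again: a RST from the host usually means no process is bound to the port, which is a different problem from filtering. The script below is an added example, not code from the thread, that checks the local side of the failover connection with PowerShell. It assumes the DhcpServer module installed with the DHCP Server role and takes the partner's name as a parameter.

```powershell
# Added example (not from the thread): triage a reset TCP 647 connection between DHCP
# failover partners from the local server. Run on each partner in an elevated prompt.
param(
    # Assumption: the partner's resolvable name or IP
    [Parameter(Mandatory)] [string]$PartnerServer
)

# 1. Service state: the failover listener belongs to the DHCP Server service.
$svc = Get-Service -Name DHCPServer
"DHCPServer service: $($svc.Status)"

# 2. Is anything actually listening on TCP 647? A RST with no listener is the usual cause.
$listener = Get-NetTCPConnection -LocalPort 647 -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    $proc = Get-Process -Id ($listener | Select-Object -First 1).OwningProcess
    "Listening on TCP 647: $($proc.ProcessName) (PID $($proc.Id))"
} else {
    "Nothing is listening on TCP 647 on this host."
}

# 3. Is a failover relationship configured at all? The port is only exercised once one exists.
$failover = Get-DhcpServerv4Failover -ErrorAction SilentlyContinue
if ($failover) {
    $failover | Select-Object Name, PartnerServer, Mode, State | Format-Table -AutoSize
} else {
    "No DHCPv4 failover relationship is configured on this server."
}

# 4. Current TCP sessions involving 647 in either direction (established or in progress).
"== Connections on port 647 =="
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -eq 647 -or $_.RemotePort -eq 647 } |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State

# 5. Outbound reachability to the partner, the PowerShell equivalent of the telnet test.
$test = Test-NetConnection -ComputerName $PartnerServer -Port 647 -WarningAction SilentlyContinue
$verdict = if ($test.TcpTestSucceeded) { 'open' } else { 'refused or filtered' }
"TCP 647 to ${PartnerServer}: $verdict"

# 6. Confirm the host firewall really is off on every profile, since that was the assumption.
Get-NetFirewallProfile | Select-Object Name, Enabled
```

    Read steps 2 and 3 together: if the service is running but nothing listens on 647 and no failover relationship is returned, the reset is expected, because the partner link is only established once the relationship has been created on the server; if a listener exists and the outbound test still fails, the problem is on the path or on the other partner, and the trace the firewall team captured is the next thing to examine.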
  • Hello Janus,

    If this is a new issue, I would suggest you create a new thread so we don't get two different topics mixed up :) Thanks!


    Blog: https://thesystemcenterblog.com

    Thursday, November 14, 2019 9:57 PM