Ports required for communication between a domain member server and domain controller

Clients considering placing the product in their DMZ should identify whether their site is currently using AD Authentication. Intranet Connections implements AD Authentication using IIS Windows Auth (NTLM or Kerberos) and requires that the web server be a member of the domain for authentication requests to be processed. If you are placing a domain member server in the DMZ, the following ports are required for proper communication with the internal domain controller. 

Kerberos: 88 (TCP and UDP)

DNS: 53 (TCP and UDP)

LDAP: 389 (TCP UDP) 636 (TCP)

CIFS: 445 (TCP and UDP)

NTP: 123 (TCP and UDP)

135, 49156, 49158 (TCP)

Intranet Connections recommends that you consult with your Network team for advice regarding this deployment. It is generally safer to keep domain member assets internal to the network and provide limited access to them either through a perimeter security device such as an SSL VPN appliance or by port forwarding on the most restricted list of ports possible (only 443 required in the case of an SSL secured site)

Have more questions? Submit a request


Article is closed for comments.