Thursday, July 28, 2016

MS - Certificate autoenrollment behind a firewall

For anyone running certificate autoenrollment on machines that sit behind a firewall, these are the servers and ports you need rules for:

Client to domain controller
      Kerberos (TCP/UDP 88)
      LDAP (TCP 389)
      RPC endpoint mapper (TCP 135)
      Dynamic RPC (TCP 1025-5000 for domain controllers on Windows Server 2003 and earlier; TCP 49152-65535 for Windows Server 2008 and later)

Client to the certificate server(s) that publish the template
      RPC endpoint mapper (TCP 135)
      Dynamic RPC (TCP 1025-5000) for CA servers on Windows Server 2003 and earlier
      Dynamic RPC (TCP 49152-65535) for CA servers on Windows Server 2008 and later
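
An added example (not from the original post): a PowerShell script run on the client that probes the fixed TCP ports listed above and then uses certutil to exercise the RPC path whose port is dynamic and cannot be probed directly. The host names dc01.corp.example and ca01.corp.example and the CA name "Corp Issuing CA" are placeholders; substitute your own.

```powershell
# Added example, not part of the original post. Host names and CA name are
# assumptions; replace them with your own.
$dc     = 'dc01.corp.example'
$ca     = 'ca01.corp.example'
$caName = 'Corp Issuing CA'          # the CA's common name, as shown in certsrv.msc

# Fixed TCP ports from the lists above. Kerberos over UDP 88 is not covered:
# Test-NetConnection only probes TCP, so verify that rule separately.
$checks = @(
    @{ Host = $dc; Port = 88;  Use = 'Kerberos (TCP)' },
    @{ Host = $dc; Port = 389; Use = 'LDAP' },
    @{ Host = $dc; Port = 135; Use = 'RPC endpoint mapper' },
    @{ Host = $ca; Port = 135; Use = 'RPC endpoint mapper' }
)

foreach ($c in $checks) {
    $r = Test-NetConnection -ComputerName $c.Host -Port $c.Port -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    '{0,-22} {1,5}  {2,-20} {3}' -f $c.Host, $c.Port, $c.Use, $state
}

# The dynamic RPC port is only learned from the endpoint mapper, so a plain
# port probe cannot cover it. certutil -ping calls the CA's request interface
# over RPC/DCOM end to end; if 135 is open but -ping fails, the dynamic range
# is what the firewall is dropping.
certutil -ping -config "$ca\$caName"

# On the CA (or DC) itself, confirm which dynamic range the server actually
# uses before writing the rule; an administrator may have narrowed the default
# (1025-5000 on Server 2003 and earlier, 49152-65535 on Server 2008 and later):
#   netsh int ipv4 show dynamicport tcp

# Once the rules are in place, trigger autoenrollment instead of waiting for
# the next policy refresh, then check the Application log for
# CertificateServicesClient events.
certutil -pulse
```

Run the script from a client in the firewalled segment. The port table tells you which fixed rules are missing; a clean port table with a failing certutil -ping points at the dynamic range, which is the rule most often forgotten.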

1 comment:

  1. thank you for taking the time to post this information!