FIM firewall ports

Hi,

Please could someone clarify what ports are required (and how FIM components talk to one another) in the following scenario:

- SSPR Registration & Reset Portal in DMZ (machine 1)

- FIM Service (machine 2)

- FIM Sync (machine 3)

1. When doing a password Registration, how does SSPR Portal connect to the FIM Service?

2. When doing a password Reset, how does SSPR Portal connect to FIM Service? Then how does FIM Service connect to FIM Sync? Then how does FIM Sync connect to AD to reset the password?

Thank you,

DW

January 23rd, 2014 10:10pm

Hey DW,

This can be found in the SSPR deployment guide http://www.microsoft.com/en-us/download/details.aspx?id=29959

It works like this:  

Password portal communicates with FIM Service (port 5725), FIM Service communicates with Sync Service using WMI, and the AD MA account resets the password over LDAP (TCP/UDP 389)

From the deployment guide:

If there is a firewall between the server running FIM and the server running AD DS, the following ports must be opened in the firewall between the FIM Synchronization Server and the Active Directory domain controller:

TCP/UDP 135 (RPC EPMapper)
TCP/UDP 389 (LDAP, LDAP Ping)
TCP 636 (LDAP over SSL)
TCP 3268 (GC)
TCP 3269 (GC SSL)
TCP/UDP 53 (DNS)
TCP/UDP 88 (Kerberos)
TCP Dynamic (RPC)
TCP/UDP 464 (Kerberos Change/Set Password)
TCP 445 (CIFS/ MICROSOFT-DS)


To facilitate WMI communication, you will also need to make sure the following ports are open between the server running the FIM Service and the server running the FIM Synchronization Service:

TCP/UDP 135 (RPC EPMapper)
TCP 135 (RPC EPMapper)
TCP 5725
TCP 5726
TCP 5000-5001 Dynamic RPC ports (PCNS)
TCP 57500-57520 Dynamic RPC ports (AD MA)

-Andrew

  • Edited by Andrew Masse Sunday, January 26, 2014 8:31 PM formatting
  • Marked as answer by Divine Wind Monday, January 27, 2014 12:34 AM
January 26th, 2014 3:31pm
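As an added example (not part of Andrew's answer or the SSPR deployment guide), here is a PowerShell script that probes the TCP side of each hop listed above from the sending machine: portal to FIM Service, FIM Service to FIM Sync, and FIM Sync to the domain controller. The hostnames (fimservice.corp.example and so on) are placeholders to replace; the port numbers are the ones from the answer. UDP-only traffic (DNS, Kerberos and LDAP Ping over UDP) is not probed, because a UDP "open" cannot be confirmed without a protocol-level reply. It uses System.Net.Sockets.TcpClient rather than Test-NetConnection so it also runs on PowerShell 2.0 hosts such as Windows Server 2008 R2.

```powershell
# Added example, not from the thread or the deployment guide.
# Run on the source machine of the hop you want to check, e.g.
#   .\Test-FimPorts.ps1 -Role Sync      (on the FIM Sync server)
#   .\Test-FimPorts.ps1 -Role Service   (on the FIM Service server)
#   .\Test-FimPorts.ps1 -Role Portal    (on the SSPR portal in the DMZ)
param(
    [ValidateSet('Portal', 'Service', 'Sync')]
    [string]$Role = 'Portal',
    [int]$TimeoutMs = 3000
)

# Destination and TCP ports per hop, following the list in the answer above.
# Hostnames are placeholders (assumption); substitute your own.
$hops = @{
    Portal  = @{ Label = 'SSPR portal -> FIM Service';        Target = 'fimservice.corp.example';
                 Ports = @(5725) }
    Service = @{ Label = 'FIM Service -> FIM Sync (WMI/RPC)'; Target = 'fimsync.corp.example';
                 Ports = @(135, 5725, 5726) + (5000..5001) + (57500..57520) }
    Sync    = @{ Label = 'FIM Sync -> domain controller';     Target = 'dc01.corp.example';
                 Ports = @(53, 88, 135, 389, 445, 464, 636, 3268, 3269) }
}

function Test-TcpPort {
    # Returns 'open', 'closed' (RST received), 'filtered' (no answer before the
    # timeout, the usual signature of a firewall drop) or an error code.
    param([string]$Target, [int]$Port, [int]$Timeout)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($Timeout, $false)) {
            return 'filtered'
        }
        $client.EndConnect($handle)   # throws SocketException on an active refusal
        return 'open'
    } catch [System.Net.Sockets.SocketException] {
        if ($_.Exception.SocketErrorCode -eq 'ConnectionRefused') { return 'closed' }
        return "error: $($_.Exception.SocketErrorCode)"   # e.g. HostNotFound for a bad name
    } finally {
        $client.Close()
    }
}

$hop = $hops[$Role]
Write-Host "Checking $($hop.Label) from $env:COMPUTERNAME to $($hop.Target)"

$results = foreach ($port in $hop.Ports) {
    New-Object PSObject -Property @{
        Hop    = $hop.Label
        Target = $hop.Target
        Port   = $port
        State  = Test-TcpPort -Target $hop.Target -Port $port -Timeout $TimeoutMs
    }
}
$results | Select-Object Hop, Target, Port, State | Format-Table -AutoSize

# A dynamic RPC port (5000-5001, 57500-57520) only answers when an endpoint is
# currently registered on it, so 'closed' there is not proof of a firewall
# block. 'filtered' is the result worth chasing with the network team.
$results | Where-Object { $_.State -eq 'filtered' } | ForEach-Object {
    Write-Warning "$($_.Target):$($_.Port) gave no answer within ${TimeoutMs}ms; check the firewall between these hosts"
}
```

The script only tests the outbound direction from the machine it runs on, which matches how the hops above are described (portal initiates to FIM Service, FIM Service initiates to Sync, Sync initiates to the DC). For TCP 135 plus a dynamic range, an 'open' on 135 and 'filtered' across the whole range usually means the endpoint mapper is reachable but the firewall does not allow the ephemeral RPC ports, which is exactly the WMI failure mode the deployment guide's second list is meant to prevent.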

Excellent, thank you!
January 26th, 2014 7:36pm