Knowledge Search


×
 

[SRX] What ports should be opened up on a firewall for the Integrated User Firewall (LDAP) feature to work?

  [KB30778] Show Article Properties


Summary:

SRX is configured with the integrated user firewall feature using LDAP, and the SRX needs to communicate with Active Directory domain controllers and clients, with a firewall in between.  What ports need to be opened up on the firewall for communication between the SRX and domain controller and client to work?


Solution:

The following ports are used with the integrated user firewall feature and need to be opened up on the firewall in the path between the SRX and domain controller and client:

  • For clients that use plain text or encrypted text, if the port number of the LDAP server is not specified in the SRX configuration, SRX defaults to use port 389 for plaintext or port 636 for encrypted text. For more information on AD and AD domain services port requirements, refer to Microsoft document: Active Directory and Active Directory Domain Services Port Requirements.

  • For WMIC, SRX uses TCP 135 (DCE-RPC) for communication setup (control link) with the domain controller (DC). This port is a well-known port and it is used by many other network management software devices. The communication (data link) is going through a dynamic port negotiated on the control link and firewalls supporting DCE-RPC ALG will be able to open up this port (all modern firewalls do).

  • For probes sent to the domain client, it uses TCP 135, which is the same as DCE-RPC.

Related Links: