articles/active-directory/hybrid/reference-connect-ports.md
Lines changed: 16 additions & 16 deletions
@@ -33,7 +33,7 @@ This table describes the ports and protocols that are required for communication
33
33
| LDAP |389 (TCP/UDP) |Used for data import from AD. Data is encrypted with Kerberos Sign & Seal. |
34
34
| SMB | 445 (TCP) |Used by Seamless SSO to create a computer account in the AD forest and during password writeback. For more information, see [Change a user account's password](/openspecs/windows_protocols/ms-adod/d211aaba-d188-4836-8007-8c62f7c9402d). |
35
35
| LDAP/SSL |636 (TCP/UDP) |Used for data import from AD. The data transfer is signed and encrypted. Only used if you are using TLS. |
36
-
| RPC |49152- 65535 (Random high RPC Port)(TCP) |Used during the initial configuration of Azure AD Connect when it binds to the AD forests, and during Password synchronization. If the dynamic port has been changed, you need to open that port. See [KB929851](https://support.microsoft.com/kb/929851), [KB832017](https://support.microsoft.com/kb/832017), and [KB224196](https://support.microsoft.com/kb/224196) for more information. |
36
+
| RPC |49152- 65535 (Random high RPC Port)(TCP) |Used during the initial configuration of Azure AD Connect when it binds to the AD forests, and during Password synchronization. If the dynamic port has been changed, you need to open that port. See [KB929851](https://support.microsoft.com/kb/929851), [KB832017](https://support.microsoft.com/kb/832017), and [KB224196](https://support.microsoft.com/kb/224196) for more information. |
37
37
|WinRM | 5985 (TCP) |Only used if you are installing AD FS with gMSA by Azure AD Connect Wizard|
38
38
|AD DS Web Services | 9389 (TCP) |Only used if you are installing AD FS with gMSA by Azure AD Connect Wizard |
39
39
| Global Catalog | 3268 (TCP) | Used by Seamless SSO to query the global catalog in the forest before creating a computer account in the domain. |
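Review bot: the removed and re-added RPC row (file line 36) is textually identical in the rendered diff, so this hunk only changes trailing whitespace or line endings; if that is intended, fine, but since the row is being touched anyway, `49152- 65535 (Random high RPC Port)(TCP)` should lose the stray space after the hyphen and be written in the same `port (protocol)` form as the other rows, for example `49152-65535 (TCP)` with the "random high RPC port" wording moved into the description.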
@@ -44,7 +44,7 @@ This table describes the ports and protocols that are required for communication
44
44
| Protocol | Ports | Description |
45
45
| --- | --- | --- |
46
46
| HTTP |80 (TCP) |Used to download CRLs (Certificate Revocation Lists) to verify TLS/SSL certificates. |
47
-
| HTTPS |443(TCP) |Used to synchronize with Azure AD. |
47
+
| HTTPS |443(TCP) |Used to synchronize with Azure AD. |
48
48
49
49
For a list of URLs and IP addresses you need to open in your firewall, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2) and [Troubleshooting Azure AD Connect connectivity](tshoot-connect-connectivity.md#troubleshoot-connectivity-issues-in-the-installation-wizard).
50
50
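Review bot: as in the previous hunk, the HTTPS row (file line 47) is removed and re-added with identical text, so only invisible whitespace changes here. While the line is being edited, `443(TCP)` should become `443 (TCP)` to match `80 (TCP)` on the HTTP row directly above it.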
@@ -54,40 +54,40 @@ This table describes the ports and protocols that are required for communication
54
54
| Protocol | Ports | Description |
55
55
| --- | --- | --- |
56
56
| HTTP |80 (TCP) |Used to download CRLs (Certificate Revocation Lists) to verify TLS/SSL certificates. |
57
-
| HTTPS |443(TCP) |Used to synchronize with Azure AD. |
57
+
| HTTPS |443(TCP) |Used to synchronize with Azure AD. |
58
58
| WinRM |5985 |WinRM Listener |
59
59
60
60
## Table 4 - WAP and Federation Servers
61
61
This table describes the ports and protocols that are required for communication between the Federation servers and WAP servers.
62
62
63
63
| Protocol | Ports | Description |
64
64
| --- | --- | --- |
65
-
| HTTPS |443(TCP) |Used for authentication. |
65
+
| HTTPS |443(TCP) |Used for authentication. |
66
66
67
67
## Table 5 - WAP and Users
68
68
This table describes the ports and protocols that are required for communication between users and the WAP servers.
69
69
70
70
| Protocol | Ports | Description |
71
71
| --- | --- | --- |
72
-
| HTTPS |443(TCP) |Used for device authentication. |
72
+
| HTTPS |443(TCP) |Used for device authentication. |
73
73
| TCP |49443 (TCP) |Used for certificate authentication. |
74
74
75
75
## Table 6a & 6b - Pass-through Authentication with Single Sign On (SSO) and Password Hash Sync with Single Sign On (SSO)
76
76
The following tables describes the ports and protocols that are required for communication between the Azure AD Connect and Azure AD.
77
77
78
78
### Table 6a - Pass-through Authentication with SSO
79
-
|Protocol|Port Number|Description
80
-
| --- | --- | ---
81
-
|HTTP|80|Enable outbound HTTP traffic for security validation such as SSL. Also needed for the connector auto-update capability to function properly.
82
-
|HTTPS|443| Enable outbound HTTPS traffic for operations such as enabling and disabling of the feature, registering connectors, downloading connector updates, and handling all user sign-in requests.
79
+
|Protocol| Ports |Description|
80
+
| --- | --- | ---|
81
+
|HTTP|80 (TCP)|Used to download CRLs (Certificate Revocation Lists) to verify TLS/SSL certificates. Also needed for the connector auto-update capability to function properly.|
82
+
|HTTPS|443 (TCP)|Used to enable and disable the feature, register connectors, download connector updates, and handle all user sign-in requests.|
83
83
84
84
In addition, Azure AD Connect needs to be able to make direct IP connections to the [Azure data center IP ranges](https://www.microsoft.com/download/details.aspx?id=41653).
85
85
86
86
### Table 6b - Password Hash Sync with SSO
87
87
88
-
|Protocol|Port Number|Description
89
-
| --- | --- | ---
90
-
|HTTPS|443| Enable SSO registration (required only for the SSO registration process).
88
+
|Protocol| Ports |Description|
89
+
| --- | --- | ---|
90
+
|HTTPS|443 (TCP)|Used to enable SSO registration (required only for the SSO registration process).
91
91
92
92
In addition, Azure AD Connect needs to be able to make direct IP connections to the [Azure data center IP ranges](https://www.microsoft.com/download/details.aspx?id=41653). Again, this is only required for the SSO registration process.
93
93
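Review bot: the new Table 6b row `|HTTPS|443 (TCP)|Used to enable SSO registration (required only for the SSO registration process).` is missing the closing `|` that every other rewritten row in this hunk ends with (compare the Table 6a rows); add it so both tables use the same syntax. Two smaller consistency points while these tables are being normalized: the new separator line `| --- | --- | ---|` drops the space before the last pipe, unlike `| --- | --- | --- |` used everywhere else in the file, and `| WinRM |5985 |WinRM Listener |` is now the only row without a `(TCP)` qualifier. The HTTPS rows of Tables 3, 4 and 5 are again removed and re-added unchanged, with the `443(TCP)` spacing still inconsistent with the rest of the file.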
@@ -99,11 +99,11 @@ This table describes the following outbound ports and protocols that are require
99
99
100
100
| Protocol | Ports | Description |
101
101
| --- | --- | --- |
102
-
|HTTPS |443(TCP) |Outbound |
103
-
|Azure Service Bus |5671 (TCP) |Outbound |
102
+
|Azure Service Bus |5671 (TCP) | Used to send health information to Azure AD. (recommended but not required in latest versions)|
103
+
|HTTPS |443 (TCP) |Used to send health information to Azure AD. (failback)|
104
104
105
-
Azure Service Bus port 5671 is no longer required for the latest version of agent. The latest Azure AD Connect Health agent version only required port 443.
105
+
If 5671 is blocked, the agent falls back to 443, but using 5671 is recommended. This endpoint isn't required in the latest version of the agent.
106
+
The latest Azure AD Connect Health agent versions only require port 443.
106
107
107
108
### 7b - Endpoints for Azure AD Connect Health agent for (AD FS/Sync) and Azure AD
108
109
For a list of endpoints, see [the Requirements section for the Azure AD Connect Health agent](how-to-connect-health-agent-install.md#requirements).
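Review bot: `(failback)` in the new HTTPS row should read `(fallback)`, matching the sentence "If 5671 is blocked, the agent falls back to 443" added below it. The two new prose lines overlap: "This endpoint isn't required in the latest version of the agent." and "The latest Azure AD Connect Health agent versions only require port 443." state the same thing, so merge them into one sentence. More importantly, the table now marks 5671 as "recommended but not required in latest versions" while the text says the latest agent only needs 443, which leaves a reader unsure whether to open 5671 at all; say explicitly which agent versions still use 5671 and which need only 443. The two row descriptions would also be clearer as "primary channel" and "fallback channel" rather than repeating "Used to send health information to Azure AD" with different parentheticals.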