Configure the firewall ports for the Gateway and Active Directory

When you configure the firewall ports for the gateway and Active Directory (AD), you must open additional ports in the firewall beyond those described in Configuring firewall ports for the gateway.

If the gateway sits behind a public-facing firewall, you must open port UDP 4500 so that traffic from the public Internet can pass through to the gateway.

However, if a private-facing firewall sits between the gateway and Active Directory, you must open additional firewall ports. If you do not, user authentication fails because the private-facing firewall blocks the necessary traffic.

Blue Cedar recommends opening the firewall ports listed in the following table so that the required traffic can travel freely in both directions between the gateway and the AD infrastructure:

To transport data through a private-facing firewall...   Use this port number...   And configure for this transport protocol...

DNS                                                         53                        UDP or TCP
Kerberos 5                                                  88                        UDP or TCP
NTP                                                         123                       UDP
LDAP                                                        389                       UDP or TCP
LDAP over SSL                                               636                       UDP or TCP
RADIUS                                                      1812                      UDP
SMB                                                         445                       TCP
Global Catalog search                                       3268                      TCP
Computer password changes                                   464                       UDP or TCP
(minimum of 30 days after last change)

The gateway requires access on these ports to all of the AD domain controllers in the domain that the gateway is joined to, and in every domain that shares mutual trust with that domain.

In particular, the gateway needs access to both a child domain and the AD forest root with which the child is associated. If the gateway is not given access on all of the ports across all of the domains (including the child domains), the required traffic is blocked and the authentication process fails.

For example, suppose a company has a tiered structure of AD domains. Assume that the forest root is named "company.com" and the two child domains are named "us.company.com" and "eu.company.com". To ensure that user authentication works properly across all domains, the company must open the required firewall ports to all of the AD domains (U.S. and European Union). Even if the gateway is only authenticating U.S. users, opening the firewall ports to the us.company.com domain alone is not enough. You must also open the firewall ports to the AD servers that belong to the "company.com" domain.
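The following script is an added example, not Blue Cedar's code: it turns the port table above and a domain-controller inventory (forest root plus every child domain, as the preceding paragraphs require) into a checklist, and runs TCP connect probes from the gateway side to find which domain's firewall rules are still missing. The inventory hostnames are constructed placeholders; only TCP ports are actively probed, because a filtered UDP port looks the same as an open one to a simple probe.

```python
"""Reachability checklist for the AD ports in the table above.
Added example (not Blue Cedar's code). Hostnames in `inventory` are constructed."""
import socket
from dataclasses import dataclass

# Port table from the page: (service, port, transports).
REQUIRED_PORTS = [
    ("DNS", 53, ("udp", "tcp")),
    ("Kerberos 5", 88, ("udp", "tcp")),
    ("NTP", 123, ("udp",)),
    ("LDAP", 389, ("udp", "tcp")),
    ("LDAP over SSL", 636, ("udp", "tcp")),
    ("RADIUS", 1812, ("udp",)),
    ("SMB", 445, ("tcp",)),
    ("Global Catalog search", 3268, ("tcp",)),
    ("Computer password changes", 464, ("udp", "tcp")),
]


@dataclass(frozen=True)
class Check:
    domain: str
    host: str
    service: str
    port: int
    proto: str


def build_checks(domain_controllers):
    """domain_controllers: {domain: [dc_host, ...]}. Include the forest root
    AND each child domain; one Check is produced per (DC, port, transport)."""
    checks = []
    for domain, hosts in domain_controllers.items():
        for host in hosts:
            for service, port, protos in REQUIRED_PORTS:
                for proto in protos:
                    checks.append(Check(domain, host, service, port, proto))
    return checks


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within `timeout`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out (filtered), or unresolvable
        return False


def run_checks(checks, probe=tcp_reachable):
    """Probe every TCP check; UDP checks are recorded as None (not probed,
    since no reply is indistinguishable from a filtered port).
    `probe(host, port)` is injectable so the logic can be tested offline."""
    return {c: (probe(c.host, c.port) if c.proto == "tcp" else None) for c in checks}


def blocked(results):
    """Failed checks grouped by domain, so a missing forest-root or
    child-domain rule set stands out as a whole."""
    out = {}
    for c, ok in results.items():
        if ok is False:
            out.setdefault(c.domain, []).append((c.host, c.service, c.port))
    return out


if __name__ == "__main__":
    # Constructed sample inventory; replace with the real domain controllers.
    inventory = {
        "company.com": ["dc1.company.com"],
        "us.company.com": ["dc1.us.company.com"],
        "eu.company.com": ["dc1.eu.company.com"],
    }
    report = blocked(run_checks(build_checks(inventory)))
    if not report:
        print("all TCP ports reachable on every listed domain controller")
    for domain, items in report.items():
        print(f"{domain}: blocked -> {items}")
```

Run it from the gateway host (or a machine on the same network segment) after changing the firewall rules; a domain that appears in the report with all of its TCP ports blocked is the typical sign that the rule set was written for the child domain only and never extended to the forest root, which is exactly the failure described above.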
