Configure the firewall ports for the Gateway and Active Directory

When you configure the firewall ports for the gateway and Active Directory (AD), there are additional ports you must open up in the firewall beyond the ports described in Configuring firewall ports for the gateway.

If the sits behind a public-facing firewall, then you must open port UDP 4500 to permit traffic from the public Internet to pass through to the gateway.

However, if there is a private-facing firewall that sits between the and Active Directory, you must open up additional firewall ports. If you do not, user authentication fails because the necessary data is blocked by the private-facing firewall.

Blue Cedar recommends opening the firewall ports listed in the following table for your firewall configuration so that the required data traffic can freely travel in both directions between the and the AD infrastructure:

The requires access on these ports for all of the AD domain controllers in the domain that the is joined to, and all domains that share mutual trust with this domain.

In particular, the needs access to both a child domain and the AD forest root to which the child is associated. If the access is not given all the ports across all of the domains (including the child domains), the required traffic is blocked and the authentication process fails.

For example, suppose a company has a tiered structure of AD domains. Assume that the overall tier is named "company.com", and the two child domains are named "us.company.com" and "eu.company.com". To ensure that the authentication of users works properly across all domains, the company would have to open up required firewall ports to all of the AD domains (U.S. and European Union). Even if the is only authenticating U.S. users, just opening the firewall ports to the us.company.com domain will not be enough. You will also need to open the firewall ports to the AD servers that belong to the "company.com" domain.