Configure DMZ server ports for Active Directory integrations

If you installed the Okta Active Directory (AD) agent on a DMZ server, you need to open the following ports:

  • 135/TCP RPC
  • 137/UDP NetBIOS
  • 138/UDP NetBIOS
  • 139/TCP NetBIOS
  • 389/TCP/UDP LDAP
  • 636/TCP LDAP SSL
  • 3268/TCP LDAP GC
  • 3269/TCP LDAP GC SSL
  • 53/TCP/UDP DNS
  • 88/TCP/UDP Kerberos
  • 445/TCP SMB
  • 464/TCP/UDP Kerberos Change/Set password
  • 123/UDP NTP

You must also open your DCOM RPC ports. In addition to TCP 135, Microsoft RPC (MS-RPC) uses randomly generated ports from TCP 49152-65535 for Vista/2008 and above. These ports are also known as "random RPC ports." RPC clients use the RPC Endpoint Mapper (EPM) which runs on TCP135 to tell them which dynamic ports were assigned to the server.

For detailed information on configuring your ports on a DMZ server, see Microsoft Support. For more information on the required network ports, see Service overview and network port requirements for Windows. For more information on random RPC ports, see How to configure RPC dynamic port allocation to work with firewalls.