Configure DMZ server ports for Active Directory integrations
If you install the Okta Active Directory (AD) agent onto a DMZ server, you need to open the following ports:
- 53/TCP/UDP DNS
- 88/TCP/UDP Kerberos
- 123/UDP NTP
- 135/TCP RPC
- 137/UDP NetBIOS
- 138/UDP NetBIOS
- 139/TCP NetBIOS
- 389/TCP/UDP LDAP
- 445/TCP SMB
- 464/TCP/UDP Kerberos Change/Set password
- 636/TCP LDAP SSL
- 3268/TCP LDAP GC
- 3269/TCP LDAP GC SSL
You must also open your DCOM RPC ports. In addition to TCP 135, Microsoft RPC (MS-RPC) uses randomly generated ports from TCP 49152 through 65535 for Vista/2008 and later. These ports are also known as random RPC ports. RPC clients use the RPC Endpoint Mapper (EPM) which runs on TCP135 to tell them which dynamic ports were assigned to the server.
For detailed information on configuring your ports on a DMZ server, see Microsoft Support. For more information on the required network ports, see Service overview and network port requirements for Windows. For more information on random RPC ports, see How to configure RPC dynamic port allocation to work with firewalls.