Monday, 2 January 2017

Azure AD Ports & Connect Issues
Ports Between Azure AD Connect and Active Directory Server

Protocol   Port            Purpose
DNS        53 (TCP/UDP)    DNS lookups on the destination forest.
Kerberos   88 (TCP/UDP)    Kerberos authentication to the AD forest.
MS-RPC     135 (TCP/UDP)   Used during the initial configuration of the Azure AD Connect wizard when it binds to the AD forest.
LDAP       389 (TCP/UDP)   Used for data import from AD. Data is encrypted with Kerberos Sign & Seal.
LDAP/SSL   636 (TCP/UDP)   Used for data import from AD. The data transfer is signed and encrypted. Only used if you are using SSL.

Ports Between Azure AD Connect and ADFS Server

Protocol   Port            Purpose
HTTP       80 (TCP/UDP)    Used to download CRLs (Certificate Revocation Lists) to verify SSL certificates.
HTTPS      443 (TCP/UDP)   Used to synchronize with Azure AD.
WinRM      5985            WinRM listener.

Ports Between ADFS Proxy Servers and ADFS Servers

Protocol   Port            Purpose
HTTPS      443 (TCP/UDP)   Used for authentication.

Error: We cannot reach this server. Make sure Windows PowerShell remote management is enabled on the remote server and any firewalls are configured to allow Windows Remote Management. Also make sure the value that you entered for Server Name is not the Federation Service Name.
Resolution

1. Make sure that Remote Management is enabled in the Server Dashboard.
2. Make sure that the ports needed to connect to the WinRM service are open, i.e. port 5985. Use the netstat and telnet commands on Windows Server to troubleshoot port problems.

netstat -a lists all the listening ports (TCP and UDP) on a server.
telnet connects to a remote computer on a specified port: telnet [server_name] [port_number], e.g. telnet google.com 80
General Recommendations:

For connecting to on-prem Active Directory, an Enterprise Admin account should be used.

Microsoft's recommendation is that Azure AD Connect should bypass the proxy server. If a proxy server is mandatory, make sure that the following Microsoft domains and IPs are bypassed on the proxy server. The bare minimum list is given below.

URL                                   Port        Description
mscrl.microsoft.com                   HTTP/80     Used to download CRL lists.
*.verisign.com                        HTTP/80     Used to download CRL lists.
*.entrust.com                         HTTP/80     Used to download CRL lists for MFA.
*.windows.net                         HTTPS/443   Used to sign in to Azure AD.
secure.aadcdn.microsoftonline-p.com   HTTPS/443   Used for MFA.
*.microsoftonline.com                 HTTPS/443   Used to configure your Azure AD directory and import/export data.

Expand the Office 365 Authentication & Identity drop-down to see the full list of FQDNs and IP addresses.

When a proxy server is used, the machine.config file should be edited as shown below; in this case the proxy uses port 8080.
Path for machine.config: C:\Windows\Microsoft.NET\Framework\v4.0.30319\config\machine.config
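The defaultProxy element that the .NET components of Azure AD Connect read from machine.config, written out here as an added example (it is not the original post's screenshot); proxy.example.local is a placeholder host name, and port 8080 is the one the post assumes:

```xml
<!-- Added example: this system.net block sits inside the <configuration> element of machine.config. -->
<!-- proxy.example.local is a placeholder; replace it with the real proxy FQDN or IP address. -->
<system.net>
  <!-- useDefaultCredentials lets the sync service authenticate to a proxy that requires it. -->
  <defaultProxy enabled="true" useDefaultCredentials="true">
    <!-- usesystemdefault: also honour the proxy settings already configured on the server. -->
    <!-- proxyaddress: the explicit proxy that traffic to the Microsoft endpoints above goes through. -->
    <!-- bypassonlocal: intranet traffic, including to the on-prem AD servers, is not sent to the proxy. -->
    <proxy
      usesystemdefault="true"
      proxyaddress="http://proxy.example.local:8080"
      bypassonlocal="true"
    />
  </defaultProxy>
</system.net>
```

The change applies to .NET processes started after the edit, so re-run the wizard or restart the sync service afterwards; the bypass for the Microsoft domains listed above is still configured on the proxy itself, not in this file.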
3 comments:

  1. Very quickly this web site will be famous among all blogging visitors, due to its pleasant posts.

  2. Good post. I learn something totally new and challenging on blogs I stumble upon on a daily basis. It will always be interesting to read articles from other authors and use a little something from other sites.

  3. Hi! I like your writing so much! Shall we be in contact more about your article on AOL? I require an expert in this space to unravel my problem. Maybe that's you! Looking forward to seeing you.