In the default configuration, the certificate authority's certificate request interface negotiates dynamic ports for incoming RPC/DCOM connections (for details, see the article "Firewall rules required for Active Directory Certificate Services").
| Network protocol | Destination port | Service |
|---|---|---|
| TCP | 135 | RPC Endpoint Mapper |
| TCP | 49152-65535 | RPC dynamic ports |
This configuration is not feasible in every enterprise environment. Often there are restrictive firewall rules that do not allow the use of dynamic network ports.
In such a case, the certificate authority must be configured to use a static port.
Configuration is done through the Component Services Management Console (dcomcnfg.msc).
In the console, navigate to "Component Services" - "Computers" - "My Computer" - "DCOM Config". Look there for the entry "CertSrv Request". It is edited by right-clicking and then selecting "Properties".
In the "Endpoints" tab, click on "Add..." to add a new endpoint.
Here you select the option "Use static endpoint" and assign a network port.
For the settings to take effect, the Certification Authority service must be restarted.
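As an added example that is not part of the original article, the following PowerShell reads the resulting DCOM endpoint back from the registry and checks that the Endpoint Mapper and the chosen static port are reachable, so the change can be verified rather than assumed. The registry location and the "ProtocolSequence,Flags,Endpoint" layout of the Endpoints value are assumptions; the "CertSrv Request" AppID is looked up by its display name rather than hard-coded.

```powershell
# Added example, not from the original article: read back the "CertSrv Request" DCOM endpoint
# and check that the configured static port (and the Endpoint Mapper) are reachable.
# Assumptions: DCOM endpoints live under HKLM:\SOFTWARE\Classes\AppID\{AppID}\Endpoints as a
# REG_MULTI_SZ whose entries read "ProtocolSequence,Flags,Endpoint"; the AppID key's default
# value carries the display name shown in dcomcnfg.

function Get-CertSrvRequestEndpoint {
    # Look the AppID up by its display name instead of hard-coding the GUID
    $appId = Get-ChildItem 'HKLM:\SOFTWARE\Classes\AppID' |
        Where-Object { (Get-ItemProperty -Path $_.PSPath).'(default)' -eq 'CertSrv Request' } |
        Select-Object -First 1
    if (-not $appId) { throw 'AppID "CertSrv Request" not found; is the CA role installed here?' }

    $result = [ordered]@{ AppId = $appId.PSChildName; Mode = 'Dynamic'; Port = $null }
    $endpoints = (Get-ItemProperty -Path $appId.PSPath).Endpoints
    foreach ($entry in @($endpoints)) {
        $protocol, $flags, $endpoint = $entry -split ','
        # A static endpoint is an ncacn_ip_tcp entry that names a concrete TCP port
        if ($protocol -eq 'ncacn_ip_tcp' -and $endpoint -match '^\d+$') {
            $result.Mode = 'Static'
            $result.Port = [int]$endpoint
        }
    }
    [pscustomobject]$result
}

function Test-CertSrvRequestReachability {
    param([string]$CaHost, [int]$StaticPort)
    # Clients first ask the Endpoint Mapper on 135, then connect to the port it returns,
    # so both must pass the firewall; the dynamic range is no longer needed.
    foreach ($port in 135, $StaticPort) {
        $tcp = Test-NetConnection -ComputerName $CaHost -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $CaHost; Port = $port; Reachable = $tcp.TcpTestSucceeded }
    }
}

# Run on the CA itself after the dcomcnfg change and the CertSvc restart
$endpoint = Get-CertSrvRequestEndpoint
$endpoint
if ($endpoint.Mode -eq 'Static') {
    Test-CertSrvRequestReachability -CaHost $env:COMPUTERNAME -StaticPort $endpoint.Port
} else {
    Write-Warning 'No static TCP endpoint set; CertSrv Request still uses dynamic RPC ports.'
}
```

Running the reachability check from a client host instead of the CA (pass its name as -CaHost) confirms that the firewall rule for the static port is actually in place end to end.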