Required firewall rules for the Certificate Enrollment Web Service (CES)

Author Uwe GradeneggerPosted on Categories Certificate Enrollment Web ServicesTags ,

Implementing a Certificate Enrollment Web Service (CES) often requires planning the firewall rules to be created on the network. The following is a list of the required firewall rules and any pitfalls.

The Certificate Enrollment Web Services (Certificate Enrollment Policy Web Service, CEP, and Certificate Enrollment Web Service, CES) enable the automatic request and renewal of certificates from a certification authority via a Web-based interface. This eliminates the need to contact the certification authority directly via Remote Procedure Call (RPC). For a more detailed description, see the article "Certificate request basics via Certificate Enrollment Web Services (CEP, CES)„.

Clients to the CES

The CES is a service that is addressed via HTTPS. Accordingly, TCP port 443 is opened.

Network protocolDestination portDescription
TCP443Hypertext Transfer Protocol Secure (HTTPS)

CES to the Certification Authority

Quite analogous to all other clients are the certificate request ports to the certification authority to open.

Network protocolDestination portProtocol
TCP135RPC Endpoint Mapper
TCP49152-65535RPC dynamic ports

CES to the domain

The CES server is usually a domain member, so the general rules for domain communication apply here.

Network protocolDestination portProtocol
TCP and UDP53Domain Name System
TCP88Kerberos
UDP123NTP
TCP135RPC Endpoint Mapper
TCP and UDP389LDAP
TCP445Server Message Block
RPC Named Pipes
TCP636LDAP over SSL
TCP3268LDAP-GC
TCP3269LDAP-GC over SSL
TCP49152-65535RPC dynamic ports

Restore the default Windows Firewall rules 

Enable-NetFirewallRule -Name "IIS-WebServerRole-HTTP-In-TCP"
Enable-NetFirewallRule -Name "IIS-WebServerRole-HTTPS-In-TCP"

Related links:

en_USEnglish
de_DEDeutsch en_USEnglish