Implementing Certificate Authority Web Enrollment (CAWE) often requires planning the firewall rules to be created on the network. The following is a list of the required firewall rules and any pitfalls.
The certificate authority web registration is a very old feature from Windows 2000 times - and was last adapted with the release of Windows Server 2003. Accordingly, the code is old and potentially insecure. Likewise, the function supports No certificate templates with version 3 or newer - This means that certificate templates that use functions introduced with Windows Vista / Windows Server 2008 or newer cannot be used. It is recommended that you do not use the certificate authority web registration and instead request certificates via on-board resources or the PSCertificateEnrollment PowerShell module.
Required firewall rules from clients for certification authority web registration
In order for clients to use the Certificate Authority Web Registry, they must be able to access it using either HTTP (not recommended) or HTTPS.
| Network protocol | Destination port | Protocol |
|---|---|---|
| TCP | 80 | Hypertext Transfer Protocol (HTTP, not recommended) |
| TCP | 443 | Hypertext Transfer Protocol Secure (HTTPS) |
Required firewall rules from Certification Authority web registration to Certification Authority
Quite analogous to all other clients are the certificate request ports to the certification authority to open.
| Network protocol | Destination port | Protocol |
|---|---|---|
| TCP | 135 | RPC Endpoint Mapper |
| TCP | 49152-65535 | RPC dynamic ports |
Required firewall rules from the Certification Authority for Certification Authority web registration
What is special about the CAWE role is that the certificate authority attempts to open a connection to its dynamic RPC ports in response to a certificate request from the CAWE server. If this firewall rule is not set up, the application for certificates via CAWE takes a very long time or aborts completely. The firewall rule must be set up both on the network and on the local Windows firewall of the CAWE server.
| Network protocol | Destination port | Protocol |
|---|---|---|
| TCP | 135 | RPC Endpoint Mapper |
| TCP | 49152-65535 | RPC dynamic ports |
Certification authority web registration to the domain
The CAWE server itself is a domain member, so the general rules for domain communication apply here.
| Network protocol | Destination port | Protocol |
|---|---|---|
| TCP and UDP | 53 | Domain Name System |
| TCP | 88 | Kerberos |
| UDP | 123 | NTP |
| TCP | 135 | RPC Endpoint Mapper |
| TCP and UDP | 389 | LDAP |
| TCP | 445 | Server Message Block RPC Named Pipes |
| TCP | 636 | LDAP over SSL |
| TCP | 3268 | LDAP-GC |
| TCP | 3269 | LDAP-GC over SSL |
| TCP | 49152-65535 | RPC dynamic ports |
Restore the default Windows Firewall rules
Please note that the default rules below do not include communication from the certification authority to the web registry. A separate firewall rule must be created for this.
Enable-NetFirewallRule -Name "IIS-WebServerRole-HTTP-In-TCP"
Enable-NetFirewallRule -Name "IIS-WebServerRole-HTTPS-In-TCP"
Related links:
- Requesting certificates via the Certification Authority web registration takes a very long time
- Firewall rules required for Active Directory Certificate Services
- Required firewall rules for the Network Device Enrollment Service (NDES)
- Required Firewall Rules for Certificate Enrollment Policy (CEP) Web Service
- Required firewall rules for the Certificate Enrollment Web Service (CES)
- Required firewall rules for the online responder (OCSP)
English 
Deutsch
6 thoughts on “Benötigte Firewallregeln für die Zertifizierungsstellen-Webregistrierung (CAWE)”
Comments are closed.