Required firewall rules for Certification Authority Web Enrollment (CAWE)

Implementing Certificate Authority Web Enrollment (CAWE) often requires planning the firewall rules to be created on the network. The following is a list of the required firewall rules and any pitfalls.

The certificate authority web registration is a very old feature from Windows 2000 times - and was last adapted with the release of Windows Server 2003. Accordingly, the code is old and potentially insecure. Likewise, the function supports No certificate templates with version 3 or newer - This means that certificate templates that use functions introduced with Windows Vista / Windows Server 2008 or newer cannot be used. It is recommended that you do not use the certificate authority web registration and instead request certificates via on-board resources or the PSCertificateEnrollment PowerShell module.

Required firewall rules from clients for certification authority web registration

In order for clients to use the Certificate Authority Web Registry, they must be able to access it using either HTTP (not recommended) or HTTPS.

Network protocolDestination portProtocol
TCP80Hypertext Transfer Protocol (HTTP, not recommended)
TCP443Hypertext Transfer Protocol Secure (HTTPS)

Required firewall rules from Certification Authority web registration to Certification Authority

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem and is available under a free license. It can downloaded via GitHub and can be used free of charge.

Quite analogous to all other clients are the certificate request ports to the certification authority to open.

Network protocolDestination portProtocol
TCP135RPC Endpoint Mapper
TCP49152-65535RPC dynamic ports

Required firewall rules from the Certification Authority for Certification Authority web registration

What is special about the CAWE role is that the certificate authority attempts to open a connection to its dynamic RPC ports in response to a certificate request from the CAWE server. If this firewall rule is not set up, the application for certificates via CAWE takes a very long time or aborts completely. The firewall rule must be set up both on the network and on the local Windows firewall of the CAWE server.

Network protocolDestination portProtocol
TCP135RPC Endpoint Mapper
TCP49152-65535RPC dynamic ports

Certification authority web registration to the domain

The CAWE server itself is a domain member, so the general rules for domain communication apply here.

Network protocolDestination portProtocol
TCP and UDP53Domain Name System
TCP88Kerberos
UDP123NTP
TCP135RPC Endpoint Mapper
TCP and UDP389LDAP
TCP445Server Message Block
RPC Named Pipes
TCP636LDAP over SSL
TCP3268LDAP-GC
TCP3269LDAP-GC over SSL
TCP49152-65535RPC dynamic ports

Restore the default Windows Firewall rules

Please note that the default rules below do not include communication from the certification authority to the web registry. A separate firewall rule must be created for this.

Enable-NetFirewallRule -Name "IIS-WebServerRole-HTTP-In-TCP"
Enable-NetFirewallRule -Name "IIS-WebServerRole-HTTPS-In-TCP"

Related links:

en_USEnglish