Required firewall rules for the Network Device Enrollment Service (NDES)

Implementing a Network Device Enrollment Service (NDES) often requires planning the firewall rules to be created on the network. The following is a list of the required firewall rules and any pitfalls.

The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identifier in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics„.

Clients to NDES

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem and is available under a free license. It can downloaded via GitHub and can be used free of charge.

NDES is a web-based service that can be used via HTTP and HTTPS. Accordingly, TCP ports 80 and 443 must be opened. However, the NDES administration web page should only be accessible via HTTPS.

Network protocolDestination portProtocol
TCP80Hypertext Transfer Protocol (HTTP, not recommended)
TCP443Hypertext Transfer Protocol Secure (HTTPS)

NDES to the Certification Authority

Quite analogous to all other clients are the certificate request ports to the certification authority to open.

Network protocolDestination portProtocol
TCP135RPC Endpoint Mapper
TCP49152-65535RPC dynamic ports

NDES to the domain

The NDES server is usually a domain member, so the general rules for domain communication apply here.

Network protocolDestination portProtocol
TCP and UDP53Domain Name System
TCP88Kerberos
UDP123NTP
TCP135RPC Endpoint Mapper
TCP and UDP389LDAP
TCP445Server Message Block
RPC Named Pipes
TCP636LDAP over SSL
TCP3268LDAP-GC
TCP3269LDAP-GC over SSL
TCP49152-65535RPC dynamic ports

Restore the default Windows Firewall rules

Enable-NetFirewallRule -Name "IIS-WebServerRole-HTTP-In-TCP"
Enable-NetFirewallRule -Name "IIS-WebServerRole-HTTPS-In-TCP"

Special case of role installation of NDES

During the installation of the NDES role, it is required that communication via RPC named pipes (TCP port 445) to the root domain controllers of the forest is possible.

See article "Role configuration for Network Device Enrollment Service (NDES) fails with error message "Insufficient access rights to perform this operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)"." for more information.

Related links:

en_USEnglish