Required firewall rules for the online responder (OCSP)

Implementing an online responder (OCSP) usually requires planning the firewall rules that have to be created on the network. Below is a list of the required firewall rules, together with the pitfalls to watch out for.

The Online Responder (Online Certificate Status Protocol, OCSP) is an alternative way of providing revocation status information for certificates. Thanks to OCSP, entities that want to check the revocation status of a certificate do not have to download the complete list of all revoked certificates; instead, they can send a request for the specific certificate in question to the online responder. For a more detailed description, see the article "Basics Online Responder (Online Certificate Status Protocol, OCSP)".

Clients to the OCSP Responder

Clients contact the online responder over unencrypted HTTP, so only TCP port 80 needs to be opened.

| Network protocol | Destination port | Protocol |
| --- | --- | --- |
| TCP | 80 | Hypertext Transfer Protocol (HTTP) |
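As an added example (not part of the original article), the following PowerShell reads the OCSP URLs from a certificate's Authority Information Access (AIA) extension and checks from the client side whether the TCP port named in each URL (port 80 for plain HTTP) is reachable. The function names `Get-OcspUrl` and `Test-OcspResponderPort` and the certificate thumbprint placeholder are assumptions of this example; `Test-NetConnection` and the AIA/OCSP OIDs are standard.

```powershell
# Added example, not from the original article.
# Extract the OCSP URLs from a certificate's AIA extension (OID 1.3.6.1.5.5.7.1.1).
function Get-OcspUrl {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $aia = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
    if (-not $aia) { return @() }

    # Format($true) returns one "[n]Authority Info Access" block per access
    # description; only blocks whose access method is OCSP (1.3.6.1.5.5.7.48.1)
    # are of interest, the CA Issuers entries (…48.2) are skipped.
    $text = $aia.Format($true)
    $urls = foreach ($block in ($text -split '\[\d+\]Authority Info Access')) {
        if ($block -match '1\.3\.6\.1\.5\.5\.7\.48\.1' -and $block -match 'URL=(\S+)') {
            $Matches[1]
        }
    }
    return @($urls)
}

# Test TCP reachability of each responder from this client. [uri]::Port
# yields 80 for an http:// URL without an explicit port.
function Test-OcspResponderPort {
    param([Parameter(Mandatory)][string[]]$Url)
    foreach ($u in $Url) {
        $uri = [uri]$u
        $result = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Url          = $u
            Host         = $uri.Host
            Port         = $uri.Port
            TcpReachable = $result.TcpTestSucceeded
        }
    }
}

# Usage: pick a certificate from the local store (placeholder thumbprint) and
# check every OCSP responder it points to.
$cert = Get-Item 'Cert:\LocalMachine\My\<THUMBPRINT>'
Test-OcspResponderPort -Url (Get-OcspUrl -Certificate $cert) | Format-Table -AutoSize
```

A TCP connect only proves the firewall path; to see the actual OCSP request and response, `certutil -verify -urlfetch <file.cer>` fetches every AIA, CDP and OCSP URL of a certificate and reports which ones fail.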

OCSP Responder to the Certification Authority

Applies only if the online responder is a domain member.

Exactly as for any other certificate enrollment client, the certificate request ports to the certification authority must be opened. The online responder uses them to request its OCSP signing certificate.

| Network protocol | Destination port | Protocol |
| --- | --- | --- |
| TCP | 135 | RPC Endpoint Mapper |
| TCP | 49152-65535 | RPC dynamic ports |

OCSP responder to the domain

Applies only if the online responder is a domain member.

The OCSP responder server is usually a domain member, so the general rules for domain communication apply here. In addition, because the online responder actively enrolls for its signing certificate, it must be able to communicate with the domain for that purpose as well.

| Network protocol | Destination port | Protocol |
| --- | --- | --- |
| TCP and UDP | 53 | Domain Name System |
| TCP | 88 | Kerberos |
| UDP | 123 | NTP |
| TCP | 135 | RPC Endpoint Mapper |
| TCP and UDP | 389 | LDAP |
| TCP | 445 | Server Message Block (RPC named pipes) |
| TCP | 636 | LDAP over SSL |
| TCP | 3268 | LDAP-GC |
| TCP | 3269 | LDAP-GC over SSL |
| TCP | 49152-65535 | RPC dynamic ports |
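As an added example (not part of the original article), this PowerShell is run on the online responder itself and probes the outbound ports from the two tables above (certification authority and domain). The host names and the function name `Test-OcspOutboundPort` are placeholders and assumptions of this example; `Test-NetConnection`, `w32tm` and `netsh` are standard Windows tools.

```powershell
# Added example, not from the original article. Run on the online responder.
$CaHost = 'ca01.corp.example'   # placeholder: your certification authority
$DcHost = 'dc01.corp.example'   # placeholder: a domain controller

# Port list taken from the tables above. The RPC dynamic range (49152-65535 by
# default) is not probed with a single TCP connect, because the actual port is
# negotiated via the endpoint mapper on TCP 135; it is therefore only listed.
# On the CA or DC, `netsh int ipv4 show dynamicport tcp` shows the range in use.
$checks = @(
    @{ Target = $CaHost; Port = 135;  Purpose = 'RPC Endpoint Mapper (certificate request)' }
    @{ Target = $DcHost; Port = 53;   Purpose = 'DNS' }
    @{ Target = $DcHost; Port = 88;   Purpose = 'Kerberos' }
    @{ Target = $DcHost; Port = 135;  Purpose = 'RPC Endpoint Mapper' }
    @{ Target = $DcHost; Port = 389;  Purpose = 'LDAP' }
    @{ Target = $DcHost; Port = 445;  Purpose = 'SMB / RPC named pipes' }
    @{ Target = $DcHost; Port = 636;  Purpose = 'LDAP over SSL' }
    @{ Target = $DcHost; Port = 3268; Purpose = 'LDAP-GC' }
    @{ Target = $DcHost; Port = 3269; Purpose = 'LDAP-GC over SSL' }
)

function Test-OcspOutboundPort {
    param([Parameter(Mandatory)][hashtable[]]$Check)
    foreach ($c in $Check) {
        $r = Test-NetConnection -ComputerName $c.Target -Port $c.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Target  = $c.Target
            Port    = $c.Port
            Purpose = $c.Purpose
            Open    = $r.TcpTestSucceeded
        }
    }
}

Test-OcspOutboundPort -Check $checks | Format-Table -AutoSize

# UDP ports (53, 123, 389) are not covered by a TCP connect test. NTP over
# UDP 123 can be checked by asking the DC for a single time sample; w32tm
# reports an error if the packet is blocked.
w32tm /stripchart /computer:$DcHost /samples:1 /dataonly
```

Any row showing `Open = False` points at a missing rule on the path between the responder and that host; the dynamic RPC range is the usual culprit when TCP 135 is open but certificate enrollment still fails.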

Restore the default Windows Firewall rules

# Built-in Windows Firewall rules used by IIS and the Online Responder service;
# re-enable them if they have been disabled.
Enable-NetFirewallRule `
    -Name "IIS-WebServerRole-HTTP-In-TCP"
Enable-NetFirewallRule `
    -Name "IIS-WebServerRole-HTTPS-In-TCP"
Enable-NetFirewallRule `
    -Name "Microsoft-Windows-OnlineRevocationServices-OcspSvc-DCOM-In"
Enable-NetFirewallRule `
    -Name "Microsoft-Windows-CertificateServices-OcspSvc-RPC-TCP-In"
Enable-NetFirewallRule `
    -Name "Microsoft-Windows-OnlineRevocationServices-OcspSvc-TCP-Out"
