Implementing a Certificate Enrollment Policy Web Service (CEP) usually requires planning the firewall rules that must be created on the network. The following lists the required firewall rules and the pitfalls to watch for.
The Certificate Enrollment Web Services (the Certificate Enrollment Policy Web Service, CEP, and the Certificate Enrollment Web Service, CES) allow certificates to be requested and renewed automatically from a certification authority through a web-based interface. This removes the need for clients to contact the certification authority directly via Remote Procedure Call (RPC). For a more detailed description, see the article "Certificate request basics via Certificate Enrollment Web Services (CEP, CES)".
Clients to the CEP
The CEP is a service that clients reach via HTTPS. Accordingly, TCP port 443 must be opened inbound to the CEP server.
Network protocol | Destination port | Description |
---|---|---|
TCP | 443 | Hypertext Transfer Protocol Secure (HTTPS) |
CEP to the Certification Authority
The CEP does not communicate with the certification authority and therefore does not require any corresponding firewall rules.
CEP to the domain
The CEP server is usually a domain member, so the general rules for domain communication apply here.
Network protocol | Destination port | Description |
---|---|---|
TCP and UDP | 53 | Domain Name System |
TCP | 88 | Kerberos |
UDP | 123 | NTP |
TCP | 135 | RPC Endpoint Mapper |
TCP and UDP | 389 | LDAP |
TCP | 445 | Server Message Block (SMB), RPC over named pipes |
TCP | 636 | LDAP over SSL |
TCP | 3268 | LDAP-GC |
TCP | 3269 | LDAP-GC over SSL |
TCP | 49152-65535 | RPC dynamic ports |
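The outbound rules in the table above are easy to get wrong in a segmented network, and a CEP server that cannot reach its domain controllers fails in ways that look like an IIS or Kerberos problem. The following PowerShell script, added here as an example and not part of the original article, runs on the CEP server and checks each domain controller against the TCP ports from the table. The port list in `$TcpPorts` is constructed from the table; the RPC dynamic range is not probed port by port, only the endpoint mapper (135) that hands those ports out. UDP ports cannot be probed with `Test-NetConnection`, so DNS (53) and NTP (123) are exercised through a real query instead. It assumes the server is domain-joined and the session is elevated.

```powershell
# Added example (not from the original article): from a CEP server, verify that every
# domain controller is reachable on the domain-communication ports listed above.
# Assumes a domain-joined server and an elevated PowerShell session.

# Constructed from the table above: TCP ports and what they carry.
$TcpPorts = @{
    88   = 'Kerberos'
    135  = 'RPC Endpoint Mapper'
    389  = 'LDAP'
    445  = 'SMB / RPC named pipes'
    636  = 'LDAP over SSL'
    3268 = 'LDAP-GC'
    3269 = 'LDAP-GC over SSL'
}

# Enumerate domain controllers through .NET, so no RSAT module is required.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dcs    = $domain.DomainControllers | Select-Object -ExpandProperty Name

$results = foreach ($dc in $dcs) {
    foreach ($port in ($TcpPorts.Keys | Sort-Object)) {
        # Quiet mode returns $true/$false; the warning on a failed connect is suppressed.
        $ok = Test-NetConnection -ComputerName $dc -Port $port `
                                 -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $dc
            Protocol         = 'TCP'
            Port             = $port
            Service          = $TcpPorts[$port]
            Reachable        = $ok
        }
    }

    # UDP 53: ask this DC to resolve the domain name.
    $dnsOk = $null -ne (Resolve-DnsName -Name $domain.Name -Server $dc -Type A -ErrorAction SilentlyContinue)
    [pscustomobject]@{ DomainController = $dc; Protocol = 'UDP'; Port = 53
                       Service = 'Domain Name System'; Reachable = $dnsOk }

    # UDP 123: request one NTP sample from this DC; w32tm prints "error" when it cannot.
    $ntp   = & w32tm.exe /stripchart /computer:$dc /samples:1 /dataonly 2>&1
    $ntpOk = ($LASTEXITCODE -eq 0) -and (($ntp -join "`n") -notmatch 'error')
    [pscustomobject]@{ DomainController = $dc; Protocol = 'UDP'; Port = 123
                       Service = 'NTP'; Reachable = $ntpOk }
}

$results | Format-Table -AutoSize

# Every row with Reachable = False points at a missing or misconfigured firewall rule.
$results | Where-Object { -not $_.Reachable }
```

Run the script once after the firewall rules are deployed and again after any network change; a failure on 389/636 or 3268/3269 is the one that breaks CEP first, because the policy web service reads the enrollment policy from Active Directory over LDAP.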
Restore the default Windows Firewall rules
Enable-NetFirewallRule -Name "IIS-WebServerRole-HTTP-In-TCP"
Enable-NetFirewallRule -Name "IIS-WebServerRole-HTTPS-In-TCP"
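Enabling the two built-in IIS rules is quick, but it is worth confirming afterwards that the HTTPS rule is actually active in the profile the server uses and that IIS is listening on 443 at all. The following PowerShell audit is an added example, not code from the original article: it reads the two rule names used above with `Get-NetFirewallRule`, pulls the port from each rule's port filter, and checks for a listener on that port. It assumes IIS is installed (so both rule names exist) and an elevated session.

```powershell
# Added example (not from the original article): audit the inbound side of the CEP server.
# Assumes the IIS role is installed so the two built-in rule names exist; run elevated.
$RuleNames = 'IIS-WebServerRole-HTTP-In-TCP', 'IIS-WebServerRole-HTTPS-In-TCP'

$audit = foreach ($name in $RuleNames) {
    $rule = Get-NetFirewallRule -Name $name -ErrorAction SilentlyContinue
    if (-not $rule) {
        # Rule absent: usually means the IIS role was not installed or the rule was deleted.
        [pscustomobject]@{ Rule = $name; Exists = $false; Enabled = $null
                           Port = $null; Profile = $null; Listening = $null }
        continue
    }

    # The port filter carries the local port the rule applies to (80 or 443 here).
    $filter    = $rule | Get-NetFirewallPortFilter
    $port      = [int]$filter.LocalPort
    $listening = $null -ne (Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Rule      = $name
        Exists    = $true
        Enabled   = ($rule.Enabled -eq 'True')
        Port      = $port
        Profile   = $rule.Profile
        Listening = $listening
    }
}

$audit | Format-Table -AutoSize

# CEP is reached over HTTPS only, so 443 is the row that matters for enrollment.
$https = $audit | Where-Object { $_.Port -eq 443 }
if (-not ($https.Exists -and $https.Enabled)) {
    Write-Warning 'Inbound HTTPS rule is missing or disabled; clients cannot reach the CEP.'
}
if (-not $https.Listening) {
    Write-Warning 'Nothing listens on TCP 443; check the HTTPS binding of the CEP site in IIS.'
}
```

If the `Profile` column shows only `Private` or `Domain` while the server's active network profile is different, the rule exists and is enabled yet still does not apply; `Get-NetConnectionProfile` shows the profile currently in use.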
Related links:
- Firewall rules required for Active Directory Certificate Services
- Required firewall rules for the Network Device Enrollment Service (NDES)
- Required firewall rules for the Certificate Enrollment Web Service (CES)
- Required firewall rules for the online responder (OCSP)
- Required firewall rules for Certification Authority Web Enrollment (CAWE)