On This Page
Active Directory port and protocol requirements
Services on which Active Directory depends
Services that require Active Directory services
REFERENCES
    General information
    Remote Procedure Calls and DCOM
    Domain controllers and Active Directory
    Exchange Server
    File Replication Service
    Distributed File Replication Service
    Internet Information Services
    IPsec and VPNs
    Multicast Address Dynamic Client Allocation Protocol (MADCAP)
    Message Queuing
    Mobile Information Server
    Microsoft Operations Manager
    Systems Management Server
    SQL Server
    Terminal Services
    Controlling communications over the Internet in Windows
SUMMARY
This article discusses the essential network ports, protocols and services that are used by Microsoft client and server operating systems, server-based programs and their subcomponents in the Microsoft Windows server system. Administrators and support professionals may use this Microsoft Knowledge Base article as a road-map to determine what ports and protocols Microsoft operating systems and programs require for network connectivity in a segmented network.

The port information in this article should not be used to configure Windows Firewall. For information about configuring Windows Firewall, visit the following Microsoft Web sites:
http://technet2.microsoft.com/windowsserver/en/library/6490c9fc-6c06-4304-b61c-5577af1445d01033.mspx
http://technet.microsoft.com/en-us/network/bb545423.aspx

The Windows server system includes a comprehensive and integrated infrastructure that is designed to meet the requirements of developers and of information technology (IT) professionals. This system is designed to run programs and solutions that information workers can use to obtain, to analyze, and to share information quickly and easily. These Microsoft client, server and server program products use a variety of network ports and protocols to communicate with client systems and with other server systems over the network. Dedicated firewalls, host-based firewalls, and Internet Protocol security (IPsec) filters are other important components that are required to help secure your network. However, if these technologies are configured to block ports and protocols that are used by a specific server, that server will no longer respond to client requests.
Overview
The following list provides an overview of the information that this article contains:

The "System services ports" section of this article contains a brief description of each service, displays the logical name of that service, and indicates the ports and protocols that each service requires for correct operation. Use this section to help identify the ports and protocols that a particular service uses.

The "Ports and protocols" section of this article includes a table that summarizes the information from the "System services ports" section. The table is sorted by port number instead of by the service name. Use this section to quickly determine which services listen on a particular port.

Important: This article contains several references to the default dynamic port range. In Windows Server 2008 and in Windows Vista, the default dynamic port range is changed to the following range:
Start port: 49152
End port: 65535
For more information about the changes in Windows Vista and Windows Server 2008, click the following article number to view the article in the Microsoft Knowledge Base: 929851 The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008

This article uses certain terms in specific ways. To help avoid confusion, make sure that you understand how this document uses these terms. The following list describes these terms:

System services: The Windows server system includes many products, such as the Microsoft Windows 2000 Server family, Microsoft Windows Server 2003 family, Microsoft Exchange 2000 Server, and Microsoft SQL Server 2000. Each of these products includes many components; system services are one of those components. System services that are required by a particular computer are either started automatically by the operating system during startup or are started as required during typical operations. For example, some system services that are available on computers that are running Windows Server 2003, Enterprise Edition, include the Server service, the Print Spooler service, and the World Wide Web Publishing Service. Each system service has a friendly service name and a service name. The friendly service name is the name that appears in graphical management tools such as the Services Microsoft Management Console (MMC) snap-in. The service name is the name that is used with command-line tools and with many scripting languages. Each system service may provide one or more network services.

Application protocol: In the context of this article, an application protocol is a high-level network protocol that uses one or more TCP/IP protocols and ports. Examples of application protocols include Hypertext Transfer Protocol (HTTP), server message blocks (SMBs), and Simple Mail Transfer Protocol (SMTP).

Protocol: Operating at a lower level than the application protocols, TCP/IP protocols are standard formats for communicating between devices on a network. The TCP/IP suite of protocols includes TCP, User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP).

Port: This is the network port that the system service listens on for incoming network traffic.

This article does not specify which services rely on other services for network communication. For example, many services rely on the remote procedure call (RPC) or DCOM features in Microsoft Windows to assign them dynamic TCP ports. The Remote Procedure Call service coordinates requests by other system services that use RPC or DCOM to communicate with client computers. Many other services rely on network basic input/output system (NetBIOS) or SMBs, protocols that are actually provided by the Server service. Others rely on HTTP or on Hypertext Transfer Protocol Secure (HTTPS). These protocols are provided by Internet Information Services (IIS).

A full discussion of the architecture of the Windows operating systems is beyond the scope of this article. However, detailed documentation on this subject is available on Microsoft TechNet and on the Microsoft Developer Network (MSDN).

While many services may rely on a particular TCP or UDP port, only a single service or process can be actively listening on that port at any one time. When you use RPC with TCP/IP or with UDP/IP as the transport, inbound ports are frequently dynamically assigned to system services as required; TCP/IP and UDP/IP ports that are higher than port 1024 are used. These are frequently informally referred to as "random RPC ports." In these cases, RPC clients rely on the RPC endpoint mapper to tell them which dynamic port(s) were assigned to the server. For some RPC-based services, you can configure a specific port instead of letting RPC assign one dynamically. You can also restrict the range of ports that RPC dynamically assigns to a small range, regardless of the service. For more information about this topic, see the "References" section of this article.

This article includes information about the system services roles and the server roles for the Microsoft products that are listed in the "Applies to" section at the end of this article. While this information may also apply to Microsoft Windows XP and to Microsoft Windows 2000 Professional, this article is intended to focus on server-class operating systems. Because of this, this article describes the ports that a service listens on instead of the ports that client programs use to connect to a remote system.
System services ports

This section provides a description of each system service, includes the logical name that corresponds to the system service, and displays the ports and the protocols that each service requires.
Active Directory

Application protocol                 Protocol   Ports
Global Catalog Server                TCP        3269
Global Catalog Server                TCP        3268
LDAP Server                          TCP        389
LDAP Server                          UDP        389
LDAP SSL                             TCP        636
LDAP SSL                             UDP        636
IPsec ISAKMP                         UDP        500
NAT-T                                UDP        4500
RPC                                  TCP        135
Randomly allocated high TCP ports    TCP        1024 - 65535 (note 1); 49152 - 65535 (note 2)

Note 1: For more information about how to customize this port, see the "Domain controllers and Active Directory" section in the "References" section.
Note 2: This is the range in Windows Server 2008 and in Windows Vista.
ASP.NET State Service
ASP.NET State Service provides support for ASP.NET out-of-process session states. ASP.NET State Service stores session data out-of-process. The service uses sockets to communicate with ASP.NET that is running on a Web server. System service name: aspnet_state
Certificate Services

Certificate Services is part of the core operating system. By using Certificate Services, a business can act as its own certification authority (CA). In this way, the business can issue and manage digital certificates for programs and protocols such as Secure/Multipurpose Internet Mail Extensions (S/MIME), Secure Sockets Layer (SSL), Encrypting File System (EFS), IPsec, and smart card logon. Certificate Services relies on RPC and on DCOM to communicate with clients by using random TCP ports that are higher than port 1024. System service name: CertSvc

Application protocol                 Protocol   Ports
RPC                                  TCP        135
Randomly allocated high TCP ports    TCP        random port number between 1024 - 65535 (note 1); random port number between 49152 - 65535 (note 2)

Note 1: For more information about how to customize this port, see the "Remote Procedure Calls and DCOM" section in the "References" section.
Note 2: This is the range in Windows Server 2008 and in Windows Vista.
Cluster Service
The Cluster service controls server cluster operations and manages the cluster database. A cluster is a collection of independent computers that act as a single computer. Managers, programmers, and users see the cluster as a single system. The software distributes data among the nodes of the cluster. If a node fails, other nodes provide the services and data that were formerly provided by the missing node. When a node is added or repaired, the cluster software migrates some data to that node. System service name: ClusSvc

Application protocol                 Protocol   Ports
Cluster Services                     UDP        3343
RPC                                  TCP        135
Cluster Administrator                UDP        137
Randomly allocated high UDP ports    UDP        random port number between 1024 - 65535 (note 1); random port number between 49152 - 65535 (note 2)

Note 1: For more information about how to customize this port, see the "Remote Procedure Calls and DCOM" section in the "References" section.
Note 2: This is the range in Windows Server 2008 and in Windows Vista.
Computer Browser
The Computer Browser system service maintains an up-to-date list of computers on your network and supplies the list to programs that request it. The Computer Browser service is used by Windows-based computers to view network domains and resources. Computers that are designated as browsers maintain browse lists that contain all shared resources that are used on the network. Earlier versions of Windows programs, such as My Network Places, the net view command, and Windows Explorer, all require browsing capability. For example, when you open My Network Places on a computer that is running Microsoft Windows 95, a list of domains and computers appears. To display this list, the computer obtains a copy of the browse list from a computer that is designated as a browser. System service name: Browser
Application protocol                 Protocol   Ports
NetBIOS Datagram Service             UDP        138
NetBIOS Name Resolution              UDP        137
NetBIOS Session Service              TCP        139

DHCP Server

The DHCP Server service uses the Dynamic Host Configuration Protocol (DHCP) to automatically allocate IP addresses. By using this service, you can adjust the advanced network settings of DHCP clients. For example, you can configure network settings such as Domain Name System (DNS) servers and Windows Internet Name Service (WINS) servers. You can establish one or more DHCP servers to maintain TCP/IP configuration information and to provide that information to client computers. System service name: DHCPServer

Application protocol                 Protocol   Ports
DHCP Server                          UDP        67
MADCAP                               UDP        2535
Application protocol                 Protocol   Ports
NetBIOS Datagram Service             UDP        138
NetBIOS Session Service              TCP        139
LDAP Server                          TCP        389
LDAP Server                          UDP        389
SMB                                  TCP        445
RPC                                  TCP        135
Randomly allocated high TCP ports    TCP        random port number between 1024 - 65535 (note 1); random port number between 49152 - 65535 (note 2)

Note 1: For more information about how to customize this port, see the "Remote Procedure Calls and DCOM" section in the "References" section.
Note 2: This is the range in Windows Server 2008 and in Windows Vista.
Distributed File Replication Service

Application protocol                 Protocol   Ports
RPC                                  TCP        135
Distributed File Replication Service TCP        5722 (note 3)
Randomly allocated high TCP ports    TCP        random port number between 1024 - 65535 (note 1); random port number between 49152 - 65535 (note 2)

Note 1: For more information about how to customize this port, see the "Distributed File Replication Service" section in the "References" section.
Note 2: This is the range in Windows Server 2008 and in Windows Vista.
Note 3: Port 5722 is only used on a Windows Server 2008 domain controller or a Windows Server 2008 R2 domain controller.
Application protocol                 Protocol   Ports
RPC                                  TCP        135
Randomly allocated high TCP ports    TCP        random port number between 1024 - 65535 (note 1); random port number between 49152 - 65535 (note 2)

Note 1: For more information about how to customize this port, see the "Remote Procedure Calls and DCOM" section in the "References" section.
Note 2: This is the range in Windows Server 2008 and in Windows Vista.
Distributed Transaction Coordinator

Application protocol                 Protocol   Ports
Randomly allocated high TCP ports    TCP        random port number between 1024 - 65535 (note 1); random port number between 49152 - 65535 (note 2)

Note 1: For more information about how to customize this port, see the "Distributed Transaction Coordinator" section in the "References" section.
Note 2: This is the range in Windows Server 2008 and in Windows Vista.
DNS Server

The DNS Server service enables DNS name resolution by answering queries and update requests for DNS names. DNS servers are required to locate devices and services that are identified by using DNS names and to locate domain controllers in Active Directory. System service name: DNS

Application protocol                 Protocol   Ports
DNS                                  UDP        53
DNS                                  TCP        53
Event Log

Note: The Event Log service uses RPC over named pipes. This service has the same firewall requirements as those of the "File and Printer Sharing" feature.
Exchange Server

For more information about how to configure static TCP/IP ports in Exchange Server, click the following article number to view the article in the Microsoft Knowledge Base: 270836 Exchange Server static port mappings

Outlook 2003 clients support direct connectivity to Exchange servers by using RPC. However, these clients can also communicate with Exchange 2003 servers that are hosted on Windows Server 2003-based computers on the Internet. The use of RPC over HTTP communication between Outlook and Exchange Server eliminates the need to expose unauthenticated RPC traffic across the Internet. Instead, traffic between the Outlook 2003 client and the Exchange Server 2003 computer is tunneled within HTTPS packets over TCP port 443 (HTTPS).

RPC over HTTPS requires that TCP port 443 (HTTPS) be available between the Outlook 2003 client and the server that is functioning as the "RPCProxy" device. The HTTPS packets are terminated at the RPCProxy server, and the unwrapped RPC packets are then passed to the Exchange server on three ports, in similar fashion to the direct RPC traffic described above. These RPC over HTTPS ports on the Exchange server are statically mapped to TCP 6001 (the Information Store), TCP 6002 (Directory Referral), and TCP 6004 (DSProxy/NSPI). No endpoint mapper needs to be exposed when RPC over HTTPS is used between Outlook 2003 and Exchange 2003, because Outlook 2003 knows to use these statically mapped endpoint ports. In addition, no global catalog needs to be exposed to the Outlook 2003 client, because the DSProxy/NSPI interface on the Exchange 2003 server provides this functionality.

Exchange Server can also provide support for other protocols, such as SMTP, Post Office Protocol 3 (POP3), and IMAP.

Application protocol                 Protocol   Ports
IMAP                                 TCP        143
IMAP over SSL                        TCP        993
POP3                                 TCP        110
POP3 over SSL                        TCP        995
Randomly allocated high TCP ports    TCP        random port number between 1024 - 65535 (note 1); random port number between 49152 - 65535 (note 2)
RPC                                  TCP        135
RPC over HTTPS                       TCP        443 or 80
SMTP                                 TCP        25
SMTP                                 UDP        25
Information Store                    TCP        6001
Directory Referral                   TCP        6002
DSProxy/NSPI                         TCP        6004

Note 1: For more information about how to customize this port, see the "Remote Procedure Calls and DCOM" section in the "References" section.
Note 2: This is the range in Windows Server 2008 and in Windows Vista.
ISA Server

Application protocol                          Protocol   Ports
Configuration Storage (replication)           TCP        2175 (note 1, 4)
Configuration Storage (workgroup)             TCP        3847 (note 1)
Firewall Client Application                   TCP/UDP    1025-65535 (note 2)
Firewall Control Channel                      TCP        not listed (note 3)
Firewall Web Management                       TCP        8080 (note 5)
RPC                                           TCP        135 (note 6)
Randomly allocated high TCP ports (note 6)    TCP        random port number between 1024 - 65535; random port number between 49152 - 65535 (note 7)

Note 1: Not used with ISA 2000.
Note 2: FWC application transport / protocols are negotiated within the FWC control channel.
Note 3: ISA 2000 FWC control defaults to UDP; ISA 2004 and 2006 default to TCP.
Note 4: Also used for intra-array traffic.
Note 5: Firewall Web Management is used by OEMs to provide non-MMC management of ISA Server.
Note 6: Used only by the ISA management MMC during remote server and service status monitoring.
Note 7: This is the range in Windows Server 2008 and in Windows Vista.
Fax Service

Fax Service, a Telephony API (TAPI)-compliant system service, provides fax capabilities. By using Fax Service, users can send and receive faxes from their desktop programs by using either a local fax device or a shared network fax device. System service name: Fax

Application protocol                 Protocol   Ports
NetBIOS Session Service              TCP        139
SMB                                  TCP        445
RPC                                  TCP        135
Randomly allocated high TCP ports    TCP        random port number between 1024 - 65535 (note 1); random port number between 49152 - 65535 (note 2)

Note 1: For more information about how to customize this port, see the "Remote Procedure Calls and DCOM" section in the "References" section.
Note 2: This is the range in Windows Server 2008 and in Windows Vista.
File Replication

The File Replication service (FRS) is a file-based replication engine that automatically copies updates to files and folders between computers that are participating in a common FRS replica set. FRS is the default replication engine that is used to replicate the contents of the SYSVOL folder between Windows 2000-based and Windows Server 2003-based domain controllers that are located in a common domain. FRS may be configured to replicate files and folders between targets of a DFS root or link by using the DFS Administration tool. System service name: NtFrs

Application protocol                 Protocol   Ports
RPC                                  TCP        135
Randomly allocated high TCP ports    TCP        random port number between 1024 - 65535 (note 1); random port number between 49152 - 65535 (note 2)

Note 1: For more information about how to customize this port, see the "File Replication Service" section in the "References" section.
Note 2: This is the range in Windows Server 2008 and in Windows Vista.
FTP Publishing Service

FTP Publishing Service provides FTP connectivity. By default, the FTP control port is 21. However, you can configure this system service through the Internet Information Services (IIS) Manager snap-in. The default data port (that is used for active mode FTP) is automatically set to one port less than the control port. Therefore, if you configure the control port to port 4131, the default data port is port 4130. Most FTP clients use passive mode FTP. This means that the client initially connects to the FTP server by using the control port, the FTP server assigns a high TCP port between ports 1025 and 5000, and then the client opens a second connection to the FTP server for transferring data. You can configure the range of high ports by using the IIS metabase. System service name: MSFTPSVC

Application protocol                 Protocol   Ports
FTP control                          TCP        21
FTP default data                     TCP        20
Randomly allocated high TCP ports    TCP        random port number between 1024 - 65535; random port number between 49152 - 65535 (Windows Server 2008 and Windows Vista)
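The two data-port rules described above (active mode: control port minus one; passive mode: a server-chosen high port that the firewall must permit as a range) are easy to get wrong when writing filter rules. The following Python script is an added example, not code from the Knowledge Base article or from IIS: it parses the server's 227 passive-mode reply, derives the data port the way RFC 959 defines it, and checks each announced port against the 1025-5000 range the article gives for the FTP Publishing Service. The sample replies are constructed for the demonstration.

```python
"""Passive and active FTP data ports as a firewall administrator must reason
about them when the FTP Publishing Service sits behind a packet filter.

Added example, not code from the Knowledge Base article. The 227 replies below
are constructed for the demonstration, not captured from a real server.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample replies: the first announces a port inside the 1025-5000
# range the article describes, the second announces one outside it.
SAMPLE_PASV_REPLIES: List[str] = [
    "227 Entering Passive Mode (192,0,2,10,10,24).",
    "227 Entering Passive Mode (192,0,2,10,39,16).",
]

# RFC 959 reply: "227 ... (h1,h2,h3,h4,p1,p2)" where the port is p1*256 + p2.
_PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def active_data_port(control_port: int) -> int:
    """Active-mode data port is one below the control port (21 -> 20, 4131 -> 4130)."""
    return control_port - 1


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Return (host, port) announced in a 227 reply; raise ValueError on anything else."""
    match = _PASV_RE.match(reply)
    if not match:
        raise ValueError(f"not a 227 passive-mode reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(g) for g in match.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"octet out of range in {reply!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def passive_port_allowed(port: int, low: int = 1025, high: int = 5000) -> bool:
    """True when the announced data port lies inside the range the filter permits."""
    return low <= port <= high


def check_replies(replies: List[str], low: int = 1025, high: int = 5000) -> Dict[int, bool]:
    """Map each announced data port to whether the permitted range covers it.

    A False entry means the client's second (data) connection would be dropped
    by a filter that only opens low..high, even though the control channel on
    port 21 worked.
    """
    verdicts: Dict[int, bool] = {}
    for reply in replies:
        _, port = parse_pasv(reply)
        verdicts[port] = passive_port_allowed(port, low, high)
    return verdicts


if __name__ == "__main__":
    print("active-mode data port for control port 4131:", active_data_port(4131))
    for port, ok in check_replies(SAMPLE_PASV_REPLIES).items():
        print(f"passive data port {port}: {'permitted' if ok else 'BLOCKED by 1025-5000 rule'}")
```

If you move the passive range in the IIS metabase, pass the new bounds as `low` and `high`; the check then tells you which announced ports the firewall rule still has to cover.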
Group Policy

To successfully apply Group Policy, a client must be able to contact a domain controller over the DCOM, ICMP, LDAP, SMB, and RPC protocols. If any one of these protocols is unavailable or blocked between the client and a relevant domain controller, policy will not apply or refresh. For a cross-domain logon, where a computer is in one domain and the user account is in another, these protocols may be required for the client, the resource domain, and the account domain to communicate. ICMP is used for slow link detection. For more information about slow link detection, click the following article number to view the article in the Microsoft Knowledge Base: 227260 How a slow link is detected for processing user profiles and Group Policy. System service name: Group Policy

Application protocol   Protocol    Ports
DCOM                   TCP + UDP   random port number between 1024 - 65535 (note 1); random port number between 49152 - 65535 (note 2)
ICMP                   ICMP        n/a
LDAP                   TCP         389
SMB                    TCP         445
RPC                    TCP         135, random port number between 1024 - 65535 (note 1)

Note 1: For more information about how to customize this port, see the "Domain controllers and Active Directory" section in the "References" section.
Note 2: This is the range in Windows Server 2008 and in Windows Vista.

Note: When the Group Policy Microsoft Management Console (MMC) snap-in creates Group Policy Results reports and Group Policy Modeling reports, it uses DCOM and RPC to send and to receive information from the Resultant Set of Policy (RSoP) provider on the client or on the domain controller. The various binary files that make up the Group Policy Microsoft Management Console (MMC) snap-in features primarily use COM calls to send or to receive information.
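The overview's point about RPC (the endpoint mapper on TCP 135 hands out ports from a dynamic range whose default depends on the server generation) and the Group Policy requirement list above can be turned into a reachability audit that a client in a segmented network runs against its domain controller. The following Python script is an added example, not code from the Knowledge Base article or from Microsoft: the port rows are copied from the article's Active Directory, Kerberos and Group Policy tables, the host name is a placeholder, and `tcp_probe` is this example's own TCP-connect check, accepted as a parameter so the classification can be exercised without a network. It goes slightly beyond the text by treating UDP rows, ICMP and the dynamic range as rules to confirm rather than ports to probe, since a TCP handshake cannot verify them.

```python
"""Audit which ports a client must reach on a domain controller, using the
port tables from this article.

Added example: this is not code from the Knowledge Base article or from
Microsoft. The host name is a placeholder and tcp_probe is this example's own
TCP-connect check, passed in as a parameter so the classification logic can
run without a network.
"""
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Default dynamic RPC range by server generation (see the article's overview):
# Windows 2000 / Server 2003 use 1024-65535, Vista / Server 2008 use 49152-65535.
DYNAMIC_RANGE = {"2003": (1024, 65535), "2008": (49152, 65535)}


@dataclass(frozen=True)
class Requirement:
    name: str
    proto: str                  # "tcp", "udp" or "icmp"
    port: Optional[int] = None  # None for ICMP and for the dynamic range
    dynamic: bool = False       # the "randomly allocated high TCP ports" row


# Rows from the article's Active Directory and Kerberos tables.
AD_REQUIREMENTS: List[Requirement] = [
    Requirement("Global Catalog Server", "tcp", 3269),
    Requirement("Global Catalog Server", "tcp", 3268),
    Requirement("LDAP Server", "tcp", 389),
    Requirement("LDAP Server", "udp", 389),
    Requirement("LDAP SSL", "tcp", 636),
    Requirement("Kerberos", "tcp", 88),
    Requirement("Kerberos", "udp", 88),
    Requirement("RPC", "tcp", 135),
    Requirement("Randomly allocated high TCP ports", "tcp", dynamic=True),
]

# Protocols the Group Policy section says a client needs: DCOM, ICMP, LDAP, SMB, RPC.
GROUP_POLICY_REQUIREMENTS: List[Requirement] = [
    Requirement("DCOM", "tcp", dynamic=True),
    Requirement("ICMP (slow link detection)", "icmp"),
    Requirement("LDAP", "tcp", 389),
    Requirement("SMB", "tcp", 445),
    Requirement("RPC endpoint mapper", "tcp", 135),
]

Probe = Callable[[str, int], bool]


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """True when a TCP handshake to host:port completes (a listener answered)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(host: str, requirements: List[Requirement], os_generation: str = "2008",
          probe: Probe = tcp_probe) -> List[Tuple[Requirement, str]]:
    """Classify each row as 'open', 'blocked' or 'rule-needed: ...'.

    The dynamic range, UDP ports and ICMP cannot be confirmed with a TCP
    handshake, so they are reported as rules the firewall administrator must
    verify rather than probed port by port.
    """
    lo, hi = DYNAMIC_RANGE[os_generation]
    results: List[Tuple[Requirement, str]] = []
    for req in requirements:
        if req.dynamic:
            status = f"rule-needed: tcp {lo}-{hi}"
        elif req.proto == "icmp":
            status = "rule-needed: icmp echo"
        elif req.proto == "udp":
            status = f"rule-needed: udp {req.port} (not probed)"
        elif probe(host, req.port):
            status = "open"
        else:
            status = "blocked"
        results.append((req, status))
    return results


def blocked_ports(results: List[Tuple[Requirement, str]]) -> List[int]:
    """TCP ports that refused the handshake; Group Policy will not apply if any is listed."""
    return sorted(req.port for req, status in results if status == "blocked")


def rules_to_confirm(results: List[Tuple[Requirement, str]]) -> List[str]:
    """Firewall rules the audit could not verify by probing."""
    return [status.split(": ", 1)[1] for _, status in results if status.startswith("rule-needed")]


if __name__ == "__main__":
    dc = "dc01.example.invalid"  # placeholder; replace with a real domain controller
    for req, status in audit(dc, GROUP_POLICY_REQUIREMENTS):
        print(f"{req.name:36} {req.proto:4} {req.port or '':>5}  {status}")
```

Run it from the segment whose clients fail to apply policy, with `os_generation` set to match the domain controller, and compare `blocked_ports` with the filter rules; a single blocked TCP port in the Group Policy list is enough to explain a refresh failure, while the `rules_to_confirm` entries need to be checked against the firewall configuration itself.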
HTTP SSL
The HTTP SSL system service enables IIS to perform SSL functions. SSL is an open standard for establishing an encrypted communications channel to help prevent the interception of critical information, such as credit card numbers. Although this service is designed to work on other Internet services, it is primarily used to enable encrypted electronic financial transactions on the World Wide Web (WWW). You can configure the ports for this service through the Internet Information Services (IIS) Manager snap-in. System service name: HTTPFilter
Internet Connection Firewall (ICF) / Internet Connection Sharing

services but will work with the full-featured Windows DHCP or DNS services. When ICF and Internet Connection Sharing act as a gateway for the rest of the computers on your network, they provide DHCP and DNS services to the private network on the internal network interface. They do not provide these services on the external-facing interface. System service name: SharedAccess

Application protocol                 Protocol   Ports
DHCP Server                          UDP        67
DNS                                  UDP        53
DNS                                  TCP        53
Application protocol                 Protocol   Ports
Kerberos                             TCP        88
Kerberos                             UDP        88
Kerberos Password V5                 TCP        464
Kerberos Password V5                 UDP        464
LDAP Server                          UDP        389
License Logging

The License Logging system service is a tool that was originally designed to help customers manage licenses for Microsoft server products that are licensed in the Server Client Access License (CAL) model. License Logging was introduced with Microsoft Windows NT Server 3.51. By default, the License Logging service is disabled in Windows Server 2003. Because of legacy design constraints and evolving license terms and conditions, License Logging may not provide an accurate view of the total number of CALs that are purchased compared to the total number of CALs that are used on a particular server or across the enterprise. The CALs that are reported by License Logging may conflict with the interpretation of the End-User License Agreement (EULA) and with Product Use Rights (PUR). License Logging will not be included in future versions of the Windows operating system. Microsoft recommends that only users of the Microsoft Small Business Server family of operating systems enable this service on their servers. System service name: LicenseService

Note: The License Logging service uses RPC over named pipes. This service has the same firewall requirements as those of the "File and Printer Sharing" feature.
Message Queuing
The Message Queuing system service is a messaging infrastructure and development tool for creating distributed messaging programs for Windows. These programs can communicate across heterogeneous networks and can send messages between computers that may be temporarily unable to connect to each other. Message Queuing helps provide security, efficient routing, support for sending messages within transactions, priority-based messaging, and guaranteed message delivery. System service name: MSMQ
Application protocol Protocol Ports MSMQ MSMQ MSMQ-DCs MSMQ-Mgmt MSMQ-Ping MSMQ-RPC MSMQ-RPC RPC
Messenger
The Messenger system service sends messages to or receives messages from users and computers, administrators, and the Alerter service. This service is not related to Windows Messenger. If you disable the Messenger service, notifications that are sent to computers or users who are currently logged on the network are not received. Additionally, the net send command and the net name command no longer function. System service name: Messenger
In Microsoft Exchange 2000 Server and Microsoft Exchange Server 2003, the Message Transfer Agent (MTA) is frequently used to provide backward-compatible message transfer services between Exchange 2000 Server-based servers and Exchange Server 5.5-based servers in a mixed-mode environment. System service name: MSExchangeMTA

Microsoft Operations Manager

Application protocol                 Protocol   Ports
MOM-Clear                            TCP        51515
MOM-Encrypted                        TCP        1270

Microsoft POP3 Service

Microsoft POP3 Service provides e-mail transfer and retrieval services. Administrators can use this service to store and manage e-mail accounts on the mail server. When you install Microsoft POP3 Service on the mail server, users can connect to the mail server and can retrieve e-mail by using an e-mail client that supports the POP3 protocol, such as Microsoft Outlook. System service name: POP3SVC

Application protocol                 Protocol   Ports
POP3                                 TCP        110
Application protocol                 Protocol   Ports
SQL Server                           TCP        1433
SQL Server                           UDP        1434
Net Logon

Application protocol                 Protocol   Ports
NetBIOS Name Resolution              UDP        137
NetBIOS Session Service              TCP        139
SMB                                  TCP        445
LDAP Server                          UDP        389
RPC                                  TCP        135, random port number between 1024 - 65535 (note 1); 135, random port number between 49152 - 65535 (note 2)

Note 1: For more information about how to customize this port, see the "Domain controllers and Active Directory" section in the "References" section.
Note 2: This is the range in Windows Server 2008 and in Windows Vista.

Note: The Net Logon service uses RPC over named pipes for down-level clients. This service has the same firewall requirements as those of the "File and Printer Sharing" feature.
Application protocol                 Protocol   Ports
NNTP                                 TCP        119
NNTP over SSL                        TCP        563
Print Spooler

The Print Spooler system service manages all local and network print queues and controls all print jobs. Print Spooler is the center of the Windows printing subsystem. It manages the print queues on the system and communicates with printer drivers and input/output (I/O) components, such as the USB port and the TCP/IP protocol suite. System service name: Spooler

Application protocol                 Protocol   Ports
NetBIOS Datagram Service             UDP        138
NetBIOS Name Resolution              UDP        137
NetBIOS Session Service              TCP        139
SMB                                  TCP        445

Note: The Spooler service uses RPC over named pipes. This service has the same firewall requirements as those of the "File and Printer Sharing" feature.
Remote Installation
You can use the Remote Installation system service to install Windows 2000, Windows XP, and Windows Server 2003 on Pre-Boot eXecution Environment (PXE) remote boot-enabled client computers. The Boot Information Negotiation Layer (BINL) service, the primary component of Remote Installation Server (RIS), answers PXE client requests, checks Active Directory for client validation, and passes client information to and from the server. The BINL service is installed when you either add the RIS component from Add/Remove Windows Components, or select it when you initially install the operating system. System service name: BINLSVC
Remote Procedure Call (RPC)

Application protocol                 Protocol   Ports
RPC                                  TCP        135
RPC over HTTPS                       TCP        593
NetBIOS Datagram Service             UDP        138
NetBIOS Name Resolution              UDP        137
NetBIOS Session Service              TCP        139
SMB                                  TCP        445

Note: The RPC Endpoint Mapper also offers its services by using named pipes. This service has the same firewall requirements as those of the "File and Printer Sharing" feature.
RPC Locator

Application protocol                 Protocol   Ports
NetBIOS Datagram Service             UDP        138
NetBIOS Name Resolution              UDP        137
NetBIOS Session Service              TCP        139
SMB                                  TCP        445

Note: The RPC Locator service offers its services by using RPC over named pipes. This service has the same firewall requirements as those of the "File and Printer Sharing" feature.
Application protocol                 Protocol   Ports
RPC                                  TCP        135
Randomly allocated high TCP ports    TCP        random port number between 1024 - 65535 (note 1); random port number between 49152 - 65535 (note 2)

Note 1: For more information about how to customize this port, see the "Remote Procedure Calls and DCOM" section in the "References" section.
Note 2: This is the range in Windows Server 2008 and in Windows Vista.
Security Authority. For additional information about this, see the "References" section of this article. System service name: RemoteAccess

Application protocol                 Protocol   Ports
GRE (IP protocol 47)                 GRE        n/a
IPsec AH (IP protocol 51)            AH         n/a
L2TP                                 UDP        1701
PPTP                                 TCP        1723

Server

The Server system service provides RPC support and file, print, and named pipe sharing over the network. The Server service allows the sharing of local resources, such as disks and printers, so that other users on the network can access them. It also allows named pipe communication between programs that are running on the local computer and on other computers. Named pipe communication is memory that is reserved for the output of one process to be used as input for another process. The input-accepting process does not have to be local to the computer. System service name: lanmanserver

Note: If a computer name resolves to multiple IP addresses using WINS, or if WINS failed and the name is resolved using DNS, NetBIOS over TCP/IP (NetBT) will try to ping the IP address or addresses of the file server. Port 139 communications depend on Internet Control Message Protocol (ICMP) echo messages. If Internet Protocol version 6 (IPv6) is not installed, port 445 communications will also depend on ICMP for name resolution. Preloaded Lmhosts entries will bypass the DNS resolver. If IPv6 is installed on Windows Server 2003-based or Windows XP-based systems, port 445 communications will not trigger any ICMP requests.
Application protocol                 Protocol   Ports
NetBIOS Datagram Service             UDP        138
NetBIOS Name Resolution              UDP        137
NetBIOS Session Service              TCP        139
SMB                                  TCP        445

SharePoint Portal Server

With the SharePoint Portal Server system service, you can develop an intelligent portal that seamlessly connects users, teams, and knowledge so that people can take advantage of relevant information across business processes. Microsoft SharePoint Portal Server 2003 provides an enterprise business solution that integrates information from various systems into one solution through single sign-on and enterprise application integration capabilities.

Application protocol                 Protocol   Ports
SMTP                                 TCP        25
Simple TCP/IP Services

Application protocol                 Protocol   Ports
Chargen                              TCP        19
Chargen                              UDP        19
Daytime                              TCP        13
Daytime                              UDP        13
Discard                              TCP        9
Discard                              UDP        9
Echo                                 TCP        7
Echo                                 UDP        7
Quotd                                TCP        17
Quotd                                UDP        17

SMS Remote Control Agent

SMS Remote Control Agent is a system service in Microsoft Systems Management Server (SMS) 2003. SMS Remote Control Agent provides a comprehensive solution for change and for configuration management for the Microsoft operating systems. With this solution, organizations can provide relevant software and updates to users. System service name: Wuser32

Application protocol                 Protocol   Ports
SMS Remote Chat                      TCP        2703
SMS Remote Chat                      UDP        2703
SMS Remote Control (control)         TCP        2701
SMS Remote Control (control)         UDP        2701
SMS Remote Control (data)            TCP        2702
SMS Remote Control (data)            UDP        2702
SMS Remote File Transfer             TCP        2704
SMS Remote File Transfer             UDP        2704
SNMP Service

SNMP Service allows incoming Simple Network Management Protocol (SNMP) requests to be serviced by the local computer. SNMP Service includes agents that monitor activity in network devices and report to the network console workstation. SNMP Service provides a method of managing network hosts (such as workstation or server computers, routers, bridges, and hubs) from a centrally-located computer that is running network management software. SNMP performs management services by using a distributed architecture of management systems and agents. System service name: SNMP

Application protocol                 Protocol   Ports
SNMP                                 UDP        161
SQL Analysis Server

The SQL Analysis Server system service is a component of SQL Server 2000. With SQL Analysis Server, you can create and manage OLAP cubes and data mining models. The analysis server may access local or remote data sources for creating and storing cubes or data mining models.

Application protocol                 Protocol   Ports
OLAP Services 7.0                    TCP        2393
OLAP Services 7.0                    TCP        2394

SSDP Discovery Service

SSDP Discovery Service implements Simple Service Discovery Protocol (SSDP) as a Windows service. SSDP Discovery Service manages receipt of device presence announcements, updates its cache, and passes these notifications along to clients with outstanding search requests. SSDP Discovery Service also accepts registration of event callbacks from clients, turns these into subscription requests, and monitors for event notifications. It then passes these requests along to the registered callbacks. This system service also provides hosted devices with periodic announcements. Currently, the SSDP event notification service uses TCP port 5000. Starting with the next Windows XP service pack, it will rely on TCP port 2869.

Note: At the time of this writing, the current Windows XP service pack level is Windows XP Service Pack 1 (SP1). System service name: SSDPRSR
Systems Management Server

Microsoft Systems Management Server (SMS) 2003 provides a comprehensive solution for change and configuration management for Microsoft operating systems. With this solution, organizations can provide relevant software and updates to users quickly and cost-effectively.

Application protocol                 | Protocol | Ports
NetBIOS Datagram Service             | UDP      | 138
NetBIOS Name Resolution              | UDP      | 137
NetBIOS Session Service              | TCP      | 139
RPC                                  | TCP      | 135
SMB                                  | TCP      | 445
Randomly allocated high TCP ports    | TCP      | random port number between 1024 and 65535 (1); random port number between 49152 and 65535 (2)

(1) For more information about how to customize this port, see the "Remote Procedure Calls and DCOM" section in the "References" section.
(2) This is the range in Windows Server 2008 and in Windows Vista.
TCP/IP Print Server

Application protocol | Protocol | Ports
LPD                  | TCP      | 515
Terminal Services

Terminal Services provides a multi-session environment that allows client devices to access a virtual Windows desktop session and Windows-based programs that are running on the server. Terminal Services allows multiple users to be connected interactively to a computer.

System service name: TermService

Application protocol | Protocol | Ports
Terminal Services    | TCP      | 3389

Terminal Services Licensing

Application protocol                 | Protocol | Ports
RPC                                  | TCP      | 135
Randomly allocated high TCP ports    | TCP      | random port number between 1024 and 65535 (1); random port number between 49152 and 65535 (2)
NetBIOS Datagram Service             | UDP      | 138
NetBIOS Name Resolution              | UDP      | 137
NetBIOS Session Service              | TCP      | 139
SMB                                  | TCP      | 445

(1) For more information about how to customize this port, see the "Remote Procedure Calls and DCOM" section in the "References" section.
(2) This is the range in Windows Server 2008 and in Windows Vista.

Note Terminal Services Licensing offers its services by using RPC over named pipes. This service has the same firewall requirements as those of the "File and Printer Sharing" feature.

Terminal Services Session Directory

Application protocol                 | Protocol | Ports
RPC                                  | TCP      | 135
Randomly allocated high TCP ports    | TCP      | random port number between 1024 and 65535 (1); random port number between 49152 and 65535 (2)

(1) For more information about how to customize this port, see the "Remote Procedure Calls and DCOM" section in the "References" section.
(2) This is the range in Windows Server 2008 and in Windows Vista.
Windows Media Services

Windows Media Services in Windows Server 2003 replaces the following four services that are included in Windows Media Services versions 4.0 and 4.1:

Windows Media Monitor Service
Windows Media Program Service
Windows Media Station Service
Windows Media Unicast Service

Windows Media Services is now a single service that runs on Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition. Its core components were developed by using COM, and it has a flexible architecture that you can customize for specific programs. It supports a greater variety of control protocols, including Real Time Streaming Protocol (RTSP), Microsoft Media Server (MMS) protocol, and HTTP.

System service name: WMServer

Application protocol | Protocol | Ports
HTTP                 | TCP      | 80
MMS                  | TCP      | 1755
MMS                  | UDP      | 1755
MS Theater           | TCP      | 2460
RTCP                 | UDP      | 5005
RTP                  | UDP      | 5004
RTSP                 | TCP      | 554
Windows Time

The Windows Time system service maintains date and time synchronization on all Windows XP and Windows Server 2003-based computers on a network. This service uses Network Time Protocol (NTP) to synchronize computer clocks so that an accurate clock value, or timestamp, is assigned for network validation and for resource access requests. The implementation of NTP and the integration of time providers help make Windows Time a reliable and scalable time service for your enterprise. For computers that are not joined to a domain, you can configure Windows Time to synchronize time with an external time source. If this service is turned off, the time setting for local computers is not synchronized with a time service in the Windows domain or with an externally configured time service.

Windows Server 2003 uses NTP. NTP runs on UDP port 123. The Windows 2000 version of this service uses Simple Network Time Protocol (SNTP). SNTP also runs on UDP port 123. When the Windows Time service uses a Windows domain configuration, the service requires domain controller location and authentication services. Therefore, the ports for Kerberos and DNS are also required.

System service name: W32Time

Application protocol | Protocol | Ports
NTP                  | UDP      | 123
SNTP                 | UDP      | 123
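The following is an added example, not part of the Microsoft article and not Microsoft's W32Time code. It shows what actually crosses UDP port 123: the 48-byte SNTP/NTP packet layout (RFC 4330), how a client derives its clock offset from the four timestamps, and the reply fields a client should check before adjusting its clock. The server reply is constructed in the file, so nothing is sent on the network; all function names are this example's own.

```python
"""SNTP/NTP exchange on UDP port 123, built and decoded offline.

Added example, not part of the Microsoft article. The server reply is
constructed here; no network traffic is generated.
"""
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
MODE_CLIENT, MODE_SERVER = 3, 4


def _ntp_ts(unix_seconds):
    """Unix time -> (seconds, fraction) in NTP 64-bit timestamp format."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * 2**32)
    return whole + NTP_EPOCH_OFFSET, frac


def _unix(seconds, fraction):
    """NTP (seconds, fraction) -> Unix time as a float."""
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32


def build_client_request(transmit_unix):
    """Minimal SNTP client request: LI=0, VN=4, Mode=3, only the Transmit Timestamp set."""
    pkt = bytearray(48)
    pkt[0] = (0 << 6) | (4 << 3) | MODE_CLIENT
    struct.pack_into("!II", pkt, 40, *_ntp_ts(transmit_unix))
    return bytes(pkt)


def build_server_reply(request, receive_unix, transmit_unix, stratum=2):
    """Constructed server reply (Mode 4): Originate echoes the client's Transmit Timestamp."""
    pkt = bytearray(48)
    pkt[0] = (0 << 6) | (4 << 3) | MODE_SERVER
    pkt[1] = stratum
    pkt[24:32] = request[40:48]                                # Originate Timestamp (T1)
    struct.pack_into("!II", pkt, 32, *_ntp_ts(receive_unix))   # Receive Timestamp (T2)
    struct.pack_into("!II", pkt, 40, *_ntp_ts(transmit_unix))  # Transmit Timestamp (T3)
    return bytes(pkt)


def parse_packet(data):
    """Decode the header byte, stratum and the four timestamps of a 48-byte NTP packet."""
    if len(data) < 48:
        raise ValueError("NTP packet must be at least 48 bytes")
    ts = struct.unpack("!8I", data[16:48])
    return {
        "leap": data[0] >> 6,
        "version": (data[0] >> 3) & 0x7,
        "mode": data[0] & 0x7,
        "stratum": data[1],
        "reference": _unix(ts[0], ts[1]),
        "originate": _unix(ts[2], ts[3]),
        "receive": _unix(ts[4], ts[5]),
        "transmit": _unix(ts[6], ts[7]),
    }


def reply_is_usable(reply, sent_unix):
    """Reject replies a client must not act on: wrong mode, stratum 0 (unsynchronized or
    kiss-o'-death), leap indicator 3 (clock not synchronized), or an Originate Timestamp
    that does not match the request we sent (stale datagram or off-path spoof)."""
    return (reply["mode"] == MODE_SERVER
            and 1 <= reply["stratum"] <= 15
            and reply["leap"] != 3
            and abs(reply["originate"] - sent_unix) < 1e-6)


def clock_offset(t1, reply, t4):
    """RFC 4330 offset of the server clock relative to ours: ((T2 - T1) + (T3 - T4)) / 2."""
    return ((reply["receive"] - t1) + (reply["transmit"] - t4)) / 2


if __name__ == "__main__":
    t1 = 1_700_000_000.0                      # our clock when the request leaves
    req = build_client_request(t1)
    # Constructed: server clock runs 10 s ahead; it receives and replies at T1 + 10.1.
    rep = parse_packet(build_server_reply(req, t1 + 10.1, t1 + 10.1))
    t4 = t1 + 0.2                             # our clock when the reply arrives (200 ms round trip)
    print("usable:", reply_is_usable(rep, t1), "offset:", round(clock_offset(t1, rep, t4), 3))
```

The originate-timestamp check is the one that matters on a segmented network: because NTP is plain UDP with no authentication in this mode, a host that only opens UDP 123 to its time source still has to discard replies whose T1 does not match a request it sent.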
World Wide Web Publishing Service

Application protocol | Protocol | Ports
HTTP                 | TCP      | 80
HTTPS                | TCP      | 443
Port        | Protocol | Application protocol            | System service name
n/a         | GRE      | GRE (IP protocol 47)            | Routing and Remote Access
n/a         | ESP      | IPsec ESP (IP protocol 50)      | Routing and Remote Access
n/a         | AH       | IPsec AH (IP protocol 51)       | Routing and Remote Access
7           | TCP      | Echo                            | Simple TCP/IP Services
7           | UDP      | Echo                            | Simple TCP/IP Services
9           | TCP      | Discard                         | Simple TCP/IP Services
9           | UDP      | Discard                         | Simple TCP/IP Services
13          | TCP      | Daytime                         | Simple TCP/IP Services
13          | UDP      | Daytime                         | Simple TCP/IP Services
17          | TCP      | Quotd                           | Simple TCP/IP Services
17          | UDP      | Quotd                           | Simple TCP/IP Services
19          | TCP      | Chargen                         | Simple TCP/IP Services
19          | UDP      | Chargen                         | Simple TCP/IP Services
20          | TCP      | FTP default data                | FTP Publishing Service
21          | TCP      | FTP control                     | FTP Publishing Service
21          | TCP      | FTP control                     | Application Layer Gateway Service
23          | TCP      | Telnet                          | Telnet
25          | TCP      | SMTP                            | Simple Mail Transfer Protocol
25          | TCP      | SMTP                            | Exchange Server
42          | TCP      | WINS Replication                | Windows Internet Name Service
42          | UDP      | WINS Replication                | Windows Internet Name Service
53          | TCP      | DNS                             | DNS Server
53          | UDP      | DNS                             | DNS Server
53          | TCP      | DNS                             | Internet Connection Firewall/Internet Connection Sharing
53          | UDP      | DNS                             | Internet Connection Firewall/Internet Connection Sharing
67          | UDP      | DHCP Server                     | DHCP Server
67          | UDP      | DHCP Server                     | Internet Connection Firewall/Internet Connection Sharing
69          | UDP      | TFTP                            | Trivial FTP Daemon Service
80          | TCP      | HTTP                            | Windows Media Services
80          | TCP      | HTTP                            | World Wide Web Publishing Service
80          | TCP      | HTTP                            | SharePoint Portal Server
88          | TCP      | Kerberos                        | Kerberos Key Distribution Center
88          | UDP      | Kerberos                        | Kerberos Key Distribution Center
102         | TCP      | X.400                           | Microsoft Exchange MTA Stacks
110         | TCP      | POP3                            | Microsoft POP3 Service
110         | TCP      | POP3                            | Exchange Server
119         | TCP      | NNTP                            | Network News Transfer Protocol
123         | UDP      | NTP                             | Windows Time
123         | UDP      | SNTP                            | Windows Time
135         | TCP      | RPC                             | Message Queuing
135         | TCP      | RPC                             | Remote Procedure Call
135         | TCP      | RPC                             | Exchange Server
135         | TCP      | RPC                             | Certificate Services
135         | TCP      | RPC                             | Cluster Service
135         | TCP      | RPC                             | Distributed File System
135         | TCP      | RPC                             | Distributed Link Tracking
135         | TCP      | RPC                             | Distributed Transaction Coordinator
135         | TCP      | RPC                             | Distributed File Replication Service
135         | TCP      | RPC                             | Fax Service
135         | TCP      | RPC                             | Microsoft Exchange Server
135         | TCP      | RPC                             | File Replication Service
135         | TCP      | RPC                             | Group Policy
135         | TCP      | RPC                             | Local Security Authority
135         | TCP      | RPC                             | Remote Storage Notification
135         | TCP      | RPC                             | Remote Storage Server
135         | TCP      | RPC                             | Systems Management Server 2.0
135         | TCP      | RPC                             | Terminal Services Licensing
135         | TCP      | RPC                             | Terminal Services Session Directory
137         | UDP      | NetBIOS Name Resolution         | Computer Browser
137         | UDP      | NetBIOS Name Resolution         | Server
137         | UDP      | NetBIOS Name Resolution         | Windows Internet Name Service
137         | UDP      | NetBIOS Name Resolution         | Net Logon
137         | UDP      | NetBIOS Name Resolution         | Systems Management Server 2.0
138         | UDP      | NetBIOS Datagram Service        | Computer Browser
138         | UDP      | NetBIOS Datagram Service        | Messenger
138         | UDP      | NetBIOS Datagram Service        | Server
138         | UDP      | NetBIOS Datagram Service        | Net Logon
138         | UDP      | NetBIOS Datagram Service        | Distributed File System
138         | UDP      | NetBIOS Datagram Service        | Systems Management Server 2.0
138         | UDP      | NetBIOS Datagram Service        | License Logging Service
139         | TCP      | NetBIOS Session Service         | Computer Browser
139         | TCP      | NetBIOS Session Service         | Fax Service
139         | TCP      | NetBIOS Session Service         | Performance Logs and Alerts
139         | TCP      | NetBIOS Session Service         | Print Spooler
139         | TCP      | NetBIOS Session Service         | Server
139         | TCP      | NetBIOS Session Service         | Net Logon
139         | TCP      | NetBIOS Session Service         | Remote Procedure Call Locator
139         | TCP      | NetBIOS Session Service         | Distributed File System
139         | TCP      | NetBIOS Session Service         | Systems Management Server 2.0
139         | TCP      | NetBIOS Session Service         | License Logging Service
143         | TCP      | IMAP                            | Exchange Server
161         | UDP      | SNMP                            | SNMP Service
162         | UDP      | SNMP Traps Outgoing             | SNMP Trap Service
389         | TCP      | LDAP Server                     | Local Security Authority
389         | UDP      | DC Locator                      | Local Security Authority
389         | TCP      | LDAP Server                     | Distributed File System
389         | UDP      | DC Locator                      | Distributed File System
389         | UDP      | DC Locator                      | Net Logon
389         | UDP      | DC Locator                      | Kerberos Key Distribution Center
443         | TCP      | HTTPS                           | HTTP SSL
443         | TCP      | HTTPS                           | World Wide Web Publishing Service
443         | TCP      | HTTPS                           | SharePoint Portal Server
443         | TCP      | RPC over HTTPS                  | Exchange Server 2003
445         | TCP      | SMB                             | Fax Service
445         | TCP      | SMB                             | Print Spooler
445         | TCP      | SMB                             | Server
445         | TCP      | SMB                             | Remote Procedure Call Locator
445         | TCP      | SMB                             | Distributed File System
445         | TCP      | SMB                             | License Logging Service
445         | TCP      | SMB                             | Net Logon
464         | UDP      | Kerberos Password V5            | Kerberos Key Distribution Center
464         | TCP      | Kerberos Password V5            | Kerberos Key Distribution Center
500         | UDP      | IPsec ISAKMP                    | Local Security Authority
515         | TCP      | LPD                             | TCP/IP Print Server
548         | TCP      | File Server for Macintosh       | File Server for Macintosh
554         | TCP      | RTSP                            | Windows Media Services
563         | TCP      | NNTP over SSL                   | Network News Transfer Protocol
593         | TCP      | RPC over HTTPS endpoint mapper  | Remote Procedure Call
593         | TCP      | RPC over HTTPS                  | Exchange Server
636         | TCP      | LDAP SSL                        | Local Security Authority
636         | UDP      | LDAP SSL                        | Local Security Authority
993         | TCP      | IMAP over SSL                   | Exchange Server
995         | TCP      | POP3 over SSL                   | Exchange Server
1067        | TCP      | Installation Bootstrap Service  | Installation Bootstrap protocol server
1068        | TCP      | Installation Bootstrap Service  | Installation Bootstrap protocol client
1270        | TCP      | MOM-Encrypted                   | Microsoft Operations Manager 2000
1433        | TCP      | SQL over TCP                    | Microsoft SQL Server
1433        | TCP      | SQL over TCP                    | MSSQL$UDDI
1434        | UDP      | SQL Probe                       | Microsoft SQL Server
1434        | UDP      | SQL Probe                       | MSSQL$UDDI
1645        | UDP      | Legacy RADIUS                   | Internet Authentication Service
1646        | UDP      | Legacy RADIUS                   | Internet Authentication Service
1701        | UDP      | L2TP                            | Routing and Remote Access
1723        | TCP      | PPTP                            | Routing and Remote Access
1755        | TCP      | MMS                             | Windows Media Services
1755        | UDP      | MMS                             | Windows Media Services
1801        | TCP      | MSMQ                            | Message Queuing
1801        | UDP      | MSMQ                            | Message Queuing
1812        | UDP      | RADIUS Authentication           | Internet Authentication Service
1813        | UDP      | RADIUS Accounting               | Internet Authentication Service
1900        | UDP      | SSDP                            | SSDP Discovery Service
2101        | TCP      | MSMQ-DCs                        | Message Queuing
2103        | TCP      | MSMQ-RPC                        | Message Queuing
2105        | TCP      | MSMQ-RPC                        | Message Queuing
2107        | TCP      | MSMQ-Mgmt                       | Message Queuing
2393        | TCP      | OLAP Services 7.0               | SQL Server: Downlevel OLAP Client Support
2394        | TCP      | OLAP Services 7.0               | SQL Server: Downlevel OLAP Client Support
2460        | TCP      | MS Theater                      | Windows Media Services
2535        | UDP      | MADCAP                          | DHCP Server
2701        | TCP      | SMS Remote Control (control)    | SMS Remote Control Agent
2701        | UDP      | SMS Remote Control (control)    | SMS Remote Control Agent
2702        | TCP      | SMS Remote Control (data)       | SMS Remote Control Agent
2702        | UDP      | SMS Remote Control (data)       | SMS Remote Control Agent
2703        | TCP      | SMS Remote Chat                 | SMS Remote Control Agent
2703        | UDP      | SMS Remote Chat                 | SMS Remote Control Agent
2704        | TCP      | SMS Remote File Transfer        | SMS Remote Control Agent
2704        | UDP      | SMS Remote File Transfer        | SMS Remote Control Agent
2725        | TCP      | SQL Analysis Services           | SQL Analysis Server
2869        | TCP      | UPNP                            | Universal Plug and Play Device Host
2869        | TCP      | SSDP event notification         | SSDP Discovery Service
3268        | TCP      | Global Catalog Server           | Local Security Authority
3269        | TCP      | Global Catalog Server           | Local Security Authority
3343        | UDP      | Cluster Services                | Cluster Service
3389        | TCP      | Terminal Services               | NetMeeting Remote Desktop Sharing
3389        | TCP      | Terminal Services               | Terminal Services
3527        | UDP      | MSMQ-Ping                       | Message Queuing
4011        | UDP      | BINL                            | Remote Installation
4500        | UDP      | NAT-T                           | Local Security Authority
5000        | TCP      | SSDP legacy event notification  | SSDP Discovery Service
5004        | UDP      | RTP                             | Windows Media Services
5005        | UDP      | RTCP                            | Windows Media Services
5722        | TCP      | RPC                             | Distributed File System Replication
6001        | TCP      | Information Store               | Exchange Server 2003
6002        | TCP      | Directory Referral              | Exchange Server 2003
6004        | TCP      | DSProxy/NSPI                    | Exchange Server 2003
42424       | TCP      | ASP.Net Session State           | ASP.NET State Service
51515       | TCP      | MOM-Clear                       | Microsoft Operations Manager 2000
1024-65535  | TCP      | RPC                             | Randomly allocated high TCP ports

Note Port 5722 is used only on Windows Server 2008 and Windows Server 2008 R2 domain controllers.
Microsoft provides part of the information that is in this table in a Microsoft Excel worksheet. This worksheet is available for download from the Microsoft Download Center.
Services on which Active Directory depends

Active Directory / LSA
Computer Browser
Distributed File System
File Replication Service
Kerberos Key Distribution Center
Net Logon
Remote Procedure Call (RPC)
Server
Simple Mail Transfer Protocol (SMTP) (if so configured)
WINS (in Windows Server 2003 SP1 and later versions, for backup Active Directory replication operations if DNS is not working)
Windows Time
World Wide Web Publishing Service

Services that require Active Directory services

Certificate Services (required for specific configurations)
DHCP Server (if so configured)
Distributed File System
Distributed Link Tracking Server (optional but on by default on Windows 2000 computers)
Distributed Transaction Coordinator
DNS Server (if so configured)
Fax Service (if so configured)
File Replication Service
File Server for Macintosh (if so configured)
Internet Authentication Service (if so configured)
License Logging (on by default)
Net Logon
Print Spooler
Remote Installation (if so configured)
Remote Procedure Call (RPC) Locator
Remote Storage Notification
Remote Storage Server
Routing and Remote Access
Server
Simple Mail Transfer Protocol (SMTP) (if so configured)
Terminal Services
Terminal Services Licensing
Terminal Services Session Directory
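The port table and the dependency list above are meant to be combined: the services a server runs determine the inbound ports a segmented network must allow, and anything else listening on that server is unexplained. The following is an added example, not part of the Microsoft article and not a Microsoft tool, that does that arithmetic. ROWS is a hand-copied subset of the port table on this page; DOMAIN_CONTROLLER follows the "Services on which Active Directory depends" list; the two dynamic RPC ranges are the ones the per-service tables give for pre- and post-Vista/2008 systems. The function names and the LISTENERS sample are this example's own.

```python
"""Derive a host's expected inbound ports from its services, and flag listeners the role
does not explain. Added example, not part of the Microsoft article. ROWS is a subset of
the page's port table, copied by hand; everything else is constructed for the example."""
from collections import defaultdict

# (port, protocol, application protocol, system service name) -- subset of the page's table
ROWS = [
    (53, "TCP", "DNS", "DNS Server"),
    (53, "UDP", "DNS", "DNS Server"),
    (88, "TCP", "Kerberos", "Kerberos Key Distribution Center"),
    (88, "UDP", "Kerberos", "Kerberos Key Distribution Center"),
    (123, "UDP", "NTP", "Windows Time"),
    (135, "TCP", "RPC", "Remote Procedure Call"),
    (135, "TCP", "RPC", "Local Security Authority"),
    (137, "UDP", "NetBIOS Name Resolution", "Net Logon"),
    (138, "UDP", "NetBIOS Datagram Service", "Net Logon"),
    (139, "TCP", "NetBIOS Session Service", "Net Logon"),
    (389, "TCP", "LDAP Server", "Local Security Authority"),
    (389, "UDP", "DC Locator", "Local Security Authority"),
    (445, "TCP", "SMB", "Net Logon"),
    (464, "TCP", "Kerberos Password V5", "Kerberos Key Distribution Center"),
    (464, "UDP", "Kerberos Password V5", "Kerberos Key Distribution Center"),
    (636, "TCP", "LDAP SSL", "Local Security Authority"),
    (3268, "TCP", "Global Catalog Server", "Local Security Authority"),
    (3269, "TCP", "Global Catalog Server", "Local Security Authority"),
    ("dynamic", "TCP", "RPC", "Randomly allocated high TCP ports"),
    (3389, "TCP", "Terminal Services", "Terminal Services"),
    (1433, "TCP", "SQL over TCP", "Microsoft SQL Server"),
]

# The page gives two dynamic RPC ranges: 1024-65535 before Vista/2008, 49152-65535 from Vista/2008 on.
RPC_DYNAMIC = {"legacy": (1024, 65535), "modern": (49152, 65535)}

# A role is a set of system services. This one follows the page's "Services on which
# Active Directory depends" list (the entries that appear in ROWS).
DOMAIN_CONTROLLER = {
    "Local Security Authority", "Kerberos Key Distribution Center", "Net Logon",
    "Remote Procedure Call", "DNS Server", "Windows Time",
    "Randomly allocated high TCP ports",
}


def allow_list(services, os_family="modern"):
    """Return {protocol: sorted list of (low, high) port ranges} the role must accept inbound."""
    ranges = defaultdict(set)
    for port, proto, _app, service in ROWS:
        if service not in services:
            continue
        if port == "dynamic":
            ranges[proto].add(RPC_DYNAMIC[os_family])
        else:
            ranges[proto].add((port, port))
    return {proto: sorted(r) for proto, r in ranges.items()}


def explained_by(services, proto, port, os_family="modern"):
    """True if a (protocol, port) listener is accounted for by one of the role's services."""
    return any(lo <= port <= hi for lo, hi in allow_list(services, os_family).get(proto, []))


def unexpected_listeners(services, listeners, os_family="modern"):
    """Listeners the role does not explain; these are the ones to investigate or firewall off."""
    return [(proto, port) for proto, port in listeners
            if not explained_by(services, proto, port, os_family)]


# Constructed sample of a listener inventory (what netstat might show on a domain controller).
LISTENERS = [("TCP", 88), ("TCP", 389), ("TCP", 49671), ("TCP", 3389), ("TCP", 1433), ("UDP", 123)]

if __name__ == "__main__":
    for proto, ranges in allow_list(DOMAIN_CONTROLLER).items():
        print(proto, ", ".join(str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in ranges))
    print("unexpected:", unexpected_listeners(DOMAIN_CONTROLLER, LISTENERS))
```

Two things fall out of running it on the sample. First, TCP 49671 is explained only because the role includes the dynamic RPC range; on a pre-Vista system the same reasoning would have to accept 1024-65535, which is why the "Remote Procedure Calls and DCOM" reference on restricting that range matters for any firewall design. Second, TCP 3389 and 1433 are flagged: they are legitimate services elsewhere in the table but not part of what a domain controller needs, so they should be justified explicitly rather than allowed because "the table lists them".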
The Help files for each of the Microsoft products that are described in this article contain additional information that you may find useful to help configure your programs. Windows Server 2003 Help contains step-by-step instructions about how to configure specific technologies and server roles.
For more information about a related topic, click the following article number to view the article in the Microsoft Knowledge Base: 179442 How to configure a firewall for domains and trusts
General information
For more information about how to help secure Windows Server and for sample IPsec filters for specific server roles, see the appropriate "Security Guide." To view or download these guides, visit the following Microsoft Web site: http://technet.microsoft.com/en-us/library/cc163140.aspx

For more information about operating system services, security settings, and IPsec filtering, see the "Threats and Countermeasures Guide."
To see this guide for Windows Server 2008 or for Windows Vista, visit the following Microsoft Web site: http://technet.microsoft.com/en-us/library/dd349791.aspx
To see this guide for Windows Server 2003 or for Windows XP, visit the following Microsoft Web site: http://technet.microsoft.com/en-us/library/dd162275.aspx

For more information about port assignments for well-known ports, click the following article number to view the article in the Microsoft Knowledge Base: 174904 Information about TCP/IP port assignments

Additionally, see "Appendix B - Port Reference for MS TCP/IP" in the Microsoft Windows NT 4.0 Resource Kit: http://www.microsoft.com/resources/documentation/windowsnt/4/server/reskit/en-us/net/port_nts.mspx
Additionally, see "TCP and UDP Port Assignments" in the Windows 2000 Server Resource Kit: http://technet.microsoft.com/en-us/library/cc977599.aspx
Additionally, see the "Port Assignments and Protocol Numbers" document from the Windows 2000 Resource Kits: http://technet.microsoft.com/en-us/library/cc959834.aspx

The Internet Assigned Numbers Authority coordinates the use of well-known ports. To view this organization's list of TCP/IP port assignments, visit the following Web site: http://www.iana.org/assignments/port-numbers
Exchange Server
For more information about how to restrict Exchange 2000 Server and Exchange Server 2003 MAPI traffic, click the following article number to view the article in the Microsoft Knowledge Base: 270836 Exchange 2000 and Exchange 2003 static port mappings

For more information about the network ports and protocols that are supported by Exchange 2000 Server, click the following article number to view the article in the Microsoft Knowledge Base: 278339 TCP/UDP ports used by Exchange 2000 Server

For more information about the ports that are used by Exchange Server 5.5 and earlier versions of Exchange Server, click the following article number to view the article in the Microsoft Knowledge Base: 176466 TCP Ports and Microsoft Exchange: In-depth discussion

There may be additional items to consider for your particular environment. You can receive more information and help with planning an Exchange implementation from the following Microsoft Web sites:
For Exchange Server 2007: http://technet.microsoft.com/en-us/library/bb124558.aspx
For Exchange Server 2003: http://technet.microsoft.com/en-us/library/bb123872.aspx

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
280132 Exchange 2000 Windows 2000 connectivity through firewalls
282446 DSProxy configuration for static ports on Exchange cluster
827330 How to troubleshoot client RPC over HTTP connection issues in Office Outlook 2003
831051 How to use the RPC ping utility to troubleshoot connectivity issues with the Exchange over the Internet feature in Outlook 2007 and in Outlook 2003
833401 How to configure RPC over HTTP in Exchange Server 2003

Additionally, visit the following Microsoft TechNet Web site: http://technet.microsoft.com/en-us/library/cc179036.aspx

In this example, nnnnn represents a single, static RPC port that DFSR will use for replication. Branch01.sales.contoso.com represents the DNS or NetBIOS name of the target member computer. If no member is specified, Dfsrdiag.exe uses the local computer.
Message Queuing
For more information about the ports that are used by Microsoft Message Queuing, click the following article number to view the article in the Microsoft Knowledge Base: 178517 TCP ports, UDP ports, and RPC ports that are used by Message Queuing
SQL Server
For more information about how SQL Server 2000 dynamically determines ports for secondary instances, click the following article number to view the article in the Microsoft Knowledge Base: 286303 Behavior of SQL Server 2000 Network Library during dynamic port detection

For more information about the ports that are used by SQL Server 7.0 and SQL Server 2000 for OLAP, click the following article number to view the article in the Microsoft Knowledge Base: 301901 TCP ports used by OLAP services when connecting through a firewall
Terminal Services
For more information about how to configure the port that is used by Terminal Services, click the following article number to view the article in the Microsoft Knowledge Base: 187623 How to change Terminal Server's listening port