Configuring the Windows Firewall for SharePoint Farm Traffic (Multi-Tier)

Applies to: SharePoint Server 2013, SharePoint Foundation 2013

This document outlines the firewall ports that must be opened on each server, depending on the services it runs (Windows, SharePoint, Database Server), for a multi-tiered SharePoint Server farm.

This is only one scenario: the exact set depends on your SharePoint farm and network configuration, and on whether the farm sits behind gateways, firewalls, etc.

SharePoint Network Diagram – An example

SharePoint Farm Firewall Ports

Web Front End Server
When a range is specified, all ports in the range must be opened.

| Ports | Protocol | Bound | Usage |
|---|---|---|---|
| 22233-22236 | TCP | Out | Ports required for the AppFabric Caching Service |
| 80 | TCP | In | HTTP |
| 443 | TCP | In | HTTPS/SSL |
| 25 | TCP | In | SMTP for e-mail integration |
| 16500-16519 | TCP | In | Ports used by the search index component |
| 1433 | TCP | Out | SQL Server default communication port (if no alias or custom port) |
| 1434 | UDP | Out | SQL Server default port used to establish connection (if no alias or custom port) |
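Turning the Web Front End table into scoped Windows Firewall rules, as an added example that is not part of the original post. It uses the NetSecurity cmdlets (Windows Server 2012 and later); the farm subnet, the SQL Server address and the rule group name are assumptions.

```powershell
# Added example (not from the original post): create the Web Front End rules from the
# table above with New-NetFirewallRule, scoped so farm-internal ports are not exposed
# to every host. Assumptions: farm subnet 10.10.0.0/24, SQL Server at 10.10.0.50.
$FarmSubnet = '10.10.0.0/24'                    # assumption: other farm servers live here
$SqlServer  = '10.10.0.50'                      # assumption: database server address
$Group      = 'SharePoint 2013 - Web Front End' # rule group, used to find the rules later

# One entry per table row (Ports / Protocol / Bound / Usage) plus the remote scope.
# Only the client-facing ports (HTTP, HTTPS, SMTP) are left open to any remote host.
$Rules = @(
    @{ Port='22233-22236'; Proto='TCP'; Dir='Outbound'; Usage='AppFabric Caching Service';   Remote=$FarmSubnet },
    @{ Port='80';          Proto='TCP'; Dir='Inbound';  Usage='HTTP';                        Remote='Any' },
    @{ Port='443';         Proto='TCP'; Dir='Inbound';  Usage='HTTPS/SSL';                   Remote='Any' },
    @{ Port='25';          Proto='TCP'; Dir='Inbound';  Usage='SMTP for e-mail integration'; Remote='Any' },
    @{ Port='16500-16519'; Proto='TCP'; Dir='Inbound';  Usage='Search index component';      Remote=$FarmSubnet },
    @{ Port='1433';        Proto='TCP'; Dir='Outbound'; Usage='SQL Server default port';     Remote=$SqlServer },
    @{ Port='1434';        Proto='UDP'; Dir='Outbound'; Usage='SQL Server connection setup'; Remote=$SqlServer }
)

foreach ($r in $Rules) {
    $name = "$Group - $($r.Usage) ($($r.Proto) $($r.Port) $($r.Dir))"
    # Inbound rules match on the local (listening) port; outbound rules on the remote port.
    $portParam = if ($r.Dir -eq 'Inbound') { @{ LocalPort = $r.Port } } else { @{ RemotePort = $r.Port } }
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }  # idempotent
    New-NetFirewallRule -DisplayName $name -Group $Group -Direction $r.Dir -Protocol $r.Proto `
        -Action Allow -Profile Domain -RemoteAddress $r.Remote @portParam | Out-Null
}

# Verify what was created: direction, protocol, ports and remote scope of each rule.
Get-NetFirewallRule -Group $Group | ForEach-Object {
    $pf    = $_ | Get-NetFirewallPortFilter
    $af    = $_ | Get-NetFirewallAddressFilter
    $local = "$($pf.LocalPort)"; $remote = "$($pf.RemotePort)"; $from = "$($af.RemoteAddress)"
    '{0,-8} {1,-4} local={2,-12} remote={3,-12} from={4}' -f $_.Direction, $pf.Protocol, $local, $remote, $from
}
```

Outbound rules only take effect if the Domain profile's default outbound action is set to Block; with the Windows default of Allow they merely document the expected traffic.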

Distributed Cache
When a range is specified, all ports in the range must be opened.

| Ports | Protocol | Bound | Usage |
|---|---|---|---|
| 22233-22236 | TCP | In/Out | Distributed Cache |

Application Server
When a range is specified, all ports in the range must be opened.

| Ports | Protocol | Bound | Usage |
|---|---|---|---|
| 22233-22236 | TCP | Out | Ports required for the AppFabric Caching Service |
| 80 | TCP | In | Client to SharePoint web server traffic (SharePoint – Office Web Apps communication) |
| 443 | TCP | In | Encrypted client to SharePoint web server traffic (encrypted SharePoint – Office Web Apps communication) |
| Custom | TCP | In | SharePoint Central Administration v4 |
| 25 | TCP | In | SMTP for e-mail integration |
| 16500-16519 | TCP | In | Ports used by the search index component |
| 32843-32845 | TCP | In | Communication between Web servers and service applications (inbound rule added to Windows Firewall by SharePoint) |
| 32846 | TCP | In/Out | SharePoint User Code Service (inbound rule added to Windows Firewall by SharePoint) |
| 808-809 | TCP | In | Office Web Apps |

Search Index Query Server
When a range is specified, all ports in the range must be opened.

| Ports | Protocol | Bound | Usage |
|---|---|---|---|
| 22233-22236 | TCP | Out | Ports required for the AppFabric Caching Service |
| 16500-16519 | TCP | In | Ports used by the search index component |
| 137-139 | TCP | Out | SMB – Index Propagation / File Shares crawl (TCP) |
| 445 | TCP / UDP | In | SMB – Index Propagation / File Shares crawl (NetBIOS) |

Search Administration & Crawl Content Processing
When a range is specified, all ports in the range must be opened.

| Ports | Protocol | Bound | Usage |
|---|---|---|---|
| 22233-22236 | TCP | Out | Ports required for the AppFabric Caching Service |
| 80 | TCP | Out | HTTP |
| 443 | TCP | Out | HTTPS/SSL |
| 16500-16519 | TCP | In / Out | Ports used by the search index component |
| 137-139 | TCP | Out | SMB – Index Propagation / File Shares crawl (TCP) |
| 445 | TCP / UDP | Out | SMB – Index Propagation / File Shares crawl (NetBIOS) |
| 1433 | TCP | Out | SQL Server default communication port (if no alias or custom port) |
| 32843-32845 | TCP | In | Communication between Web servers and service applications (inbound rule added to Windows Firewall by SharePoint) |

Routes to the query server
The crawl component processes crawls of content resources, and propagates the resulting index fragment files to query server components:
• TCP Port 32845 (SML/Named Pipes)

Routes to the Webserver
Windows Communication Foundation (WCF)
• TCP port 32843
• TCP port 32844 (SSL)

Routes to the Database server
Database communication:
On the Query Server, the query processor (also known as the Search Query and Settings Service) communicates with the following two databases in SQL Server:

• Search Administration database
• Property database types

On the Crawl Server, each crawl component is attached to a crawl database in SQL Server. The crawl component adds information such as content resource location and crawl schedules to its associated crawl database.

• TCP/SSL port 1433 (default) for default instance (customizable)
• TCP/SSL random port for named instances (customizable)

Routes to the Webserver
Search crawling: the crawl component on the Crawl Server processes crawls of content resources. Depending on how authentication is configured, SharePoint sites might be extended with an additional zone or Internet Information Services (IIS) site to ensure that the index component can access content; this configuration can result in custom ports.
• TCP 80
• TCP 443 (SSL)
• Custom ports

Active Directory Server

The following table lists the port requirements for inbound connections from each server role to an Active Directory Domain Services domain controller.

| Ports | Protocol | Bound | Usage |
|---|---|---|---|
| 88 | TCP / UDP | In | User Profile Synchronization Service (FIM) (Kerberos) |
| 445 | TCP / UDP | In | When SQL Server is configured to listen for incoming client connections by using named pipes over a NetBIOS session, SQL Server communicates over TCP port 445 |
| 389 | TCP / UDP | In | User Profile Synchronization Service (FIM) (LDAP) |
| 464 | TCP / UDP | In | User Profile Service (FIM) - user list resolution / Kerberos password change |
| 5725 | TCP | In | User Profile Synchronization Service (FIM) - synchronizing profiles between SharePoint 2013 and Active Directory Domain Services (AD DS) on the server that runs the Forefront Identity Management agent |

LDAP/LDAPS ports are required for server roles based on the following conditions:

• Web servers: use LDAP/LDAPS ports if LDAP authentication is configured.
• Query server: this role requires LDAP/LDAPS ports for importing profiles from the domain controllers that are configured as profile import sources, wherever these reside.

Name Resolution (DNS) Server

The following table lists the port requirements for inbound connections from each server role to a Domain Name System (DNS) server. In many extranet environments, one server computer hosts both the Active Directory Domain Services domain controller and the DNS server.

| Ports | Protocol | Bound | Usage |
|---|---|---|---|
| 53 | TCP / UDP | In | User Profile Synchronization Service (FIM) - DNS |

Distributed Cache Server

SQL Server

The following table lists the port requirements for inbound connections from each server role to a server running SQL Server. Most database connections are on TCP port 1433 by default for the default instance, but this is customizable. (Because TCP port 1433 is a well-known port for accessing a SQL Server, you could configure your server running SQL Server to listen on a different port and block port 1433.) For named instances, you can choose a random port.

| Ports | Protocol | Bound | Usage |
|---|---|---|---|
| 1433 | TCP | In | SQL Server default communication port (if no alias or custom port) |
| 1434 | UDP | In | SQL Server default port used to establish connection (if no alias or custom port) |
| 445 | TCP | In | SQL Server using named pipes |
| 2383 | TCP | In | SQL Analysis Server default communication port (if no alias or custom port) |
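Auditing the database server's Windows Firewall against the table above, as an added example that is not part of the original post: it reports inbound Allow rules that open ports outside the expected set, and expected ports left open to any source. The farm server addresses and the `$SqlPort` variable (for the custom-port case the paragraph mentions) are assumptions.

```powershell
# Added example (not from the original post): compare the enabled inbound Allow rules on
# the database server with the port set in the table above and report anything extra
# or unscoped. Assumptions: $SqlPort (change if SQL Server listens on a custom port)
# and $FarmServers (the only hosts that should reach SQL Server).
$SqlPort     = 1433                                         # assumption: default instance port
$FarmServers = @('10.10.0.11', '10.10.0.12', '10.10.0.13')  # assumption: WFE, App, Search servers
$Expected    = @("TCP/$SqlPort", 'UDP/1434', 'TCP/445', 'TCP/2383')

$findings = @()
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow | ForEach-Object {
    $rule = $_
    $pf   = $rule | Get-NetFirewallPortFilter
    $af   = $rule | Get-NetFirewallAddressFilter
    foreach ($entry in @($pf.LocalPort)) {
        # Expand 'a-b' ranges; skip 'Any' and keywords such as 'RPC' that are not numeric ports.
        $ports = switch -Regex ("$entry") {
            '^(\d+)-(\d+)$' { $lo = [int]$Matches[1]; $hi = [int]$Matches[2]; $lo..$hi; break }
            '^\d+$'         { [int]$entry; break }
            default         { @() }
        }
        foreach ($p in $ports) {
            $key = "$($pf.Protocol)/$p"
            if ($Expected -notcontains $key) {
                $findings += "UNEXPECTED $key opened by rule '$($rule.DisplayName)'"
            } elseif (@($af.RemoteAddress) -contains 'Any') {
                $findings += "UNSCOPED   $key in rule '$($rule.DisplayName)' accepts any source; limit to $($FarmServers -join ', ')"
            }
        }
    }
}
if ($findings) { $findings | Sort-Object -Unique } else { 'Inbound rules match the expected SQL Server port set.' }
```

Built-in rules such as Remote Desktop or WinRM will show up as UNEXPECTED; that is the point of the audit, and each one should be either justified or disabled on the database tier.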

External Content File Share Server

| Ports | Protocol | Bound | Usage |
|---|---|---|---|
| 137 | TCP | In | SMB – Index Propagation / File Shares crawl (TCP) |
| 138 | TCP | In | SMB – Index Propagation / File Shares crawl (TCP) |
| 139 | TCP | In | SMB – Index Propagation / File Shares crawl (TCP) |
| 445 | TCP / UDP | In | SMB – Index Propagation / File Shares crawl (NetBIOS) |

External Content (OLAP) Server

| Port | Protocol | Bound | Usage |
|---|---|---|---|
| 1433 | TCP | In | SQL (default instance) |
| 1434 | UDP | In | SQL (default instance) |

SMTP Server

E-mail integration requires the use of the Simple Mail Transport Protocol (SMTP) service using TCP port 25 on at least one of the front-end Web servers in the server farm. The SMTP service is required for incoming e-mail (inbound connections). For outgoing e-mail, you can either use the SMTP service or route outgoing e-mail through a dedicated e-mail server in your organization, such as a computer running Microsoft Exchange Server.

| Ports | Protocol | Bound | Usage |
|---|---|---|---|
| 25 | TCP | In | SMTP - cannot be configured |
