Configuring the Windows Firewall for SharePoint Farm Traffic (Muti-Tier)
Applies to: SharePoint Server 2013, SharePoint Foundation 2013
This document outlines the firewall ports required to be opened and on which server depending on the services running (Windows, SharePoint, Database Server) for a mutli-tiered SharePoint Server farm.
Of course, this is only one scenario and it all depends on SharePoint farm and network configuration you have and whether you configured behind gateways, firewalls etc.
SharePoint Network Diagram – An example
Web Front End Server
When a range is specified all ports between the range must be opened.
| Ports | Protocol | Bound | Usage |
|---|---|---|---|
| 22233-22236 | TCP | Out | Ports required for the AppFabric Caching Service |
| 80 | TCP | In | http |
| 443 | TCP | In | https/ssl |
| 25 | TCP | In | SMTP for e-mail integration |
| 16500 – 16519 | TCP | In | Ports used by the search index component |
| 1433 | TCP | Out | Server default communication port (if no alias or custom port) |
| 1434 | UDP | Out | SQL Server default port used to establish connection (if no alias or custom port) |
Distributed Cache
When a range is specified all ports between the range must be opened.
| Ports | Protocol | Bound | Usage |
|---|---|---|---|
| 22233-22236 | TCP | In/Out | Distributed Cache |
Application Server
When a range is specified all ports between the range must be opened.
| Ports | Protocol | Bound | Usage |
|---|---|---|---|
| 22233-22236 | TCP | Out | Ports required for the AppFabric Caching Service |
| 80 | TCP | In | Client to SharePoint web server traffic (SharePoint – Office Web Apps communication) |
| 443 | TCP | In | Encrypted client to SharePoint web server traffic (Encrypted SharePoint – Office Web Apps communication) |
| Custom | TCP | In | SharePoint Central Administration v4 |
| 25 | TCP | In | SMTP for e-mail integration |
| 16500 – 16519 | TCP | In | Ports used by the search index component |
| 32843-32845 | TCP | In | Communication between Web servers and service applications Inbound rule Added to Windows firewall by SharePoint |
| 32846 | TCP | In/Out | SharePoint User Code Service Inbound rule Added to Windows firewall by SharePoint |
| 808-809 | TCP | In | Office Web Apps |
Search Index Query Server
When a range is specified all ports between the range must be opened.
| Ports | Protocol | Bound | Usage |
|---|---|---|---|
| 22233-22236 | TCP | Out | Ports required for the AppFabric Caching Service |
| 16500 – 16519 | TCP | In | Ports used by the search index component |
| 137 - 139 | TCP | Out | SMB – Index Propagation / File Shares crawl ( TCP ) |
| 445 | TCP / UDP | In | SMB – Index Propagation / File Shares crawl ( NetBIOS ) |
Search Administration & Crawl Content Processing
When a range is specified all ports between the range must be opened.
| Ports | Protocol | Bound | Usage |
|---|---|---|---|
| 22233-22236 | TCP | Out | http |
| 80 | TCP | Out | https/ssl |
| 443 | TCP | Out | |
| 16500 – 16519 | TCP | In / Out | Ports used by the search index component |
| 137 - 139 | TCP | Out | SMB – Index Propagation / File Shares crawl ( TCP ) |
| 445 | TCP / UDP | Out | SMB – Index Propagation / File Shares crawl ( NetBIOS ) |
| 1433 | TCP | Out | Server default communication port (if no alias or custom port) |
| 32843-32845 | TCP | In | Communication between Web servers and service applications Inbound rule Added to Windows firewall by SharePoint |
Routes to the to query server
The crawl component processes crawls of content resources, and propagates the resulting index fragment files to query server components:
• TCP Port 32845 (SML/Named Pipes)
Routes to the Webserver
Windows Communication Foundation (WCF)
• TCP port 32843
• TCP port 32844 (SSL)
Routes to the Database server
Database communication:
On the Query Server, the query processor (also known as the Search Query and Settings Service) communicates with the following two databases in SQL Server:
• Search Administration database
• Property database types
On the Crawl Server, each crawl component is attached to a crawl database in SQL Server. The crawl component adds information such as content resource location and crawl schedules to its associated crawl database.
• TCP/SSL port 1433 (default) for default instance (customizable)
• TCP/SSL random port for named instances (customizable)
Routes to the Webserver
Search crawling —The crawl component on the Crawl Server processes crawls of content resources. Depending on how authentication is configured, SharePoint sites might be extended with an additional zone or Internet Information Services (IIS) site to ensure that the index component can access content; this configuration can result in custom ports.
• TCP 80
• TCP 443 (SSL)
• Custom ports
Active Directory Server
The following table lists the port requirements for inbound connections from each server role to an Active Directory Domain Services domain controller.
| Ports | Protocol | Bound | Usage |
|---|---|---|---|
| 88 | TCP / UDP | In | User Profile Synchronization Service(FIM) (Kerberos) |
| 445 | TCP / UDP | In | When SQL Server is configured to listen for incoming client connections by using named pipes over a NetBIOS session, SQL Server communicates over TCP port 445 |
| 389 | TCP / UDP | In | User Profile Synchronization Service(FIM) (LDAP ) |
| 464 | TCP / UDP | In | User Profile Service(FIM) -User List Resolution / Kerberos password change |
| 5725 | TCP | In | User Profile Synchronization Service(FIM) - Synchronizing profiles between SharePoint 2013 and Active Directory Domain Services (AD DS) on the server that runs the Forefront Identity Management agent |
LDAP/LDAPS ports are required for server roles based on the following conditions:
- Web servers Use LDAP/LDAPS ports if LDAP authentication is configured.
- Query server Role requires LDAP/LDAPS ports for importing profiles from the domain controllers that are configured as profile import sources, wherever these reside.
Names Resolution (DNS) Server
The following table lists the port requirements for inbound connections from each server role to a Domain Name System (DNS) server. In many extranet environments, one server computer hosts both the Active Directory Domain Services domain controller and the DNS server.
| Ports | Protocol | Bound | Usage |
|---|---|---|---|
| 53 | TCP / UDP | In | User Profile Synchronization Service(FIM) - DNS |
Distributed Cache Server
SQL Server
The following table lists the port requirements for inbound connections from each server role to a server running SQL Server. Most database connections are on TCP port 1433 by default for the default instance, but this is customizable. (Because TCP port 1433 is a well-known port for accessing a SQL Server, you could configure your server running SQL Server to listen on a different port and block port 1433.) For named instances, you can choose a random port.
| Ports | Protocol | Bound | Usage |
|---|---|---|---|
| 1433 | TCP | In | Server default communication port (if no alias or custom port) |
| 1434 | UDP | In | SQL Server default port used to establish connection (if no alias or custom port) |
| 445 | TCP | In | SQL Server using named pipes |
| 2383 | TCP | In | SQL Analysis Server default communication port (if no alias or custom port) |
External Content File Share Server
| Ports | Protocol | Bound | Usage |
|---|---|---|---|
| 137 | TCP | In | SMB – Index Propagation / File Shares crawl ( TCP ) |
| 138 | TCP | In | SMB – Index Propagation / File Shares crawl ( TCP ) |
| 139 | TCP | In | SMB – Index Propagation / File Shares crawl ( TCP ) |
| 445 | TCP / UDP | In | SMB – Index Propagation / File Shares crawl ( NetBIOS ) |
External Content (OLAP) Server
| Port | Protocol | Bound | Usage |
|---|---|---|---|
| 1433 | TCP | In | SQL (Default Instance) |
| 1434 | UDP | In | SQL (Default Instance) |
SMTP Server
E-mail integration requires the use of the Simple Mail Transport Protocol (SMTP) service using TCP port 25 on at least one of the front-end Web servers in the server farm. The SMTP service is required for incoming e-mail (inbound connections). For outgoing e-mail, you can either use the SMTP service or route outgoing e-mail through a dedicated e-mail server in your organization, such as a computer running Microsoft Exchange Server.
| Ports | Protocol | Bound | Usage |
|---|---|---|---|
| 25 | TCP | In | SMTP - Cannot be configured |
Share This Post