Services and Ports Requirements for the Windows Server Systems (KB832017)



Article ID: 832017 - Last Review: November 2, 2009 - Revision: 39.0
Source: http://support.microsoft.com/kb/832017 (11/28/2009)

Service overview and network port requirements for the Windows Server system

This article discusses the essential network ports, protocols and services that are used by Microsoft client and server operating systems, server-based programs and their subcomponents in the Microsoft Windows server system. Administrators and support professionals may use this Microsoft Knowledge Base article as a road-map to determine what ports and protocols Microsoft operating systems and programs require for network connectivity in a segmented network.

The port information in this article should not be used to configure Windows Firewall. For information about configuring Windows Firewall, visit the following Microsoft Web sites:

http://technet2.microsoft.com/windowsserver/en/library/6490c9fc-6c06-4304-b61c-5577af1445d01033.mspx
http://technet.microsoft.com/en-us/network/bb545423.aspx

The Windows server system includes a comprehensive and integrated infrastructure that is designed to meet the requirements of developers and of information technology (IT) professionals. This system is designed to run programs and solutions that information workers can use to obtain, to analyze, and to share information quickly and easily. These Microsoft client, server and server program products use a variety of network ports and protocols to communicate with client systems and with other server systems over the network. Dedicated firewalls, host-based firewalls, and Internet Protocol security (IPsec) filters are other important components that are required to help secure your network. However, if these technologies are configured to block ports and protocols that are used by a specific server, that server will no longer respond to client requests.

Overview

The following list provides an overview of the information that this article contains:

The "System services ports" section of this article contains a brief description of each service, displays the logical name of that service, and indicates the ports and protocols that each service requires for correct operation. Use this section to help identify the ports and protocols that a particular service uses.

The "Ports and protocols" section of this article includes a table that summarizes the information from the "System Services Ports" section. The table is sorted by port number instead of by the service name. Use this section to quickly determine which services listen on a particular port.

Important This article contains several references to the default dynamic port range. In Windows Server 2008 and in Windows Vista, the default dynamic port range is changed to the following range:

Start port: 49152
End port: 65535

For more information about the changes in Windows Vista and Windows Server 2008, click the following article number to view the article in the Microsoft Knowledge Base:

929851 (http://support.microsoft.com/kb/929851/) The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008

This article uses certain terms in specific ways. To help avoid confusion, make sure that you understand how this document uses these terms. The following list describes these terms:

System services: The Windows server system includes many products, such as the Microsoft Windows 2000 Server family, Microsoft Windows Server 2003 family, Microsoft Exchange 2000 Server, and Microsoft SQL Server 2000. Each of these products includes many components; system services is one of those components. System services that are required by a particular computer are either started automatically by the operating system during startup or are started as required during typical operations. For example, some system services that are available on computers that are running Windows Server 2003, Enterprise Edition, include the Server service, the Print Spooler service, and the World Wide Web Publishing Service. Each system service has a friendly service name and a service name. The friendly service name is the name that appears in graphical management tools such as the Services Microsoft Management Console (MMC) snap-in. The service name is the name that is used with command-line tools and with many scripting languages. Each system service may provide one or more network services.

Application protocol: In the context of this article, an application protocol is a high-level network protocol that uses one or more TCP/IP protocols and ports. Examples of application protocols include Hypertext Transfer Protocol (HTTP), server message blocks (SMBs), and Simple Mail Transfer Protocol (SMTP).

Protocol: Operating at a lower level than the application protocols, TCP/IP protocols are standard formats for communicating between devices on a network. The TCP/IP suite of protocols includes TCP, User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP).

Port: This is the network port that the system service listens on for incoming network traffic.

This article does not specify which services rely on other services for network communication. For example, many services rely on the remote procedure call (RPC) or DCOM features in Microsoft Windows to assign them dynamic TCP ports. The Remote Procedure Call service coordinates requests by other system services that use RPC or DCOM to communicate with client computers. Many other services rely on network basic input/output system (NetBIOS) or SMBs, protocols that are actually provided by the Server service. Others rely on HTTP or on Hypertext Transfer Protocol Secure (HTTPS). These protocols are provided by Internet Information Services (IIS). A full discussion of the architecture of the Windows operating systems is beyond the scope of this article. However, detailed documentation on this subject is available on Microsoft TechNet and on the Microsoft Developer Network (MSDN). While many services may rely on a particular TCP or UDP port, only a single service or process can be actively listening on that port at any one time.

When you use RPC with TCP/IP or with UDP/IP as the transport, inbound ports are frequently dynamically assigned to system services as required; TCP/IP and UDP/IP ports that are higher than port 1024 are used. These are frequently informally referred to as "random RPC ports." In these cases, RPC clients rely on the RPC endpoint mapper to tell them which dynamic port(s) were assigned to the server. For some RPC-based services, you can configure a specific port instead of letting RPC assign one dynamically. You can also restrict the range of ports that RPC dynamically assigns to a small range, regardless of the service. For more information about this topic, see the "References" section of this article.
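As an added example (not code from the KB article), the following Python models the RPC requirement just described, the endpoint mapper on TCP 135 plus either the OS default dynamic range (1024-65535, or 49152-65535 on Windows Server 2008 and Windows Vista) or a statically configured port, and checks a proposed firewall allow-list for the gaps that would stop a server from answering clients. The Active Directory (LSASS) port table is transcribed from the article's own table; the allow-list rules are constructed sample input.

```python
# Added example, not code from the KB article. Models the inbound port
# requirement of an RPC-based service as the article describes it and checks
# a firewall allow-list for gaps. The dynamic ranges and the LSASS table are
# transcribed from the article; the allow-list rules are constructed input.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Default dynamic (ephemeral) range that "random RPC ports" are drawn from:
# 1024-65535 on Windows 2000/2003, 49152-65535 on Windows Server 2008/Vista.
DYNAMIC_RANGE = {
    "2000": (1024, 65535),
    "2003": (1024, 65535),
    "2008": (49152, 65535),  # the same range applies to Windows Vista
}

Range = Tuple[int, int]


@dataclass(frozen=True)
class PortReq:
    name: str
    proto: str  # "TCP" or "UDP"
    low: int
    high: int   # equal to low for a single port


@dataclass(frozen=True)
class AllowRule:
    proto: str
    low: int
    high: int


def rpc_requirements(os_version: str, static_port: Optional[int] = None) -> List[PortReq]:
    """Endpoint mapper (TCP 135) plus either the OS default dynamic range or,
    where the service was configured with a specific port, just that port."""
    reqs = [PortReq("RPC endpoint mapper", "TCP", 135, 135)]
    if static_port is not None:
        reqs.append(PortReq("RPC (static port)", "TCP", static_port, static_port))
    else:
        low, high = DYNAMIC_RANGE[os_version]
        reqs.append(PortReq("RPC dynamic range", "TCP", low, high))
    return reqs


def lsass_requirements(os_version: str, static_rpc_port: Optional[int] = None) -> List[PortReq]:
    """Active Directory (LSASS) port table as listed in the article."""
    fixed = [
        PortReq("Global Catalog Server", "TCP", 3269, 3269),
        PortReq("Global Catalog Server", "TCP", 3268, 3268),
        PortReq("LDAP Server", "TCP", 389, 389),
        PortReq("LDAP Server", "UDP", 389, 389),
        PortReq("LDAP SSL", "TCP", 636, 636),
        PortReq("LDAP SSL", "UDP", 636, 636),
        PortReq("IPsec ISAKMP", "UDP", 500, 500),
        PortReq("NAT-T", "UDP", 4500, 4500),
    ]
    return fixed + rpc_requirements(os_version, static_rpc_port)


def uncovered(req: PortReq, rules: Iterable[AllowRule]) -> List[Range]:
    """Sub-ranges of `req` that no allow rule of the same protocol covers.
    Each rule interval is subtracted from the remaining gaps, so the result
    does not depend on rule order."""
    gaps: List[Range] = [(req.low, req.high)]
    for rule in rules:
        if rule.proto != req.proto:
            continue
        remaining: List[Range] = []
        for lo, hi in gaps:
            if rule.high < lo or rule.low > hi:  # rule does not touch this gap
                remaining.append((lo, hi))
                continue
            if lo < rule.low:                     # part left of the rule
                remaining.append((lo, rule.low - 1))
            if hi > rule.high:                    # part right of the rule
                remaining.append((rule.high + 1, hi))
        gaps = remaining
    return gaps


def check(reqs: Iterable[PortReq], rules: Iterable[AllowRule]) -> Dict[str, List[Range]]:
    """Map every requirement that is not fully allowed to its blocked ranges.
    An empty result means the firewall leaves the service reachable."""
    rules = list(rules)
    blocked: Dict[str, List[Range]] = {}
    for req in reqs:
        gaps = uncovered(req, rules)
        if gaps:
            blocked[f"{req.name} {req.proto} {req.low}-{req.high}"] = gaps
    return blocked


if __name__ == "__main__":
    # Constructed allow-list: the fixed AD ports plus a legacy 1024-5000 block.
    sample_rules = [
        AllowRule("TCP", 135, 135), AllowRule("TCP", 389, 389), AllowRule("UDP", 389, 389),
        AllowRule("TCP", 636, 636), AllowRule("UDP", 636, 636), AllowRule("TCP", 3268, 3269),
        AllowRule("UDP", 500, 500), AllowRule("UDP", 4500, 4500), AllowRule("TCP", 1024, 5000),
    ]
    for version in ("2003", "2008"):
        print(version, check(lsass_requirements(version), sample_rules))
```

With the constructed allow-list, the Windows Server 2003 case reports TCP 5001-65535 as blocked and the Windows Server 2008 case reports the entire 49152-65535 range as blocked, which is the situation the article warns about when filters are built from the old range.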

This article includes information about the system services roles and the server roles for the Microsoft products that are listed in the "Applies to" section at the end of this article. While this information may also apply to Microsoft Windows XP and to Microsoft Windows 2000 Professional, this article is intended to focus on server-class operating systems. Because of this, this article describes the ports that a service listens on instead of the ports that client programs use to connect to a remote system.

System services ports

This section provides a description of each system service, includes the logical name that corresponds to the system service, and displays the ports and the protocols that each service requires.

Active Directory (Local Security Authority)

Active Directory runs under the LSASS process and includes the authentication and replication engines for Windows 2000 and Windows Server 2003 domain controllers. Domain controllers, client computers and application servers require network connectivity to Active Directory over specific hard-coded ports in addition to a range of ephemeral TCP ports between 1024 and 65535, unless a tunneling protocol is used to encapsulate such traffic. An encapsulated solution might consist of a VPN gateway located behind a filtering router using Layer 2 Tunneling Protocol (L2TP) together with IPsec. In this encapsulated scenario, you must allow IPsec Encapsulating Security Protocol (ESP) (IP protocol 50), IPsec Network Address Translator Traversal NAT-T (UDP port 4500), and IPsec Internet Security Association and Key Management Protocol (ISAKMP) (UDP port 500) through the router as opposed to opening all the ports and protocols listed below. Finally, the port used for Active Directory replication may be hard-coded as described in the following article in the Microsoft Knowledge Base:

224196 (http://support.microsoft.com/kb/224196/) Restricting Active Directory replication traffic and client RPC traffic to a specific port

Note Packet filters for L2TP traffic are not required, because L2TP is protected by IPsec ESP.

System service name: LSASS

Application protocol                        Protocol  Ports
Global Catalog Server                       TCP       3269
Global Catalog Server                       TCP       3268
LDAP Server                                 TCP       389
LDAP Server                                 UDP       389
LDAP SSL                                    TCP       636
LDAP SSL                                    UDP       636
IPsec ISAKMP                                UDP       500
NAT-T                                       UDP       4500
RPC                                         TCP       135
RPC randomly allocated high TCP ports¹      TCP       1024 - 65535 (49152 - 65535²)

¹ For more information about how to customize this port, see the "Domain controllers and Active Directory" section in the "References" section.

² This is the range in Windows Server 2008 and in Windows Vista.

Application Layer Gateway Service

This subcomponent of the Internet Connection Sharing (ICS)/Internet Connection Firewall (ICF) service provides support for plug-ins that allow network protocols to pass through the firewall and work behind Internet Connection Sharing. Application Layer Gateway (ALG) plug-ins can open ports and change data (such as ports and IP addresses) that are embedded in packets. File Transfer Protocol (FTP) is the only network protocol with a plug-in that is included with Windows Server 2003, Standard Edition, and Windows Server 2003, Enterprise Edition. The ALG FTP plug-in is designed to support active FTP sessions through the network address translation (NAT) engine that these components use. The ALG FTP plug-in supports these sessions by redirecting all traffic that passes through the NAT and that is destined for port 21 to a private listening port in the range of 3000 to 5000 on the loopback adapter. The ALG FTP plug-in then monitors and updates FTP control channel traffic so that the FTP plug-in can forward port mappings through the NAT for the FTP data channels. The FTP plug-in also updates ports in the FTP control channel stream.

System service name: ALG

Application protocol                        Protocol  Ports
FTP control                                 TCP       21

ASP.NET State Service

ASP.NET State Service provides support for ASP.NET out-of-process session states. ASP.NET State Service stores session data out-of-process. The service uses sockets to communicate with ASP.NET that is running on a Web server.

System service name: aspnet_state

Application protocol                        Protocol  Ports
ASP.NET Session State                       TCP       42424

Certificate Services

Certificate Services is part of the core operating system. By using Certificate Services, a business can act as its own certification authority (CA). In this way, the business can issue and manage digital certificates for programs and protocols such as Secure/Multipurpose Internet Mail Extensions (S/MIME), Secure Sockets Layer (SSL), Encrypting File System (EFS), IPsec, and smart card logon. Certificate Services relies on RPC and on DCOM to communicate with clients by using random TCP ports that are higher than port 1024.

System service name: CertSvc

Application protocol                        Protocol  Ports
RPC                                         TCP       135
Randomly allocated high TCP ports¹          TCP       random port number between 1024 - 65535 (49152 - 65535²)

¹ For more information about how to customize this port, see the "Remote Procedure Calls and DCOM" section in the "References" section.

² This is the range in Windows Server 2008 and in Windows Vista.

Cluster Service

The Cluster service controls server cluster operations and manages the cluster database. A cluster is a collection of independent computers that act as a single computer. Managers, programmers, and users see the cluster as a single system. The software distributes data among the nodes of the cluster. If a node fails, other nodes provide the services and data that was formerly provided by the missing node. When a node is added or repaired, the cluster software migrates some data to that node.

System service name: ClusSvc

Application protocol                        Protocol  Ports
Cluster Services                            UDP       3343
RPC                                         TCP       135
Cluster Administrator                       UDP       137
Randomly allocated high UDP ports¹          UDP       random port number between 1024 - 65535 (49152 - 65535²)

¹ For more information about how to customize this port, see the "Remote Procedure Calls and DCOM" section in the "References" section.

² This is the range in Windows Server 2008 and in Windows Vista.

Computer Browser

The Computer Browser system service maintains an up-to-date list of computers on your network and supplies the list to programs that request it. The Computer Browser service is used by Windows-based computers to view network domains and resources. Computers that are designated as browsers maintain browse lists that contain all shared resources that are used on the network. Earlier versions of Windows programs, such as My Network Places, the net view command, and Windows Explorer, all require browsing capability. For example, when you open My Network Places on a computer that is running Microsoft Windows 95, a list of domains and computers appears. To display this list, the computer obtains a copy of the browse list from a computer that is designated as a browser.

System service name: Browser

Application protocol                        Protocol  Ports
NetBIOS Datagram Service                    UDP       138
NetBIOS Name Resolution                     UDP       137
NetBIOS Session Service                     TCP       139

DHCP Server

The DHCP Server service uses the Dynamic Host Configuration Protocol (DHCP) to automatically allocate IP addresses. By using this service, you can adjust the advanced network settings of DHCP clients. For example, you can configure network settings such as Domain Name System (DNS) servers and Windows Internet Name Service (WINS) servers. You can establish one or more DHCP servers to maintain TCP/IP configuration information and to provide that information to client computers.

System service name: DHCPServer

Application protocol                        Protocol  Ports
DHCP Server                                 UDP       67
MADCAP                                      UDP       2535

Distributed File System

The Distributed File System (DFS) integrates disparate file shares that are located across a local area network (LAN) or wide area network (WAN) into a single logical namespace. The DFS service is required for Active Directory domain controllers to advertise the SYSVOL shared folder.

System service name: Dfs

Application protocol                        Protocol  Ports
NetBIOS Datagram Service                    UDP       138
NetBIOS Session Service                     TCP       139
LDAP Server                                 TCP       389
LDAP Server                                 UDP       389
SMB                                         TCP       445
RPC                                         TCP       135
Randomly allocated high TCP ports¹          TCP       random port number between 1024 - 65535 (49152 - 65535²)

¹ For more information about how to customize this port, see the "Remote Procedure Calls and DCOM" section in the "References" section.

² This is the range in Windows Server 2008 and in Windows Vista.

Distributed File System Replication

The Distributed File System Replication (DFSR) service is a state-based, multi-master file replication engine that automatically copies updates to files and folders between computers that are participating in a common replication group. DFSR was added in Windows Server 2003 R2. You can configure DFSR by using the Dfsrdiag.exe command-line tool to replicate files on specific ports between Windows Server 2003 R2 computers, regardless of whether they are participating in Distributed File System Namespaces (DFSN) or not.

System service name: DFSR

Application protocol                        Protocol  Ports
RPC                                         TCP       135
Randomly allocated high TCP ports¹          TCP       random port number between 1024 - 65535 (49152 - 65535²)

¹ For more information about how to customize this port, see the "Distributed File Replication Service" section in the "References" section.

² This is the range in Windows Server 2008 and in Windows Vista.

Distributed Link Tracking Server

The Distributed Link Tracking Server system service stores information so that files that are moved between volumes can be tracked to each volume in the domain. The Distributed Link Tracking Server service runs on each domain controller in a domain. This service enables the Distributed Link Tracking Client service to track linked documents that have been moved to a location in another NTFS file system volume in the same domain.

System service name: TrkSvr

Application protocol                        Protocol  Ports
RPC                                         TCP       135
Randomly allocated high TCP ports¹          TCP       random port number between 1024 - 65535 (49152 - 65535²)

¹ For more information about how to customize this port, see the "Remote Procedure Calls and DCOM" section in the "References" section.

² This is the range in Windows Server 2008 and in Windows Vista.

Distributed Transaction Coordinator

The Distributed Transaction Coordinator (DTC) system service is responsible for coordinating transactions that are distributed across multiple computer systems and resource managers, such as databases, message queues, file systems, or other transaction-protected resource managers. The DTC system service is required if transactional components are configured through COM+. It is also required for transactional queues in Message Queuing (also known as MSMQ) and SQL Server operations that span multiple systems.

System service name: MSDTC

Application protocol                        Protocol  Ports
RPC                                         TCP       135
Randomly allocated high TCP ports¹          TCP       random port number between 1024 - 65535 (49152 - 65535²)

¹ For more information about how to customize this port, see the "Distributed Transaction Coordinator" section in the "References" section.

² This is the range in Windows Server 2008 and in Windows Vista.

DNS Server

The DNS Server service enables DNS name resolution by answering queries and update requests for DNS names. DNS servers are required to locate devices and services that are identified by using DNS names and to locate domain controllers in Active Directory.

System service name: DNS

Application protocol                        Protocol  Ports
DNS                                         UDP       53
DNS                                         TCP       53

Event Log

The Event Log system service logs event messages that are generated by programs and by the Windows operating system. Event Log reports contain information that can be useful in diagnosing problems. Reports are viewed in Event Viewer. The Event Log service writes events that are sent by programs, by services, and by the operating system to log files. The events contain diagnostic information in addition to errors that are specific to the source program, the service, or the component. The logs can be viewed programmatically through the event log APIs or through the Event Viewer in an MMC snap-in.

System service name: Eventlog

Application protocol                        Protocol  Ports
RPC/named pipes (NP)                        TCP       139
RPC/NP                                      TCP       445
RPC/NP                                      UDP       137
RPC/NP                                      UDP       138

Note The Event Log service uses RPC over named pipes. This service has the same firewall requirements as those of the "File and Printer Sharing" feature.

Microsoft Exchange Server and Outlook clients

Versions of Microsoft Exchange Server and Exchange clients have various port and protocol requirements. These requirements depend upon which version of Exchange Server or Exchange client is in use.

For Outlook clients to connect to versions of Exchange prior to Exchange 2003, direct RPC connectivity to the Exchange server is required. RPC connections made from Outlook to the Exchange server will first contact the RPC endpoint mapper (Port TCP 135) to request information on the port mappings of the various endpoints required. The Outlook client then tries to make connections to the Exchange server directly by using these endpoint ports.

Exchange 5.5 uses two ports for client communication. One port is for the Information Store, and one port is for the Directory. Exchange 2000 and 2003 use three ports for client communication. One port is for the Information Store, one is for Directory Referral (RFR), and one port is for DSProxy/NSPI.

In most cases, these two or three ports will be mapped randomly into the range TCP 1024-65535. If required, these ports can be configured to always bind to a static port mapping rather than to use the ephemeral ports.

For more information about how to configure static TCP/IP ports in Exchange Server, click the following article number to view the article in the Microsoft Knowledge Base:

270836 (http://support.microsoft.com/kb/270836/) Exchange Server static port mappings

Outlook 2003 clients support direct connectivity to Exchange servers by using RPC. However, these clients can also communicate with Exchange 2003 servers that are hosted on Windows Server 2003-based computers on the Internet. The use of RPC over HTTP communication between Outlook and Exchange server eliminates the need to expose unauthenticated RPC traffic across the Internet. Instead, traffic between the Outlook 2003 client and the Exchange Server 2003 computer is tunneled within HTTPS packets over TCP port 443 (HTTPS).

RPC over HTTPS requires that port TCP 443 (HTTPS) be available between the Outlook 2003 client and the server that is functioning as the "RPCProxy" device. The HTTPS packets are terminated at the RPCProxy server and the unwrapped RPC packets are then passed to the Exchange server on three ports, in similar fashion to the direct RPC traffic described above. These RPC over HTTPS ports on the Exchange server are statically mapped to TCP 6001 (the Information Store), TCP 6002 (Directory Referral), and TCP 6004 (DSProxy/NSPI). No endpoint mapper must be exposed when using RPC over HTTPS communication between Outlook 2003 and Exchange 2003, since Outlook 2003 knows to use these statically mapped endpoint ports. In addition, no global catalog needs to be exposed to the Outlook 2003 client because the DSProxy/NSPI interface on the Exchange 2003 server will provide this functionality.

Exchange Server can also provide support for other protocols, such as SMTP, Post Office Protocol 3 (POP3), and IMAP.

Application protocol                        Protocol  Ports
IMAP                                        TCP       143
IMAP over SSL                               TCP       993
POP3                                        TCP       110
POP3 over SSL                               TCP       995
Randomly allocated high TCP ports¹          TCP       random port number between 1024 - 65535 (49152 - 65535²)
RPC                                         TCP       135
RPC over HTTPS                              TCP       443 or 80
SMTP                                        TCP       25
SMTP                                        UDP       25
Information Store                           TCP       6001
Directory Referral                          TCP       6002
DSProxy/NSPI                                TCP       6004

¹ For more information about how to customize this port, see the "Remote Procedure Calls and DCOM" section in the "References" section.

² This is the range in Windows Server 2008 and in Windows Vista.

ISA Server

Application protocol                        Protocol  Ports
Configuration Storage (domain)              TCP       2171 (note 1)
Configuration Storage (replication)         TCP       2173 (note 1)
Configuration Storage (workgroup)           TCP       2172 (note 1)
Firewall Client Application                 TCP/UDP   1025-65535 (note 2)
Firewall Client Control Channel             TCP/UDP   1745 (note 3)
Firewall Control Channel                    TCP       3847 (note 1)
RPC                                         TCP       135 (note 6)
Randomly allocated high TCP ports (note 6)  TCP       random port number between 1024 - 65535 (49152 - 65535, note 7)
Web Management                              TCP       2175 (note 1, 4)
Web Proxy Client                            TCP       8080 (note 5)

Notes:

1. Not used with ISA 2000
2. FWC application transport / protocols are negotiated within the FWC control channel
3. ISA 2000 FWC control defaults to UDP; ISA 2004 and 2006 default to TCP.
4. Firewall Web Management is used by OEM to provide non-MMC management of ISA Server
5. Also used for intra-array traffic.
6. Used only by the ISA management MMC during remote server and service status monitoring.
7. This is the range in Windows Server 2008 and in Windows Vista.

Fax Service

Fax Service, a Telephony API (TAPI)-compliant system service, provides fax capabilities. By using Fax Service, users can send and receive faxes from their desktop programs by using either a local fax device or a shared network fax device.

System service name: Fax

Application protocol                        Protocol  Ports
NetBIOS Session Service                     TCP       139
SMB                                         TCP       445

Page 8: Services and Ports Requirements for the Windows Server Systems (KB832017)

¹ For more information about how to customize this port, see the "Remote Procedure Calls and DCOM"

section in the "References" section.

² This is the range in Windows Server 2008 and in Windows Vista.

File Replication

The File Replication service (FRS) is a file-based replication engine that automatically copies updates to files

and folders between computers that are participating in a common FRS replica set. FRS is the default

replication engine that is used to replicate the contents of the SYSVOL folder between Windows 2000-based

and Windows Server 2003-based domain controllers that are located in a common domain. FRS may be

configured to replicate files and folders between targets of a DFS root or link by using the DFS

Administration tool.

System service name: NtFrs

¹ For more information about how to customize this port, see the "File Replication Service" section in the

"References" section.

² This is the range in Windows Server 2008 and in Windows Vista.

File Server for Macintosh

By using the File Server for Macintosh system service, Macintosh computer users can store and access files on a computer that is running Windows Server 2003. If this service is turned off or blocked, Macintosh clients cannot access or store files on that computer.

System service name: MacFile

FTP Publishing Service

FTP Publishing Service provides FTP connectivity. By default, the FTP control port is 21. However, you can configure this system service through the Internet Information Services (IIS) Manager snap-in. The default data port (the port that is used for active mode FTP) is automatically set to one port less than the control port. Therefore, if you configure the control port to port 4131, the default data port is port 4130. Most FTP clients use passive mode FTP. This means that the client initially connects to the FTP server by using the control port, the FTP server assigns a high TCP port between ports 1025 and 5000, and then the client opens a second connection to the FTP server on that port for transferring data. You can configure the range of high ports by using the IIS metabase.

System service name: MSFTPSVC

¹ This is the range in Windows Server 2008 and in Windows Vista.
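As an added illustration of the port behaviour described in the FTP Publishing Service section (this code is not part of KB832017 and is not IIS code): the active-mode data port is derived from the control port, and a client that receives a PASV reply computes the data port from the last two octets and can check it against the range the server was configured to hand out before it opens the second connection. The control port 4131 and the 1025-5000 range come from the article; the 192.0.2.x and 198.51.100.x addresses and the reply lines are constructed sample values, and the helper names are hypothetical.

```python
import re
from dataclasses import dataclass

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" is the reply an FTP server sends to PASV.
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class FtpPortPlan:
    """Port configuration of one FTP server (hypothetical helper, not an IIS object)."""
    control_port: int      # 21 by default; configurable in the IIS Manager snap-in
    passive_range: tuple   # (low, high) high-port range the server hands out for passive mode

    @property
    def active_data_port(self) -> int:
        """Active-mode data port: one less than the control port (21 -> 20, 4131 -> 4130)."""
        return self.control_port - 1


def parse_pasv_reply(line: str):
    """Return (host, port) advertised in a 227 reply; the port is p1 * 256 + p2."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 Entering Passive Mode reply")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("octet out of range in PASV reply")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def passive_data_connection_ok(reply: str, control_peer_ip: str, plan: FtpPortPlan) -> bool:
    """Client-side check before opening the data connection: the advertised host must be
    the server already on the control connection, and the port must lie inside the
    configured passive range. Anything else points at a misconfiguration or a tampered reply."""
    try:
        host, port = parse_pasv_reply(reply)
    except ValueError:
        return False
    low, high = plan.passive_range
    return host == control_peer_ip and low <= port <= high
```

The same range check is what a firewall in front of the server needs: inbound TCP to the control port plus inbound TCP to the configured passive range, nothing wider.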

Application protocol Protocol Ports

RPC TCP 135

Randomly allocated high TCP ports¹ TCP random port number between 1024 - 65535; random port number between 49152 - 65535²

Application protocol Protocol Ports

RPC TCP 135

Randomly allocated high TCP ports¹ TCP random port number between 1024 - 65535; random port number between 49152 - 65535²

Application protocol Protocol Ports

File Server for Macintosh TCP 548

Application protocol Protocol Ports

FTP control TCP 21

FTP default data TCP 20

Randomly allocated high TCP ports TCP random port number between 1024 - 65535; random port number between 49152 - 65535¹

Group Policy

To successfully apply Group Policy, a client must be able to contact a domain controller over the DCOM, ICMP, LDAP, SMB, and RPC protocols. If any one of these protocols is unavailable or blocked between the client and a relevant domain controller, policy will not apply or refresh. For a cross-domain logon, where a computer is in one domain, and the user account is in another, these protocols may be required for the client, the resource domain, and the account domain to communicate. ICMP is used for slow link detection. For more information about slow link detection, click the following article number to view the article in the Microsoft Knowledge Base: 227260 (http://support.microsoft.com/kb/227260/) How a slow link is detected for processing user profiles and Group Policy

System service name: Group Policy

¹ For more information about how to customize this port, see the "Domain controllers and Active Directory" section in the "References" section.

² This is the range in Windows Server 2008 and in Windows Vista.

HTTP SSL

The HTTP SSL system service enables IIS to perform SSL functions. SSL is an open standard for establishing an encrypted communications channel to help prevent the interception of critical information, such as credit card numbers. Although this service is designed to work on other Internet services, it is primarily used to enable encrypted electronic financial transactions on the World Wide Web (WWW). You can configure the ports for this service through the Internet Information Services (IIS) Manager snap-in.

System service name: HTTPFilter

Internet Authentication Service

Internet Authentication Service (IAS) performs centralized authentication, authorization, auditing, and accounting of users who are connecting to a network. These users can be on a LAN connection or on a remote connection. IAS implements the Internet Engineering Task Force (IETF) standard Remote Authentication Dial-In User Service (RADIUS) protocol.

System service name: IAS

Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS)

This system service provides NAT, addressing, and name resolution services for all computers on your home network or your small-office network. When the Internet Connection Sharing feature is enabled, your computer becomes an "Internet gateway" on the network, and other client computers can then share one connection to the Internet, such as a dial-up connection or a broadband connection. This service provides basic DHCP and DNS services but will work with the full-featured Windows DHCP or DNS services. When ICF and Internet Connection Sharing act as a gateway for the rest of the computers on your network, they provide DHCP and DNS services to the private network on the internal network interface. They do not provide these services on the external-facing interface.

System service name: SharedAccess

Application protocol Protocol Ports

DCOM¹ TCP + UDP random port number between 1024 - 65535; random port number between 49152 - 65535²

ICMP (ping) ICMP

LDAP TCP 389

SMB TCP 445

RPC TCP 135, random port number between 1024 - 65535*

Application protocol Protocol Ports

HTTPS TCP 443

Application protocol Protocol Ports

Legacy RADIUS UDP 1645

Legacy RADIUS UDP 1646

RADIUS Accounting UDP 1813

RADIUS Authentication UDP 1812

Application protocol Protocol Ports

DHCP Server UDP 67

DNS UDP 53

DNS TCP 53

Kerberos Key Distribution Center

When you use the Kerberos Key Distribution Center (KDC) system service, users can log on to the network by using the Kerberos version 5 authentication protocol. As in other implementations of the Kerberos protocol, the KDC is a single process that provides two services: the Authentication Service and the Ticket-Granting Service. The Authentication Service issues ticket granting tickets, and the Ticket-Granting Service issues tickets for connection to computers in its own domain.

System service name: kdc

License Logging

The License Logging system service is a tool that was originally designed to help customers manage licenses for Microsoft server products that are licensed in the Server Client Access License (CAL) model. License Logging was introduced with Microsoft Windows NT Server 3.51. By default, the License Logging service is disabled in Windows Server 2003. Because of legacy design constraints and evolving license terms and conditions, License Logging may not provide an accurate view of the total number of CALs that are purchased compared to the total number of CALs that are used on a particular server or across the enterprise. The CALs that are reported by License Logging may conflict with the interpretation of the End-User License Agreement (EULA) and with Product Use Rights (PUR). License Logging will not be included in future versions of the Windows operating system. Microsoft recommends that only users of the Microsoft Small Business Server family of operating systems enable this service on their servers.

System service name: LicenseService

Note The License Logging service uses RPC over named pipes. This service has the same firewall requirements as those of the "File and Printer Sharing" feature.

Message Queuing

The Message Queuing system service is a messaging infrastructure and development tool for creating distributed messaging programs for Windows. These programs can communicate across heterogeneous networks and can send messages between computers that may be temporarily unable to connect to each other. Message Queuing helps provide security, efficient routing, support for sending messages within transactions, priority-based messaging, and guaranteed message delivery.

System service name: MSMQ

Application protocol Protocol Ports

Kerberos TCP 88

Kerberos UDP 88

Kerberos Password V5 UDP 464

Kerberos Password V5 TCP 464

Application protocol Protocol Ports

NetBIOS Datagram Service UDP 138

NetBIOS Session Service TCP 139

SMB TCP 445

Application protocol Protocol Ports

MSMQ TCP 1801

MSMQ UDP 1801

MSMQ-DCs TCP 2101

MSMQ-Mgmt TCP 2107

MSMQ-Ping UDP 3527

MSMQ-RPC TCP 2105

MSMQ-RPC TCP 2103

RPC TCP 135

Messenger

The Messenger system service sends messages to or receives messages from users and computers, administrators, and the Alerter service. This service is not related to Windows Messenger. If you disable the Messenger service, notifications that are sent to computers or users who are currently logged on to the network are not received. Additionally, the net send command and the net name command no longer function.

System service name: Messenger

Microsoft Exchange MTA Stacks

In Microsoft Exchange 2000 Server and Microsoft Exchange Server 2003, the Message Transfer Agent (MTA) is frequently used to provide backward-compatible message transfer services between Exchange 2000 Server-based servers and Exchange Server 5.5-based servers in a mixed-mode environment.

System service name: MSExchangeMTA

Microsoft Operations Manager 2000

Microsoft Operations Manager (MOM) 2000 delivers enterprise-class operations management by providing comprehensive event management, proactive monitoring and alerting, reporting, and trend analysis. After you install MOM 2000 Service Pack 1 (SP1), MOM 2000 no longer uses a clear text communications channel, and all traffic between the MOM agent and the MOM server is encrypted over TCP port 1270. The MOM Administrator console uses DCOM to connect to the server. This means that administrators who manage the MOM server over the network must have access to random high TCP ports.

System service name: one point

Microsoft POP3 Service

Microsoft POP3 Service provides e-mail transfer and retrieval services. Administrators can use this service to store and manage e-mail accounts on the mail server. When you install Microsoft POP3 Service on the mail server, users can connect to the mail server and can retrieve e-mail by using an e-mail client that supports the POP3 protocol, such as Microsoft Outlook.

System service name: POP3SVC

MSSQLSERVER

MSSQLSERVER is a system service in Microsoft SQL Server 2000. SQL Server provides a powerful and comprehensive data management platform. You can configure the ports that each instance of SQL Server uses by using the Server Network Utility.

System service name: MSSQLSERVER

MSSQL$UDDI

The MSSQL$UDDI system service is installed during the installation of the Universal Description, Discovery, and Integration (UDDI) feature of the Windows Server 2003 family of operating systems. MSSQL$UDDI provides UDDI capabilities in an enterprise. The SQL Server database engine is the core component of MSSQL$UDDI.

System service name: MSSQLSERVER

Application protocol Protocol Ports

NetBIOS Datagram Service UDP 138

Application protocol Protocol Ports

X.400 TCP 102

Application protocol Protocol Ports

MOM-Clear TCP 51515

MOM-Encrypted TCP 1270

Application protocol Protocol Ports

POP3 TCP 110

Application protocol Protocol Ports

SQL over TCP TCP 1433

SQL Probe UDP 1434

Application protocol Protocol Ports

SQL over TCP TCP 1433

SQL Probe UDP 1434

Net Logon

The Net Logon system service maintains a security channel between your computer and the domain controller to authenticate users and services. It passes the user's credentials to a domain controller and returns the domain security identifiers and the user rights for the user. This is typically referred to as pass-through authentication. Net Logon is configured to start automatically only when a member computer or domain controller is joined to a domain. In the Windows 2000 Server and Windows Server 2003 families, Net Logon publishes service resource locator records in the DNS. When this service runs, it relies on the WORKSTATION service and on the Local Security Authority service to listen for incoming requests. On domain member computers, Net Logon uses RPC over named pipes. On domain controllers, it uses RPC over named pipes, RPC over TCP/IP, mailslots, and Lightweight Directory Access Protocol (LDAP).

System service name: Netlogon

¹ For more information about how to customize this port, see the "Domain controllers and Active Directory" section in the "References" section.

² This is the range in Windows Server 2008 and in Windows Vista.

Note The Net Logon service uses RPC over named pipes for down-level clients. This service has the same firewall requirements as those of the "File and Printer Sharing" feature.

NetMeeting Remote Desktop Sharing

The NetMeeting Remote Desktop Sharing system service allows authorized users to remotely access your Windows desktop from another personal computer over a corporate intranet by using Windows NetMeeting. You must explicitly enable this service in NetMeeting. You can disable or shut down this feature by using an icon in the Windows notification area.

System service name: mnmsrvc

Network News Transfer Protocol (NNTP)

The Network News Transfer Protocol (NNTP) system service allows computers that are running Windows Server 2003 to act as news servers. Clients can use a news client, such as Microsoft Outlook Express, to retrieve newsgroups from the server and to read the headers or the bodies of the articles in each newsgroup.

System service name: NNTPSVC

Performance Logs and Alerts

The Performance Logs and Alerts system service collects, based on preconfigured schedule parameters, performance data from local or remote computers and then writes that data to a log or triggers a message. Based on the information that is contained in the named log collection setting, the Performance Logs and Alerts service starts and stops each named performance data collection. This service only runs if at least one performance data collection is scheduled.

System service name: SysmonLog

Application protocol Protocol Ports

NetBIOS Datagram Service UDP 138

NetBIOS Name Resolution UDP 137

NetBIOS Session Service TCP 139

SMB TCP 445

RPC¹ TCP 135, random port number between 1024 - 65535; 135, random port number between 49152 - 65535²

Application protocol Protocol Ports

Terminal Services TCP 3389

Application protocol Protocol Ports

NNTP TCP 119

NNTP over SSL TCP 563

Application protocol Protocol Ports

NetBIOS Session Service TCP 139

Print Spooler

The Print Spooler system service manages all local and network print queues and controls all print jobs. Print Spooler is the center of the Windows printing subsystem. It manages the print queues on the system and communicates with printer drivers and input/output (I/O) components, such as the USB port and the TCP/IP protocol suite.

System service name: Spooler

Note The Spooler service uses RPC over named pipes. This service has the same firewall requirements as those of the "File and Printer Sharing" feature.

Remote Installation

You can use the Remote Installation system service to install Windows 2000, Windows XP, and Windows Server 2003 on Pre-Boot eXecution Environment (PXE) remote boot-enabled client computers. The Boot Information Negotiation Layer (BINL) service, the primary component of Remote Installation Server (RIS), answers PXE client requests, checks Active Directory for client validation, and passes client information to and from the server. The BINL service is installed when you either add the RIS component from Add/Remove Windows Components, or select it when you initially install the operating system.

System service name: BINLSVC

Remote Procedure Call (RPC)

The Remote Procedure Call (RPC) system service is an interprocess communication (IPC) mechanism that enables data exchange and invocation of functionality that reside in a different process. The different process can be on the same computer, on the LAN, or in a remote location, and can be accessed over a WAN connection or over a VPN connection. The RPC service serves as the RPC endpoint mapper and Component Object Model (COM) Service Control Manager. Many services depend on the RPC service to start successfully.

System service name: RpcSs

Note The RPC Endpoint Mapper also offers its services by using named pipes. This service has the same firewall requirements as those of the "File and Printer Sharing" feature.

Remote Procedure Call (RPC) Locator

The Remote Procedure Call (RPC) Locator system service manages the RPC name service database. When this service is turned on, RPC clients can locate RPC servers. This service is turned off by default.

System service name: RpcLocator

Note The RPC Locator service offers its services by using RPC over named pipes. This service has the same firewall requirements as those of the "File and Printer Sharing" feature.

Application protocol Protocol Ports

NetBIOS Datagram Service UDP 138

NetBIOS Name Resolution UDP 137

NetBIOS Session Service TCP 139

SMB TCP 445

Application protocol Protocol Ports

BINL UDP 4011

Application protocol Protocol Ports

RPC TCP 135

RPC over HTTPS TCP 593

NetBIOS Datagram Service UDP 138

NetBIOS Name Resolution UDP 137

NetBIOS Session Service TCP 139

SMB TCP 445

Application protocol Protocol Ports

NetBIOS Datagram Service UDP 138

NetBIOS Name Resolution UDP 137

NetBIOS Session Service TCP 139

SMB TCP 445


Remote Storage Notification

The Remote Storage Notification system service notifies users when they read from or write to files that are only available from a secondary storage media. Stopping this service prevents this notification.

System service name: Remote_Storage_User_Link

¹ For more information about how to customize this port, see the "Remote Procedure Calls and DCOM" section in the "References" section.

² This is the range in Windows Server 2008 and in Windows Vista.

Remote Storage Server

The Remote Storage Server system service stores infrequently used files on a secondary storage medium. If you stop this service, users cannot move or retrieve files from the secondary storage media.

System service name: Remote_Storage_Server

¹ For more information about how to customize this port, see the "Remote Procedure Calls and DCOM" section in the "References" section.

² This is the range in Windows Server 2008 and in Windows Vista.

Routing and Remote Access

The Routing and Remote Access service provides multiprotocol LAN-to-LAN, LAN-to-WAN, VPN, and NAT routing services. Additionally, the Routing and Remote Access service also provides dial-up and VPN remote access services. Although Routing and Remote Access can use all the following protocols, the service typically uses only a subset of them. For example, if you configure a VPN gateway that lies behind a filtering router, you will probably use only one technology. If you use L2TP with IPsec, you must allow IPsec ESP (IP protocol 50), NAT-T (UDP on port 4500), and IPsec ISAKMP (UDP on port 500) through the router.

Note Although NAT-T and IPsec ISAKMP are required for L2TP, these ports are actually monitored by the Local Security Authority. For additional information about this, see the "References" section of this article.

System service name: RemoteAccess

Application protocol Protocol Ports

RPC TCP 135

Randomly allocated high TCP ports¹ TCP random port number between 1024 - 65535; random port number between 49152 - 65535²

Application protocol Protocol Ports

RPC TCP 135

Randomly allocated high TCP ports¹ TCP random port number between 1024 - 65535; random port number between 49152 - 65535²

Application protocol Protocol Ports

GRE (IP protocol 47) GRE n/a

IPsec AH (IP protocol 51) AH n/a

IPsec ESP (IP protocol 50) ESP n/a

L2TP UDP 1701

PPTP TCP 1723

Server

The Server system service provides RPC support and file, print, and named pipe sharing over the network. The Server service allows the sharing of local resources, such as disks and printers, so that other users on the network can access them. It also allows named pipe communication between programs that are running on the local computer and on other computers. Named pipe communication is memory that is reserved for the output of one process to be used as input for another process. The input-accepting process does not have to be local to the computer.

Note If a computer name resolves to multiple IP addresses using WINS, or if WINS failed and the name is resolved using DNS, NetBIOS over TCP/IP (NetBT) will try to ping the IP address or addresses of the file server. Port 139 communications depend on Internet Control Message Protocol (ICMP) echo messages. If Internet Protocol version 6 (IPv6) is not installed, port 445 communications will also depend on ICMP for name resolution. Preloaded Lmhosts entries will bypass the DNS resolver. If IPv6 is installed on Windows Server 2003-based or Windows XP-based systems, port 445 communications will not trigger any ICMP requests.

System service name: lanmanserver

SharePoint Portal Server

With the SharePoint Portal Server system service, you can develop an intelligent portal that seamlessly connects users, teams, and knowledge so that people can take advantage of relevant information across business processes. Microsoft SharePoint Portal Server 2003 provides an enterprise business solution that integrates information from various systems into one solution through single sign-on and enterprise application integration capabilities.

Simple Mail Transfer Protocol (SMTP)

The Simple Mail Transfer Protocol (SMTP) system service is an e-mail submission and relay agent. It accepts and queues e-mail for remote destinations, and it retries at specified intervals. Windows domain controllers use the SMTP service for intersite e-mail-based replication. The Collaboration Data Objects (CDO) for the Windows Server 2003 COM component can use the SMTP service to submit and to queue outbound e-mail.

System service name: SMTPSVC

Simple TCP/IP Services

Simple TCP/IP Services implements support for the following protocols:

Echo, port 7, RFC 862

Discard, port 9, RFC 863

Character Generator, port 19, RFC 864

Daytime, port 13, RFC 867

Quote of the Day, port 17, RFC 865

System service name: SimpTcp

Application protocol Protocol Ports

NetBIOS Datagram Service UDP 138

NetBIOS Name Resolution UDP 137

NetBIOS Session Service TCP 139

SMB TCP 445

Application protocol Protocol Ports

HTTP TCP 80

HTTPS TCP 443

Application protocol Protocol Ports

SMTP TCP 25

Application protocol Protocol Ports

Chargen TCP 19

Chargen UDP 19

Daytime TCP 13

Daytime UDP 13

Discard TCP 9

Discard UDP 9

Echo TCP 7

Echo UDP 7

Quotd TCP 17

Quotd UDP 17

SMS Remote Control Agent

SMS Remote Control Agent is a system service in Microsoft Systems Management Server (SMS) 2003. SMS Remote Control Agent provides a comprehensive solution for change and for configuration management for the Microsoft operating systems. With this solution, organizations can provide relevant software and updates to users.

System service name: Wuser32

SNMP Service

SNMP Service allows incoming Simple Network Management Protocol (SNMP) requests to be serviced by the local computer. SNMP Service includes agents that monitor activity in network devices and report to the network console workstation. SNMP Service provides a method of managing network hosts (such as workstation or server computers, routers, bridges, and hubs) from a centrally-located computer that is running network management software. SNMP performs management services by using a distributed architecture of management systems and agents.

System service name: SNMP

SNMP Trap Service

SNMP Trap Service receives trap messages that are generated by local or by remote SNMP agents and then forwards those messages to SNMP management programs that are running on your computer. SNMP Trap Service, when configured for an agent, generates trap messages if any specific events occur. These messages are sent to a trap destination. For example, an agent can be configured to initiate an authentication trap if an unrecognized management system sends a request for information. Trap destinations include the computer name, the IP address, or the Internetwork Packet Exchange (IPX) address of the management system. The trap destination must be a network-enabled host that is running SNMP management software.

System service name: SNMPTRAP

SQL Analysis Server

The SQL Analysis Server system service is a component of SQL Server 2000. With SQL Analysis Server, you can create and manage OLAP cubes and data mining models. The analysis server may access local or remote data sources for creating and storing cubes or data mining models.

SQL Server: Downlevel OLAP Client Support

This system service is used by SQL Server 2000 when the SQL Analysis Server service has to support connections from downlevel (OLAP Services 7.0) clients. These are the default ports for OLAP services that are used by SQL 7.0.

Application protocol Protocol Ports

SMS Remote Chat TCP 2703

SMS Remote Chat UDP 2703

SMS Remote Control (control) TCP 2701

SMS Remote Control (control) UDP 2701

SMS Remote Control (data) TCP 2702

SMS Remote Control (data) UDP 2702

SMS Remote File Transfer TCP 2704

SMS Remote File Transfer UDP 2704

Application protocol Protocol Ports

SNMP UDP 161

Application protocol Protocol Ports

SNMP Traps Outbound UDP 162

Application protocol Protocol Ports

SQL Analysis Services TCP 2725

Application protocol Protocol Ports

OLAP Services 7.0 TCP 2393

OLAP Services 7.0 TCP 2394

SSDP Discovery Service

SSDP Discovery Service implements Simple Service Discovery Protocol (SSDP) as a Windows service. SSDP Discovery Service manages receipt of device presence announcements, updates its cache, and passes these notifications along to clients with outstanding search requests. SSDP Discovery Service also accepts registration of event callbacks from clients, turns these into subscription requests, and monitors for event notifications. It then passes these requests along to the registered callbacks. This system service also provides hosted devices with periodic announcements. Currently, the SSDP event notification service uses TCP port 5000. Starting with the next Windows XP service pack, it will rely on TCP port 2869.

Note At the time of this writing, the current Windows XP service pack level is Windows XP Service Pack 1 (SP1).

System service name: SSDPRSR

Systems Management Server 2.0

Microsoft Systems Management Server (SMS) 2003 provides a comprehensive solution for change and configuration management for Microsoft operating systems. With this solution, organizations can provide relevant software and updates to users quickly and cost-effectively.

¹ For more information about how to customize this port, see the "Remote Procedure Calls and DCOM" section in the "References" section.

² This is the range in Windows Server 2008 and in Windows Vista.

TCP/IP Print Server

The TCP/IP Print Server system service enables TCP/IP-based printing by using the Line Printer Daemon (LPD) protocol. The LPD service on the server receives documents from Line Printer Remote (LPR) utilities that are running on UNIX computers.

System service name: LPDSVC

Telnet

The Telnet system service for Windows provides ASCII terminal sessions to Telnet clients. A Telnet server supports two types of authentication and supports the following four types of terminals:

American National Standards Institute (ANSI)

VT-100

VT-52

VTNT

System service name: TlntSvr

Application protocol Protocol Ports

SSDP UDP 1900

SSDP event notification TCP 2869

SSDP legacy event notification TCP 5000

Application protocol Protocol Ports

NetBIOS Datagram Service UDP 138

NetBIOS Name Resolution UDP 137

NetBIOS Session Service TCP 139

RPC TCP 135

SMB TCP 445

Randomly allocated high TCP ports¹ TCP random port number between 1024 - 65535; random port number between 49152 - 65535²

Application protocol Protocol Ports

LPD TCP 515

Application protocol Protocol Ports

Telnet TCP 23

Terminal Services

Terminal Services provides a multi-session environment that allows client devices to access a virtual Windows desktop session and Windows-based programs that are running on the server. Terminal Services allows multiple users to be connected interactively to a computer.

System service name: TermService

Terminal Services Licensing

The Terminal Services Licensing system service installs a license server and provides licenses to registered clients when the clients connect to a terminal server (a server that has Terminal Server enabled). Terminal Services Licensing is a low-impact service that stores the client licenses that have been issued for a terminal server, and then tracks the licenses that have been issued to client computers or terminals.

System service name: TermServLicensing

¹ For more information about how to customize this port, see the "Remote Procedure Calls and DCOM" section in the "References" section.

² This is the range in Windows Server 2008 and in Windows Vista.

Note Terminal Services Licensing offers its services by using RPC over named pipes. This service has the same firewall requirements as those of the "File and Printer Sharing" feature.

Terminal Services Session Directory

The Terminal Services Session Directory system service allows clusters of load-balanced terminal servers to correctly route a user's connection request to the server where the user already has a session running. Users are routed to the first-available terminal server, regardless of whether they are running another session in the server cluster. The load-balancing functionality pools the processing resources of several servers by using the TCP/IP networking protocol. You can use this service with a cluster of terminal servers to increase the performance of a single terminal server by distributing sessions across multiple servers. Terminal Services Session Directory keeps track of disconnected sessions on the cluster and makes sure that users are reconnected to those sessions.

System service name: Tssdis

¹ For more information about how to customize this port, see the "Remote Procedure Calls and DCOM"

section in the "References" section.

² This is the range in Windows Server 2008 and in Windows Vista.

Trivial FTP Daemon

The Trivial FTP Daemon system service does not require a user name or a password and is an integral part

of the Remote Installation Services (RIS). The Trivial FTP Daemon service implements support for the Trivial

FTP Protocol (TFTP) that is defined by the following RFCs:

RFC 1350 - TFTP

RFC 2347 - Option extension

RFC 2348 - Block size option

RFC 2349 - Timeout interval, and transfer size options

Trivial File Transfer Protocol (TFTP) is a file transfer protocol that is designed to support diskless boot

environments. The TFTP service listens on UDP port 69 but responds from a randomly allocated high port.

Therefore, enabling this port will let the TFTP service receive incoming TFTP requests, but will not let the

selected server respond to those requests. The service is free to respond to any such request from any

source port it wishes, and the remote client will then use that port for the duration of the transfer.

Application protocol Protocol Ports

Terminal Services TCP 3389

Application protocol Protocol Ports

RPC TCP 135

Randomly allocated high TCP ports¹ TCP random port number between 1024 - 65535 random port number between 49152 - 65535²

NetBIOS Datagram Service UDP 138

NetBIOS Name Resolution UDP 137

NetBIOS Session Service TCP 139

SMB TCP 445

Application protocol Protocol Ports

RPC TCP 135

Randomly allocated high TCP ports¹ TCP random port number between 1024 - 65535 random port number between 49152 - 65535²

Page 18 of 30Service overview and network port requirements for the Windows Server system

11/28/2009http://support.microsoft.com/kb/832017

Page 19: Services and Ports Requirements for the Windows Server Systems (KB832017)

Communication is bidirectional. If you need to enable this protocol through a firewall, it may be useful to

open UDP port 69 inbound. You can then rely on other firewall features, which dynamically allow the service

to respond through temporary holes on any other port.
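The point above (UDP 69 inbound alone is not enough, because the server's reply comes from a different port) as an added example that is not part of the Knowledge Base article: a small Python model of a stateless UDP rule set beside a TFTP-aware stateful filter, both run over a constructed RRQ/DATA/ACK exchange. The addresses, ports and both filter classes are constructed for the example.

```python
"""Why opening UDP 69 alone does not make TFTP work (added example).

Models the exchange the article describes: the client sends to UDP 69, the
server replies from a randomly allocated high port, and the client keeps
talking to that port. A stateless rule set passes only the request; a
TFTP-aware stateful filter opens a temporary hole for the reply.
Addresses, ports and both filter classes are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    kind: str  # label for the step: "RRQ", "DATA" or "ACK"


TFTP_PORT = 69
SERVER = "10.0.0.10"   # constructed RIS/TFTP server address
CLIENT = "10.0.0.20"   # constructed diskless client address

# Constructed exchange. The server's DATA comes from port 61234, not from 69.
EXCHANGE = [
    Packet(CLIENT, 50555, SERVER, TFTP_PORT, "RRQ"),
    Packet(SERVER, 61234, CLIENT, 50555, "DATA"),
    Packet(CLIENT, 50555, SERVER, 61234, "ACK"),
]


class StatelessFilter:
    """Allow UDP to the server's open ports, plus the mirror rule back out."""

    def __init__(self, server_ip: str, open_udp_ports: Set[int]):
        self.server = server_ip
        self.ports = open_udp_ports

    def allow(self, pkt: Packet) -> bool:
        if pkt.dst_ip == self.server and pkt.dst_port in self.ports:
            return True  # inbound request to UDP 69
        if pkt.src_ip == self.server and pkt.src_port in self.ports:
            return True  # a reply passes only if it came from UDP 69
        return False


class StatefulTftpFilter(StatelessFilter):
    """Same rule, plus a TFTP-aware hole: after an allowed request from a
    client socket, one reply from the server from any port to that socket
    is allowed, and the resulting client/server transfer identifiers are
    tracked for the rest of the transfer."""

    def __init__(self, server_ip: str, open_udp_ports: Set[int]):
        super().__init__(server_ip, open_udp_ports)
        self.pending: Set[Tuple[str, int]] = set()      # client sockets awaiting a reply
        self.flows: Set[Tuple[str, int, int]] = set()   # (client_ip, client_port, server_tid)

    def allow(self, pkt: Packet) -> bool:
        client = (pkt.src_ip, pkt.src_port)
        if pkt.dst_ip == self.server and pkt.dst_port in self.ports:
            self.pending.add(client)            # remember who asked
            return True
        target = (pkt.dst_ip, pkt.dst_port)
        if pkt.src_ip == self.server and target in self.pending:
            self.pending.discard(target)        # the temporary hole is used once
            self.flows.add((pkt.dst_ip, pkt.dst_port, pkt.src_port))
            return True
        if pkt.src_ip == self.server and (pkt.dst_ip, pkt.dst_port, pkt.src_port) in self.flows:
            return True                         # later DATA blocks of the transfer
        if pkt.dst_ip == self.server and (pkt.src_ip, pkt.src_port, pkt.dst_port) in self.flows:
            return True                         # client ACKs sent to the server's TID
        return False


def run(exchange: List[Packet], fw: StatelessFilter) -> List[Tuple[str, bool]]:
    """Verdict per packet, in order, so state built by earlier packets applies."""
    return [(p.kind, fw.allow(p)) for p in exchange]


if __name__ == "__main__":
    print("stateless:", run(EXCHANGE, StatelessFilter(SERVER, {TFTP_PORT})))
    print("stateful: ", run(EXCHANGE, StatefulTftpFilter(SERVER, {TFTP_PORT})))
```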

| Application protocol | Protocol | Ports |
|---|---|---|
| TFTP | UDP | 69 |

System service name: tftpd

Universal Plug and Play Device Host

The Universal Plug and Play Host discovery system service implements all the components that are required for device registration, control, and the response to events for hosted devices. The information that is registered for a device (the description, the lifetimes, and the containers) is optionally stored to disk and is announced on the network after registration, or when the operating system restarts. The service also includes the Web server that serves the device, in addition to service descriptions and a presentation page.

| Application protocol | Protocol | Ports |
|---|---|---|
| UPNP | TCP | 2869 |

System service name: UPNPHost

Windows Internet Name Service (WINS)

Windows Internet Name Service (WINS) enables NetBIOS name resolution. This service helps you locate network resources by using NetBIOS names. WINS servers are required unless all domains have been upgraded to the Active Directory directory service and all computers on the network are running Windows 2000 or later. WINS servers communicate with network clients by using NetBIOS name resolution. WINS replication is only required between WINS servers.

| Application protocol | Protocol | Ports |
|---|---|---|
| NetBIOS Name Resolution | UDP | 137 |
| WINS Replication | TCP | 42 |
| WINS Replication | UDP | 42 |

System service name: WINS

Windows Media Services

Windows Media Services in Windows Server 2003 replaces the following four services that are included in Windows Media Services versions 4.0 and 4.1:

Windows Media Monitor Service
Windows Media Program Service
Windows Media Station Service
Windows Media Unicast Service

Windows Media Services is now a single service that runs on Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition. Its core components were developed by using COM, and it has a flexible architecture that you can customize for specific programs. It supports a greater variety of control protocols, including Real Time Streaming Protocol (RTSP), Microsoft Media Server (MMS) protocol, and HTTP.

| Application protocol | Protocol | Ports |
|---|---|---|
| HTTP | TCP | 80 |
| MMS | TCP | 1755 |
| MMS | UDP | 1755 |
| MS Theater | UDP | 2460 |
| RTCP | UDP | 5005 |
| RTP | UDP | 5004 |
| RTSP | TCP | 554 |

System service name: WMServer

Windows Time

The Windows Time system service maintains date and time synchronization on all Windows XP and Windows Server 2003-based computers on a network. This service uses Network Time Protocol (NTP) to synchronize computer clocks so that an accurate clock value, or timestamp, is assigned for network validation and for resource access requests. The implementation of NTP and the integration of time providers help make Windows Time a reliable and scalable time service for your enterprise. For computers that are not joined to a domain, you can configure Windows Time to synchronize time with an external time source. If this service is turned off, the time setting for local computers is not synchronized with a time service in the Windows domain or with an externally configured time service. Windows Server 2003 uses NTP. NTP runs on UDP port 123. The Windows 2000 version of this service uses Simple Network Time Protocol (SNTP). SNTP also runs on UDP port 123.

When the Windows Time service uses a Windows domain configuration, the service requires domain controller location and authentication services. Therefore, the ports for Kerberos and DNS are required.

| Application protocol | Protocol | Ports |
|---|---|---|
| NTP | UDP | 123 |
| SNTP | UDP | 123 |

System service name: W32Time

World Wide Web Publishing Service

World Wide Web Publishing Service provides the infrastructure that is necessary to register, to manage, to monitor, and to serve Web sites and programs that are registered with IIS. This system service contains a process manager and a configuration manager. The process manager controls the processes where custom applications and Web sites reside. The configuration manager reads the stored system configuration for World Wide Web Publishing Service and makes sure that Http.sys is configured to route HTTP requests to the appropriate application pools or operating system processes. You can configure the ports that are used by this service through the Internet Information Services (IIS) Manager snap-in. If the administrative Web site is enabled, a virtual Web site is created that uses HTTP traffic on TCP port 8098.

| Application protocol | Protocol | Ports |
|---|---|---|
| HTTP | TCP | 80 |
| HTTPS | TCP | 443 |

System service name: W3SVC

Ports and protocols

The following table summarizes the information from the "System services ports" section. This table is sorted by port number instead of by the service name.

| Port | Protocol | Application protocol | System service name |
|---|---|---|---|
| n/a | GRE | GRE (IP protocol 47) | Routing and Remote Access |
| n/a | ESP | IPsec ESP (IP protocol 50) | Routing and Remote Access |
| n/a | AH | IPsec AH (IP protocol 51) | Routing and Remote Access |
| 7 | TCP | Echo | Simple TCP/IP Services |
| 7 | UDP | Echo | Simple TCP/IP Services |
| 9 | TCP | Discard | Simple TCP/IP Services |
| 9 | UDP | Discard | Simple TCP/IP Services |
| 13 | TCP | Daytime | Simple TCP/IP Services |
| 13 | UDP | Daytime | Simple TCP/IP Services |
| 17 | TCP | Quotd | Simple TCP/IP Services |
| 17 | UDP | Quotd | Simple TCP/IP Services |
| 19 | TCP | Chargen | Simple TCP/IP Services |
| 19 | UDP | Chargen | Simple TCP/IP Services |
| 20 | TCP | FTP default data | FTP Publishing Service |
| 21 | TCP | FTP control | FTP Publishing Service |
| 21 | TCP | FTP control | Application Layer Gateway Service |
| 23 | TCP | Telnet | Telnet |
| 25 | TCP | SMTP | Simple Mail Transfer Protocol |
| 25 | TCP | SMTP | Exchange Server |
| 42 | TCP | WINS Replication | Windows Internet Name Service |
| 42 | UDP | WINS Replication | Windows Internet Name Service |
| 53 | TCP | DNS | DNS Server |
| 53 | UDP | DNS | DNS Server |
| 53 | TCP | DNS | Internet Connection Firewall/Internet Connection Sharing |
| 53 | UDP | DNS | Internet Connection Firewall/Internet Connection Sharing |
| 67 | UDP | DHCP Server | DHCP Server |
| 67 | UDP | DHCP Server | Internet Connection Firewall/Internet Connection Sharing |
| 69 | UDP | TFTP | Trivial FTP Daemon Service |
| 80 | TCP | HTTP | Windows Media Services |
| 80 | TCP | HTTP | World Wide Web Publishing Service |
| 80 | TCP | HTTP | SharePoint Portal Server |
| 88 | TCP | Kerberos | Kerberos Key Distribution Center |
| 88 | UDP | Kerberos | Kerberos Key Distribution Center |
| 102 | TCP | X.400 | Microsoft Exchange MTA Stacks |
| 110 | TCP | POP3 | Microsoft POP3 Service |
| 110 | TCP | POP3 | Exchange Server |
| 119 | TCP | NNTP | Network News Transfer Protocol |
| 123 | UDP | NTP | Windows Time |
| 123 | UDP | SNTP | Windows Time |
| 135 | TCP | RPC | Message Queuing |
| 135 | TCP | RPC | Remote Procedure Call |
| 135 | TCP | RPC | Exchange Server |
| 135 | TCP | RPC | Certificate Services |
| 135 | TCP | RPC | Cluster Service |
| 135 | TCP | RPC | Distributed File System |
| 135 | TCP | RPC | Distributed Link Tracking |
| 135 | TCP | RPC | Distributed Transaction Coordinator |
| 135 | TCP | RPC | Distributed File Replication Service |
| 135 | TCP | RPC | Fax Service |
| 135 | TCP | RPC | Microsoft Exchange Server |
| 135 | TCP | RPC | File Replication Service |
| 135 | TCP | RPC | Group Policy |
| 135 | TCP | RPC | Local Security Authority |
| 135 | TCP | RPC | Remote Storage Notification |
| 135 | TCP | RPC | Remote Storage Server |
| 135 | TCP | RPC | Systems Management Server 2.0 |
| 135 | TCP | RPC | Terminal Services Licensing |
| 135 | TCP | RPC | Terminal Services Session Directory |
| 137 | UDP | NetBIOS Name Resolution | Computer Browser |
| 137 | UDP | NetBIOS Name Resolution | Server |
| 137 | UDP | NetBIOS Name Resolution | Windows Internet Name Service |
| 137 | UDP | NetBIOS Name Resolution | Net Logon |
| 137 | UDP | NetBIOS Name Resolution | Systems Management Server 2.0 |
| 138 | UDP | NetBIOS Datagram Service | Computer Browser |
| 138 | UDP | NetBIOS Datagram Service | Messenger |
| 138 | UDP | NetBIOS Datagram Service | Server |
| 138 | UDP | NetBIOS Datagram Service | Net Logon |
| 138 | UDP | NetBIOS Datagram Service | Distributed File System |
| 138 | UDP | NetBIOS Datagram Service | Systems Management Server 2.0 |
| 138 | UDP | NetBIOS Datagram Service | License Logging Service |
| 139 | TCP | NetBIOS Session Service | Computer Browser |
| 139 | TCP | NetBIOS Session Service | Fax Service |
| 139 | TCP | NetBIOS Session Service | Performance Logs and Alerts |
| 139 | TCP | NetBIOS Session Service | Print Spooler |
| 139 | TCP | NetBIOS Session Service | Server |
| 139 | TCP | NetBIOS Session Service | Net Logon |
| 139 | TCP | NetBIOS Session Service | Remote Procedure Call Locator |
| 139 | TCP | NetBIOS Session Service | Distributed File System |
| 139 | TCP | NetBIOS Session Service | Systems Management Server 2.0 |
| 139 | TCP | NetBIOS Session Service | License Logging Service |
| 143 | TCP | IMAP | Exchange Server |
| 161 | UDP | SNMP | SNMP Service |
| 162 | UDP | SNMP Traps Outbound | SNMP Trap Service |
| 389 | TCP | LDAP Server | Local Security Authority |
| 389 | UDP | LDAP Server | Local Security Authority |
| 389 | TCP | LDAP Server | Distributed File System |
| 389 | UDP | LDAP Server | Distributed File System |
| 443 | TCP | HTTPS | HTTP SSL |
| 443 | TCP | HTTPS | World Wide Web Publishing Service |
| 443 | TCP | HTTPS | SharePoint Portal Server |
| 443 | TCP | RPC over HTTPS | Exchange Server 2003 |
| 445 | TCP | SMB | Fax Service |
| 445 | TCP | SMB | Print Spooler |
| 445 | TCP | SMB | Server |
| 445 | TCP | SMB | Remote Procedure Call Locator |
| 445 | TCP | SMB | Distributed File System |
| 445 | TCP | SMB | License Logging Service |
| 445 | TCP | SMB | Net Logon |
| 464 | UDP | Kerberos Password V5 | Kerberos Key Distribution Center |
| 464 | TCP | Kerberos Password V5 | Kerberos Key Distribution Center |
| 500 | UDP | IPsec ISAKMP | Local Security Authority |
| 515 | TCP | LPD | TCP/IP Print Server |
| 548 | TCP | File Server for Macintosh | File Server for Macintosh |
| 554 | TCP | RTSP | Windows Media Services |
| 563 | TCP | NNTP over SSL | Network News Transfer Protocol |
| 593 | TCP | RPC over HTTPS endpoint mapper | Remote Procedure Call |
| 593 | TCP | RPC over HTTPS | Exchange Server |
| 636 | TCP | LDAP SSL | Local Security Authority |
| 636 | UDP | LDAP SSL | Local Security Authority |
| 993 | TCP | IMAP over SSL | Exchange Server |
| 995 | TCP | POP3 over SSL | Exchange Server |
| 1067 | TCP | Installation Bootstrap Service | Installation Bootstrap protocol server |
| 1068 | TCP | Installation Bootstrap Service | Installation Bootstrap protocol client |
| 1270 | TCP | MOM-Encrypted | Microsoft Operations Manager 2000 |
| 1433 | TCP | SQL over TCP | Microsoft SQL Server |
| 1433 | TCP | SQL over TCP | MSSQL$UDDI |
| 1434 | UDP | SQL Probe | Microsoft SQL Server |
| 1434 | UDP | SQL Probe | MSSQL$UDDI |
| 1645 | UDP | Legacy RADIUS | Internet Authentication Service |
| 1646 | UDP | Legacy RADIUS | Internet Authentication Service |
| 1701 | UDP | L2TP | Routing and Remote Access |
| 1723 | TCP | PPTP | Routing and Remote Access |
| 1755 | TCP | MMS | Windows Media Services |
| 1755 | UDP | MMS | Windows Media Services |
| 1801 | TCP | MSMQ | Message Queuing |
| 1801 | UDP | MSMQ | Message Queuing |
| 1812 | UDP | RADIUS Authentication | Internet Authentication Service |
| 1813 | UDP | RADIUS Accounting | Internet Authentication Service |
| 1900 | UDP | SSDP | SSDP Discovery Service |
| 2101 | TCP | MSMQ-DCs | Message Queuing |
| 2103 | TCP | MSMQ-RPC | Message Queuing |
| 2105 | TCP | MSMQ-RPC | Message Queuing |
| 2107 | TCP | MSMQ-Mgmt | Message Queuing |
| 2393 | TCP | OLAP Services 7.0 | SQL Server: Downlevel OLAP Client Support |
| 2394 | TCP | OLAP Services 7.0 | SQL Server: Downlevel OLAP Client Support |
| 2460 | UDP | MS Theater | Windows Media Services |
| 2535 | UDP | MADCAP | DHCP Server |
| 2701 | TCP | SMS Remote Control (control) | SMS Remote Control Agent |
| 2701 | UDP | SMS Remote Control (control) | SMS Remote Control Agent |
| 2702 | TCP | SMS Remote Control (data) | SMS Remote Control Agent |
| 2702 | UDP | SMS Remote Control (data) | SMS Remote Control Agent |
| 2703 | TCP | SMS Remote Chat | SMS Remote Control Agent |
| 2703 | UDP | SMS Remote Chat | SMS Remote Control Agent |
| 2704 | TCP | SMS Remote File Transfer | SMS Remote Control Agent |
| 2704 | UDP | SMS Remote File Transfer | SMS Remote Control Agent |
| 2725 | TCP | SQL Analysis Services | SQL Analysis Server |
| 2869 | TCP | UPNP | Universal Plug and Play Device Host |
| 2869 | TCP | SSDP event notification | SSDP Discovery Service |
| 3268 | TCP | Global Catalog Server | Local Security Authority |
| 3269 | TCP | Global Catalog Server | Local Security Authority |
| 3343 | UDP | Cluster Services | Cluster Service |
| 3389 | TCP | Terminal Services | NetMeeting Remote Desktop Sharing |
| 3389 | TCP | Terminal Services | Terminal Services |
| 3527 | UDP | MSMQ-Ping | Message Queuing |
| 4011 | UDP | BINL | Remote Installation |
| 4500 | UDP | NAT-T | Local Security Authority |
| 5000 | TCP | SSDP legacy event notification | SSDP Discovery Service |
| 5004 | UDP | RTP | Windows Media Services |
| 5005 | UDP | RTCP | Windows Media Services |
| 6001 | TCP | Information Store | Exchange Server 2003 |
| 6002 | TCP | Directory Referral | Exchange Server 2003 |
| 6004 | TCP | DSProxy/NSPI | Exchange Server 2003 |
| 42424 | TCP | ASP.Net Session State | ASP.NET State Service |
| 51515 | TCP | MOM-Clear | Microsoft Operations Manager 2000 |
| 1024-65535 | TCP | RPC | Randomly allocated high TCP ports |

Microsoft provides the information in this table in a Microsoft Excel worksheet. This worksheet is available for download from the Microsoft Download Center:

Download the Port_Requirements_for_Microsoft_Windows_Server_System.xls package now. (http://download.microsoft.com/download/1/5/c/15c5287d-7a49-4c83-8ce0-aea7641b1835/Port_Requirements_for_Microsoft_Windows_Server_System.xls)

Active Directory port and protocol requirements

Application servers, client computers and domain controllers that are located in common or external forests have service dependencies so that user-initiated and computer-initiated operations like domain join, logon authentication, remote administration, and Active Directory replication work correctly. Such services and operations require network connectivity over specific ports and networking protocols.

A summarized list of the services, ports and protocols that are required for member computers and domain controllers to interoperate with each other, or for application servers to access Active Directory, includes but is not limited to the following.

Services on which Active Directory depends

Active Directory / LSA
Computer Browser
Distributed File System
File Replication Service
Kerberos Key Distribution Center
Net Logon
Remote Procedure Call (RPC)
Server
Simple Mail Transfer Protocol (SMTP) (if so configured)
WINS (in Windows Server 2003 SP1 and later versions for backup Active Directory replication operations, if DNS is not working)
Windows Time
World Wide Web Publishing Service

Services that require Active Directory services

Certificate Services (required for specific configurations)
DHCP Server (if so configured)
Distributed File System
Distributed Link Tracking Server (optional but on by default on Windows 2000 computers)
Distributed Transaction Coordinator
DNS Server (if so configured)
Fax Service (if so configured)
File Replication Service
File Server for Macintosh (if so configured)
Internet Authentication Service (if so configured)
License Logging (on by default)
Net Logon
Print Spooler
Remote Installation (if so configured)
Remote Procedure Call (RPC) Locator
Remote Storage Notification
Remote Storage Server
Routing and Remote Access
Server
Simple Mail Transfer Protocol (SMTP) (if so configured)
Terminal Services
Terminal Services Licensing
Terminal Services Session Directory
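As an added example that is not part of the Knowledge Base article, the following Python script loads a subset of the rows of the table above, re-typed as "|"-separated fields, and answers the two questions the article frames: which services listen on a given port, and which ports and protocols a firewall must pass for a set of services such as the Active Directory dependencies listed above. A service reached through RPC on TCP 135 also gets the dynamic high-port range, chosen per OS generation as footnote ² describes; the OS-version map, the service subset and the rule set it is checked against are constructed for the example.

```python
"""Lookups over the article's "Ports and protocols" table (added example).

TABLE is a subset of the article's rows, re-typed as
port|protocol|application protocol|system service name. The OS-version map,
the rule-set check and the sample rule set are constructed for this demo.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

TABLE = """\
53|TCP|DNS|DNS Server
88|TCP|Kerberos|Kerberos Key Distribution Center
88|UDP|Kerberos|Kerberos Key Distribution Center
123|UDP|NTP|Windows Time
135|TCP|RPC|Remote Procedure Call
135|TCP|RPC|Terminal Services Licensing
135|TCP|RPC|Terminal Services Session Directory
137|UDP|NetBIOS Name Resolution|Net Logon
139|TCP|NetBIOS Session Service|Net Logon
389|TCP|LDAP Server|Local Security Authority
445|TCP|SMB|Net Logon
464|TCP|Kerberos Password V5|Kerberos Key Distribution Center
464|UDP|Kerberos Password V5|Kerberos Key Distribution Center
1024-65535|TCP|RPC|Randomly allocated high TCP ports
"""

# Footnote 2 of the article: Windows Server 2008 and Windows Vista use
# 49152-65535 for dynamic RPC ports; earlier systems use 1024-65535.
DYNAMIC_RPC_RANGE = {"2003": (1024, 65535), "2008": (49152, 65535)}

Range = Tuple[str, int, int]  # (protocol, first port, last port), inclusive


@dataclass(frozen=True)
class PortRow:
    proto: str    # "TCP" or "UDP" in this subset
    lo: int       # first port of the row's range; 0 when the row says "n/a"
    hi: int       # last port of the range; equals lo for a single port
    app: str      # application protocol, for example "RPC"
    service: str  # system service name


def parse_port(field: str) -> Tuple[int, int]:
    """'135' -> (135, 135); '1024-65535' -> (1024, 65535); 'n/a' -> (0, 0)."""
    if field == "n/a":
        return 0, 0
    lo, _, hi = field.partition("-")
    return int(lo), int(hi or lo)


def parse_table(text: str) -> List[PortRow]:
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        port, proto, app, service = (f.strip() for f in line.split("|"))
        lo, hi = parse_port(port)
        rows.append(PortRow(proto, lo, hi, app, service))
    return rows


def services_on_port(rows: Iterable[PortRow], port: int, proto: str) -> List[str]:
    """The lookup the table is sorted for: which services listen on this port?"""
    return sorted({r.service for r in rows if r.proto == proto and r.lo <= port <= r.hi})


def ports_for_services(rows: Iterable[PortRow], services: Iterable[str],
                       os_version: str = "2003") -> Set[Range]:
    """Every range a firewall must pass for the named services. A service that
    is reached through RPC on TCP 135 also needs the OS's dynamic range."""
    wanted = set(services)
    required: Set[Range] = set()
    needs_dynamic = False
    for r in rows:
        if r.service in wanted:
            required.add((r.proto, r.lo, r.hi))
            needs_dynamic |= r.app == "RPC" and r.lo == 135
    if needs_dynamic:
        lo, hi = DYNAMIC_RPC_RANGE[os_version]
        required.add(("TCP", lo, hi))
    return required


def missing_from_rules(required: Iterable[Range], allowed: Iterable[Range]) -> List[Range]:
    """Required ranges that no single allowed rule covers completely."""
    rules = list(allowed)
    return sorted(
        (proto, lo, hi) for proto, lo, hi in required
        if not any(p == proto and alo <= lo and hi <= ahi for p, alo, ahi in rules)
    )


if __name__ == "__main__":
    rows = parse_table(TABLE)
    print("TCP 135 is used by:", services_on_port(rows, 135, "TCP"))
    # Constructed rule set for a domain controller running Windows Server 2008.
    dc_services = ["Kerberos Key Distribution Center", "Net Logon",
                   "Local Security Authority", "Remote Procedure Call", "Windows Time"]
    required = ports_for_services(rows, dc_services, os_version="2008")
    allowed = {("TCP", 88, 88), ("UDP", 88, 88), ("TCP", 135, 135), ("TCP", 389, 389)}
    for proto, lo, hi in missing_from_rules(required, allowed):
        print(f"rule set does not allow {proto} {lo}-{hi}")
```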

The Help files for each of the Microsoft products that are described in this article contain additional information that you may find useful to help configure your programs. Windows Server 2003 Help contains step-by-step instructions about how to configure specific technologies and server roles.

For more information about a related topic, click the following article number to view the article in the Microsoft Knowledge Base:

179442 (http://support.microsoft.com/kb/179442/) How to configure a firewall for domains and trusts

General information

For more information about how to help secure Windows Server and for sample IPsec filters for specific server roles, see the appropriate "Security Guide." To view or download these guides, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/library/cc163140.aspx

For more information about operating system services, security settings, and IPsec filtering, see the "Threats and Countermeasures Guide." To see this guide for Windows Server 2008 or for Windows Vista, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/library/dd349791.aspx

To see this guide for Windows Server 2003 or for Windows XP, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/library/dd162275.aspx

For more information about port assignments for well-known ports, click the following article number to view the article in the Microsoft Knowledge Base:

174904 (http://support.microsoft.com/kb/174904/) Information about TCP/IP port assignments

Additionally, see "Appendix B - Port Reference for MS TCP/IP" in the Microsoft Windows NT 4.0 Resource Kit. To do this, visit the following Microsoft Web site:

http://www.microsoft.com/resources/documentation/windowsnt/4/server/reskit/en-us/net/port_nts.mspx

Additionally, see "TCP and UDP Port Assignments" in the Windows 2000 Server Resource Kit. To do this, visit the following Microsoft Web site:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cnfc_por_gdqc.mspx?mfr=true (http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/default.mspx?mfr=true)

Additionally, see the "Port Assignments and Protocol Numbers" document from the Windows 2000 Resource Kits. To do this, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/library/cc959834.aspx

The Internet Assigned Numbers Authority coordinates the use of well-known ports. To view this organization's list of TCP/IP port assignments, visit the following Web site:

http://www.iana.org/assignments/port-numbers

Remote Procedure Calls and DCOM

For a detailed discussion of DCOM, see the "Using Distributed COM with Firewalls" white paper. To do this, visit the following Microsoft Web site:

http://msdn2.microsoft.com/en-us/library/ms809327.aspx

For a detailed description of RPC, visit the following Microsoft Web site:

http://msdn2.microsoft.com/en-us/library/ms950395.aspx

For more information about configuring RPC to work with a firewall, click the following article number to view the article in the Microsoft Knowledge Base:

154596 (http://support.microsoft.com/kb/154596/) How to configure RPC dynamic port allocation to work with firewalls

For more information about the RPC protocol and how computers that are running Windows 2000 initialize, see the "Windows 2000 Startup and Logon Traffic Analysis" white paper. To do this, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/library/Bb742590.aspx

Domain controllers and Active Directory

For more information about how to restrict Active Directory replication and client logon traffic, click the following article number to view the article in the Microsoft Knowledge Base:

224196 (http://support.microsoft.com/kb/224196/) Restricting Active Directory replication traffic and client RPC traffic to a specific port

For an explanation of how the Directory System Agent, LDAP, and the local system authority are related, visit the following Microsoft Web site:

http://msdn2.microsoft.com/en-us/library/ms675902.aspx

For additional information about how LDAP and the global catalog work in Windows 2000, visit the following Microsoft Web site:

http://technet2.microsoft.com/WindowsServer/en/library/440e44ab-ea05-4bd8-a68c-12cf8fb1af501033.mspx?mfr=true

Exchange Server

For more information about how to restrict Exchange 2000 Server and Exchange Server 2003 MAPI traffic, click the following article number to view the article in the Microsoft Knowledge Base:

270836 (http://support.microsoft.com/kb/270836/) Exchange 2000 and Exchange 2003 static port mappings

For more information about the network ports and protocols that are supported by Exchange 2000 Server, click the following article number to view the article in the Microsoft Knowledge Base:

278339 (http://support.microsoft.com/kb/278339/) TCP/UDP ports used by Exchange 2000 Server

For more information about the ports that are used by Exchange Server 5.5 and earlier versions of Exchange Server, click the following article number to view the article in the Microsoft Knowledge Base:

176466 (http://support.microsoft.com/kb/176466/) TCP Ports and Microsoft Exchange: In-depth discussion

There may be additional items to consider for your particular environment. You can receive more information and help with planning an Exchange implementation from the following Microsoft Web sites:

For Exchange Server 2007, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/library/bb124558.aspx

For Exchange Server 2003, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/library/bb123872.aspx

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

280132 (http://support.microsoft.com/kb/280132/) Exchange 2000 Windows 2000 connectivity through firewalls
282446 (http://support.microsoft.com/kb/282446/) DSProxy configuration for static ports on Exchange cluster
827330 (http://support.microsoft.com/kb/827330/) How to troubleshoot client RPC over HTTP connection issues in Office Outlook 2003
831051 (http://support.microsoft.com/kb/831051/) How to use the RPC ping utility to troubleshoot connectivity issues with the Exchange over the Internet feature in Outlook 2007 and in Outlook 2003
833401 (http://support.microsoft.com/kb/833401/) How to configure RPC over HTTP in Exchange Server 2003

Additionally, visit the following Microsoft TechNet Web site:

http://technet.microsoft.com/en-us/library/cc179036.aspx

File Replication Service

For more information about how to configure FRS to work with a firewall, click the following article number to view the article in the Microsoft Knowledge Base:

319553 (http://support.microsoft.com/kb/319553/) How to restrict FRS replication traffic to a specific static port

Distributed File Replication Service

The Distributed File Replication Service includes the Dfsrdiag.exe command-line tool. Dfsrdiag.exe can set the server RPC port that is used for administration and replication. To use Dfsrdiag.exe to set the server RPC port, follow this example:

    dfsrdiag StaticRPC /port:nnnnn /Member:Branch01.sales.contoso.com

In this example, nnnnn represents a single, static RPC port that DFSR will use for replication. Branch01.sales.contoso.com represents the DNS or NetBIOS name of the target member computer. If no member is specified, Dfsrdiag.exe uses the local computer.

Internet Information Services

For more information about the ports that are used by IIS 4.0, by IIS 5.0, and by IIS 5.1, click the following article number to view the article in the Microsoft Knowledge Base:

327859 (http://support.microsoft.com/kb/327859/) Inetinfo services use additional ports beyond well-known ports

For information about how FTP works, visit the following Microsoft Web site:

http://technet2.microsoft.com/WindowsServer/en/library/3454a19f-ac86-4a50-8049-c72ee801cd321033.mspx?mfr=true

IPsec and VPNs

For more information about how to configure IPSec default exemptions in Windows, click the following article number to view the article in the Microsoft Knowledge Base:

811832 (http://support.microsoft.com/kb/811832/) IPsec default exemptions can be used to bypass IPsec protection in some scenarios

For more information about the ports and protocols that are used by IPSec, click the following article number to view the article in the Microsoft Knowledge Base:

233256 (http://support.microsoft.com/kb/233256/) How to enable IPSec traffic through a firewall

For more information about new and updated features in L2TP and IPSec, click the following article number to view the article in the Microsoft Knowledge Base:

818043 (http://support.microsoft.com/kb/818043/) L2TP/IPSec NAT-T update for Windows XP and Windows 2000

Multicast Address Dynamic Client Allocation Protocol (MADCAP)

For more information about how to plan MADCAP servers, visit the following Microsoft Web site:

http://technet2.microsoft.com/WindowsServer/en/Library/5396ded4-3318-4ca1-84c6-b85a1435d87d1033.mspx?mfr=true

Message Queuing

For more information about the ports that are used by Microsoft Message Queuing, click the following article number to view the article in the Microsoft Knowledge Base:

178517 (http://support.microsoft.com/kb/178517/) TCP ports, UDP ports, and RPC ports that are used by Message Queuing

Mobile Information Server

For more information about the ports that are used by Microsoft Mobile Information Server 2001, click the following article number to view the article in the Microsoft Knowledge Base:

294297 (http://support.microsoft.com/kb/294297/) TCP/IP ports used by Microsoft Mobile Information Server

Microsoft Operations Manager

For information about how to plan for and to deploy MOM, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/opsmgr/default.aspx

Systems Management Server

For more information about the ports that are used by SMS 2003, click the following article number to view the article in the Microsoft Knowledge Base:

826852 (http://support.microsoft.com/kb/826852/) Ports that Systems Management Server 2003 uses to communicate through a firewall or through a proxy server

For more information about the ports that are used by SMS 2.0, click the following article number to view the article in the Microsoft Knowledge Base:

167128 (http://support.microsoft.com/kb/167128/) Network ports used by Remote Helpdesk functions

For more information about how to configure SMS through a firewall, click the following article number to view the article in the Microsoft Knowledge Base:

200898 (http://support.microsoft.com/kb/200898/) How to use Systems Management Server 2.0 through a firewall

For more information about the ports that are used by SMS 2.0 Remote Tools, click the following article number to view the article in the Microsoft Knowledge Base:

256884 (http://support.microsoft.com/kb/256884/) TCP and UDP ports that are used by Remote Control have changed in SMS 2.0 Service Pack 2

SQL Server

For more information about how SQL Server 2000 dynamically determines ports for secondary instances, click the following article number to view the article in the Microsoft Knowledge Base:

286303 (http://support.microsoft.com/kb/286303/) Behavior of SQL Server 2000 Network Library during dynamic port detection

For more information about the ports that are used by SQL Server 7.0 and SQL Server 2000 for OLAP, click the following article number to view the article in the Microsoft Knowledge Base:

301901 (http://support.microsoft.com/kb/301901/) TCP ports used by OLAP services when connecting through a firewall

APPLIES TO

Microsoft Windows Server 2003 R2 Standard Edition (32-bit x86)

Microsoft Windows Server 2003 R2 Enterprise Edition (32-bit x86)

Microsoft Windows Server 2003, Standard Edition (32-bit x86)

Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)

Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)

Microsoft Windows Server 2003, Web Edition

Microsoft Systems Management Server 2003

Microsoft Windows 2000 Professional Edition

Microsoft Windows 2000 Server

Microsoft Windows 2000 Advanced Server

Microsoft Windows 2000 Datacenter Server

Microsoft SQL Server 2000 Standard Edition

Microsoft SQL Server 2000 Enterprise Edition

Microsoft Exchange 2000 Server Standard Edition

Microsoft Exchange 2000 Enterprise Server

Microsoft Internet Security and Acceleration Server 2000 Standard Edition

Microsoft Windows XP Home Edition

Microsoft Windows XP Professional

Microsoft Windows XP Professional x64 Edition

Microsoft Windows XP Tablet PC Edition

Microsoft Systems Management Server 2.0

Microsoft SharePoint Portal Server 2001

Microsoft Operations Manager 2000 Enterprise Edition

Microsoft Application Center 2000 Standard Edition

Windows Server 2008 Datacenter without Hyper-V

Windows Server 2008 Enterprise without Hyper-V

Terminal Services

For more information about how to configure the port that is used by Terminal Services, click the following article number to view the article in the Microsoft Knowledge Base:

187623 (http://support.microsoft.com/kb/187623/) How to change Terminal Server's listening port

Controlling communications over the Internet in Windows

For additional information about how Windows XP Service Pack 1 (SP1) communicates over the Internet, see the "Using Windows XP Professional with Service Pack 1 in a Managed Environment" white paper. To do so, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/library/bb490817.aspx

For additional information about how Windows 2000 Service Pack 4 (SP4) communicates over the Internet, see the "Using Windows 2000 with Service Pack 4 in a Managed Environment" white paper. To do so, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?familyid=b27e5699-d9c9-4573-ae5b-5904d51a523a

For additional information about how Windows Server 2003 communicates over the Internet, see the "Using Windows Server 2003 in a Managed Environment" white paper. To do so, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyID=D217E2FF-6871-404D-9931-C13AB669766F

For more information about how Windows Server 2008 communicates over the Internet, see the "Using Windows Server 2008: Controlling Communication with the Internet" white paper. To do so, visit the following Microsoft Web site:

http://www.microsoft.com/downloadS/details.aspx?familyid=89DDFD58-C6DB-4BE8-A7F4-9C326F967D45&displaylang=en

APPLIES TO


Windows Server 2008 for Itanium-Based Systems

Windows Server 2008 R2 Datacenter

Windows Server 2008 R2 Datacenter without Hyper-V

Windows Server 2008 R2 Enterprise

Windows Server 2008 R2 Enterprise without Hyper-V

Windows Server 2008 R2 Standard

Windows Server 2008 R2 Standard without Hyper-V

Windows Server 2008 Standard without Hyper-V

Windows Server 2008 Datacenter

Windows Server 2008 Enterprise

Windows Server 2008 Standard

Windows Web Server 2008 R2

Windows Web Server 2008

Microsoft Support ©2009 Microsoft

Keywords: kbfirewall kbhowtomaster KB832017
