Firewalls with NETID domain

Last updated: July 26, 2023
Audience: IT Staff / Technical

Firewalls on domain controllers and member servers and workstations need to be properly configured to ensure proper function of the trust and ultimately the domains themselves.

Your Domain Controllers

At a minimum, the following ports:

tcp 53, 88, 135, 389, 445, 636, 3268, 3269, *
udp 53, 88, 135, 389, 445

need to be granted access to:

172.22.1.0/24 (172.22.1.0-172.22.1.255)
172.16.31.0/24 (172.16.31.0-172.16.31.255)
10.4.10.16/28 (10.4.10.17-10.4.10.31)

for network traffic TO and FROM your domain controllers.

* Additionally a range of dynamic RPC ports for the RPC endpoint mapper needs access if you want to be able to do trust validation. By default, this is a large set of ports: 49152-65535/TCP. You can limit it to a much smaller set on your servers. See the links below for more on this. The NETID domain controllers have the default set of dynamic RPC ports.

Your Workstations and Servers

If you have firewalls on your member servers or workstations, then the ports:

tcp 53, 88, 135, 137, 139, 389, 445, 636, 3268, 3269, *
udp 53, 88, 123, 135, 137, 138, 389, 445, *

* see note above about RPC endpoint mapper. In this case, both TCP and UDP are needed and the purpose goes beyond just trust validation.

need to be granted access to:

172.22.1.0/24
172.16.31.0/24
10.4.10.16/28

for network traffic TO and FROM your client computers.

This will ensure authentication and normal Windows operations work correctly between the NETID domain and your domain.

Troubleshooting Problems

You will need to verify and demonstrate that your firewall settings permit the required traffic noted above. At that time, UW-IT engineers will look into any issues related to the NETID domain. If it appears that the firewall is causing the issues we will ask that it be disabled to test functionality.

Future Changes

Should the networks that the NETID domain controllers are on change in the future, an announcement will be made to all trust requestors in advance.

Related Documents

How to configure a firewall for Active Directory domains and trusts

How to restrict Active Directory RPC traffic to a specific port

Windows Domains and Firewalls

Domain Controllers on p172 at the UW