Ports Used with Active Directory Integrations

The IQService provisioning agent calls functions exposed by Microsoft’s .net packages that are a "black box" that communicate to Active Directory indirectly. IdentityNow does not control what port numbers these APIs leverage to interact with Active Directory. Microsoft publishes a list of ports that the .net API and ADSI interfaces use to communicate with an Active Directory server. Were a firewall to be placed between IQService and the Active Directory domain controllers it would need to be exceedingly permissive by opening a large number of dynamic ports. The complete list of ports is published by Microsoft here: Active Directory and Active Directory Domain Services Port Requirements.

The IQService agent uses a sub-set of these ports documented by Microsoft. For communication between IQService and a domain controller SailPoint recommends at least the following ports must be opened:

• LDAP Ports 389 and 636

• Kerberos port 88

• Active Directory Web Services 9389

• Active Directory port 3268

• Active Directory port 3269

• Active Directory DNS port 53

• Active Directory Replication, Login services port 445

• Kerberos Passwords, port 464

• Authentication port UDP 137

• Authentication port TCP 137

For more information, refer to IQService Architecture - Network Ports and Firewalls.