Ports Used with Active Directory Integrations
The IQService provisioning agent calls Microsoft .NET and ADSI interfaces that behave as a "black box": they talk to Active Directory on IQService's behalf, and Identity Security Cloud does not control which port numbers those APIs use to reach a domain controller. Microsoft publishes the list of ports the .NET API and ADSI interfaces use to communicate with an Active Directory server. A firewall placed between IQService and the domain controllers would therefore have to be very permissive, because some of that traffic (RPC-based calls in particular) uses a large range of dynamically assigned ports rather than a few fixed ones. The complete list is published by Microsoft here: Active Directory and Active Directory Domain Services Port Requirements.
In practice the IQService agent uses a subset of the ports Microsoft documents. For communication between IQService and a domain controller, SailPoint recommends opening at least the following ports:
- LDAP, TCP 389, and LDAP over TLS (LDAPS), TCP 636 (LDAPS requires a server certificate on the domain controller)
- Kerberos, TCP/UDP 88
- Active Directory Web Services, TCP 9389
- Global Catalog LDAP, TCP 3268 (only answered by domain controllers that hold the Global Catalog role)
- Global Catalog LDAPS, TCP 3269 (same Global Catalog and certificate requirements as above)
- DNS, TCP/UDP 53
- SMB, TCP 445 (used for replication and logon services)
- Kerberos password change (kpasswd), TCP/UDP 464
- NetBIOS name service, UDP 137
- NetBIOS session service, TCP 139
For more information, refer to IQService Architecture - Network Ports and Firewalls.
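Before raising a firewall request it is worth confirming, from the IQService host itself, which of these ports are actually reachable on the target domain controller. The script below is an added example for this page and is not SailPoint code; it assumes a placeholder domain controller name (`dc01.corp.example.com`) and that the host is domain-joined so `$env:USERDNSDOMAIN` is set. `Test-NetConnection` only exercises TCP, so the UDP side of DNS is checked with a real SRV lookup against the DC and UDP 137 with a hand-built NetBIOS node-status query (RFC 1002), which is what `nbtstat -A` sends.

```powershell
# Added example (not SailPoint's code): check the ports listed on this page from an IQService host.
param(
    [string]$DomainController = 'dc01.corp.example.com',   # placeholder, replace with a real DC
    [string]$DomainName       = $env:USERDNSDOMAIN          # assumes a domain-joined host
)

# Port list as documented on this page. 3268/3269 only answer on Global Catalog servers,
# and 636/3269 require a server certificate on the DC, so failures there may be expected.
$RequiredTcpPorts = @(
    @{ Port = 53;   Service = 'DNS' },
    @{ Port = 88;   Service = 'Kerberos' },
    @{ Port = 139;  Service = 'NetBIOS session service' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 445;  Service = 'SMB (replication, logon services)' },
    @{ Port = 464;  Service = 'Kerberos password change' },
    @{ Port = 636;  Service = 'LDAPS' },
    @{ Port = 3268; Service = 'Global Catalog LDAP' },
    @{ Port = 3269; Service = 'Global Catalog LDAPS' },
    @{ Port = 9389; Service = 'Active Directory Web Services' }
)

function Test-TcpPort {
    param([string]$Target, [int]$Port)
    # -InformationLevel Quiet returns a plain $true/$false instead of a verbose object
    Test-NetConnection -ComputerName $Target -Port $Port -InformationLevel Quiet -WarningAction SilentlyContinue
}

function Test-DnsSrvFromDc {
    param([string]$Target, [string]$Domain)
    # A DC-locator SRV record must resolve from the DC's own DNS service (UDP 53 by default).
    $rec = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $Target -DnsOnly -ErrorAction SilentlyContinue
    return [bool]($rec | Where-Object { $_.Type -eq 'SRV' })
}

function Test-NetBiosNameService {
    param([string]$Target, [int]$TimeoutMs = 2000)
    # NBSTAT query for the wildcard name "*": '*' (0x2A) encodes as "CK", each padding 0x00 as "AA".
    $encodedName = [byte[]][char[]]('CK' + ('A' * 30))
    $query = [byte[]](0x12, 0x34,      # transaction id
                      0x00, 0x00,      # flags: standard query, unicast
                      0x00, 0x01,      # QDCOUNT = 1
                      0x00, 0x00, 0x00, 0x00, 0x00, 0x00,   # ANCOUNT, NSCOUNT, ARCOUNT
                      0x20) + $encodedName + [byte[]](0x00, # 32-byte label, terminator
                      0x00, 0x21,      # type NBSTAT
                      0x00, 0x01)      # class IN
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $udp.Connect($Target, 137)
        [void]$udp.Send($query, $query.Length)
        $remote = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any), 0
        $reply = $udp.Receive([ref]$remote)
        return ($reply.Length -gt 12)    # any well-formed NBNS answer is longer than the header
    } catch {
        return $false                    # timeout or ICMP unreachable: port filtered or NetBIOS disabled
    } finally {
        $udp.Close()
    }
}

$results = foreach ($entry in $RequiredTcpPorts) {
    [pscustomobject]@{
        Port      = $entry.Port
        Protocol  = 'TCP'
        Service   = $entry.Service
        Reachable = Test-TcpPort -Target $DomainController -Port $entry.Port
    }
}
$results += [pscustomobject]@{ Port = 53;  Protocol = 'UDP'; Service = 'DNS (SRV lookup)';      Reachable = Test-DnsSrvFromDc -Target $DomainController -Domain $DomainName }
$results += [pscustomobject]@{ Port = 137; Protocol = 'UDP'; Service = 'NetBIOS name service'; Reachable = Test-NetBiosNameService -Target $DomainController }

$results | Sort-Object Port | Format-Table -AutoSize

# Non-zero exit so the script can gate an automated pre-flight check.
if ($results | Where-Object { -not $_.Reachable }) { exit 1 }
```

Run it from the IQService host under the account the service uses, against every domain controller IQService may be directed to, not just one. A `$false` on 3268/3269 against a DC that is not a Global Catalog, or on 636/3269 against a DC without a certificate, is the DC's configuration rather than a firewall problem; everything else that fails here is a rule the firewall team still needs to add.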