Implementing a Network Device Enrollment Service (NDES) usually requires planning the firewall rules that must exist on the network. The following is a list of the required firewall rules and the pitfalls to watch for.
The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identity in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics".
Clients to NDES
NDES is a web-based service that can be used via HTTP and HTTPS. Accordingly, TCP port 80 and/or 443 must be opened, depending on which of the two the enrolling devices use (many SCEP clients only speak plain HTTP). The NDES administration web page, which displays the one-time enrollment challenge passwords, should only be reachable via HTTPS.
Network protocol | Destination port | Protocol |
---|---|---|
TCP | 80 | Hypertext Transfer Protocol (HTTP, not recommended) |
TCP | 443 | Hypertext Transfer Protocol Secure (HTTPS) |
NDES to the Certification Authority
As for any other enrollment client, the ports for certificate requests (DCOM/RPC) to the certification authority must be opened.
Network protocol | Destination port | Protocol |
---|---|---|
TCP | 135 | RPC Endpoint Mapper |
TCP | 49152-65535 | RPC dynamic ports |
NDES to the domain
The NDES server is usually a domain member, so the general rules for domain communication apply here.
Network protocol | Destination port | Protocol |
---|---|---|
TCP and UDP | 53 | Domain Name System |
TCP | 88 | Kerberos |
UDP | 123 | NTP |
TCP | 135 | RPC Endpoint Mapper |
TCP and UDP | 389 | LDAP |
TCP | 445 | Server Message Block (SMB), RPC over named pipes |
TCP | 636 | LDAP over SSL |
TCP | 3268 | LDAP-GC |
TCP | 3269 | LDAP-GC over SSL |
TCP | 49152-65535 | RPC dynamic ports |
Enabling the default Windows Firewall rules
The Web Server (IIS) role brings its own inbound rules for HTTP and HTTPS in the Windows Defender Firewall. If these have been disabled, they can be re-enabled on the NDES server with PowerShell (run in an elevated session):
```powershell
# Built-in inbound rules of the IIS web server role for TCP 80 and TCP 443
Enable-NetFirewallRule -Name "IIS-WebServerRole-HTTP-In-TCP"
Enable-NetFirewallRule -Name "IIS-WebServerRole-HTTPS-In-TCP"
```
Special case of role installation of NDES
During the role configuration of NDES, communication via RPC named pipes (TCP port 445) to the domain controllers of the forest root domain must be possible. This applies even when the NDES server is a member of a child domain, and the requirement is easy to overlook because it is only needed once, during installation.
See the article "Role configuration for Network Device Enrollment Service (NDES) fails with error message 'Insufficient access rights to perform this operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)'" for more information.
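The following PowerShell script is an added example (not part of the original article) that checks the rules from the tables above end to end: outbound from the NDES server to the domain controllers, to the forest root domain controllers (TCP 445 for the role configuration) and to the certification authority, and inbound from a client to the SCEP endpoint. All host names and the CA name are placeholder assumptions; Test-NetConnection only probes TCP, so the UDP rules (DNS, NTP, LDAP) are not covered.

```powershell
# Added example, not from the original article. Replace the placeholder values below.
$NdesServer    = 'ndes01.corp.example.com'                  # assumed NDES host name
$CaConfig      = 'ca01.corp.example.com\Corp-Issuing-CA'    # assumed CA in "host\CA name" form
$DomainDcs     = @('dc01.corp.example.com')                 # assumed DCs of the NDES server's own domain
$ForestRootDcs = @('rootdc01.example.com')                  # assumed DCs of the forest root domain

# Part 1: run on the NDES server. Probes the outbound TCP ports from the tables above.
function Test-NdesOutbound {
    $domainPorts = [ordered]@{
        '53' = 'DNS'; '88' = 'Kerberos'; '135' = 'RPC Endpoint Mapper'; '389' = 'LDAP'
        '445' = 'SMB (RPC named pipes)'; '636' = 'LDAP over SSL'
        '3268' = 'LDAP GC'; '3269' = 'LDAP GC over SSL'
    }
    $checks = @(foreach ($dc in $DomainDcs) {
        foreach ($p in $domainPorts.GetEnumerator()) {
            [pscustomobject]@{ Target = $dc; Port = [int]$p.Key; Purpose = $p.Value }
        }
    })
    # Certificate requests to the CA go through the endpoint mapper into the dynamic range.
    $caHost = $CaConfig.Split('\')[0]
    $checks += [pscustomobject]@{ Target = $caHost; Port = 135; Purpose = 'RPC Endpoint Mapper (CA)' }
    # Needed only once, during the NDES role configuration (see the special case above).
    foreach ($dc in $ForestRootDcs) {
        $checks += [pscustomobject]@{ Target = $dc; Port = 445; Purpose = 'SMB named pipes to forest root DC' }
    }
    foreach ($c in $checks) {
        $tcp = Test-NetConnection -ComputerName $c.Target -Port $c.Port -WarningAction SilentlyContinue
        [pscustomobject]@{ Target = $c.Target; Port = $c.Port; Purpose = $c.Purpose; Reachable = $tcp.TcpTestSucceeded }
    }
}

# Part 2: run from a client network. Checks TCP 80/443 and then issues the anonymous SCEP
# GetCACaps operation against the default NDES URI path, which returns the CA capabilities.
function Test-NdesScepEndpoint {
    param([ValidateSet('http', 'https')] [string] $Scheme = 'https')
    $port = if ($Scheme -eq 'https') { 443 } else { 80 }
    $tcp = Test-NetConnection -ComputerName $NdesServer -Port $port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        return [pscustomobject]@{ Scheme = $Scheme; Port = $port; TcpOpen = $false; CaCaps = $null }
    }
    $uri = "${Scheme}://$NdesServer/certsrv/mscep/mscep.dll?operation=GetCACaps&message="
    try {
        $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 10
        $caps = ($resp.Content -split "`r?`n") | Where-Object { $_ }
    } catch {
        $caps = "ERROR: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Scheme = $Scheme; Port = $port; TcpOpen = $true; CaCaps = $caps }
}

Test-NdesOutbound | Format-Table -AutoSize
# The dynamic RPC range (49152-65535) cannot be probed with a fixed port. certutil -ping opens
# a real DCOM session to the CA request interface, so a successful ping covers 135 plus the range.
certutil -ping -config $CaConfig
Test-NdesScepEndpoint -Scheme https | Format-List
```

A port that is reported as open while `certutil -ping` still fails usually points to the dynamic RPC range being blocked between NDES and the CA; a successful `GetCACaps` over HTTP but not over HTTPS means the site binding or the server certificate is missing, not the firewall.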
Related links:
- Firewall rules required for Active Directory Certificate Services
- Required Firewall Rules for Certificate Enrollment Policy (CEP) Web Service
- Required firewall rules for the Certificate Enrollment Web Service (CES)
- Required firewall rules for the online responder (OCSP)
- Required firewall rules for Certification Authority Web Enrollment (CAWE)
- Enabling Secure Sockets Layer (SSL) for the Network Device Enrollment Service (NDES)