Implementing an online responder (OCSP) usually requires planning the firewall rules that have to be created on the network. The following is a list of the required firewall rules and the pitfalls to watch out for.
The Online Responder (Online Certificate Status Protocol, OCSP) is an alternative way of providing revocation status information for certificates. Thanks to OCSP, entities that want to check the revocation status of a certificate do not have to download the complete list of all revoked certificates (the CRL) but can send a specific request for the certificate in question to the online responder. For a more detailed description, see the article "Basics Online Responder (Online Certificate Status Protocol, OCSP)".
Clients to the OCSP Responder
Clients address the online responder via unencrypted HTTP, so only TCP port 80 needs to be opened. This is by design: OCSP responses are signed by the responder, so the transport itself does not need to be protected, and wrapping OCSP in TLS would be circular because validating the responder's own TLS certificate would require another revocation check. Note that clients may send their requests either as HTTP GET (request encoded in the URL) or as HTTP POST, so any proxy or web application firewall in the path must allow both methods to the responder.
Network protocol | Destination port | Protocol |
---|---|---|
TCP | 80 | Hypertext Transfer Protocol (HTTP) |
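The following PowerShell script is an added example and is not part of the original article. Run from a client, it extracts the OCSP URL(s) from a certificate's Authority Information Access (AIA) extension, checks that TCP port 80 to the responder is reachable, and then lets `certutil -verify -urlfetch` perform the actual revocation check end to end. The thumbprint parameter is a placeholder; the parsing of the textual AIA dump assumes the format Windows produces for `X509Extension.Format($true)`.

```powershell
# Added example (not from the original article): client-side check of the OCSP path.
# Assumptions: the certificate is in the local machine's "My" store; the thumbprint
# default below is a placeholder that must be replaced.
param(
    [string]$Thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT'
)

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }

# OID 1.3.6.1.5.5.7.1.1 = Authority Information Access. Format($true) returns a
# multi-line text dump; OCSP entries carry access method OID 1.3.6.1.5.5.7.48.1.
$aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
if (-not $aia) { throw 'Certificate has no AIA extension; there is no OCSP URL to test' }

$ocspUrls = @()
# One block per "[n]Authority Info Access" entry; keep only the OCSP ones.
foreach ($entry in ($aia.Format($true) -split '\[\d+\]Authority Info Access')) {
    if ($entry -match '1\.3\.6\.1\.5\.5\.7\.48\.1' -and $entry -match 'URL=(?<url>\S+)') {
        $ocspUrls += $Matches['url']
    }
}
if ($ocspUrls.Count -eq 0) { throw 'AIA extension contains no OCSP URL' }

foreach ($url in $ocspUrls) {
    $uri = [System.Uri]$url
    # OCSP is plain HTTP; anything other than http:// on port 80 deserves a second look.
    if ($uri.Scheme -ne 'http') {
        Write-Warning "$url does not use plain HTTP; OCSP normally runs over http:// (TCP 80)"
    }
    # Test-NetConnection only proves the TCP handshake; the signed response is checked below.
    $tcp = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        OcspUrl   = $url
        Responder = $uri.Host
        Port      = $uri.Port
        TcpOpen   = $tcp.TcpTestSucceeded
    }
}

# End to end: certutil retrieves the AIA/CRL/OCSP URLs live (-urlfetch bypasses the
# local cache) and reports whether the certificate is revoked, valid, or unverifiable.
$tmp = Join-Path $env:TEMP "$Thumbprint.cer"
Export-Certificate -Cert $cert -FilePath $tmp -Force | Out-Null
certutil.exe -verify -urlfetch $tmp
```

A TCP handshake that succeeds but a `certutil` run that reports the OCSP URL as unreachable usually points at an intermediate proxy that blocks HTTP POST or rewrites the GET URL, not at the firewall rule itself.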
OCSP Responder to the Certification Authority
Applies only if the online responder is a domain member and requests its OCSP signing certificate from the certification authority itself rather than having it installed manually.
Exactly as for any other client, the certificate enrollment ports to the certification authority must be opened. The online responder uses them to request (and later renew) its OCSP signing certificate over DCOM, which means the RPC endpoint mapper plus a dynamically assigned port.
Network protocol | Destination port | Protocol |
---|---|---|
TCP | 135 | RPC Endpoint Mapper |
TCP | 49152-65535 | RPC dynamic ports |
OCSP responder to the domain
Applies only if the online responder is a domain member.
The OCSP responder server is usually a domain member, so the general rules for domain communication apply here. In addition, because the online responder must actively request certificates, it has to locate the certification authority in Active Directory and authenticate to it with Kerberos, so it must also be able to communicate with the domain controllers.
Network protocol | Destination port | Protocol |
---|---|---|
TCP and UDP | 53 | Domain Name System |
TCP | 88 | Kerberos |
UDP | 123 | NTP |
TCP | 135 | RPC Endpoint Mapper |
TCP and UDP | 389 | LDAP |
TCP | 445 | Server Message Block (SMB), RPC over named pipes |
TCP | 636 | LDAP over SSL/TLS (LDAPS) |
TCP | 3268 | LDAP Global Catalog |
TCP | 3269 | LDAP Global Catalog over SSL/TLS |
TCP | 49152-65535 | RPC dynamic ports |
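The following PowerShell script is an added example and is not part of the original article. Run on the online responder, it verifies the outbound ports from the two tables above (to the certification authority and to the domain controllers). `Test-NetConnection` tests TCP only, so the UDP and RPC dynamic-port rules are exercised through the protocols that actually use them: a DNS SRV lookup for UDP/TCP 53, a one-shot `w32tm` probe for UDP 123, and `certutil -ping` for TCP 135 followed by a dynamic RPC port on the CA. The CA configuration string is an assumed placeholder.

```powershell
# Added example (not from the original article): outbound port check from the responder.
# The CA config string "<host>\<CA common name>" is an assumption; replace it.
$CaConfig = 'ca01.corp.example.com\Corp Issuing CA'
$caHost   = $CaConfig.Split('\')[0]

# Locate domain controllers via the DC locator SRV record. This lookup itself exercises
# the DNS rule (UDP/TCP 53) to whichever DNS server the responder is configured to use.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name
$dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object -ExpandProperty NameTarget -Unique
if (-not $dcs) { throw "No domain controllers found for $domain via DNS" }

# TCP ports from the "OCSP responder to the domain" table (UDP 53/123 handled separately).
$dcTcpPorts = 53, 88, 135, 389, 445, 636, 3268, 3269

$checks = @([pscustomobject]@{ Role = 'CA'; Target = $caHost; Port = 135 })
foreach ($dc in $dcs) {
    foreach ($p in $dcTcpPorts) {
        $checks += [pscustomobject]@{ Role = 'DC'; Target = $dc; Port = $p }
    }
}

$results = foreach ($c in $checks) {
    $t = Test-NetConnection -ComputerName $c.Target -Port $c.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Role    = $c.Role
        Target  = $c.Target
        Port    = $c.Port
        TcpOpen = $t.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize
$results | Where-Object { -not $_.TcpOpen } | ForEach-Object {
    Write-Warning "Blocked: $($_.Role) $($_.Target) TCP/$($_.Port)"
}

# UDP 123: one NTP sample against the first DC found (time skew breaks Kerberos).
$ntpTarget = $dcs | Select-Object -First 1
w32tm.exe /stripchart /computer:$ntpTarget /samples:1 /dataonly

# RPC dynamic range: certutil -ping calls the ICertRequest interface over DCOM, i.e.
# TCP 135 to the endpoint mapper followed by a port from 49152-65535 on the CA.
# A firewall that permits 135 but not the dynamic range fails exactly here.
certutil.exe -config $CaConfig -ping
```

If every TCP test passes but `certutil -ping` fails with an RPC error, the missing piece is almost always the dynamic range, which cannot be proven open with a single-port probe.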
Restore the default Windows Firewall rules
```powershell
# Re-enable the built-in Windows Firewall rules the online responder relies on:
# HTTP/HTTPS into IIS for client requests, DCOM/RPC for the Online Responder
# service (OcspSvc), and its outbound TCP rule.
Enable-NetFirewallRule -Name "IIS-WebServerRole-HTTP-In-TCP"
Enable-NetFirewallRule -Name "IIS-WebServerRole-HTTPS-In-TCP"
Enable-NetFirewallRule -Name "Microsoft-Windows-OnlineRevocationServices-OcspSvc-DCOM-In"
Enable-NetFirewallRule -Name "Microsoft-Windows-CertificateServices-OcspSvc-RPC-TCP-In"
Enable-NetFirewallRule -Name "Microsoft-Windows-OnlineRevocationServices-OcspSvc-TCP-Out"
```
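The following PowerShell snippet is an added example and is not part of the original article. After restoring the rules, it lists each of the five rules with the port filter behind it (so the protocol and port actually granted are visible, not just the rule name), then confirms that something is listening on TCP 80 and that the Online Responder and IIS services are running. The rule names are those from the article; everything else is generic Windows tooling.

```powershell
# Added example (not from the original article): verify the restored firewall rules
# and the listener behind them on the online responder.
$ruleNames = @(
    'IIS-WebServerRole-HTTP-In-TCP',
    'IIS-WebServerRole-HTTPS-In-TCP',
    'Microsoft-Windows-OnlineRevocationServices-OcspSvc-DCOM-In',
    'Microsoft-Windows-CertificateServices-OcspSvc-RPC-TCP-In',
    'Microsoft-Windows-OnlineRevocationServices-OcspSvc-TCP-Out'
)

foreach ($name in $ruleNames) {
    $rule = Get-NetFirewallRule -Name $name -ErrorAction SilentlyContinue
    if (-not $rule) {
        # The rule only exists once the corresponding role/feature is installed.
        Write-Warning "Rule '$name' does not exist on this host"
        continue
    }
    # The port filter holds the protocol and port(s) the rule actually opens.
    $pf = $rule | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Name       = $rule.Name
        Enabled    = $rule.Enabled
        Direction  = $rule.Direction
        Action     = $rule.Action
        Profile    = $rule.Profile
        Protocol   = $pf.Protocol
        LocalPort  = ($pf.LocalPort -join ',')
        RemotePort = ($pf.RemotePort -join ',')
    }
}

# Is anything listening on TCP 80? With IIS the socket belongs to http.sys, so the
# owning process is PID 4 (System) rather than a w3wp.exe worker.
Get-NetTCPConnection -LocalPort 80 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# Online Responder service and the IIS web service must both be running.
Get-Service -Name OcspSvc, W3SVC | Select-Object Name, Status, StartType
```

An `Enabled` value of `True` with `Profile` set to `Domain` only is a common surprise: if the responder's NIC is classified as Public or Private, the rule is active but never matches, and clients still cannot reach port 80.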
Related links:
- Firewall rules required for Active Directory Certificate Services
- Required firewall rules for the Network Device Enrollment Service (NDES)
- Required Firewall Rules for Certificate Enrollment Policy (CEP) Web Service
- Required firewall rules for the Certificate Enrollment Web Service (CES)
- Required firewall rules for Certification Authority Web Enrollment (CAWE)