Default ports in Windows

The default dynamic port range for TCP/IP has changed since Windows Vista and in Windows Server 2008

This article describes the changes to the default dynamic port range for TCP/IP in Windows Vista and in Windows Server 2008.

Support for Windows Vista without any service packs installed ended on April 13, 2010. To continue receiving security updates for Windows, make sure that you are running Windows Vista with Service Pack 2 (SP2). For more information, go to the following Microsoft website: Support is ending for some versions of Windows

Original product version: Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows 10 (all editions)
Original KB number: 929851

Introduction

To comply with Internet Assigned Numbers Authority (IANA) recommendations, Microsoft has increased the dynamic client port range for outgoing connections in Windows Vista and Windows Server 2008. The new default start port is 49152, and the new default end port is 65535. This is a change from the configuration of earlier versions of Windows that used a default port range of 1025 through 5000.

More Information

You can view the dynamic port range on a computer that is running Windows Vista or Windows Server 2008 by using the following netsh commands:

  • netsh int ipv4 show dynamicport tcp
  • netsh int ipv4 show dynamicport udp
  • netsh int ipv6 show dynamicport tcp
  • netsh int ipv6 show dynamicport udp

The range is set separately for each transport (TCP or UDP), and it is now a true range with a starting point and an ending point. Microsoft customers who deploy servers that are running Windows Server 2008 may have problems that affect RPC communication between servers if firewalls are used on the internal network. In these situations, we recommend that you reconfigure the firewalls to allow traffic between servers in the dynamic port range of 49152 through 65535. This range is in addition to the well-known ports that are used by services and applications. Alternatively, the port range that the servers use can be modified on each server. You adjust this range by using the netsh command, as follows:

  netsh int <ipv4|ipv6> set dynamicport <tcp|udp> start=number num=range

This command sets the dynamic port range for the specified address family and transport. The start port is number, and the total number of ports is range.

The following are sample commands:

  • netsh int ipv4 set dynamicport tcp start=10000 num=1000
  • netsh int ipv4 set dynamicport udp start=10000 num=1000
  • netsh int ipv6 set dynamicport tcp start=10000 num=1000
  • netsh int ipv6 set dynamicport udp start=10000 num=1000

These sample commands set the dynamic port range to start at port 10000 and to end at port 10999 (1000 ports). The minimum range of ports that can be set is 255. The minimum start port that can be set is 1025. The maximum end port (based on the range being configured) cannot exceed 65535. To duplicate the default behavior of Windows Server 2003, use 1025 as the start port, and then use 3976 as the range for both TCP and UDP. This results in a start port of 1025 and an end port of 5000.
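
The constraints above (at least 255 ports, a start port no lower than 1025, an end port no higher than 65535) are easy to get wrong when the range is typed by hand, and a misapplied range on one transport is easy to miss. The following PowerShell script is an example added to this page, not code from the Microsoft article: it validates the requested range, applies it with netsh for IPv4 and IPv6, TCP and UDP, and reads each transport back to confirm the change. It assumes an elevated prompt and that the `show dynamicport` output contains the "Start Port" and "Number of Ports" lines seen on current Windows builds.

```powershell
# Added example, not from the Microsoft KB article. Validates a requested dynamic port
# range against the limits stated above, applies it with netsh for IPv4/IPv6 and
# TCP/UDP, and reads each transport back to confirm the change took effect.
# Assumptions: elevated PowerShell prompt; "netsh int <family> show dynamicport <transport>"
# prints "Start Port : N" and "Number of Ports : N" lines (as on current Windows builds).

function Test-DynamicPortRange {
    param(
        [Parameter(Mandatory)][int]$Start,
        [Parameter(Mandatory)][int]$Num
    )
    # Limits given in the article: at least 255 ports, start no lower than 1025,
    # and the last port (start + num - 1) must not exceed 65535.
    if ($Num -lt 255)    { throw "Range must contain at least 255 ports (requested $Num)." }
    if ($Start -lt 1025) { throw "Start port must be 1025 or higher (requested $Start)." }
    $end = $Start + $Num - 1
    if ($end -gt 65535)  { throw "End port $end exceeds 65535; lower start or num." }
    return $end
}

function Get-DynamicPortRange {
    param(
        [Parameter(Mandatory)][ValidateSet('ipv4','ipv6')][string]$Family,
        [Parameter(Mandatory)][ValidateSet('tcp','udp')][string]$Transport
    )
    $text = (& netsh int $Family show dynamicport $Transport) -join "`n"
    if ($text -match 'Start Port\s*:\s*(\d+)')      { $start = [int]$Matches[1] }
    else { throw "Could not find 'Start Port' in netsh output for $Family/$Transport." }
    if ($text -match 'Number of Ports\s*:\s*(\d+)') { $num = [int]$Matches[1] }
    else { throw "Could not find 'Number of Ports' in netsh output for $Family/$Transport." }
    [pscustomobject]@{
        Family = $Family; Transport = $Transport
        Start  = $start;  Num = $num;  End = $start + $num - 1
    }
}

function Set-DynamicPortRange {
    param(
        [Parameter(Mandatory)][int]$Start,
        [Parameter(Mandatory)][int]$Num
    )
    $end = Test-DynamicPortRange -Start $Start -Num $Num
    foreach ($family in 'ipv4','ipv6') {
        foreach ($transport in 'tcp','udp') {
            & netsh int $family set dynamicport $transport "start=$Start" "num=$Num" | Out-Null
            if ($LASTEXITCODE -ne 0) {
                throw "netsh failed for $family/$transport (exit code $LASTEXITCODE); is the prompt elevated?"
            }
        }
    }
    # Read back: a transport that still reports the old range means the set did not apply.
    foreach ($family in 'ipv4','ipv6') {
        foreach ($transport in 'tcp','udp') {
            $current = Get-DynamicPortRange -Family $family -Transport $transport
            if ($current.Start -ne $Start -or $current.End -ne $end) {
                throw "Verification failed for $family/$transport: range is $($current.Start)-$($current.End)."
            }
            $current
        }
    }
}

# Same range as the sample commands above: 1000 ports starting at 10000 (10000-10999).
Set-DynamicPortRange -Start 10000 -Num 1000 | Format-Table -AutoSize
```

Whatever range you settle on, the internal firewall rules that carry RPC between servers have to allow the same range; running `Get-DynamicPortRange` on each server and comparing against the firewall policy is a quick way to catch a host that was configured differently.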

When you install Microsoft Exchange Server 2007 on a Windows Server 2008-based computer, the default port range is 1025 through 60000.

For more information about security in Microsoft Exchange 2007, go to the following Microsoft TechNet website:
Exchange 2007 Security Guide

References

For more information about IANA port-assignment standards, go to the following IANA website:
Service Name and Transport Protocol Port Number Registry

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

Default Port Numbers You Need to Know as a Sysadmin

One of the challenging tasks for an administrator is remembering default port numbers.

You may remember the most common ones, like HTTP, FTP, and SSH, but if you work across various technology stacks it is difficult to remember all of them.

Here I have listed the default port numbers of various applications to help you in the real world.

Application/Web Servers

Name                         Port Number
---------------------------  ----------------------
Tomcat Startup               8080
Tomcat Startup (SSL)         8443
Tomcat Shutdown              8005
Tomcat AJP Connector         8009
GlassFish HTTP               8080
GlassFish HTTPS              8181
GlassFish Admin Server       4848
Jetty                        8080
Jonas Admin Console          9000
IHS Administration           8008
JBoss Admin Console          8080
WildFly Admin Console        9990
WebLogic Admin Console       7001
WAS Admin Console (SSL)      9043
WAS Admin Console            9060
WAS JVM HTTP                 9080 (first one only)
WAS JVM HTTPS                9443 (first one only)
Alfresco Explorer/Share      8080
Apache Derby Network Server  1527
OHS                          7777
OHS (SSL)                    4443
Jenkins                      8080

Well-Known Common Protocols

Name            Port Number
--------------  -----------
FTP             21
HTTP            80
HTTPS           443
LDAP            389
LDAP (SSL)      636
SNMP            161
SSH             22
Telnet          23
SMTP            25
Microsoft RDP   3389
DNS Service     53
NNTP            119
IMAP            143
IMAP (SSL)      993

Database/Datastore

Name             Port Number
---------------  -----------
DB2              50000
Redis Server     6379
Oracle Listener  1521
mongoDB          27017
MySQL            3306
MS SQL           1433
Memcached        11211
MariaDB          3306

Messaging/Transfer

Name                 Port Number
-------------------  -----------
MQ Listener          1414
IBM Connect:Direct   1364
RabbitMQ Web UI      15672
Tibco RV Daemon      7474
GoToMyPC             8200
Syslog               514 (UDP)

Some of the abbreviations used in the list above:

  • WAS – WebSphere Application Server
  • AJP – Apache JServ Protocol
  • SSL – Secure Sockets Layer
  • HTTP – Hypertext Transfer Protocol
  • LDAP – Lightweight Directory Access Protocol
  • SSH – Secure Shell
  • SMTP – Simple Mail Transfer Protocol
  • IHS – IBM HTTP Server
  • NNTP – Network News Transfer Protocol
  • SNMP – Simple Network Management Protocol

I hope this cheat sheet helps you as a reference guide at your work. If you are looking to upgrade your skills then check out thousands of online courses here.

How to configure a firewall for Active Directory domains and trusts

This article describes how to configure a firewall for Active Directory domains and trusts.

Original product version: Windows Server 2019, Windows Server 2016, Windows Server 2012 R2 Standard, Windows Server 2012 Standard
Original KB number: 179442

Not all the ports that are listed in the tables here are required in all scenarios. For example, if the firewall separates members and DCs, you don’t have to open the FRS or DFSR ports. Also, if you know that no clients use LDAP with SSL/TLS, you don’t have to open ports 636 and 3269.

More information

The following table applies when the two domain controllers are in the same forest, or each is in a separate forest, and the trusts in the forest are Windows Server 2003 trusts or later.

Client Port(s)          Server Port      Service
----------------------  ---------------  -------------------------------
1024-65535/TCP          135/TCP          RPC Endpoint Mapper
1024-65535/TCP          1024-65535/TCP   RPC for LSA, SAM, NetLogon (*)
1024-65535/TCP/UDP      389/TCP/UDP      LDAP
1024-65535/TCP          636/TCP          LDAP SSL
1024-65535/TCP          3268/TCP         LDAP GC
1024-65535/TCP          3269/TCP         LDAP GC SSL
53,1024-65535/TCP/UDP   53/TCP/UDP       DNS
1024-65535/TCP/UDP      88/TCP/UDP       Kerberos
1024-65535/TCP          445/TCP          SMB
1024-65535/TCP          1024-65535/TCP   FRS RPC (*)

NETBIOS ports as listed for Windows NT are also required for Windows 2000 and Windows Server 2003 when trusts to domains are configured that support only NETBIOS-based communication. Examples are Windows NT-based operating systems or third-party Domain Controllers that are based on Samba.

For more information about how to define RPC server ports that are used by the LSA RPC services, see:

Windows Server 2008 and later versions

Windows Server 2008 and newer versions of Windows Server have increased the dynamic client port range for outgoing connections. The new default start port is 49152, and the default end port is 65535. Therefore, you must increase the RPC port range in your firewalls. This change was made to comply with Internet Assigned Numbers Authority (IANA) recommendations. This differs from a mixed-mode domain that consists of Windows Server 2003 domain controllers, Windows 2000 server-based domain controllers, or legacy clients, where the default dynamic port range is 1025 through 5000.

For more information about the dynamic port range change in Windows Server 2012 and Windows Server 2012 R2, see:

  • The default dynamic port range for TCP/IP has changed.
  • Dynamic Ports in Windows Server.

Client Port(s)            Server Port        Service
------------------------  -----------------  -------------------------------
49152-65535/UDP           123/UDP            W32Time
49152-65535/TCP           135/TCP            RPC Endpoint Mapper
49152-65535/TCP           464/TCP/UDP        Kerberos password change
49152-65535/TCP           49152-65535/TCP    RPC for LSA, SAM, NetLogon (*)
49152-65535/TCP/UDP       389/TCP/UDP        LDAP
49152-65535/TCP           636/TCP            LDAP SSL
49152-65535/TCP           3268/TCP           LDAP GC
49152-65535/TCP           3269/TCP           LDAP GC SSL
53, 49152-65535/TCP/UDP   53/TCP/UDP         DNS
49152-65535/TCP           49152-65535/TCP    FRS RPC (*)
49152-65535/TCP/UDP       88/TCP/UDP         Kerberos
49152-65535/TCP/UDP       445/TCP            SMB (**)
49152-65535/TCP           49152-65535/TCP    DFSR RPC (*)

NETBIOS ports as listed for Windows NT are also required for Windows 2000 and Server 2003 when trusts to domains are configured that support only NETBIOS-based communication. Examples are Windows NT-based operating systems or third-party Domain Controllers that are based on Samba.

(*) For information about how to define RPC server ports that are used by the LSA RPC services, see:

(**) This port is not required for the operation of the trust; it is used for trust creation only.

For an external trust, 123/UDP is only needed if you have manually configured the Windows Time service to sync with a server across the external trust.
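
When a trust misbehaves across a network firewall, the first question is which of the fixed server ports in the table above actually reach the remote domain controller. The following PowerShell script is an example added to this page, not code from the Microsoft article: it completes a TCP handshake against each fixed TCP server port on a remote DC and reports the result. It assumes Test-NetConnection is available (Windows 8 / Windows Server 2012 and later) and uses the placeholder hostname `dc01.corp.example`. The UDP-only entries and the 49152-65535 dynamic RPC range cannot be confirmed with a TCP handshake, so the script lists them for manual verification against the firewall policy instead.

```powershell
# Added example, not from the Microsoft KB article. Probes the fixed TCP server ports
# from the table above against a remote domain controller to show which ones a network
# firewall is letting through. Assumptions: Test-NetConnection is available (Windows 8 /
# Server 2012 and later); 'dc01.corp.example' is a placeholder hostname.
# UDP-only traffic (W32Time 123/UDP, the UDP side of DNS/Kerberos/LDAP) and the
# 49152-65535 dynamic RPC range cannot be checked with a TCP handshake and are
# listed as "not probed" instead.

$FixedTcpPorts = [ordered]@{
    135  = 'RPC Endpoint Mapper'
    464  = 'Kerberos password change'
    389  = 'LDAP'
    636  = 'LDAP SSL (only if clients use LDAP over SSL/TLS)'
    3268 = 'LDAP GC'
    3269 = 'LDAP GC SSL (only if clients use LDAP over SSL/TLS)'
    53   = 'DNS'
    88   = 'Kerberos'
    445  = 'SMB (trust creation only)'
}

$NotProbed = @(
    '123/UDP            W32Time (external trust, only if time sync is configured across it)',
    '49152-65535/TCP    RPC for LSA, SAM, NetLogon; FRS RPC; DFSR RPC (dynamic range)'
)

function Test-DcFirewallPath {
    param([Parameter(Mandatory)][string]$DomainController)
    foreach ($port in $FixedTcpPorts.Keys) {
        # Test-NetConnection completes a TCP handshake only; TcpTestSucceeded = False means
        # the firewall dropped/rejected the SYN or nothing is listening on the DC.
        $r = Test-NetConnection -ComputerName $DomainController -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Port    = "$port/TCP"
            Service = $FixedTcpPorts[$port]
            Open    = [bool]$r.TcpTestSucceeded
        }
    }
}

Test-DcFirewallPath -DomainController 'dc01.corp.example' | Format-Table -AutoSize
"Not probed (UDP or dynamic range); confirm these in the firewall policy instead:"
$NotProbed
```

Run it from a member server or DC on the near side of the firewall. A closed 636 or 3269 is only a problem if clients use LDAP over SSL/TLS, as noted earlier; a closed 445 only matters while the trust is being created. The dynamic range still has to be allowed in the firewall policy, and the range in use on each server can be confirmed with `netsh int ipv4 show dynamicport tcp` as described in the first article above.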

Active Directory

In Windows 2000 and Windows XP, the Internet Control Message Protocol (ICMP) must be allowed through the firewall from the clients to the domain controllers so that the Active Directory Group Policy client can function correctly through a firewall. ICMP is used to determine whether the link is a slow link or a fast link.

In Windows Server 2008 and later versions, the Network Location Awareness Service provides the bandwidth estimate based on traffic with other stations on the network. There is no traffic generated for the estimate.

The Windows Redirector also uses ICMP Ping messages to verify that a server IP is resolved by the DNS service before a connection is made, and when a server is located by using DFS. If you want to minimize ICMP traffic, you can use the following sample firewall rule:

Unlike the TCP protocol layer and the UDP protocol layer, ICMP does not have a port number. This is because ICMP is directly hosted by the IP layer.

By default, Windows Server 2003 and Windows 2000 Server DNS servers use ephemeral client-side ports when they query other DNS servers. However, this behavior may be changed by a specific registry setting. Or, you can establish a trust through the Point-to-Point Tunneling Protocol (PPTP) compulsory tunnel. This limits the number of ports that the firewall has to open. For PPTP, the following ports must be enabled.

Client Ports     Server Port   Protocol
---------------  ------------  --------
1024-65535/TCP   1723/TCP      PPTP

In addition, you would have to enable IP PROTOCOL 47 (GRE).

When you add permissions to a resource on a trusting domain for users in a trusted domain, there are some differences between the Windows 2000 and Windows NT 4.0 behavior. If the computer cannot display a list of the remote domain’s users, consider the following behavior:

  • Windows NT 4.0 tries to resolve manually typed names by contacting the PDC for the remote user’s domain (UDP 138). If that communication fails, a Windows NT 4.0-based computer contacts its own PDC, and then asks for resolution of the name.
  • Windows 2000 and Windows Server 2003 also try to contact the remote user’s PDC for resolution over UDP 138. However, they do not rely on using their own PDC. Make sure that all Windows 2000-based member servers and Windows Server 2003-based member servers that will be granting access to resources have UDP 138 connectivity to the remote PDC.

Reference

Service overview and network port requirements for Windows is a valuable resource outlining the required network ports, protocols, and services that are used by Microsoft client and server operating systems, server-based programs, and their subcomponents in the Microsoft Windows Server system. Administrators and support professionals may use the article as a roadmap to determine which ports and protocols Microsoft operating systems and programs require for network connectivity in a segmented network.

You should not use the port information in Service overview and network port requirements for Windows to configure Windows Firewall. For information about how to configure Windows Firewall, see Windows Firewall with Advanced Security.
