This article discusses the essential network ports, protocols and services that are used by Microsoft client
and server operating systems, server-based programs and their subcomponents in the Microsoft Windows
server system. Administrators and support professionals may use this Microsoft Knowledge Base article as a
road-map to determine what ports and protocols Microsoft operating systems and programs require for
network connectivity in a segmented network.
The port information in this article should not be used to configure Windows Firewall. For information about
configuring Windows Firewall, visit the following Microsoft Web sites:
http://technet2.microsoft.com/windowsserver/en/library/6490c9fc-6c06-4304-b61c-5577af1445d01033.mspx
http://technet.microsoft.com/en-us/network/bb545423.aspx
The Windows server system includes a comprehensive and integrated infrastructure that is designed to
meet the requirements of developers and of information technology (IT) professionals. This system is
designed to run programs and solutions that information workers can use to obtain, to analyze, and to share
information quickly and easily. These Microsoft client, server and server program products use a variety of
network ports and protocols to communicate with client systems and with other server systems over the
network. Dedicated firewalls, host-based firewalls, and Internet Protocol security (IPsec) filters are other
important components that are required to help secure your network. However, if these technologies are
configured to block ports and protocols that are used by a specific server, that server will no longer respond
to client requests.
Overview
The following list provides an overview of the information that this article contains:
- The "System services ports" section of this article contains a brief description of each service,
displays the logical name of that service, and indicates the ports and protocols that each service
requires for correct operation. Use this section to help identify the ports and protocols that a
particular service uses.
- The "Ports and protocols" section of this article includes a table that summarizes the information
from the "System Services Ports" section. The table is sorted by port number instead of by the
service name. Use this section to quickly determine which services listen on a particular port.
Important This article contains several references to the default dynamic port range. In Windows Server
2008 and in Windows Vista, the default dynamic port range is changed to the following range:
For more information about the changes in Windows Vista and Windows Server 2008, click the following
article number to view the article in the Microsoft Knowledge Base:
929851 (http://support.microsoft.com/kb/929851/ ) The default dynamic port range for TCP/IP has
changed in Windows Vista and in Windows Server 2008
This article uses certain terms in specific ways. To help avoid confusion, make sure that you understand
how this document uses these terms. The following list describes these terms:
- System services: The Windows server system includes many products, such as the Microsoft
Windows 2000 Server family, Microsoft Windows Server 2003 family, Microsoft Exchange 2000
Server, and Microsoft SQL Server 2000. Each of these products includes many components; system
services is one of those components. System services that are required by a particular computer are
either started automatically by the operating system during startup or are started as required during
typical operations. For example, some system services that are available on computers that are
running Windows Server 2003, Enterprise Edition, include the Server service, the Print Spooler
service, and the World Wide Web Publishing Service. Each system service has a friendly service
name and a service name. The friendly service name is the name that appears in graphical
http://support.microsoft.com/kb/832017 11/28/2009
Service overview and network port requirements for the Windows Server system Page 2 of 30
management tools such as the Services Microsoft Management Console (MMC) snap-in. The service
name is the name that is used with command-line tools and with many scripting languages. Each
system service may provide one or more network services.
- Application protocol: In the context of this article, an application protocol is a high-level network
protocol that uses one or more TCP/IP protocols and ports. Examples of application protocols include
Hypertext Transfer Protocol (HTTP), server message blocks (SMBs), and Simple Mail Transfer
Protocol (SMTP).
- Protocol: Operating at a lower level than the application protocols, TCP/IP protocols are standard
formats for communicating between devices on a network. The TCP/IP suite of protocols includes
TCP, User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP).
- Port: This is the network port that the system service listens on for incoming network traffic.
This article does not specify which services rely on other services for network communication. For example,
many services rely on the remote procedure call (RPC) or DCOM features in Microsoft Windows to assign
them dynamic TCP ports. The Remote Procedure Call service coordinates requests by other system services
that use RPC or DCOM to communicate with client computers. Many other services rely on network basic
input/output system (NetBIOS) or SMBs, protocols that are actually provided by the Server service. Others
rely on HTTP or on Hypertext Transfer Protocol Secure (HTTPS). These protocols are provided by Internet
Information Services (IIS). A full discussion of the architecture of the Windows operating systems is beyond
the scope of this article. However, detailed documentation on this subject is available on Microsoft TechNet
and on the Microsoft Developer Network (MSDN). While many services may rely on a particular TCP or UDP
port, only a single service or process can be actively listening on that port at any one time.
When you use RPC with TCP/IP or with UDP/IP as the transport, inbound ports are frequently dynamically
assigned to system services as required; TCP/IP and UDP/IP ports that are higher than port 1024 are used.
These are frequently informally referred to as "random RPC ports." In these cases, RPC clients rely on the
RPC endpoint mapper to tell them which dynamic port(s) were assigned to the server. For some RPC-based
services, you can configure a specific port instead of letting RPC assign one dynamically. You can also
restrict the range of ports that RPC dynamically assigns to a small range, regardless of the service. For
more information about this topic, see the "References" section of this article.
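The following added example (not part of the Knowledge Base article) sorts a server's listeners into fixed ports named in this article, ports in the default dynamic range, and everything else, so you can see which listeners a segment filter can name outright and which depend on the endpoint mapper. The `netstat -ano` sample is constructed, the function and variable names are hypothetical, and treating every dynamic-range TCP listener as RPC-assigned is an assumption.

```python
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto port pid")

# Subset of the fixed listener ports this article names: (protocol, port) -> use.
FIXED_PORTS = {
    ("TCP", 23): "Telnet",
    ("TCP", 25): "SMTP",
    ("TCP", 53): "DNS", ("UDP", 53): "DNS",
    ("UDP", 69): "TFTP",
    ("TCP", 80): "HTTP",
    ("TCP", 88): "Kerberos", ("UDP", 88): "Kerberos",
    ("UDP", 123): "NTP/SNTP",
    ("TCP", 135): "RPC endpoint mapper",
    ("TCP", 443): "HTTPS",
    ("TCP", 6001): "Exchange Information Store (RPC over HTTPS)",
    ("TCP", 6002): "Exchange Directory Referral (RPC over HTTPS)",
    ("TCP", 6004): "Exchange DSProxy/NSPI (RPC over HTTPS)",
}

# Default dynamic ranges as given in the article's tables.
LEGACY_DYNAMIC = range(1024, 65536)   # before Windows Vista / Windows Server 2008
VISTA_DYNAMIC = range(49152, 65536)   # Windows Vista / Windows Server 2008

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING       1480
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING       512
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING       512
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING       512
  TCP    10.0.0.5:88            10.0.0.21:50112        ESTABLISHED     512
  TCP    [::]:135               [::]:0                 LISTENING       884
  UDP    0.0.0.0:123            *:*                                    1020
  UDP    0.0.0.0:53             *:*                                    1480
"""

# proto, local address, local port, foreign address, optional TCP state, PID
LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)


def parse_netstat(text):
    """Return the unique listeners: TCP sockets in LISTENING state and UDP sockets."""
    found = set()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # headers and blank lines
        proto, _addr, port, _foreign, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established or closing connections are not listeners
        # The set collapses IPv4 and IPv6 wildcard entries for the same port.
        found.add(Listener(proto, int(port), int(pid)))
    return sorted(found)


def classify(listener, dynamic_range):
    """Return ('fixed', name), ('dynamic', None) or ('unlisted', None)."""
    name = FIXED_PORTS.get((listener.proto, listener.port))
    if name:
        return "fixed", name
    if listener.port in dynamic_range:
        return "dynamic", None
    return "unlisted", None


def segment_filter_plan(netstat_text, dynamic_range):
    """Group listeners by how a filter between network segments can address them."""
    plan = {"fixed": [], "dynamic": [], "unlisted": []}
    for listener in parse_netstat(netstat_text):
        kind, name = classify(listener, dynamic_range)
        plan[kind].append((listener.proto, listener.port, name))
    # Assumption: dynamic-range TCP listeners were assigned by RPC. Clients learn
    # such ports from the endpoint mapper, so TCP 135 must be reachable as well,
    # unless the service is pinned to a static port or the RPC range is restricted.
    plan["needs_endpoint_mapper"] = any(p == "TCP" for p, _, _ in plan["dynamic"])
    return plan


if __name__ == "__main__":
    for label, rng in (("1024-65535", LEGACY_DYNAMIC), ("49152-65535", VISTA_DYNAMIC)):
        plan = segment_filter_plan(SAMPLE_NETSTAT, rng)
        print("dynamic range", label)
        for kind in ("fixed", "dynamic", "unlisted"):
            print("  ", kind, plan[kind])
        print("   endpoint mapper needed:", plan["needs_endpoint_mapper"])
```

In the sample, TCP 1026 counts as dynamic under the 1024 - 65535 range but as unlisted under the Windows Server 2008 range, which is the practical effect of the range change on an existing rule set.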
This article includes information about the system services roles and the server roles for the Microsoft
products that are listed in the "Applies to" section at the end of this article. While this information may also
apply to Microsoft Windows XP and to Microsoft Windows 2000 Professional, this article is intended to focus
on server-class operating systems. Because of this, this article describes the ports that a service listens on
instead of the ports that client programs use to connect to a remote system.
Note Packet filters for L2TP traffic are not required, because L2TP is protected by IPsec ESP.
Certificate Services
Certificate Services is part of the core operating system. By using Certificate Services, a business can act as
its own certification authority (CA). In this way, the business can issue and manage digital certificates for
programs and protocols such as Secure/Multipurpose Internet Mail Extensions (S/MIME), Secure Sockets
Layer (SSL), Encrypting File System (EFS), IPsec, and smart card logon. Certificate Services relies on RPC
and on DCOM to communicate with clients by using random TCP ports that are higher than port 1024.
Randomly allocated high TCP ports¹ | TCP | random port number between 1024 - 65535; random port number between 49152 - 65535²
¹ For more information about how to customize this port, see the "Remote Procedure Calls and DCOM"
section in the "References" section.
² This is the range in Windows Server 2008 and in Windows Vista.
Cluster Service
The Cluster service controls server cluster operations and manages the cluster database. A cluster is a
collection of independent computers that act as a single computer. Managers, programmers, and users see
the cluster as a single system. The software distributes data among the nodes of the cluster. If a node fails,
other nodes provide the services and data that were formerly provided by the missing node. When a node is
added or repaired, the cluster software migrates some data to that node.
Randomly allocated high UDP ports¹ | UDP | random port number between 1024 - 65535; random port number between 49152 - 65535²
¹ For more information about how to customize this port, see the "Remote Procedure Calls and DCOM"
section in the "References" section.
² This is the range in Windows Server 2008 and in Windows Vista
Computer Browser
The Computer Browser system service maintains an up-to-date list of computers on your network and
supplies the list to programs that request it. The Computer Browser service is used by Windows-based
computers to view network domains and resources. Computers that are designated as browsers maintain
browse lists that contain all shared resources that are used on the network. Earlier versions of Windows
programs, such as My Network Places, the net view command, and Windows Explorer, all require browsing
capability. For example, when you open My Network Places on a computer that is running Microsoft
Windows 95, a list of domains and computers appears. To display this list, the computer obtains a copy of
the browse list from a computer that is designated as a browser.
DHCP Server
The DHCP Server service uses the Dynamic Host Configuration Protocol (DHCP) to automatically allocate IP
addresses. By using this service, you can adjust the advanced network settings of DHCP clients. For
example, you can configure network settings such as Domain Name System (DNS) servers and Windows
Internet Name Service (WINS) servers. You can establish one or more DHCP servers to maintain TCP/IP
configuration information and to provide that information to client computers.
Randomly allocated high TCP ports¹ | TCP | random port number between 1024 - 65535; random port number between 49152 - 65535²
¹ For more information about how to customize this port, see the "Remote Procedure Calls and DCOM"
section in the "References" section.
² This is the range in Windows Server 2008 and in Windows Vista
Randomly allocated high TCP ports¹ | TCP | random port number between 1024 - 65535; random port number between 49152 - 65535²
¹ For more information about how to customize this port, see the "Distributed File Replication Service"
section in the "References" section.
² This is the range in Windows Server 2008 and in Windows Vista
Randomly allocated high TCP ports¹ | TCP | random port number between 1024 - 65535; random port number between 49152 - 65535²
¹ For more information about how to customize this port, see the "Remote Procedure Calls and DCOM"
section in the "References" section.
² This is the range in Windows Server 2008 and in Windows Vista
Randomly allocated high TCP ports¹ | TCP | random port number between 1024 - 65535; random port number between 49152 - 65535²
¹ For more information about how to customize this port, see the "Distributed Transaction Coordinator"
section in the "References" section.
² This is the range in Windows Server 2008 and in Windows Vista
DNS Server
The DNS Server service enables DNS name resolution by answering queries and update requests for DNS
names. DNS servers are required to locate devices and services that are identified by using DNS names and
to locate domain controllers in Active Directory.
DNS | UDP | 53
DNS | TCP | 53
Event Log
The Event Log system service logs event messages that are generated by programs and by the Windows
operating system. Event Log reports contain information that can be useful in diagnosing problems. Reports
are viewed in Event Viewer. The Event Log service writes events that are sent by programs, by services,
and by the operating system to log files. The events contain diagnostic information in addition to errors that
are specific to the source program, the service, or the component. The logs can be viewed programmatically
through the event log APIs or through the Event Viewer in an MMC snap-in.
For Outlook clients to connect to versions of Exchange prior to Exchange 2003, direct RPC connectivity to
the Exchange server is required. RPC connections made from Outlook to the Exchange server will first
contact the RPC endpoint mapper (Port TCP 135) to request information on the port mappings of the various
endpoints required. The Outlook client then tries to make connections to the Exchange server directly by
using these endpoint ports.
Exchange 5.5 uses two ports for client communication. One port is for the Information Store, and one port
is for the Directory. Exchange 2000 and 2003 use three ports for client communication. One port is for the
Information Store, one is for Directory Referral (RFR), and one port is for DSProxy/NSPI.
In most cases, these two or three ports will be mapped randomly into the range TCP 1024-65535. If
required, these ports can be configured to always bind to a static port mapping rather than to use the
ephemeral ports.
For more information about how to configure static TCP/IP ports in Exchange Server, click the following
article number to view the article in the Microsoft Knowledge Base:
270836 (http://support.microsoft.com/kb/270836/ ) Exchange Server static port mappings
Outlook 2003 clients support direct connectivity to Exchange servers by using RPC. However, these clients
can also communicate with Exchange 2003 servers that are hosted on Windows Server 2003-based
computers on the Internet. The use of RPC over HTTP communication between Outlook and Exchange server
eliminates the need to expose unauthenticated RPC traffic across the Internet. Instead, traffic between the
Outlook 2003 client and the Exchange Server 2003 computer is tunneled within HTTPS packets over TCP
port 443 (HTTPS).
RPC over HTTPS requires that port TCP 443 (HTTPS) be available between the Outlook 2003 client and the
server that is functioning as the "RPCProxy" device. The HTTPS packets are terminated at the RPCProxy
server and the unwrapped RPC packets are then passed to the Exchange server on three ports, in similar
fashion to the direct RPC traffic described above. These RPC over HTTPS ports on the Exchange server are
statically mapped to TCP 6001 (the Information Store), TCP 6002 (Directory Referral), and TCP 6004
(DSProxy/NSPI). No endpoint mapper must be exposed when using RPC over HTTPS communication
between Outlook 2003 and Exchange 2003, since Outlook 2003 knows to use these statically mapped
endpoint ports. In addition, no global catalog needs to be exposed to the Outlook 2003 client because the
DSProxy/NSPI interface on the Exchange 2003 server will provide this functionality.
Exchange Server can also provide support for other protocols, such as SMTP, Post Office Protocol 3 (POP3),
and IMAP.
Application protocol | Protocol | Ports
Randomly allocated high TCP ports¹ | TCP | random port number between 1024 - 65535; random port number between 49152 - 65535²
SMTP | TCP | 25
SMTP | UDP | 25
ISA Server
Randomly allocated high TCP ports (note 6) | TCP | random port number between 1024 - 65535; random port number between 49152 - 65535 (note 7)
Fax Service
Fax Service, a Telephony API (TAPI)–compliant system service, provides fax capabilities. By using Fax
Service, users can send and receive faxes from their desktop programs by using either a local fax device or
a shared network fax device.
Randomly allocated high TCP ports¹ | TCP | random port number between 1024 - 65535; random port number between 49152 - 65535²
¹ For more information about how to customize this port, see the "Remote Procedure Calls and DCOM"
section in the "References" section.
² This is the range in Windows Server 2008 and in Windows Vista.
File Replication
The File Replication service (FRS) is a file-based replication engine that automatically copies updates to files
and folders between computers that are participating in a common FRS replica set. FRS is the default
replication engine that is used to replicate the contents of the SYSVOL folder between Windows 2000-based
and Windows Server 2003-based domain controllers that are located in a common domain. FRS may be
configured to replicate files and folders between targets of a DFS root or link by using the DFS
Administration tool.
Randomly allocated high TCP ports¹ | TCP | random port number between 1024 - 65535; random port number between 49152 - 65535²
¹ For more information about how to customize this port, see the "File Replication Service" section in the
"References" section.
² This is the range in Windows Server 2008 and in Windows Vista.
Randomly allocated high TCP ports | TCP | random port number between 1024 - 65535; random port number between 49152 - 65535¹
¹ This is the range in Windows Server 2008 and in Windows Vista.
Group Policy
To successfully apply Group Policy, a client must be able to contact a domain controller over the DCOM,
ICMP, LDAP, SMB, and RPC protocols. If any one of these protocols is unavailable or blocked between the
client and a relevant domain controller, policy will not apply or refresh. For a cross-domain logon, where a
computer is in one domain, and the user account is in another, these protocols may be required for the
client, the resource domain, and the account domain to communicate. ICMP is used for slow link detection.
For more information about slow link detection, click the following article number to view the article in the
Microsoft Knowledge Base:
227260 (http://support.microsoft.com/kb/227260/ ) How a slow link is detected for processing user
HTTP SSL
The HTTP SSL system service enables IIS to perform SSL functions. SSL is an open standard for establishing
an encrypted communications channel to help prevent the interception of critical information, such as credit
card numbers. Although this service is designed to work on other Internet services, it is primarily used to
enable encrypted electronic financial transactions on the World Wide Web (WWW). You can configure the
ports for this service through the Internet Information Services (IIS) Manager snap-in.
DNS | UDP | 53
DNS | TCP | 53
protocol, the KDC is a single process that provides two services: the Authentication Service and the Ticket-
Granting Service. The Authentication Service issues ticket granting tickets, and the Ticket-Granting Service
issues tickets for connection to computers in its own domain.
Kerberos | TCP | 88
Kerberos | UDP | 88
License Logging
The License Logging system service is a tool that was originally designed to help customers manage licenses
for Microsoft server products that are licensed in the Server Client Access License (CAL) model. License
Logging was introduced with Microsoft Windows NT Server 3.51. By default, the License Logging service is
disabled in Windows Server 2003. Because of legacy design constraints and evolving license terms and
conditions, License Logging may not provide an accurate view of the total number of CALs that are
purchased compared to the total number of CALs that are used on a particular server or across the
enterprise. The CALs that are reported by License Logging may conflict with the interpretation of the End-
User License Agreement (EULA) and with Product Use Rights (PUR). License Logging will not be included in
future versions of the Windows operating system. Microsoft recommends that only users of the Microsoft
Small Business Server family of operating systems enable this service on their servers.
Message Queuing
The Message Queuing system service is a messaging infrastructure and development tool for creating
distributed messaging programs for Windows. These programs can communicate across heterogeneous
networks and can send messages between computers that may be temporarily unable to connect to each
other. Message Queuing helps provide security, efficient routing, support for sending messages within
transactions, priority-based messaging, and guaranteed message delivery.
Messenger
The Messenger system service sends messages to or receives messages from users and computers,
administrators, and the Alerter service. This service is not related to Windows Messenger. If you disable the
Messenger service, notifications that are sent to computers or users who are currently logged on the
network are not received. Additionally, the net send command and the net name command no longer
function.
MSSQLSERVER
MSSQLSERVER is a system service in Microsoft SQL Server 2000. SQL Server provides a powerful and
comprehensive data management platform. You can configure the ports that each instance of SQL Server
uses by using the Server Network Utility.
MSSQL$UDDI
The MSSQL$UDDI system service is installed during the installation of the Universal Description, Discovery,
and Integration (UDDI) feature of the Windows Server 2003 family of operating systems. MSSQL$UDDI
provides UDDI capabilities in an enterprise. The SQL Server database engine is the core component of
MSSQL$UDDI.
Net Logon
The Net Logon system service maintains a security channel between your computer and the domain
controller to authenticate users and services. It passes the user's credentials to a domain controller and
returns the domain security identifiers and the user rights for the user. This is typically referred to as pass-
through authentication. Net Logon is configured to start automatically only when a member computer or
domain controller is joined to a domain. In the Windows 2000 Server and Windows Server 2003 families,
Net Logon publishes service resource locator records in the DNS. When this service runs, it relies on the
WORKSTATION service and on the Local Security Authority service to listen for incoming requests. On
domain member computers, Net Logon uses RPC over named pipes. On domain controllers, it uses RPC over
named pipes, RPC over TCP/IP, mailslots, and Lightweight Directory Access Protocol (LDAP).
Print Spooler
The Print Spooler system service manages all local and network print queues and controls all print jobs.
Print Spooler is the center of the Windows printing subsystem. It manages the print queues on the system
and communicates with printer drivers and input/output (I/O) components, such as the USB port and the
TCP/IP protocol suite.
Remote Installation
You can use the Remote Installation system service to install Windows 2000, Windows XP, and Windows
Server 2003 on Pre-Boot eXecution Environment (PXE) remote boot-enabled client computers. The Boot
Information Negotiation Layer (BINL) service, the primary component of Remote Installation Server (RIS),
answers PXE client requests, checks Active Directory for client validation, and passes client information to
and from the server. The BINL service is installed when you either add the RIS component from
Add/Remove Windows Components, or select it when you initially install the operating system.
Randomly allocated high TCP ports¹ | TCP | random port number between 1024 - 65535; random port number between 49152 - 65535²
¹ For more information about how to customize this port, see the "Remote Procedure Calls and DCOM"
section in the "References" section.
² This is the range in Windows Server 2008 and in Windows Vista.
Randomly allocated high TCP ports¹ | TCP | random port number between 1024 - 65535; random port number between 49152 - 65535²
¹ For more information about how to customize this port, see the "Remote Procedure Calls and DCOM"
section in the "References" section.
² This is the range in Windows Server 2008 and in Windows Vista.
Note Although NAT-T and IPsec ISAKMP are required for L2TP, these ports are actually monitored by the
Local Security Authority. For additional information about this, see the "References" section of this article.
Server
The Server system service provides RPC support and file, print, and named pipe sharing over the network.
The Server service allows the sharing of local resources, such as disks and printers, so that other users on
the network can access them. It also allows named pipe communication between programs that are running
on the local computer and on other computers. Named pipe communication is memory that is reserved for
the output of one process to be used as input for another process. The input-accepting process does not
have to be local to the computer.
Note If a computer name resolves to multiple IP addresses using WINS, or if WINS failed and the name is
resolved using DNS, NetBIOS over TCP/IP (NetBT) will try to ping the IP address or addresses of the file
server. Port 139 communications depend on Internet Control Message Protocol (ICMP) echo messages. If
Internet Protocol version 6 (IPv6) is not installed, port 445 communications will also depend on ICMP for
name resolution. Preloaded Lmhosts entries will bypass the DNS resolver. If IPv6 is installed on Windows
Server 2003-based or Windows XP-based systems, port 445 communications will not trigger any ICMP
requests.
HTTP | TCP | 80
SMTP | TCP | 25
Chargen | TCP | 19
Chargen | UDP | 19
Daytime | TCP | 13
Daytime | UDP | 13
Discard | TCP | 9
Discard | UDP | 9
Echo | TCP | 7
Echo | UDP | 7
Quotd | TCP | 17
Quotd | UDP | 17
the Microsoft operating systems. With this solution, organizations can provide relevant software and updates
to users.
SNMP Service
SNMP Service allows incoming Simple Network Management Protocol (SNMP) requests to be serviced by the
local computer. SNMP Service includes agents that monitor activity in network devices and report to the
network console workstation. SNMP Service provides a method of managing network hosts (such as
workstation or server computers, routers, bridges, and hubs) from a centrally-located computer that is
running network management software. SNMP performs management services by using a distributed
architecture of management systems and agents.
SSDP Discovery Service implements Simple Service Discovery Protocol (SSDP) as a Windows service. SSDP
Discovery Service manages receipt of device presence announcements, updates its cache, and passes these
notifications along to clients with outstanding search requests. SSDP Discovery Service also accepts
registration of event callbacks from clients, turns these into subscription requests, and monitors for event
notifications. It then passes these requests along to the registered callbacks. This system service also
provides hosted devices with periodic announcements. Currently, the SSDP event notification service uses
TCP port 5000. Starting with the next Windows XP service pack, it will rely on TCP port 2869.
Note At the time of this writing, the current Windows XP service pack level is Windows XP Service Pack 1
(SP1).
Randomly allocated high TCP ports¹ | TCP | random port number between 1024 - 65535; random port number between 49152 - 65535²
¹ For more information about how to customize this port, see the "Remote Procedure Calls and DCOM"
section in the "References" section.
² This is the range in Windows Server 2008 and in Windows Vista.
Telnet
The Telnet system service for Windows provides ASCII terminal sessions to Telnet clients. A Telnet server
supports two types of authentication and supports the following four types of terminals:
American National Standards Institute (ANSI)
VT-100
VT-52
VTNT
Telnet | TCP | 23
Terminal Services
Terminal Services provides a multi-session environment that allows client devices to access a virtual
Windows desktop session and Windows-based programs that are running on the server. Terminal Services
allows multiple users to be connected interactively to a computer.
Randomly allocated high TCP ports¹ | TCP | random port number between 1024 - 65535; random port number between 49152 - 65535²
Note Terminal Services Licensing offers its services by using RPC over named pipes. This service has the
same firewall requirements as those of the "File and Printer Sharing" feature.
Randomly allocated high TCP ports¹ | TCP | random port number between 1024 - 65535; random port number between 49152 - 65535²
¹ For more information about how to customize this port, see the "Remote Procedure Calls and DCOM"
section in the "References" section.
² This is the range in Windows Server 2008 and in Windows Vista.
Trivial File Transfer Protocol (TFTP) is a file transfer protocol that is designed to support diskless boot
environments. The TFTP service listens on UDP port 69 but responds from a randomly allocated high port.
Therefore, enabling this port will let the TFTP service receive incoming TFTP requests, but will not let the
selected server respond to those requests. The service is free to respond to any such request from any
source port it wishes, and the remote client will then use that port for the duration of the transfer.
Communication is bidirectional. If you need to enable this protocol through a firewall, it may be useful to
open UDP port 69 inbound. You can then rely on other firewall features, which dynamically allow the service
to respond through temporary holes on any other port.
TFTP | UDP | 69
Windows Media Services is now a single service that runs on Windows Server 2003, Standard Edition;
Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition. Its core
components were developed by using COM, and it has a flexible architecture that you can customize for
specific programs. It supports a greater variety of control protocols, including Real Time Streaming Protocol
(RTSP), Microsoft Media Server (MMS) protocol, and HTTP.
HTTP TCP 80
Windows Time
The Windows Time system service maintains date and time synchronization on all Windows XP and Windows
Server 2003-based computers on a network. This service uses Network Time Protocol (NTP) to synchronize
computer clocks so that an accurate clock value, or timestamp, is assigned for network validation and for
resource access requests. The implementation of NTP and the integration of time providers help make
Windows Time a reliable and scalable time service for your enterprise. For computers that are not joined to
a domain, you can configure Windows Time to synchronize time with an external time source. If this service
is turned off, the time setting for local computers is not synchronized with a time service in the Windows
domain or with an externally configured time service. Windows Server 2003 uses NTP. NTP runs on UDP
port 123. The Windows 2000 version of this service uses Simple Network Time Protocol (SNTP). SNTP also
runs on UDP port 123.
When the Windows Time service uses a Windows domain configuration, the service requires domain
controller location and authentication services. Therefore, the ports for Kerberos and DNS are required.
HTTP TCP 80
n/a GRE GRE (IP protocol 47) Routing and Remote Access
n/a ESP IPsec ESP (IP protocol 50) Routing and Remote Access
548    TCP    File Server for Macintosh       File Server for Macintosh
2393   TCP    OLAP Services 7.0               SQL Server: Downlevel OLAP Client Support
2394   TCP    OLAP Services 7.0               SQL Server: Downlevel OLAP Client Support
2701   TCP    SMS Remote Control (control)    SMS Remote Control Agent
2701   UDP    SMS Remote Control (control)    SMS Remote Control Agent
2702   TCP    SMS Remote Control (data)       SMS Remote Control Agent
2702   UDP    SMS Remote Control (data)       SMS Remote Control Agent
2704   TCP    SMS Remote File Transfer        SMS Remote Control Agent
2704   UDP    SMS Remote File Transfer        SMS Remote Control Agent
A summarized list of the services, ports and protocols that are required for member computers and domain
controllers to interoperate with each other, or for application servers to access Active Directory, includes
but is not limited to the following.
The Help files for each of the Microsoft products that are described in this article contain additional
information that you may find useful to help configure your programs. Windows Server 2003 Help contains
step-by-step instructions about how to configure specific technologies and server roles.
For more information about a related topic, click the following article number to view the article in the
Microsoft Knowledge Base:
179442 (http://support.microsoft.com/kb/179442/ ) How to configure a firewall for domains and trusts
General information
For more information about how to help secure Windows Server and for sample IPsec filters for specific
server roles, see the appropriate "Security Guide." To view or download these guides, visit the following
Microsoft Web site:
http://technet.microsoft.com/en-us/library/cc163140.aspx
For more information about operating system services, security settings, and IPsec filtering, see the
"Threats and Countermeasures Guide." To see this guide for Windows Server 2008 or for Windows Vista,
visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/library/dd349791.aspx
To see this guide for Windows Server 2003 or for Windows XP, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/library/dd162275.aspx
For more information about port assignments for well-known ports, click the following article number to
view the article in the Microsoft Knowledge Base:
174904 (http://support.microsoft.com/kb/174904/ ) Information about TCP/IP port assignments
Additionally, see "Appendix B - Port Reference for MS TCP/IP" in the Microsoft Windows NT 4.0 Resource Kit.
To do this, visit the following Microsoft Web site:
http://www.microsoft.com/resources/documentation/windowsnt/4/server/reskit/en-us/net/port_nts.mspx
Additionally, see "TCP and UDP Port Assignments" in the Windows 2000 Server Resource Kit. To do this,
visit the following Microsoft Web site:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cnfc_por_gdqc.mspx?mfr=true (http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/default.mspx?mfr=true)
Additionally, see the "Port Assignments and Protocol Numbers" document from the Windows 2000 Resource
Kits. To do this, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/library/cc959834.aspx
The Internet Assigned Numbers Authority coordinates the use of well-known ports. To view this
organization's list of TCP/IP port assignments, visit the following Web site:
http://www.iana.org/assignments/port-numbers
For a detailed description of RPC, visit the following Microsoft Web site:
http://msdn2.microsoft.com/en-us/library/ms950395.aspx
For more information about configuring RPC to work with a firewall, click the following article number to
view the article in the Microsoft Knowledge Base:
154596 (http://support.microsoft.com/kb/154596/ ) How to configure RPC dynamic port allocation to work
with firewalls
For more information about the RPC protocol and how computers that are running Windows 2000 initialize,
see the "Windows 2000 Startup and Logon Traffic Analysis" white paper. To do this, visit the following
Microsoft Web site:
http://technet.microsoft.com/en-us/library/Bb742590.aspx
For an explanation of how the Directory System Agent, LDAP, and the local system authority are related,
visit the following Microsoft Web site:
http://msdn2.microsoft.com/en-us/library/ms675902.aspx
For additional information about how LDAP and the global catalog work in Windows 2000, visit the following
Microsoft Web site:
http://technet2.microsoft.com/WindowsServer/en/library/440e44ab-ea05-4bd8-a68c-12cf8fb1af501033.mspx?mfr=true
Exchange Server
For more information about how to restrict Exchange 2000 Server and Exchange Server 2003 MAPI traffic,
click the following article number to view the article in the Microsoft Knowledge Base:
270836 (http://support.microsoft.com/kb/270836/ ) Exchange 2000 and Exchange 2003 static port
mappings
For more information about the network ports and protocols that are supported by Exchange 2000 Server,
click the following article number to view the article in the Microsoft Knowledge Base:
278339 (http://support.microsoft.com/kb/278339/ ) TCP/UDP ports used by Exchange 2000 Server
For more information about the ports that are used by Exchange Server 5.5 and earlier versions of
Exchange Server, click the following article number to view the article in the Microsoft Knowledge Base:
176466 (http://support.microsoft.com/kb/176466/ ) TCP Ports and Microsoft Exchange: In-depth
discussion
There may be additional items to consider for your particular environment. You can receive more
information and help with planning an Exchange implementation from the following Microsoft Web sites:
For Exchange Server 2007, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/library/bb124558.aspx
For Exchange Server 2003, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/library/bb123872.aspx
For more information, click the following article numbers to view the articles in the Microsoft Knowledge
Base:
280132 (http://support.microsoft.com/kb/280132/ ) Exchange 2000 Windows 2000 connectivity through
firewalls
In this example, nnnnn represents a single, static RPC port that DFSR will use for replication.
Branch01.sales.contoso.com represents the DNS or NetBIOS name of the target member computer. If no
member is specified, Dfsrdiag.exe uses the local computer.
For information about how FTP works, visit the following Microsoft Web site:
http://technet2.microsoft.com/WindowsServer/en/library/3454a19f-ac86-4a50-8049-c72ee801cd321033.mspx?mfr=true
For more information about the ports and protocols that are used by IPSec, click the following article
number to view the article in the Microsoft Knowledge Base:
For more information about new and updated features in L2TP and IPSec, click the following article number
to view the article in the Microsoft Knowledge Base:
818043 (http://support.microsoft.com/kb/818043/ ) L2TP/IPSec NAT-T update for Windows XP and
Windows 2000
Message Queuing
For more information about the ports that are used by Microsoft Message Queuing, click the following article
number to view the article in the Microsoft Knowledge Base:
178517 (http://support.microsoft.com/kb/178517/ ) TCP ports, UDP ports, and RPC ports that are used by
Message Queuing
For more information about the ports that are used by SMS 2.0, click the following article number to view
the article in the Microsoft Knowledge Base:
167128 (http://support.microsoft.com/kb/167128/ ) Network ports used by Remote Helpdesk functions
For more information about how to configure SMS through a firewall, click the following article number to
view the article in the Microsoft Knowledge Base:
200898 (http://support.microsoft.com/kb/200898/ ) How to use Systems Management Server 2.0 through
a firewall
For more information about the ports that are used by SMS 2.0 Remote Tools, click the following article
number to view the article in the Microsoft Knowledge Base:
256884 (http://support.microsoft.com/kb/256884/ ) TCP and UDP ports that are used by Remote Control
have changed in SMS 2.0 Service Pack 2
SQL Server
For more information about how SQL Server 2000 dynamically determines ports for secondary instances,
click the following article number to view the article in the Microsoft Knowledge Base:
286303 (http://support.microsoft.com/kb/286303/ ) Behavior of SQL Server 2000 Network Library during
dynamic port detection
For more information about the ports that are used by SQL Server 7.0 and SQL Server 2000 for OLAP, click
the following article number to view the article in the Microsoft Knowledge Base:
301901 (http://support.microsoft.com/kb/301901/ ) TCP ports used by OLAP services when connecting
through a firewall
Terminal Services
For more information about how to configure the port that is used by Terminal Services, click the following
article number to view the article in the Microsoft Knowledge Base:
187623 (http://support.microsoft.com/kb/187623/ ) How to change Terminal Server's listening port
For additional information about how Windows 2000 Service Pack 4 (SP4) communicates over the Internet,
see the "Using Windows 2000 with Service Pack 4 in a Managed Environment" white paper. To do so, visit
the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?familyid=b27e5699-d9c9-4573-ae5b-5904d51a523a
For additional information about how Windows Server 2003 communicates over the Internet, see the "Using
Windows Server 2003 in a Managed Environment" white paper. To do so, visit the following Microsoft Web
site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=D217E2FF-6871-404D-9931-C13AB669766F
For more information about how Windows Server 2008 communicates over the Internet, see the “Using
Windows Server 2008: Controlling Communication with the Internet” white paper. To do so, visit the
following Microsoft Web site:
http://www.microsoft.com/downloadS/details.aspx?familyid=89DDFD58-C6DB-4BE8-A7F4-9C326F967D45&displaylang=en
APPLIES TO