TCP and UDP Ports (Nodinite LDAP Adapter)
Establish secure, reliable LDAP connectivity with the correct TCP and UDP port configuration. This guide details all firewall requirements for Nodinite LDAP products—whether you use the BizTalk LDAP Adapter or the LDAP Web API.
✅ Achieve seamless connectivity for all LDAP clients and servers
✅ Support hybrid and multi-platform environments (on-premises, cloud, Logic Apps, MuleSoft, WSO2, and more)
✅ Harden your network with clear firewall requirements organized by host
✅ Accelerate troubleshooting and integration success
When you work with LDAP, you connect multiple clients and servers across different operating systems and segmented networks. This guide organizes port requirements by the hosts involved in LDAP communication.
Architecture Overview
The following diagram illustrates the network communication flows between the different hosts:
[Architecture diagram (rendered image not recoverable). Flows shown: LDAP API/Adapter -> LDAP Catalog Server (LDAPS 636); LDAP API/Adapter -> Domain Controller (Kerberos 88, LDAP 389, RPC 135); LDAP Catalog Server -> Domain Controller (Authentication); LDAP API/Adapter and LDAP Catalog Server -> DNS Server (DNS 53).]
This diagram shows the network communication flows between client applications, LDAP API/Adapter, LDAP catalog servers, domain controllers, and DNS servers.
Three main hosts participate in LDAP integration:
- Client/API Host - Where the LDAP Web API (IIS/Azure App Service) or BizTalk LDAP Adapter (BizTalk Server) is installed
- LDAP Catalog Server - Target LDAP directory services (Active Directory, OpenLDAP, Apache Directory, etc.)
- Domain Controller (DC) - Active Directory server for Kerberos authentication and account lookups
1. Client/API Host Firewall Requirements
The server where the LDAP Web API or BizTalk LDAP Adapter is installed requires the following ports:
Inbound Ports (Client/API Host)
Inbound connections to the Client/API Host:
| Port | Protocol | Source | Purpose | Required For | Notes |
|---|---|---|---|---|---|
| 443 | TCP | Client Applications | HTTPS API access | LDAP Web API | Configurable in IIS/App Service. See HTTPS Hardening |
| Custom | TCP | Client Applications | HTTP API access (non-SSL) | LDAP Web API | Only if SSL not enforced. Not recommended for production |
Tip
For BizTalk LDAP Adapter, inbound ports are managed by BizTalk Server receive locations. Configure these in the BizTalk Administration Console based on your receive adapters (HTTP, WCF, File, etc.).
Outbound Ports (Client/API Host)
Outbound connections from the Client/API Host:
| Port | Protocol | Destination | Purpose | Required For | Notes |
|---|---|---|---|---|---|
| 53 | TCP/UDP | DNS Server | DNS name resolution | All | Required to resolve LDAP server hostnames |
| 88 | TCP/UDP | Domain Controller | Kerberos authentication | All (when using domain credentials) | Required for Windows Authentication |
| 135 | TCP | Domain Controller | RPC Endpoint Mapper | BizTalk LDAP Adapter (with MSDTC) | See MSDTC configuration |
| 389 | TCP | LDAP Catalog Server | Standard LDAP queries | All | Default LDAP port. See section 2 below |
| 636 | TCP | LDAP Catalog Server | LDAPS (LDAP over SSL) | All (when using LDAPS) | See SSL-LDAPS for Active Directory |
| 3268 | TCP | Domain Controller | Global Catalog queries | All (when querying forest-wide) | Multi-domain environments |
| 3269 | TCP | Domain Controller | Global Catalog over SSL | All (when using secure GC) | Multi-domain environments with SSL |
| 445 | TCP | File Server | SMB file access | LDAP Web API (with Serilog File sink) | Only if using Serilog file logging to remote share |
| 1024-5000, 49152-65535 | TCP | Domain Controller | RPC dynamic ports | BizTalk LDAP Adapter (with MSDTC) | Windows dynamic RPC range. See notes below |
Note
Dynamic RPC Ports: Windows Server 2012+ uses the range 49152-65535 for dynamic RPC. Earlier versions used 1024-5000. For MSDTC transactions in BizTalk LDAP Adapter, these ports must be allowed between BizTalk Server and the Domain Controller. See Service overview and network port requirements for additional details.
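The outbound table above can be checked from the Client/API host before any adapter is configured. The following PowerShell script is an added example, not Nodinite code: it performs a TCP connect to each required port, proves DNS on port 53 by resolving a name through the configured DNS server (a TCP probe is not meaningful for a UDP-first service), and for LDAPS completes a real TLS handshake so that certificate chain and host-name validation are exercised the same way the adapter will exercise them at runtime. The host names, the `-UseGlobalCatalog` and `-UseMsdtc` switches and the `Test-LdapsCertificate` function are assumptions introduced for this example.

```powershell
# Added example (not Nodinite code): verify outbound reachability from the Client/API host
# to the ports listed in the section 1 outbound table. Host names are placeholders.
param(
    [string]$DnsServer        = 'dns01.example.local',   # assumption: your DNS server
    [string]$DomainController = 'dc01.example.local',    # assumption: your DC
    [string]$LdapServer       = 'ldap01.example.local',  # assumption: your LDAP catalog server
    [switch]$UseGlobalCatalog,                            # set when querying forest-wide (3268/3269)
    [switch]$UseMsdtc                                     # set for BizTalk LDAP Adapter with MSDTC (135)
)

# Expectations taken from the outbound table for the Client/API host.
$checks = @(
    @{ Target = $DomainController; Port = 88;   Purpose = 'Kerberos';            Required = $true }
    @{ Target = $LdapServer;       Port = 389;  Purpose = 'LDAP';                Required = $true }
    @{ Target = $LdapServer;       Port = 636;  Purpose = 'LDAPS';               Required = $true }
    @{ Target = $DomainController; Port = 3268; Purpose = 'Global Catalog';      Required = [bool]$UseGlobalCatalog }
    @{ Target = $DomainController; Port = 3269; Purpose = 'Global Catalog SSL';  Required = [bool]$UseGlobalCatalog }
    @{ Target = $DomainController; Port = 135;  Purpose = 'RPC Endpoint Mapper'; Required = [bool]$UseMsdtc }
)

# Test-NetConnection performs a TCP connect; -InformationLevel Quiet returns only $true/$false.
$results = @(foreach ($c in $checks) {
    if (-not $c.Required) { continue }
    $ok = Test-NetConnection -ComputerName $c.Target -Port $c.Port -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Target = $c.Target; Port = $c.Port; Purpose = $c.Purpose; Reachable = $ok }
})

# DNS (port 53) is UDP first, so resolve a name through the configured server instead of probing TCP.
try {
    $null = Resolve-DnsName -Name $LdapServer -Server $DnsServer -ErrorAction Stop
    $dnsOk = $true
} catch { $dnsOk = $false }
$results += [pscustomobject]@{ Target = $DnsServer; Port = 53; Purpose = 'DNS'; Reachable = $dnsOk }

# For LDAPS an open port is not enough: complete the TLS handshake and let .NET validate the
# certificate chain and host name, which is what the adapter does when it connects.
function Test-LdapsCertificate {
    param([string]$HostName, [int]$Port = 636)
    $client = $null
    try {
        $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)   # throws if the chain or the name does not validate
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{ Subject = $cert.Subject; NotAfter = $cert.NotAfter; Protocol = $ssl.SslProtocol; Valid = $true }
    } catch {
        [pscustomobject]@{ Subject = $null; NotAfter = $null; Protocol = $null; Valid = $false; Error = $_.Exception.Message }
    } finally {
        if ($client) { $client.Dispose() }
    }
}

$results | Format-Table -AutoSize
if (($results | Where-Object Port -eq 636).Reachable) {
    Test-LdapsCertificate -HostName $LdapServer | Format-List
}
```

A port that is reachable but whose LDAPS handshake fails with a chain or name error is a certificate problem on the catalog server, not a firewall problem; see the SSL-LDAPS for Active Directory guide for that case.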
2. LDAP Catalog Server Firewall Requirements
The LDAP directory service server (Active Directory, OpenLDAP, etc.) requires the following ports:
Inbound Ports (LDAP Catalog Server)
Inbound connections to the LDAP Catalog Server:
| Port | Protocol | Source | Purpose | LDAP Service | Notes |
|---|---|---|---|---|---|
| 389 | TCP | Client/API Host | Standard LDAP queries | Active Directory, OpenLDAP, Fedora, Sun, NIS, etc. | Default LDAP port. Most common |
| 636 | TCP | Client/API Host | LDAPS (LDAP over SSL) | Active Directory, OpenLDAP, etc. | Secure LDAP. See SSL-LDAPS for Active Directory |
| 1389 | TCP | Client/API Host | Standard LDAP queries | OpenDS | Alternative LDAP port |
| 10389 | TCP | Client/API Host | Standard LDAP queries | Apache Directory Server | Alternative LDAP port |
| 3268 | TCP | Client/API Host | Global Catalog queries | Active Directory | Forest-wide queries |
| 3269 | TCP | Client/API Host | Global Catalog over SSL | Active Directory | Secure forest-wide queries |
Important
Ports 389 and 636 are the most common LDAP ports. Ensure these are allowed in your firewall for standard LDAP and LDAPS communication.
Outbound Ports (LDAP Catalog Server)
Outbound connections from the LDAP Catalog Server:
| Port | Protocol | Destination | Purpose | Notes |
|---|---|---|---|---|
| 53 | TCP/UDP | DNS Server | DNS name resolution | Required for domain operations |
| 88 | TCP/UDP | Domain Controller | Kerberos authentication | Required if LDAP server participates in domain |
| 389 | TCP | Other Domain Controllers | LDAP replication | Active Directory multi-DC environments |
| 445 | TCP | Domain Controller | SMB/CIFS | Group Policy, Sysvol replication |
3. Domain Controller Firewall Requirements
If using Windows Authentication or Active Directory, the Domain Controller requires:
Inbound Ports (Domain Controller)
Inbound connections to the Domain Controller:
| Port | Protocol | Source | Purpose | Notes |
|---|---|---|---|---|
| 53 | TCP/UDP | Client/API Host, LDAP Catalog Server | DNS queries | Name resolution |
| 88 | TCP/UDP | Client/API Host, LDAP Catalog Server | Kerberos authentication | Windows Authentication |
| 135 | TCP | Client/API Host | RPC Endpoint Mapper | MSDTC for BizTalk LDAP Adapter |
| 389 | TCP | Client/API Host, LDAP Catalog Server | LDAP queries | Account lookups, authentication |
| 636 | TCP | Client/API Host | LDAPS queries | Secure account lookups |
| 445 | TCP | Client/API Host, LDAP Catalog Server | SMB/CIFS | Group Policy, file access |
| 3268 | TCP | Client/API Host | Global Catalog queries | Forest-wide searches |
| 3269 | TCP | Client/API Host | Global Catalog over SSL | Secure forest-wide searches |
| 1024-5000, 49152-65535 | TCP | Client/API Host | RPC dynamic ports | MSDTC transactions. See notes in section 1 |
Additional Protocols
IPsec / NAT-T
If using IPsec for network security:
| Port | Protocol | Purpose | Notes |
|---|---|---|---|
| 500 | UDP | IPsec ISAKMP | Standard IPsec key exchange |
| 4500 | UDP | NAT-T (NAT Traversal) | Used when NAT is detected between IPsec peers |
NetBIOS (Legacy)
Legacy Windows networking (not recommended for modern deployments):
| Port | Protocol | Purpose | Notes |
|---|---|---|---|
| 139 | TCP | NetBIOS Session Service | Legacy Windows networking. Use SMB port 445 instead |
Viewing Dynamic Port Ranges
View the current dynamic port range configuration on Windows using these commands:
```cmd
netsh int ipv4 show dynamicport tcp
netsh int ipv4 show dynamicport udp
netsh int ipv6 show dynamicport tcp
netsh int ipv6 show dynamicport udp
```
For complete details on Windows service port requirements, see Service overview and network port requirements (KB 832017).
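The Domain Controller inbound table in section 3 and the dynamic port range commands above can be applied together. The following PowerShell script is an added example, not Nodinite code: run elevated on the Domain Controller, it creates inbound Windows Firewall rules for the fixed ports in that table, scoped with `-RemoteAddress` to the Client/API host only, and when `-IncludeMsdtc` is given it reads the dynamic RPC range from `netsh int ipv4 show dynamicport tcp` and allows exactly that range instead of hard-coding 49152-65535 or the legacy 1024-5000 span. The `$ApiHost` address, the `-IncludeMsdtc` switch, the rule group name and the `New-ScopedRule` helper are assumptions introduced for this example.

```powershell
# Added example (not Nodinite code): inbound Windows Firewall rules on a Domain Controller
# that admit only the Client/API host to the ports in the section 3 inbound table.
param(
    [string]$ApiHost = '10.0.1.25',   # assumption: placeholder for the Client/API host address
    [switch]$IncludeMsdtc             # only for BizTalk LDAP Adapter with MSDTC (135 + dynamic RPC)
)

# Fixed ports from the Domain Controller inbound table.
$tcpPorts  = @(53, 88, 389, 636, 3268, 3269, 445)
$udpPorts  = @(53, 88)
$ruleGroup = 'Nodinite LDAP'        # assumption: group name used to list and clean up these rules later

function New-ScopedRule {
    param([string]$Name, [string]$Protocol, [string]$LocalPort)
    # RemoteAddress limits the rule to the Client/API host so the port is not opened to the whole subnet.
    New-NetFirewallRule -DisplayName $Name -Group $ruleGroup -Direction Inbound -Action Allow `
        -Protocol $Protocol -LocalPort $LocalPort -RemoteAddress $ApiHost -Profile Domain | Out-Null
}

foreach ($p in $tcpPorts) { New-ScopedRule -Name "$ruleGroup TCP $p from API host" -Protocol TCP -LocalPort $p }
foreach ($p in $udpPorts) { New-ScopedRule -Name "$ruleGroup UDP $p from API host" -Protocol UDP -LocalPort $p }

if ($IncludeMsdtc) {
    # Read the range this DC actually uses rather than assuming 49152-65535; the output has the
    # lines "Start Port      : <n>" and "Number of Ports : <n>".
    $out   = netsh int ipv4 show dynamicport tcp
    $start = [int](($out | Select-String 'Start Port\s*:\s*(\d+)').Matches[0].Groups[1].Value)
    $count = [int](($out | Select-String 'Number of Ports\s*:\s*(\d+)').Matches[0].Groups[1].Value)
    $range = "$start-$($start + $count - 1)"   # e.g. 49152-65535 on Windows Server 2012+

    New-ScopedRule -Name "$ruleGroup TCP 135 RPC endpoint mapper" -Protocol TCP -LocalPort 135
    New-ScopedRule -Name "$ruleGroup TCP RPC dynamic $range"     -Protocol TCP -LocalPort $range
}

# Show what was created; remove everything again with: Remove-NetFirewallRule -Group $ruleGroup
Get-NetFirewallRule -Group $ruleGroup | Format-Table DisplayName, Enabled, Direction, Action -AutoSize
```

Because the MSDTC rule is derived from the live `netsh` value, re-run the script after changing the dynamic port range on the server so the firewall rule and the RPC runtime stay in agreement.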
Port Summary by Priority
Essential Ports (Must Allow)
These ports are required for basic LDAP functionality:
- Port 389 (TCP) - Standard LDAP queries to catalog server
- Port 636 (TCP) - LDAPS (LDAP over SSL) for secure communication
- Port 443 (TCP) - HTTPS access to LDAP Web API
- Port 53 (TCP/UDP) - DNS resolution for all hosts
- Port 88 (TCP/UDP) - Kerberos authentication for Windows integrated security
Recommended Ports
These ports are needed for advanced scenarios:
- Port 3268/3269 (TCP) - Global Catalog queries in multi-domain forests
- Port 135 (TCP) - RPC Endpoint Mapper for MSDTC transactions
- Port 445 (TCP) - SMB for Serilog file logging or Group Policy
Optional Ports
These ports may be required depending on your LDAP service:
- Port 1389 (TCP) - OpenDS LDAP service
- Port 10389 (TCP) - Apache Directory Server
- Port 500/4500 (UDP) - IPsec/NAT-T for network security
- Port 139 (TCP) - NetBIOS (legacy, not recommended)
Next Step
- Configure SSL-LDAPS for Active Directory for secure LDAP communication
- Review HTTPS Hardening for securing the LDAP Web API
- Learn about MSDTC configuration for BizTalk LDAP Adapter transactions