Hybrid Identity Required Ports and Protocols

The following document is a technical reference on the ports and protocols required for implementing a hybrid identity solution. Use the following illustration and refer to the corresponding table.

[Illustration: What is Azure AD Connect]

Table 1 - Azure AD Connect and On-premises AD

This table describes the ports and protocols that are required for communication between the Azure AD Connect server and on-premises AD.

| Protocol | Ports | Description |
|---|---|---|
| DNS | 53 (TCP/UDP) | DNS lookups on the destination forest. |
| Kerberos | 88 (TCP/UDP) | Kerberos authentication to the AD forest. |
| MS-RPC | 135 (TCP/UDP) | Used during the initial configuration of the Azure AD Connect wizard when it binds to the AD forest, and also during password synchronization. |
| LDAP | 389 (TCP/UDP) | Used for data import from AD. Data is encrypted with Kerberos Sign & Seal. |
| SMB | 445 (TCP/UDP) | Used by Seamless SSO to create a computer account in the AD forest. |
| LDAP/SSL | 636 (TCP/UDP) | Used for data import from AD. The data transfer is signed and encrypted. Only used if you are using SSL. |
| RPC | 49152-65535 (random high RPC port) (TCP/UDP) | Used during the initial configuration of Azure AD Connect when it binds to the AD forests, and during password synchronization. See KB929851, KB832017, and KB224196 for more information. |

Table 2 - Azure AD Connect and Azure AD

This table describes the ports and protocols that are required for communication between the Azure AD Connect server and Azure AD.

| Protocol | Ports | Description |
|---|---|---|
| HTTP | 80 (TCP/UDP) | Used to download CRLs (Certificate Revocation Lists) to verify SSL certificates. |
| HTTPS | 443 (TCP/UDP) | Used to synchronize with Azure AD. |

For a list of URLs and IP addresses you need to open in your firewall, see Office 365 URLs and IP address ranges.
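As an added example that is not part of the original page, the following PowerShell preflight script, run on the Azure AD Connect server, checks TCP reachability to a domain controller on the Table 1 ports and to Azure AD on the Table 2 ports, so a blocked firewall rule surfaces before the wizard fails. The hostnames `dc01.corp.example` and `login.microsoftonline.com` are assumptions (take the authoritative Azure AD endpoint list from the Office 365 URLs and IP address ranges reference); `Test-NetConnection` exercises TCP only, so the UDP paths and the dynamic RPC range, which is negotiated through the endpoint mapper on port 135, still need a separate firewall-rule review.

```powershell
# Added example (not from the original page): TCP preflight check for the ports in
# Table 1 (Azure AD Connect -> on-premises AD) and Table 2 (Azure AD Connect -> Azure AD).
# Test-NetConnection only tests TCP; UDP rules and the 49152-65535 dynamic RPC range
# (allocated per call via the endpoint mapper on 135) must be verified on the firewall itself.
param(
    [string]$DomainController = 'dc01.corp.example',         # assumption: FQDN of a DC in the target forest
    [string]$AzureAdEndpoint  = 'login.microsoftonline.com', # assumption: see Office 365 URLs and IP address ranges
    [switch]$UsingLdaps,        # Table 1: 636 is only required when LDAP/SSL is in use
    [switch]$UsingSeamlessSso   # Table 1: 445 is only required for Seamless SSO computer-account creation
)

$checks = @(
    @{ Target = $DomainController; Port = 53;  Purpose = 'DNS' }
    @{ Target = $DomainController; Port = 88;  Purpose = 'Kerberos' }
    @{ Target = $DomainController; Port = 135; Purpose = 'MS-RPC endpoint mapper' }
    @{ Target = $DomainController; Port = 389; Purpose = 'LDAP (Kerberos Sign & Seal)' }
    @{ Target = $AzureAdEndpoint;  Port = 80;  Purpose = 'HTTP (CRL download)' }
    @{ Target = $AzureAdEndpoint;  Port = 443; Purpose = 'HTTPS (Azure AD sync)' }
)
if ($UsingLdaps)       { $checks += @{ Target = $DomainController; Port = 636; Purpose = 'LDAP/SSL' } }
if ($UsingSeamlessSso) { $checks += @{ Target = $DomainController; Port = 445; Purpose = 'SMB (Seamless SSO)' } }

$results = foreach ($c in $checks) {
    # -WarningAction SilentlyContinue hides the cmdlet's own "TCP connect failed" warning;
    # TcpTestSucceeded carries the verdict for the row.
    $r = Test-NetConnection -ComputerName $c.Target -Port $c.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Target  = $c.Target
        Port    = $c.Port
        Purpose = $c.Purpose
        Open    = $r.TcpTestSucceeded
    }
}

$results | Format-Table -AutoSize

# Summarise anything blocked so the firewall change request can list exact target:port pairs.
$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    $list = ($blocked | ForEach-Object { "$($_.Target):$($_.Port) ($($_.Purpose))" }) -join ', '
    Write-Warning "Blocked from this host: $list"
}
```

Run it with `-UsingLdaps` or `-UsingSeamlessSso` to include the optional Table 1 ports; every row reported as not open should map to a firewall rule between the Azure AD Connect server and the listed target.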

Table 3 - Azure AD Connect and AD FS Federation Servers/WAP

This table describes the ports and protocols that are required for communication between the Azure AD Connect server and AD FS Federation/WAP servers.

| Protocol | Ports | Description |
|---|---|---|
| HTTP | 80 (TCP/UDP) | Used to download CRLs (Certificate Revocation Lists) to verify SSL certificates. |
| HTTPS | 443 (TCP/UDP) | Used to synchronize with Azure AD. |
| WinRM | 5985 | WinRM listener. |

Table 4 - WAP and Federation Servers

This table describes the ports and protocols that are required for communication between the Federation servers and WAP servers.

| Protocol | Ports | Description |
|---|---|---|
| HTTPS | 443 (TCP/UDP) | Used for authentication. |

Table 5 - WAP and Users

This table describes the ports and protocols that are required for communication between users and the WAP servers.

| Protocol | Ports | Description |
|---|---|---|
| HTTPS | 443 (TCP/UDP) | Used for device authentication. |
| TCP | 49443 (TCP) | Used for certificate authentication. |