Configure Windows Firewall Settings
In order for the Keyfactor Windows Enrollment Gateway to communicate with the local Active Directory, the Keyfactor Gateway Receiver, and the managed instance of Keyfactor Command, the appropriate firewall ports need to be open on the gateway server and throughout the environment. These ports may already be open or may need to be opened.
Table 1039: Protocols the Gateway Uses for Communication

| Type | Protocols and Ports | Source/Target |
|---|---|---|
| Inbound | RPC (TCP 135) | The managed instance of Keyfactor Command, for enrollment |
| Inbound | DCOM (random high ports, typically in the range TCP 49152 – 65535) | The managed instance of Keyfactor Command, for enrollment |
| Outbound | Active Directory Web Services (TCP 9389) | Active Directory domain controllers, for account synchronization |
| Outbound | HTTP/HTTPS (TCP 80/443) | The Keyfactor Gateway Receiver |
On the gateway server:

- Determine the current dynamic (ephemeral) TCP port range by opening an administrative command prompt and running the following command:

      netsh interface ipv4 show dynamic protocol=tcp

  The output from this command should look like this (the default on current Windows Server versions is 16384 ports starting at 49152; if the range has been customized on this server, the firewall rule must cover the customized range, not the default):

      Protocol tcp Dynamic Port Range
      ---------------------------------
      Start Port      : 49152
      Number of Ports : 16384

- If this range is not already open inbound, it needs to be opened to allow RPC communication via TCP: the initial request from Keyfactor Command arrives on the RPC endpoint mapper (TCP 135), and the DCOM connection that follows uses a port from the dynamic range. Keyfactor provides a PowerShell script for this purpose (see Appendix - Firewall Rules Script).

  Note: No rules are included in this script for HTTP/HTTPS or ADWS traffic, since outbound traffic is generally open on servers in most environments. If this is not the case in your environment, you will need to update the script or manually add a rule.

- After running the firewall script to open the inbound ports, confirm that the new Keyfactor rule has been added. Open an administrative command prompt and run:

      wf.msc

  Click Inbound Rules and verify that the new rule "Keyfactor CA Gateway RPC-IN" exists and is enabled. Also verify that the existing rule COM+ Network Access (DCOM-In) is enabled.
Figure 724: Firewall Rules
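The following PowerShell is an added example written for this page; it is not Keyfactor's Firewall Rules Script from the appendix and does not reproduce that script's rule. It shows the procedure above as a single scripted check: read the dynamic port range from netsh instead of assuming the default, create an inbound rule for TCP 135 plus that range, and then perform the same verification as the wf.msc step from the command line. The Command host address, the rule name and the Domain-only profile are assumptions chosen here; Keyfactor's own rule is named "Keyfactor CA Gateway RPC-IN" and may be scoped differently.

```powershell
# Added example for this page, not Keyfactor's firewall script.
# Run in an elevated PowerShell session on the gateway server.
#
# Assumptions (placeholders, adjust for your environment):
#   $CommandHost - IP address of the managed Keyfactor Command instance.
#   $RuleName    - display name used for the example rule; not the name
#                  Keyfactor's script uses ("Keyfactor CA Gateway RPC-IN").
param(
    [string]$CommandHost = '10.0.0.10',
    [string]$RuleName    = 'Example Keyfactor Gateway RPC/DCOM-In'
)

# Parse the range that 'netsh interface ipv4 show dynamicportrange protocol=tcp'
# reports, so the rule matches the server's actual (possibly customized) range.
function Get-TcpDynamicPortRange {
    $text = (& netsh.exe interface ipv4 show dynamicportrange protocol=tcp) -join "`n"
    if ($text -notmatch 'Start Port\s*:\s*(\d+)') {
        throw "Could not parse start port from netsh output:`n$text"
    }
    $start = [int]$Matches[1]
    if ($text -notmatch 'Number of Ports\s*:\s*(\d+)') {
        throw "Could not parse port count from netsh output:`n$text"
    }
    $count = [int]$Matches[1]
    [pscustomobject]@{ Start = $start; End = $start + $count - 1 }
}

$range = Get-TcpDynamicPortRange
Write-Host ("Dynamic TCP port range: {0}-{1}" -f $range.Start, $range.End)

# RPC endpoint mapper (135) plus the dynamic range used by the DCOM connection.
$ports = @('135', ('{0}-{1}' -f $range.Start, $range.End))

# Create the rule once, limited to the Command host and the Domain profile,
# rather than exposing the whole ephemeral range to any source address.
$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Description 'Inbound RPC/DCOM from Keyfactor Command for enrollment (example rule)' `
        -Direction Inbound -Protocol TCP -LocalPort $ports `
        -RemoteAddress $CommandHost -Profile Domain `
        -Action Allow -Enabled True | Out-Null
    Write-Host "Created rule '$RuleName'."
} else {
    Write-Host "Rule '$RuleName' already exists; leaving it unchanged."
}

# Verification: the same checks as wf.msc > Inbound Rules, done from the shell.
$rule   = Get-NetFirewallRule -DisplayName $RuleName
$filter = $rule | Get-NetFirewallPortFilter
$addr   = $rule | Get-NetFirewallAddressFilter
$dcom   = Get-NetFirewallRule -DisplayName 'COM+ Network Access (DCOM-In)' -ErrorAction SilentlyContinue

[pscustomobject]@{
    RuleEnabled   = $rule.Enabled
    LocalPorts    = ($filter.LocalPort -join ', ')
    RemoteAddress = ($addr.RemoteAddress -join ', ')
    DcomInEnabled = if ($dcom) { $dcom.Enabled } else { 'rule not found' }
}
```

Two points in the design are worth calling out. First, the rule is built from the range netsh actually reports: a rule hard-coded to 49152 – 65535 silently stops matching if an administrator has moved the dynamic range with netsh set dynamicportrange. Second, the rule is scoped with -RemoteAddress to the Command host and to the Domain profile, which is tighter than the table above requires; if Keyfactor Command reaches the gateway from more than one address (for example through a load balancer), widen -RemoteAddress to that set rather than dropping the restriction altogether.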