Opening SharePoint Networking Ports Before Creating a Farm

There are a few articles up on TechNet about hardening SharePoint:

Plan security hardening for server roles within a server farm (Office SharePoint Server)
Plan security hardening (SharePoint Server 2010)
Plan security hardening for SharePoint 2013

These guides detail the networking ports SharePoint needs in order to function.  And there are quite a few ports:

  • TCP 80, 443, custom Web applications
  • TCP 16500-16519 Search index component
  • TCP 22233-22236, ICMP AppFabric Caching Service, which is used by the Distributed Cache SharePoint service
  • TCP 808 Windows Communication Foundation used for communication between search components
  • TCP 32843 (HTTP), TCP 32844 (HTTPS), TCP 32845 (net.tcp) SharePoint web services
  • TCP 5725 Forefront Identity Manager (FIM), used by user profile service
  • TCP/UDP 389 (LDAP), TCP/UDP 88 (Kerberos), TCP/UDP 53 (DNS), UDP 464 (Kerberos Change Password) Active Directory queries and integration
  • TCP 1433 SQL Server
  • UDP 1434 SQL Server Browser (if using a non-default SQL instance and you’re not specifying the port in the connection string)
  • TCP 25 Incoming/Outgoing email

Anyway, my advice is to ensure these ports are opened on your farm servers before installing SharePoint. Out of the box Windows Firewall or a Group Policy Object (GPO) may block some of these ports, as well consider any network firewalls and ensure they are not blocking the ports between servers. There’s nothing like running in to issues while setting up a farm and finally figuring out the issue is because one of these ports is blocked!

I’m currently developing a SharePoint 2013 hardening guide which will look at these ports in more detail — why they’re needed, what they do, and on which servers they need to be opened. Stay tuned!

Share Button