What ports and protocols does Group Policy Administrator use? (NETIQKB44024)

  • 7744024
  • 02-Feb-2007
  • 10-Sep-2007

Environment

NetIQ Group Policy Administrator 4.x

NetIQ Group Policy Administrator 5.0

NetIQ Group Policy Administrator 5.0 SP1

Situation

What ports and protocols does Group Policy Administrator use?

What are the ports that need to be enabled for GPA?

Resolution

Group Policy Administrator uses the following ports:

From the Console to the Repository:

The Group Policy Administrator (GPA) console communicates directly with the SQL Server via ADO libraries. The underlying protocol is configurable, but by default it is Named Pipes, which, by default, uses port 1433.

From Repository to Active Directory:

No communication takes place between the Repository Server and Active Directory. The client, running under the credentials of the logged-on user, performs all communication with Active Directory using LDAP over TCP/IP. Active Directory uses port 389 (and/or port 636 for communication via SSL, if configured for such).

From GPA Console To Active Directory:

The client, running under the credentials of the logged-on user, performs all communication with Active Directory using LDAP over TCP/IP. Active Directory uses port 389 (and/or port 636 for communication via SSL, if configured for such).

From Console to target machine for Remote Diagnostics:

Remote Diagnostics uses WMI to communicate with the target machine and gather GPO information. WMI uses the Distributed Component Object Model (DCOM). DCOM uses remote procedure calls (RPC) on port 135 as well as ports in the range 1024-65535. The ports that DCOM uses can be restricted as detailed in the Microsoft KB article:

From the Repository to Server:

The Server portion of GPA is implemented using IIS, which runs over the standard port 80. For GPA 5.0 and later, communication from the Repository to the Server uses TCP port 63847.

For information about the ports and protocols that the Group Policy Administrator Repository MMC snap-in uses, refer to NETIQKB11835.
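
A reachability check for the fixed ports listed above, useful when validating firewall rules between the GPA components. This is an added example, not part of the original article or of NetIQ's tooling; the host names and the `Test-TcpPort` helper are placeholders and assumptions to be replaced with your own values.

```powershell
# Added example. Host names are placeholders (assumptions), not values from the article.
param(
    [ValidateSet('Console', 'Repository')]
    [string]$Role = 'Console',   # which side of the flow this machine is
    [int]$TimeoutMs = 2000
)

# Flows as listed in the article; run the script on the machine named in 'From'.
# The article lists no flow from the Repository to Active Directory.
# Only RPC port 135 is probed for Remote Diagnostics: the DCOM ports in the
# 1024-65535 range are assigned per session and cannot be checked by a fixed probe.
$flows = @(
    [pscustomobject]@{ From = 'Console';    Target = 'sql01.example.test';  Port = 1433;  Use = 'Repository (SQL Server)' }
    [pscustomobject]@{ From = 'Console';    Target = 'dc01.example.test';   Port = 389;   Use = 'Active Directory (LDAP)' }
    [pscustomobject]@{ From = 'Console';    Target = 'dc01.example.test';   Port = 636;   Use = 'Active Directory (LDAP over SSL, if configured)' }
    [pscustomobject]@{ From = 'Console';    Target = 'ws01.example.test';   Port = 135;   Use = 'Remote Diagnostics (RPC)' }
    [pscustomobject]@{ From = 'Repository'; Target = 'gpasrv.example.test'; Port = 80;    Use = 'GPA Server (IIS)' }
    [pscustomobject]@{ From = 'Repository'; Target = 'gpasrv.example.test'; Port = 63847; Use = 'GPA Server (GPA 5.0 and later)' }
)

# Hypothetical helper: attempts a TCP connect with a timeout and classifies the outcome.
function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $connect = $client.ConnectAsync($Target, $Port)
        if ($connect.Wait($TimeoutMs)) { 'Open' } else { 'No response (likely filtered)' }
    }
    catch { 'Refused or unreachable' }   # connection reset, DNS failure, or no route
    finally { $client.Close() }
}

$flows | Where-Object From -eq $Role | ForEach-Object {
    [pscustomobject]@{
        Use    = $_.Use
        Target = $_.Target
        Port   = $_.Port
        Result = Test-TcpPort -Target $_.Target -Port $_.Port -TimeoutMs $TimeoutMs
    }
} | Format-Table -AutoSize
```

A result of "No response" usually points to a firewall silently dropping the traffic, while "Refused or unreachable" means the host answered but nothing is listening, or the name did not resolve.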



Additional Information

Formerly known as NETIQKB44024