Firewalls should be configured to allow traffic to and from the Campus Active Directory domain controllers.
The Campus Active Directory's production domain is ad.wisc.edu.
The domain controller IP addresses for each domain are:
Active Directory makes use of several ports, so it is easier to allow all traffic to and from the domain controllers. This should not pose a significant security risk, especially since the service can only be reached from the campus network. If you prefer to restrict communication to specific ports, the following are the ports commonly used by Active Directory:
| Service | Port(s) / protocol |
|---|---|
| RPC endpoint mapper | 135/TCP, 135/UDP |
| RPC dynamic assignment | 1024-65535/TCP |
| IKE, Internet Key Exchange | 500/UDP |
| IPSec over TCP | 4500/TCP |
| IPSec ESP, Encapsulated Security Payload | IP protocol 50 |
| SMB over IP (Microsoft-DS) | 445/TCP, 445/UDP |
| LDAP over SSL | 636/TCP |
| Global catalog LDAP over SSL | 3269/TCP |
| Domain Name Service (DNS) | 53/TCP, 53/UDP |
| AD Web Service | 9389/TCP |
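As an added example (not part of the original page, and not a rule set published by the Campus Active Directory service), the script below turns the port table above into an nftables rule set for a Linux host that talks to the domain controllers. Mode `all` mirrors the easier option described above (allow everything to and from the DCs); mode `ports` allows only the listed ports and protocols toward the DCs and logs and drops anything else aimed at them. The port values are taken exactly as the table gives them. The domain controller addresses used here (192.0.2.x, from the TEST-NET-1 documentation range) are placeholders, because the page does not list the real ones; substitute them before use.

```shell
#!/bin/sh
# Generate an nftables rule set for a host that uses the Campus AD domain
# controllers. Added example; DC addresses are placeholders, replace them.

# Port table from the page. IPSec ESP is IP protocol 50, not a port, and is
# matched separately below.
AD_TCP_PORTS="135 1024-65535 4500 445 636 3269 53 9389"
AD_UDP_PORTS="135 500 445 53"

# gen_ad_rules MODE DC_ADDR...   -> prints the rule set on stdout
gen_ad_rules() {
    mode="$1"; shift
    # Turn "a b c" into "a, b, c" for the nftables set literal.
    dcs=$(printf '%s' "$*" | sed 's/ /, /g')
    printf 'table inet campus_ad {\n'
    printf '  set dc_addrs { type ipv4_addr; elements = { %s } }\n' "$dcs"

    # Input: replies to our own requests always come back; in "all" mode
    # the DCs may also open connections to us.
    printf '  chain input {\n'
    printf '    type filter hook input priority 0; policy accept;\n'
    printf '    ct state established,related accept\n'
    [ "$mode" = all ] && printf '    ip saddr @dc_addrs accept\n'
    printf '  }\n'

    # Output: what this host may send toward the domain controllers.
    printf '  chain output {\n'
    printf '    type filter hook output priority 0; policy accept;\n'
    case "$mode" in
      all)
        printf '    ip daddr @dc_addrs accept\n' ;;
      ports)
        for p in $AD_TCP_PORTS; do
            printf '    ip daddr @dc_addrs tcp dport %s accept\n' "$p"
        done
        for p in $AD_UDP_PORTS; do
            printf '    ip daddr @dc_addrs udp dport %s accept\n' "$p"
        done
        printf '    ip daddr @dc_addrs ip protocol esp accept\n'
        # Anything else aimed at a DC is logged so misconfigurations show up.
        printf '    ip daddr @dc_addrs log prefix "campus-ad-drop " drop\n' ;;
      *)
        echo "usage: gen_ad_rules all|ports DC_ADDR..." >&2
        return 1 ;;
    esac
    printf '  }\n}\n'
}

# Sanity check for a generated set: number of accept rules it contains
# (ports mode: 1 + 8 TCP + 4 UDP + ESP = 14; all mode: 3).
count_accepts() { gen_ad_rules "$@" | grep -c ' accept$'; }

# Typical use, with placeholder DC addresses:
#   gen_ad_rules ports 192.0.2.10 192.0.2.11 > campus-ad.nft
#   nft -c -f campus-ad.nft    # syntax-check before loading with nft -f
```

Both chains keep `policy accept` so the host's other traffic is unaffected; the restriction applies only to packets addressed to the DC set. The trailing log-and-drop rule in `ports` mode is what makes a forgotten port visible in the logs rather than silently failing, which is the check worth having before tightening a previously permissive rule set.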
The Campus Active Directory service can only be accessed from within the campus network or through the WiscVPN service. Exceptions to this rule cannot be made.