On This Page
Introduction
Term Usage
Microsoft Server Product Ports
Ports and Protocols
For More Information
Related Topics
Introduction
This document discusses the network ports and protocols that are used by server products and their
subcomponents in the Microsoft Windows Server System.
The Windows Server System includes a comprehensive and integrated infrastructure that is designed to meet the
requirements of developers and information technology (IT) professionals. This system is designed to run
programs that information workers can use to obtain, analyze, and share information quickly and easily. These
Microsoft server products use a variety of network ports and protocols to communicate with client and server
systems. While dedicated firewalls, host-based firewalls, and Internet Protocol Security (IPSec) filters can be used
to help secure your network, if these technologies are configured to block ports and protocols that are used by
the Windows Server System, a server may not be able to respond to legitimate client requests. If a server is
unable to respond to legitimate client requests, it may not function properly or at all.
Term Usage
The following list provides an overview of the information contained in this document:
• The "Microsoft Server Product Ports" section of this document contains a brief description of each service,
displays the logical name of that service, and indicates the ports and protocols required by each service
for correct operation. Use this section to help identify the ports and protocols that a particular service
uses.
• The "Ports and Protocols" section of this document includes a table that summarizes the information
from the "Microsoft Server Product Ports" section. The table is sorted by port number instead of by
service name. Use this section to quickly determine which services listen on a particular port.
This document uses certain terms in specific ways. To help avoid confusion, make sure that you understand how
this document uses these terms. The following list describes these terms:
• System services: The Windows Server System includes many products, such as the Microsoft Windows
Server 2003 family, Microsoft Exchange 2000 Server, and Microsoft SQL Server 2000. Each of these
products includes many components; system services is one of those components. System services that
are required by a computer are either started automatically by the operating system during startup or are
started as required during typical operations. For example, some system services that are available on
computers running Windows Server 2003, Enterprise Edition, include the Server service, the Print Spooler
service, and the World Wide Web Publishing Service. Each system service has a friendly service name and
a service name. The friendly service name is the name that appears in graphical management tools, such
as the Services Microsoft Management Console (MMC) snap-in. The service name is the name that is used
with command-line tools and with many scripting languages. Each system service may provide one or
more network services.
• Application protocol: In the context of this document, an application protocol is a high-level network
protocol that uses one or more TCP/IP protocols and ports. Examples of application protocols include
HTTP, server message blocks (SMBs), and Simple Mail Transfer Protocol (SMTP).
• Protocol: Operating at a lower level than the application protocols, TCP/IP protocols are standard formats
for communicating between devices on a network. The TCP/IP suite of protocols includes TCP, User
Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP).
• Port: This is the network port that the system service listens on for incoming network traffic.
This document does not specify which services rely on other services for network communication. For example,
many services rely on the remote procedure call (RPC) or DCOM features in Microsoft Windows to assign them
dynamic TCP ports. The Remote Procedure Call service coordinates requests by other system services that use
RPC or DCOM to communicate with client computers. Many other services rely on network basic input/output
system (NetBIOS) or SMB, protocols that are actually provided by the Server service. Others rely on HTTP or
HTTPS. These protocols are provided by Internet Information Services (IIS). A full discussion of the architecture of
the Windows operating systems is beyond the scope of this document. However, detailed documentation on this
subject is available on Microsoft TechNet and on the Microsoft Developer Network (MSDN). While many services
may rely on a particular TCP or UDP port, only a single service or process can be actively listening on that port at
any one time.
When you use RPC with TCP/IP or with UDP/IP as the transport, inbound ports are frequently dynamically
assigned to system services as required; TCP/IP and UDP/IP ports that are higher than port 1024 are used. These
are frequently informally referred to as "random RPC ports." In these cases, RPC clients rely on the RPC endpoint
mapper to tell them which dynamic ports were assigned to the server. For some RPC-based services, you can
configure a port instead of letting RPC assign one dynamically. You can also restrict the range of ports that RPC
dynamically assigns to a small range, regardless of the service. For more information, see "Related Topics" later in
this document.
This document includes information about the system services roles and the server roles for the Microsoft
products that are listed in the "For More Information" section of this document. Although this information may
also apply to Microsoft Windows XP and Microsoft Windows 2000 Professional, this document is intended to
focus on server-class operating systems. Therefore, this document describes the ports that a service listens on
instead of the ports that client programs use to connect to a remote system.
Microsoft Server Product Ports
This section provides a description of each system service, includes the logical name that corresponds to the
system service, and displays the ports and the protocols required by each service.
Certificate Services
Certificate Services is part of the core operating system that enables a business to act as its own certification
authority (CA). In this way, the business can issue and manage digital certificates for applications and protocols
such as Secure/Multipurpose Internet Mail Extensions (S/MIME), Secure Sockets Layer (SSL), Encrypting File
System (EFS), IPSec, and smart card log on. Certificate Services relies on RPC and DCOM to communicate with
clients using random TCP ports greater than 1024.
Cluster Service
The Cluster service controls server cluster operations and manages the cluster database. A cluster is a collection
of independent computers that is as easy to use as a single computer. Managers, programmers, and users see
the cluster as a single system. The software distributes data among the nodes of the cluster. If a node fails, other
nodes provide the services and data formerly provided by the missing node. When a node is added or repaired,
the cluster software migrates some data to that node.
Computer Browser
The Computer Browser system service maintains an up-to-date list of computers on your network and supplies
the list to programs that request it. The Computer Browser service is used by Windows-based computers enabled
to view network domains and resources. Computers designated as browsers maintain browse lists, which contain
all shared resources used on the network. Windows-based programs from earlier versions, such as My Network
Places, the NET VIEW command, and Microsoft Windows NT Explorer, all require browsing capability. For example,
opening My Network Places on a computer running Windows XP displays a list of domains and computers, which
is accomplished by the computer obtaining a copy of the browse list from a computer designated as a browser.
DHCP Server
Using the Dynamic Host Configuration Protocol (DHCP), the DHCP Server service automatically allocates IP
addresses and enables advanced configuration of network settings, such as Domain Name System (DNS) servers
and Windows Internet Name Service (WINS) servers to DHCP clients. The network administrator establishes one
or more DHCP servers that maintain TCP/IP configuration information and provide it to clients.
DNS Server
The DNS Server system service enables DNS name resolution by answering queries and update requests for DNS
names. The presence of DNS servers is crucial for locating devices and services identified using DNS names and
domain controllers in the Active Directory directory service.
Application protocol  Protocol  Ports
DNS                   UDP       53
DNS                   TCP       53
Event Log
This system service logs event messages issued by programs and the Windows operating system. Event Log
reports contain information that can be useful in diagnosing problems. Reports are viewed in Event Viewer. The
Event Log service writes events sent by applications, services, and the operating system to log files. The events
contain diagnostic information in addition to errors specific to the source application, service, or component. The
logs can be viewed programmatically through the Event Log application programming interfaces (APIs) or
through the Event Viewer in an MMC (Microsoft Management Console) snap-in.
Exchange Server
Microsoft Exchange Server includes several system services. When a MAPI client such as Microsoft Outlook
connects to an Exchange server, the client first connects to the RPC endpoint mapper (the RPC Locator Service)
on TCP port 135. The RPC endpoint mapper tells the client which ports to use to connect to the Exchange Server
service, which are dynamically assigned. Exchange Server 5.5 uses two ports, one each for the information store
and the directory. Microsoft Exchange 2000 Server and Exchange Server 2003 use three ports, one for the
information store and two for the system attendant, respectively. Alternatively, Microsoft Outlook 2003 can use
RPC over HTTP to connect to servers running Exchange Server 2003. Exchange can also provide support for other
protocols, such as SMTP, POP3, and IMAP.
Application protocol  Protocol  Ports
SMTP                  TCP       25
SMTP                  UDP       25
Fax Service
The Fax service, a Telephony Application Programming Interface (TAPI)-compliant system service, provides fax
capabilities from your computer. The Fax service allows users to send and receive faxes from their desktop
applications using either a local fax device or a shared network fax device.
File Replication
The File Replication system service allows files to be automatically copied and maintained simultaneously on
multiple servers. File Replication service (FRS) is the automatic file replication service in Windows 2000 and the
Microsoft Windows Server 2003 family. Its function is to replicate the Sysvol on all domain controllers. In
addition, FRS can be configured to replicate files among alternate targets associated with the fault-tolerant DFS.
HTTP SSL
The HTTP SSL system service enables IIS to perform SSL functions. SSL is an open standard for establishing a
secure communications channel to prevent the interception of critical information, such as credit card numbers.
Primarily, this service enables secure electronic financial transactions on the Web, although it is designed to work
on other Internet services as well. You can configure the ports for this service through IIS Manager.
ICF/ICS
This system service provides NAT, addressing, and name resolution services for all computers on your home or
small-office network. When ICS is enabled, your computer becomes an "Internet gateway" on the network,
enabling other client computers to share one connection to the Internet, such as a dial-up or broadband
connection. This service provides basic DHCP and DNS services, but will work with the full-featured Windows
DHCP or DNS services.
When ICF/ICS is acting as a gateway for the rest of the computers on your network, it provides DHCP and DNS
services to the private network on the internal network interface. It does not provide these services on the
externally-facing interface.
Application protocol  Protocol  Ports
DNS                   UDP       53
DNS                   TCP       53
Kerberos              TCP       88
Kerberos              UDP       88
License Logging Service
License Logging Service (LLS) is a tool that was originally designed to help customers manage licenses for
Microsoft server products that are licensed in the Server Client Access License (CAL) model. LLS was introduced
with Windows NT Server 3.51. By default, LLS is disabled in Windows Server 2003. Because of original design
constraints and evolving license terms and conditions, LLS cannot provide an accurate view of the total number
of CALs that are purchased as compared to the total number of CALs that are used on a single server or across
the enterprise. The CALs that are reported by LLS may conflict with the interpretation of the End User License
Agreement (EULA) and with Product Usage Rights (PUR). LLS will not be included in future versions of the
Windows operating system. (Only users of Small Business Server should enable this service on their servers.)
Although LSASS can use all of the following protocols, it may only use a subset of them. For example, if you are
configuring a VPN gateway that lies behind a filtering router, you might use L2TP with IPSec. If so, then you must
allow IPSec ESP (IP protocol 50), NAT-T (TCP on port 4500), and IPSec ISAKMP (TCP on port 500) through the
router. Although IPSec ESP is required for L2TP, it is actually monitored by the Routing and Remote Access
service.
Message Queuing
The Message Queuing system service is a messaging infrastructure and development tool for creating distributed
messaging applications for Windows. Such applications can communicate across heterogeneous networks and
send messages between computers that may be temporarily unable to connect to each other. Message Queuing
provides guaranteed message delivery, efficient routing, security, support for sending messages within
transactions, and priority-based messaging.
Messenger
The Messenger system service sends messages to or receives messages from users and computers,
administrators, and the Alerter service. This service is not related to Microsoft Windows Messenger or MSN
Messenger. When this service is disabled, the NET SEND and NET NAME shell commands will no longer function.
Messenger notifications sent to computers or users currently logged on the network will not be received.
MSSQL$UDDI
This system service installs during the installation of the Universal Description, Discovery, and Integration (UDDI)
feature of the Windows Server 2003 family of operating systems, which provides UDDI capabilities within an
enterprise. The SQL Server database engine is the core component of this feature.
Net Logon
The Net Logon system service maintains a secure channel between your computer and the domain controller to
authenticate users and services. It passes the user's credentials through a secure channel to a domain controller
and returns the domain security identifiers and user rights for the user. This is commonly referred to as
pass-through authentication. Net Logon starts automatically when the computer is a member of a domain. In the
Windows 2000 Server and Windows Server 2003 families, the Net Logon service publishes service resource
records in the DNS. Net Logon service is enabled only on computers that belong to a domain. When it is running,
it relies on the Server and Local Security Authority services to listen for incoming requests. On domain member
computers, it uses RPC over named pipes; on domain controllers, it uses RPC over named pipes, RPC over TCP/IP,
mailslots, and LDAP.
Print Spooler
The Print Spooler system service manages all local and network print queues and controls all print jobs. The print
spooler is the center of the Windows printing subsystem and controls all printing jobs. It manages the print
queues on the system and communicates with printer drivers and input/output (I/O) components, for example,
the USB port and the TCP/IP protocol suite.
Although RRAS can use all of the following protocols, typically it will only use a subset of them. For example, if
you are configuring a VPN gateway that lies behind a filtering router, you will probably only use one technology.
If you use L2TP with IPSec, then you must allow IPSec ESP (IP protocol 50), NAT-T (TCP on port 4500), and IPSec
ISAKMP (TCP on port 500) through the router. Although NAT-T and IPSec ISAKMP are required for L2TP, these
ports are actually monitored by the Local Security Authority. For more information, see "Related Topics" later in
this document.
Application protocol  Protocol  Ports
HTTP                  TCP       80
SMTP                  TCP       25
SMTP                  UDP       25
Simple TCP/IP Services
Simple TCP/IP Services implements support for the following protocols:
Application protocol  Protocol  Ports
Chargen               TCP       19
Chargen               UDP       19
Daytime               TCP       13
Daytime               UDP       13
Discard               TCP       9
Discard               UDP       9
Echo                  UDP       7
Echo                  TCP       7
Quotd                 UDP       17
Quotd                 TCP       17
SNMP Service
The SNMP Service system service allows incoming Simple Network Management Protocol (SNMP) requests to be
serviced by the local computer. The SNMP service includes agents that monitor activity in network devices and
report to the network console workstation. SNMP service provides a method of managing network hosts, such as
workstation or server computers, routers, bridges, and hubs from a centrally-located computer running network
management software. SNMP performs management services by using a distributed architecture of management
systems and agents.
Currently, the SSDP event notification service uses TCP port 5000. In Windows XP Service Pack 2, it relies on TCP
port 2869.
Telnet
The Telnet system service for Windows provides ASCII terminal sessions to Telnet clients. Telnet Server supports
two types of authentication and supports four types of terminals: American National Standards Institute (ANSI),
VT-100, VT-52, and VTNT.
Application protocol  Protocol  Ports
Telnet                TCP       23
Terminal Services
Terminal Services provides a multisession environment that allows client devices to access a virtual Windows
desktop session and Windows-based programs running on the server. Terminal Services allows multiple users to
be connected interactively to a computer.
Trivial File Transfer Protocol is designed to support diskless boot environments. TFTP Daemons listen on UDP
port 69, but respond from a randomly allocated high port. Therefore, enabling this port will allow the TFTP
service to receive incoming TFTP requests, but will not allow the selected server to respond to those requests.
Allowing the selected server to respond to inbound TFTP requests cannot be accomplished unless the TFTP
server is configured to respond from port 69.
Application protocol  Protocol  Ports
TFTP                  UDP       69
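The TFTP paragraph above describes a stateless filtering failure: the request is addressed to UDP port 69, but the daemon answers from a different, randomly chosen high port, so a rule written around port 69 alone never matches the reply. The following Python model is an added example and is not part of the Microsoft document. It evaluates a two-rule stateless filter (first match wins, default deny) over the datagrams of one TFTP read request, once with the daemon replying from a random high port and once with it configured to reply from port 69 as the paragraph recommends. The client port 2049 and the high reply port 32001 are constructed values.

```python
"""Stateless filter model for the TFTP reply-port problem (added example)."""
from collections import namedtuple

# One datagram as seen by the packet filter on the TFTP server's host.
Packet = namedtuple("Packet", "direction proto src_port dst_port")
# A rule field set to None matches any value.
Rule = namedtuple("Rule", "direction proto src_port dst_port action")

# Rules an administrator might write after reading "TFTP UDP 69": let requests
# in to port 69 and let the daemon's answers out from port 69.  Anything that
# matches no rule is dropped.
TFTP_RULES = [
    Rule("in", "UDP", None, 69, "allow"),
    Rule("out", "UDP", 69, None, "allow"),
]

CLIENT_PORT = 2049        # constructed client ephemeral port
RANDOM_HIGH_PORT = 32001  # constructed stand-in for the daemon's random reply port


def rule_matches(rule, pkt):
    """Field-by-field comparison; None in the rule is a wildcard."""
    return all(r is None or r == p for r, p in zip(rule[:4], pkt))


def decide(rules, pkt):
    """First-match semantics with an implicit default deny, as a stateless filter has."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


def tftp_read_exchange(server_reply_port, client_port=CLIENT_PORT):
    """The two datagrams that begin a TFTP read: the request to port 69 and the
    first data block, which the daemon sends from server_reply_port."""
    return [
        Packet("in", "UDP", client_port, 69),
        Packet("out", "UDP", server_reply_port, client_port),
    ]


def exchange_allowed(rules, server_reply_port):
    """True only if every datagram of the exchange is admitted by the filter."""
    return all(decide(rules, p) == "allow"
               for p in tftp_read_exchange(server_reply_port))


if __name__ == "__main__":
    for port in (RANDOM_HIGH_PORT, 69):
        outcome = "works" if exchange_allowed(TFTP_RULES, port) else "request in, reply dropped"
        print(f"daemon replies from {port}: {outcome}")
```

With the random reply port the request is admitted and the reply is silently dropped, which is exactly the half-working state the paragraph warns about; pinning the daemon to port 69 makes the second rule match and the exchange completes.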
The Windows Media Service system service is now a single service that runs on Windows Server 2003, Standard
Edition, Enterprise Edition, and Datacenter Edition. Its core components were developed using COM, creating a
flexible architecture that is easily customized for specific applications. It supports a greater variety of control
protocols, including Real Time Streaming Protocol (RTSP), Microsoft Media Server (MMS) protocol, and HTTP.
Windows Time
For computers running Windows XP and Windows Server 2003, the Windows Time system service maintains date
and time synchronization on all computers running on a Microsoft Windows network. The service uses the
Network Time Protocol (NTP) to synchronize computer clocks so that an accurate clock value, or timestamp, is
assigned for network validation and resource access requests.
The implementation of NTP and the integration of time providers make Windows Time a reliable and scalable
time service for enterprise administrators. For computers not joined to a domain, you can configure Windows
Time to synchronize time with an external time source. If this service is turned off, the time setting for local
computers will not be synchronized with any time service in the Windows domain, or an externally configured
time service.
Windows Server 2003 uses NTP, which runs on UDP port 123. The Windows 2000 version of this service uses the
Simple Network Time Protocol (SNTP), which also runs on UDP port 123.
If the administrative Web site is enabled, a virtual Web site will be created that uses HTTP traffic on TCP port
8098.
Application protocol  Protocol  Ports
HTTP                  TCP       80
Ports and Protocols
The following table summarizes the information from the previous section, but it is sorted by port number rather
than service name.
Port  Protocol  Application protocol        System service name
n/a   GRE       GRE (IP protocol 47)        Routing and Remote Access
n/a   ESP       IPSec ESP (IP protocol 50)  Routing and Remote Access
548   TCP       File Server for Macintosh   File Server for Macintosh
2393  TCP       OLAP Services 7.0           SQL Server: Downlevel OLAP Client Support
2394  TCP       OLAP Services 7.0           SQL Server: Downlevel OLAP Client Support
2704  TCP       SMS Remote File Transfer    SMS Remote Control Agent
2704  UDP       SMS Remote File Transfer    SMS Remote Control Agent
A spreadsheet with the information in this table is available in Microsoft Excel 2003 format from the Microsoft
Web site at http://go.microsoft.com/fwlink/?linkid=21179.
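The table above answers the question this section poses (which service listens on a given port), and the "Term Usage" section explains that RPC-based services sit behind the endpoint mapper on TCP port 135 and take dynamic ports above 1024 unless the administrator restricts the range. The following Python script is an added example and is not part of the Microsoft document: it loads the port rows that appear on this page, parses `netstat -ano` output, and reports every listener that the host's deployed server roles do not account for. The sample netstat lines and the restricted RPC range 5000-5020 are constructed for the example; the ports and service names come from the page.

```python
"""Audit Windows listeners against the documented port table (added example)."""
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port pid")
Finding = namedtuple("Finding", "proto port pid verdict detail")

# Rows copied from this page: (port, protocol, application protocol, service).
DOCUMENTED_PORTS = [
    (53, "UDP", "DNS", "DNS Server"),
    (53, "TCP", "DNS", "DNS Server"),
    (25, "TCP", "SMTP", "Exchange Server"),
    (23, "TCP", "Telnet", "Telnet"),
    (548, "TCP", "File Server for Macintosh", "File Server for Macintosh"),
    (2393, "TCP", "OLAP Services 7.0", "SQL Server: Downlevel OLAP Client Support"),
    (2394, "TCP", "OLAP Services 7.0", "SQL Server: Downlevel OLAP Client Support"),
    (2704, "TCP", "SMS Remote File Transfer", "SMS Remote Control Agent"),
    (2704, "UDP", "SMS Remote File Transfer", "SMS Remote Control Agent"),
]

# RPC endpoint mapper port, as stated in the Exchange Server section.
RPC_ENDPOINT_MAPPER = 135
# Restricted RPC dynamic range: an ASSUMED value for this example, standing in
# for whatever range the administrator configured (see KB 154596 in Related Topics).
RPC_DYNAMIC_RANGE = (5000, 5020)


def documented_index():
    """Map (port, proto) -> set of service names the table lists for it."""
    index = {}
    for port, proto, _app, service in DOCUMENTED_PORTS:
        index.setdefault((port, proto), set()).add(service)
    return index


def expected_ports(deployed_services):
    """Static (port, proto) pairs a firewall must admit for the given roles.
    TCP 135 is always included because RPC clients start at the endpoint mapper."""
    wanted = {(port, proto) for port, proto, _app, service in DOCUMENTED_PORTS
              if service in deployed_services}
    wanted.add((RPC_ENDPOINT_MAPPER, "TCP"))
    return wanted


def parse_netstat(text):
    """Extract listening sockets from Windows `netstat -ano` output.
    TCP rows carry a State column; UDP rows do not, so the PID shifts one field left."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line or other noise
        proto, local = parts[0], parts[1]
        if proto == "TCP":
            if len(parts) < 5 or parts[3] != "LISTENING":
                continue  # established or closing connections are not listeners
            pid = int(parts[4])
        else:
            if len(parts) < 4:
                continue
            pid = int(parts[3])
        addr, port = local.rsplit(":", 1)  # rsplit also copes with [::]:135
        listeners.append(Listener(proto, addr, int(port), pid))
    return listeners


def audit(netstat_text, deployed_services, rpc_range=RPC_DYNAMIC_RANGE):
    """Classify each listener: expected for the deployed roles, an RPC dynamic port
    inside the configured range, or unexpected (with the table's hint about which
    service normally owns that port, if any)."""
    index = documented_index()
    wanted = expected_ports(deployed_services)
    low, high = rpc_range
    findings = []
    for l in parse_netstat(netstat_text):
        key = (l.port, l.proto)
        if key in wanted:
            who = ", ".join(sorted(index.get(key, {"RPC endpoint mapper"})))
            findings.append(Finding(l.proto, l.port, l.pid, "expected", who))
        elif l.proto == "TCP" and low <= l.port <= high:
            findings.append(Finding(l.proto, l.port, l.pid, "rpc-dynamic",
                                    f"inside configured RPC range {low}-{high}"))
        elif key in index:
            owners = ", ".join(sorted(index[key]))
            findings.append(Finding(l.proto, l.port, l.pid, "unexpected",
                                    f"documented for {owners} (role not deployed here)"))
        else:
            findings.append(Finding(l.proto, l.port, l.pid, "unexpected",
                                    "not in documented table"))
    return findings


# Constructed sample of `netstat -ano` output for a DNS server that also shows an
# SMS remote-control listener and a TFTP daemon nobody planned for.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING       1504
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       836
  TCP    0.0.0.0:5003           0.0.0.0:0              LISTENING       1504
  TCP    0.0.0.0:2704           0.0.0.0:0              LISTENING       2216
  TCP    10.0.0.5:53            10.0.0.9:49210         ESTABLISHED     1504
  UDP    0.0.0.0:53             *:*                                    1504
  UDP    0.0.0.0:69             *:*                                    3120
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_NETSTAT, {"DNS Server"}):
        print(f"{f.proto:3} {f.port:5} pid={f.pid:<5} {f.verdict:11} {f.detail}")
```

On a real server, feed the output of `netstat -ano` to `audit()` together with the set of roles the host is supposed to carry. A listener reported as `unexpected` is either a role that was installed without the firewall policy being updated or a process the table does not know about, and both deserve a look; a TCP port inside the restricted RPC range is attributed to RPC, which is the property the "Term Usage" section says you gain by narrowing that range.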
For More Information
The information in this document applies to these Microsoft products:
Related Topics
The help files for each of the Microsoft products contain detailed information that you may find helpful. Those
included with Windows Server 2003 are particularly thorough, and contain step-by-step instructions for
configuring specific technologies and server roles.
General Information
For more information about system services in Windows Server 2003 and Windows XP, see "System Services for
the Windows Server 2003 Family and Windows XP Operating Systems" on the TechNet Web site at
http://go.microsoft.com/fwlink/?LinkId=22567.
For more information about securing Windows Server 2003 and some sample IPSec filters for specific server
roles, see the Windows Server 2003 Security Guide on the TechNet Web site at
http://go.microsoft.com/fwlink/?LinkId=14845.
For more information about system services, security settings, and IPSec filtering, see Threats and
Countermeasures Guide on the TechNet Web site at http://go.microsoft.com/fwlink/?LinkId=15159.
For more information about port assignments for well known ports, see "Information about TCP/IP Port
Assignments" on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=22568, and Appendix B - Port
Reference for MS TCP/IP from the Windows NT 4 Resource Kit at http://go.microsoft.com/fwlink/?LinkId=22569,
and TCP and UDP Port Assignments in the Windows 2000 Server Resource Kit at
http://go.microsoft.com/fwlink/?LinkId=22571.
The Internet Assigned Numbers Authority is an organization that coordinates the use of well known ports. For a
list of TCP/IP port assignments, see "Well Known Port Numbers" at
http://go.microsoft.com/fwlink/?LinkId=22570.
For a detailed explanation of RPC, see "Remote Procedure Call (RPC)" on MSDN at
http://go.microsoft.com/fwlink/?LinkId=22574.
For more information about configuring RPC to work with a firewall, see Microsoft Knowledge Base article
154596, "How to Configure RPC Dynamic Port Allocation to Work with Firewall," on the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkId=22575.
For more information about the RPC protocol and how systems running Windows 2000 initialize, see "Windows
2000 Startup and Logon Traffic Analysis" on the TechNet Web site at
http://go.microsoft.com/fwlink/?LinkId=22576.
For more information about restricting Active Directory, see "Restricting Active Directory Replication Traffic to a
Specific Port" on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=22578.
For an explanation about how the Directory System Agent, LDAP, and the local system authority are related, see
"Directory System Agent" on MSDN at http://go.microsoft.com/fwlink/?LinkId=22747.
For more information about how LDAP and the Global Catalog work in Windows 2000, see Chapter 10 - Active
Directory Diagnostics, Troubleshooting, and Recovery in the Distributed Systems Guide from the Windows 2000
Server Resource Kit at http://go.microsoft.com/fwlink/?LinkId=22581.
Commerce Server
For detailed information about configuring secure applications built on top of Commerce Server, see "Deploying
a Secure Commerce Server 2002 Site" on the TechNet Web site at http://go.microsoft.com/fwlink/?LinkId=22582.
Exchange
For more information about restricting Exchange 2000 and Exchange 2003 MAPI traffic, see Microsoft Knowledge
Base article 270836, "Exchange 2000 and Exchange 2003 Static Port Mappings," on the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkId=22583.
For an exhaustive list of network ports and protocols supported by Exchange 2000, see Microsoft Knowledge
Base article 278339, "XGEN: TCP/UDP Ports Used By Exchange 2000 Server," on the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkId=22584.
For information about configuring Exchange 5.5 and 5.0 to use an alternate port for LDAP, see Microsoft
Knowledge Base article 224447, "XADM: How to Change LDAP Port Assignments in Exchange Server," on the
Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=22587.
For more information about restricting Exchange 5.5 MAPI traffic, see Microsoft Knowledge Base Article 148732,
"XADM: Setting TCP/IP Port Numbers for Internet Firewalls," on the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkId=22588.
For information about ports used by Exchange 5.5 and older versions of Exchange, see Microsoft Knowledge
Base article 176466, "XGEN: TCP Ports and Microsoft Exchange: In-depth Discussion," on the Microsoft Web site
at http://go.microsoft.com/fwlink/?LinkId=22589.
For detailed information about how FTP works, see "Modes and Data Transmission" on the TechNet Web site at
http://go.microsoft.com/fwlink/?LinkId=22592.
For more information about which ports and protocols are used by IPSec, see Microsoft Knowledge Base article
233256, "How to Enable IPSec Traffic Through a Firewall," on the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkId=22594.
For more information about new and updated features in L2TP and IPSec, see Microsoft Knowledge Base article
818043, "L2TP/IPSec NAT-T Update for Windows XP and Windows 2000," on the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkId=22595.
MADCAP
For more information about MADCAP, see "Planning MADCAP Servers" on the TechNet Web site at
http://go.microsoft.com/fwlink/?LinkId=22596.
For more information about the ports used by SMS 2.0, see Microsoft Knowledge Base article 167128, "SMS:
Network Ports Used by Remote Helpdesk Functions," on the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkId=22601.
For more information about ports used by SMS, see Microsoft Knowledge Base article 200898, "SMS: How to Use
Systems Management Server Through a Firewall," on the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkId=22602.
For information about ports used by SMS, see Microsoft Knowledge Base article 256884, "SMS: TCP and UDP
Ports Used by Remote Control Have Changed in SP2," on the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkId=22603.
SQL Server
For information about how SQL Server 2000 dynamically determines ports for secondary instances, see Microsoft
Knowledge Base article 286303, "INF: Behavior of SQL Server 2000 Network Library During Dynamic Port
Detection," on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=22604.
For information about ports used by SQL Server 7.0 and SQL Server 2000 for OLAP Services, see Microsoft
Knowledge Base article 301901, "TCP Ports Used by OLAP Services when Connecting Through a Firewall," on the
Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=22605.
Terminal Services
For information about how to configure the port used by Terminal Services, see Microsoft Knowledge Base article
187623, "How to Change Terminal Server's Listening Port," on the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkId=22606.
For a client-side perspective about how Windows 2000 with Service Pack 4 communicates on the Internet, see
"Using Windows 2000 with Service Pack 4 in a Managed Environment" on the TechNet Web site at
http://go.microsoft.com/fwlink/?LinkId=22608.
For a client-side perspective about how Windows Server 2003 communicates on the Internet, see "Using
Windows Server 2003 in a Managed Environment" on the TechNet Web site at
http://go.microsoft.com/fwlink/?LinkId=22609.
© 2018 Microsoft