Communication Ports Used by ClearPass

By Shyam_Moolayilkalarikkal posted Jul 02, 2014 07:45 PM


Comments

Sep 25, 2017 11:43 AM

Clearpass 6.6.7 with SMBv2 / SMBv3 patch requires additional ports that need to be opened through the firewall due to changes in DCE/RPC within MSCHAPv2. This new implementation seems to support NTLMv2 by default.

* 135/tcp
* 49152-65535/tcp

If the high end RPC ports aren't permitted in the firewall, you will see a common error in Access Tracker stating the following.

* AD Status: Reading winbind reply failed! (0xc0000001)
* AD Status: {Device Timeout} The Specified I/O operation on %hs was not completed before the time-out period expired. (0xc00000b5)
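
Added here as an illustration, not part of the thread: a small Python probe, run from the ClearPass side against a domain controller, that separates a silent firewall drop (connect timeout) from a port that is simply not listening (RST), so the 135/tcp and 49152-65535/tcp rules mentioned above can be verified before the Access Tracker errors appear. The DC hostname and the three sample ports chosen inside the dynamic range are assumptions of this example.

```python
import socket
import sys

# Ports the comment above lists for ClearPass 6.6.7 (SMBv2/SMBv3 patch)
# towards the domain controllers: the RPC endpoint mapper (135/tcp) and the
# dynamic RPC range (49152-65535/tcp). The sample ports probed inside the
# range are this example's own choice, not values from the thread.
RPC_ENDPOINT_MAPPER = 135
DYNAMIC_RANGE_SAMPLES = (49152, 57343, 65535)


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP connect as 'open', 'refused' or 'filtered'.

    'refused' means the SYN reached the host and it answered with RST, so
    the firewall path is open even though nothing listens on that port.
    'filtered' means no answer before the timeout, the usual sign of a
    silent drop. A firewall that rejects with RST instead of dropping will
    show up as 'refused', so confirm against the firewall logs as well.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as exc:  # e.g. no route to host
        return "error:%s" % exc.errno


def summarise(results):
    """Turn {port: state} into a verdict: 135 must be open, the dynamic
    range only needs to be reachable (open or refused)."""
    blocked = sorted(p for p, s in results.items() if s == "filtered")
    return {
        "endpoint_mapper_ok": results.get(RPC_ENDPOINT_MAPPER) == "open",
        "blocked_ports": blocked,
        "dynamic_range_ok": not [p for p in blocked if p != RPC_ENDPOINT_MAPPER],
    }


def check_dc(host, timeout=3.0):
    """Probe one domain controller from the ClearPass side and summarise."""
    ports = (RPC_ENDPOINT_MAPPER,) + DYNAMIC_RANGE_SAMPLES
    return summarise({p: probe_tcp(host, p, timeout) for p in ports})


if __name__ == "__main__":
    # Placeholder hostname; pass the real DC as the first argument.
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc1.example.test"
    print(check_dc(dc))
```

A `dynamic_range_ok` of False with `endpoint_mapper_ok` True is the pattern that matches the winbind timeout errors quoted above.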

Dec 17, 2015 01:05 PM

The ports listed for CPPM to AD for file replication services appear to be necessary - in our design the firewall is blocking Samba / SMB traffic coming from the ClearPass servers with these rules omitted.