Adaxes network usage
Adaxes performs a variety of operations over the network. For example, it sends LDAP queries to your domain controllers and HTTPS requests to Microsoft Entra servers. This article will help you better understand what network activity to expect from Adaxes components and what ports must be open for those components to function without issues.
Active Directory management
Adaxes uses the following ports to communicate with your domain controllers and manage registered Active Directory domains.
For every domain registered in Adaxes, these ports must be open between:
- Domain controllers – local ports for inbound traffic.
- Computer where Adaxes service is installed – remote ports for outbound traffic.
Port         Protocol  Details
88           TCP/UDP   Kerberos authentication.
389          TCP/UDP   LDAP queries and modifications.
636          TCP       Security-sensitive operations in Active Directory using LDAP over SSL.
3268         TCP       Queries against the Global Catalog.
3269         TCP       Queries against the Global Catalog using SSL.
135          TCP       Access to the RPC Endpoint Mapper service to locate available dynamic RPC ports.
49152-65535  TCP       Dynamic RPC ports to access services such as Netlogon, SAM, and LSA for account validation and security context retrieval.
In addition, ICMP Echo Requests from the computer with the Adaxes service to domain controllers must be allowed. Adaxes uses ICMP ping when an LDAP request to a domain controller has been pending for an extended time, to verify that the domain controller is still available.
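The following script is an added example, not part of the Adaxes documentation, for checking the ports and ICMP reachability listed above from the computer that hosts the Adaxes service. It assumes a domain-joined Windows host with Test-NetConnection available (Windows 8 / Server 2012 or later); the dynamic RPC range is checked only through the Endpoint Mapper on port 135, and UDP on 88 and 389 is not tested because Test-NetConnection is TCP-only.

```powershell
# Added example (not from the Adaxes documentation): run on the Adaxes service computer
# to confirm the ports from the table above are reachable on every domain controller
# of the current domain. Assumes the host is joined to the domain being checked.

# TCP ports from the table; the dynamic RPC ports are only known after querying the
# Endpoint Mapper, so port 135 stands in for that range here.
$tcpPorts = 88, 389, 636, 3268, 3269, 135

# Discover the domain controllers through .NET (no RSAT module required).
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dcs = $domain.DomainControllers | ForEach-Object { $_.Name }

$results = foreach ($dc in $dcs) {
    # ICMP Echo Request: Adaxes pings a DC when an LDAP request stays pending too long.
    $ping = Test-Connection -ComputerName $dc -Count 1 -Quiet
    [PSCustomObject]@{ DomainController = $dc; Port = 'ICMP'; Open = $ping }

    foreach ($port in $tcpPorts) {
        # -InformationLevel Quiet returns $true/$false for the TCP connect test only.
        $open = Test-NetConnection -ComputerName $dc -Port $port `
            -InformationLevel Quiet -WarningAction SilentlyContinue
        [PSCustomObject]@{ DomainController = $dc; Port = $port; Open = $open }
    }
}

$results | Format-Table -AutoSize

# Every row with Open = False is a firewall rule (or a domain controller) to fix
# before registering the domain in Adaxes.
$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) { Write-Warning "Unreachable: $($blocked.Count) DC/port combination(s)"; $blocked }
```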
Restricting dynamic RPC ports
It is strongly recommended to allow communication between Adaxes service and domain controllers over the full dynamic RPC port range. In practice, this range can be reduced. The absolute minimum that does not break Adaxes functionality is opening only port 49668, where the Netlogon service typically listens.
That being said, reducing the number of available dynamic RPC ports has a direct and noticeable impact on performance. A more practical range is having at least 500 available RPC ports, including port 49668. Anything fewer, and you start aggressively trading stability and performance for little to no real security benefit. Reducing the range to one or just a few ports should be reserved for restricted network environments where it is non-negotiable.
The RPC port range should never be reduced with firewall rules alone.
For details, see the How to configure RPC dynamic port allocation to work with firewalls article from Microsoft.
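As an added example, not from the Adaxes documentation or from Microsoft's article, the script below applies the practical range described above (500 dynamic RPC ports including 49668) on a domain controller through the RPC runtime's registry settings, with a matching firewall rule rather than a firewall rule alone. It assumes an elevated session on the domain controller, Windows Firewall, and a placeholder address for the Adaxes service computer; the change takes effect after a reboot and applies to every RPC server on that host, not only to the services Adaxes uses.

```powershell
# Added example (not from the Adaxes documentation): restrict dynamic RPC allocation on a
# domain controller to 500 ports starting at 49668, the way Microsoft's article configures
# it (registry values of the RPC runtime), and open exactly that range on the firewall.
$firstPort = 49668
$portCount = 500
$range = "$firstPort-$($firstPort + $portCount - 1)"   # 49668-50167
$adaxesServer = '<adaxes_service_ip>'                  # placeholder: the Adaxes service computer

$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }

# Ports (REG_MULTI_SZ): one entry per port or range made available to dynamic RPC allocation.
New-ItemProperty -Path $rpcKey -Name 'Ports' -PropertyType MultiString `
    -Value @($range) -Force | Out-Null
# PortsInternetAvailable = Y means the Ports list is the allowed set (N would mean excluded);
# UseInternetPorts = Y tells the RPC runtime to apply it.
New-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' -PropertyType String `
    -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'UseInternetPorts' -PropertyType String `
    -Value 'Y' -Force | Out-Null

# Firewall: allow the same range plus the Endpoint Mapper (135), only from the Adaxes server.
New-NetFirewallRule -DisplayName 'RPC dynamic ports (Adaxes)' -Direction Inbound `
    -Protocol TCP -LocalPort $range -RemoteAddress $adaxesServer -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'RPC Endpoint Mapper (Adaxes)' -Direction Inbound `
    -Protocol TCP -LocalPort 135 -RemoteAddress $adaxesServer -Action Allow | Out-Null

# Show what was written before rebooting.
Get-ItemProperty -Path $rpcKey | Select-Object Ports, PortsInternetAvailable, UseInternetPorts
# Restart-Computer   # required: the RPC runtime reads these values at startup
```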
Restricting allowed domain controllers
By default, Adaxes relies on the Domain Controller (DC) locator algorithm to discover domain controllers in a managed domain. As a result, it may connect to any available DC, which may not be desirable. Restricting this behavior with firewall rules alone is not recommended. Firewall rules block the connection itself but do not prevent connection attempts, which can lead to timeouts and performance degradation.
Instead, you can configure Adaxes to only use specific domain controllers. In environments with multiple Adaxes services sharing common configuration, each service can be configured to use different domain controllers.
Enabling SSL for all traffic
In some scenarios, unencrypted LDAP traffic over port 389 between Adaxes and domain controllers may not be acceptable. For example, managed service providers (MSPs) may need to connect to customer domain controllers from an internal Adaxes server over the Internet. In such cases, you can enforce SSL for a managed domain and avoid exposing port 389.
This option should be used with care, and only when strictly required by network security policies. Active Directory is designed to operate over LDAP. Forcing all communication over LDAP with SSL introduces additional computational overhead and will result in performance degradation.
Entra ID management
To manage an Entra domain or a Microsoft 365 tenant, Adaxes must be able to communicate with Microsoft servers. The computer where Adaxes service is installed must allow outbound TCP traffic over port 443 to the URLs of the national cloud where your tenant resides.
National cloud               URLs
Global                       https://graph.microsoft.com
                             https://login.microsoftonline.com
                             https://outlook.office365.com
Germany                      https://login.microsoftonline.de
                             https://graph.microsoft.de
                             https://outlook.office.de/PowerShell-LiveID
                             https://outlook.office.de
China                        https://login.chinacloudapi.cn
                             https://microsoftgraph.chinacloudapi.cn
                             https://partner.outlook.cn/PowerShell
                             https://partner.outlook.cn
US government L4 (GCC High)  https://login.microsoftonline.us
                             https://graph.microsoft.us
                             https://outlook.office365.us/powershell-liveid
                             https://outlook.office365.us
US government L5 (DOD)       https://login.microsoftonline.us
                             https://dod-graph.microsoft.us
                             https://webmail.apps.mil/powershell-liveid
                             https://outlook-dod.office365.us
Exchange management
If any of the domains registered in Adaxes have on-premises Exchange, the following ports must be open between the computer where Adaxes service is installed and your Exchange servers. Traffic is outbound from the Adaxes service and inbound on the Exchange servers.
Port  Protocol  Details
80    TCP       Exchange recipient management when Adaxes service and Exchange are in the same forest.
443   TCP       Exchange recipient management when Adaxes service and Exchange are in different forests.
By default, Adaxes may connect to any Exchange server in any managed domain. You can change the default behavior and configure Adaxes to only connect to specific Exchange servers.
Adaxes components
Adaxes supports distributed deployment scenarios – its components can be installed on separate servers. In such scenarios, every client component must be able to communicate with at least one Adaxes service.
Client components include:
- Web interface
- Administration console
- REST API
- SPML provider
Adaxes clients to Adaxes services
Adaxes services listen for client communication on a specific port.
Port   Protocol  Details
54782  TCP       Default client connection port.
This port must be open between:
- Computers with an Adaxes service instance – local port for inbound connections.
- Computers with Adaxes client components – remote port for outbound connections.
How to change the client connection port
1. Open the folder where Adaxes service is installed. By default, it is C:\Program Files\Softerra\Adaxes 3\Service.
2. Open the Softerra.Adaxes.Service.dll.config file with a text editor.
3. Locate the configuration\system.runtime.remoting\application\channels\channel XML element.
4. Change the value of the port parameter.

   <configuration>
     ...
     <system.runtime.remoting>
       <customErrors mode="Off" />
       <application>
         <channels>
           <channel ref="tcp" port="54782" priority="2" secure="true">
             ...
           </channel>
         </channels>
       </application>
     </system.runtime.remoting>
     ...
   </configuration>

5. Save the file.
6. Restart the Softerra Adaxes Service Windows service.
Adaxes clients to domain controllers
Adaxes clients perform all directory operations via the Adaxes service. However, the computer where a client component is installed must still be able to communicate with a domain controller over the default LDAP ports, like any other domain-joined computer.
Port  Protocol  Details
389   TCP/UDP   LDAP connection.
636   TCP       LDAP connection over SSL.
Additionally, every Adaxes client must be able to communicate with the AD Global Catalog over TCP port 3268 if:
- The client is deployed in a domain not managed by the Adaxes service, and
- The client and the Adaxes service are deployed in different domains.
Administration console object lookup
Adaxes administration console allows you to look up and validate domain objects. For example, this feature can be used when selecting credentials for a managed domain, or specifying Run As credentials for a script.
Object lookup is performed through a direct connection between the administration console and a domain controller. The administration console must be able to connect to a domain controller over the following ports to look up objects in that domain.
Port   Protocol  Details
389    TCP/UDP   LDAP directory queries to locate accounts.
636    TCP       LDAP directory queries over SSL to validate accounts.
135    TCP       Access to the RPC Endpoint Mapper service.
49968  TCP       Access to the Netlogon service.
Object lookup is not mandatory. All credentials can be entered manually, without lookup and validation.
Adaxes services sharing configuration
You can install multiple Adaxes services sharing configuration. Each service stores the configuration replica in a dedicated AD LDS instance on the computer where it is installed. The configuration is replicated between instances using native AD LDS mechanisms.
The following ports must be open between all computers hosting Adaxes services that share configuration.
Port                             Protocol  Details
AD LDS backend port (see below)  TCP/UDP   AD LDS instance connection and authentication.
135                              TCP       Access to the RPC Endpoint Mapper service to locate available dynamic RPC ports.
49152-65535                      TCP       Dynamic RPC ports for AD LDS replication.
AD LDS backend port
This port is used by AD LDS for communication between instances within the same configuration set. Each Adaxes service also uses this port when connecting to its local AD LDS instance to read and modify configuration data.
How to view the backend port of an AD LDS instance
1. Launch Adaxes administration console.
2. In the Console Tree, right-click the service node, and then click Properties in the context menu.
3. The backend port is displayed next to the Backend port label on the General tab.
By default, the AD LDS backend port is randomly selected from the 1025-65535 range during the installation of an Adaxes service. Typically, this results in every AD LDS instance having a unique backend port. If a service instance is reinstalled (for example, during an upgrade), a new random port will be assigned, which may not fit into your existing firewall rules.
Using a predictable backend port simplifies firewall configuration and avoids issues caused by random port changes after reinstallation.
How to install Adaxes service with a specific backend port
Launch the installation package from the command prompt and specify the desired AD LDS backend port in the ADLDSPORT parameter.
msiexec /i "<path_to_package>\adaxes.msi" ADLDSPORT="<port>"
For more details about installing Adaxes from the command line, see the Installation Guide.
How to change the backend port after the installation
You need to change the backend port value in two places: in the registry and in the Adaxes service settings.
1. Launch Registry Editor.
2. Locate the following registry key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ADAM_AdaxesBackend\Parameters].
3. Right-click the Port LDAP entry and select Modify.
4. Select Decimal, specify the desired port, and click OK.
5. Open the folder where Adaxes service is installed. By default, it is C:\Program Files\Softerra\Adaxes 3\Service.
6. Open the Softerra.Adaxes.Service.dll.config file with a text editor.
7. Locate the configuration\softerra.adaxes\backendInfo XML element.
8. Change the value of the server parameter to localhost: followed by the port number you set in the registry.

   <configuration>
     ...
     <softerra.adaxes>
       <!-- Backend -->
       <backendInfo server="localhost:44444" xmlns="http://softerra.com/adaxes/config">
         ...
       </backendInfo>
     </softerra.adaxes>
     ...
   </configuration>

9. Save the file.
10. Restart the computer.
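The script below is an added example, not part of the Adaxes documentation, that automates the two edits of Softerra.Adaxes.Service.dll.config described on this page: changing the client connection port (the channel element's port attribute, in the section above on the client connection port) and changing the AD LDS backend port (the backendInfo element's server attribute together with the Port LDAP registry value, in this section). It assumes the default installation path, the element names and namespace shown on this page, and an elevated PowerShell session on the computer hosting the Adaxes service; the function and variable names are the example's own.

```powershell
# Added example (not from the Adaxes documentation): scripted edits of the Adaxes service
# configuration. Assumes the default installation path and an elevated session.
$configPath = 'C:\Program Files\Softerra\Adaxes 3\Service\Softerra.Adaxes.Service.dll.config'
$regKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\ADAM_AdaxesBackend\Parameters'

function Edit-AdaxesConfig([scriptblock]$Edit, [int]$Port) {
    # Back up, load, apply one attribute change, save; PreserveWhitespace keeps the layout.
    Copy-Item -Path $configPath -Destination "$configPath.bak" -Force
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($configPath)
    & $Edit $xml $Port
    $xml.Save($configPath)
}

function Set-AdaxesClientPort([int]$Port) {
    # configuration\system.runtime.remoting\application\channels\channel, attribute "port"
    Edit-AdaxesConfig -Port $Port -Edit {
        param($xml, $newPort)
        $channel = $xml.SelectSingleNode('/configuration/system.runtime.remoting/application/channels/channel')
        if (-not $channel) { throw 'channel element not found in the config file' }
        $channel.SetAttribute('port', "$newPort")
    }
    # A new client port only needs the Windows service restarted (clients then use the new port).
    Restart-Service -DisplayName 'Softerra Adaxes Service'
}

function Set-AdaxesBackendPort([int]$Port) {
    # Registry first: the AD LDS instance reads "Port LDAP" (a DWORD) when it starts.
    Set-ItemProperty -Path $regKey -Name 'Port LDAP' -Value $Port -Type DWord
    # Then configuration\softerra.adaxes\backendInfo, attribute "server". The element is in the
    # softerra.com namespace, so the XPath needs a namespace prefix.
    Edit-AdaxesConfig -Port $Port -Edit {
        param($xml, $newPort)
        $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
        $ns.AddNamespace('ax', 'http://softerra.com/adaxes/config')
        $backend = $xml.SelectSingleNode('/configuration/softerra.adaxes/ax:backendInfo', $ns)
        if (-not $backend) { throw 'backendInfo element not found in the config file' }
        $backend.SetAttribute('server', "localhost:$newPort")
    }
    Write-Host "Backend port set to $Port in registry and config; restart the computer to apply it."
}

# Usage (port values are examples):
# Set-AdaxesClientPort -Port 54782
# Set-AdaxesBackendPort -Port 44444
```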
AD LDS replication ports
AD LDS replicates over dynamic RPC ports. It is strongly recommended to allow communication between the computers where Adaxes services that share configuration are installed over the full dynamic RPC port range.
You can restrict AD LDS replication to a single predefined port, but this approach comes with drawbacks. It should be reserved for restricted network environments where it is non-negotiable.
- Replication ports can be restricted only after the installation. During the installation, all dynamic RPC ports must be open between the computer where you are installing a new Adaxes service instance, and all computers where Adaxes services from the same configuration set are hosted.
- AD LDS does not reserve the selected port. It is your responsibility to ensure that the port is never occupied by other applications. If the port is unavailable when replication is attempted, replication will fail.
- Expect performance degradation, as AD LDS will not be able to replicate high volumes of data by establishing multiple connections over several ports simultaneously.
How to restrict AD LDS replication to a single port
1. Launch Registry Editor.
2. Locate the following registry key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ADAM_AdaxesBackend\Parameters].
3. Create a DWORD (32-bit) Value entry named TCP/IP Port if it doesn't exist.
4. Set the decimal value of the entry to the desired port number.
5. Restart the computer.
Other
Adaxes can automatically check for product updates. To do this, the Adaxes service and the administration console must be able to reach the following URL.
https://adaxes.com/update/adaxes.xml