Firewall ports and K2
This topic is a quick reference to the ports commonly used in a K2 implementation. If firewalls exist between the servers in a K2 environment, between K2 and the systems it integrates with, or between K2 servers and client machines that connect to K2, you may need to open ports on those firewalls to allow network traffic to flow between these machines. You can use the guide below as a reference.
Category | Port Number/Port Ranges [1] | Direction (as viewed from K2 Server) [2] | Protocol/Traffic Type | Component/Usage and notes |
---|---|---|---|---|
Infrastructure | 25 | Outbound | TCP | SMTP, used for workflow emails and notifications. |
Infrastructure | 53 | Outbound | TCP + UDP | DNS and DNS-UDP. User and Computer Authentication, Name Resolution, Trusts |
Infrastructure | 88 | Outbound | TCP + UDP | Kerberos and Kerberos-UDP (Authentication), User and Computer Authentication, Forest Level Trusts |
Infrastructure | 123 | Outbound | UDP | WinTime (Windows Time Service) |
Infrastructure | 135 | Outbound | TCP | RPC, EPM. Replication |
Infrastructure | 137 | Outbound | UDP | NetLogon-UDP. AD User and Computer Authentication. NetLogon, NetBIOS Name Resolution |
Infrastructure | 138 | Outbound | UDP | DFSN, Group Policy. DFSN, NetLogon, NetBIOS Datagram Service |
Infrastructure | 139 | Outbound | TCP | NetLogon-TCP. User and Computer Authentication, Replication. DFSN, NetBIOS Session Service, NetLogon |
Infrastructure | 389 | Inbound + Outbound | TCP + UDP | LDAP and LDAP-UDP (Active Directory). Directory, Replication, User and Computer Authentication, Group Policy, Trusts |
Infrastructure | 445 | Outbound | TCP + UDP | SMB (File Transfer), CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc. Replication, User and Computer Authentication, Group Policy, Trusts |
Infrastructure | 464 | Outbound | TCP + UDP | PWChange, PWChange-UDP (Password Change) |
Infrastructure | 587 | Outbound | TCP | MSA Microsoft Secured Email, used for workflow emails and notifications. |
Infrastructure | 636 | Inbound + Outbound | TCP + UDP | LDAP-SSL (Active Directory). Directory, Replication, User and Computer Authentication, Group Policy, Trusts |
Infrastructure | 3268 | Outbound | TCP | LDAP-GC (Active Directory). Directory, Replication, User and Computer Authentication, Group Policy, Trusts |
Infrastructure | 3269 | Outbound | TCP | LDAP-GC-SSL (Active Directory). Directory, Replication, User and Computer Authentication, Group Policy, Trusts |
Infrastructure | 5722 | Outbound | TCP | RPC, DFSR, File Replication |
Infrastructure | 5725 | Outbound | TCP + UDP | Active Directory |
Infrastructure | 9389 | Outbound | TCP | AD-WEB-SERVICES (Active Directory) |
Infrastructure | 1025-5000 | Outbound | TCP + UDP | Active Directory and AD-Dyn-UDP1 dynamic range: RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS. AD-Dyn-TCP1. Replication, User and Computer Authentication, Group Policy, Trusts |
Infrastructure | 49152-65535 | Outbound | TCP + UDP | Active Directory and AD-Dyn-UDP2 dynamic range: RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS. AD-Dyn-TCP2. Replication, User and Computer Authentication, Group Policy, Trusts |
Integration | 80 | Outbound | HTTP | Integration with any HTTP services in customer environment, including Exchange Web Services (EWS), Microsoft Dynamics CRM, SharePoint and others. Port number may be different depending on the configuration of the target system. |
Integration | 443 | Outbound | HTTPS | Integration with any HTTPS services in customer environment, including Exchange Web Services, Microsoft Dynamics CRM, SharePoint and others. Port number may be different depending on the configuration of the target system. |
Integration | 1433 | Outbound | TCP | Default port for SQL Server. (Note: port number may be different for a specific SQL instance; it depends on the SQL instance's configuration.) From an integration perspective, this port is only required when the SQL Service Broker is used to connect to a SQL Server. See https://support.microsoft.com/en-us/kb/287932. |
Integration | 1521 | Outbound | TCP | Only required if Oracle Service Broker is used. Allow access to the TNS listener port (Typically 1521) |
Integration | (Others…) | (Depends on behavior) | (Depends on behavior) | For custom Service Brokers, ports will depend on the communication mechanism and protocol used. Custom Service Brokers are typically described during the onboarding process. If these brokers require specific ports to be opened, those ports should be opened as well. |
Integration | 32xx, 33xx | Outbound | TCP | Integration with SAP when K2 Connect is installed. xx is the SAP system number, for example for SAP System number 00, the required ports would be 3200 and 3300. |
Integration | 443 (WinRM 1.1), 5986 (WinRM 2.0) | Inbound + Outbound | HTTPS | Exchange Mailbox events (HTTPS). See https://msdn.microsoft.com/en-us/library/ee309369(v=vs.85).aspx for information on Windows Remote Management |
Integration | 80 (WinRM 1.1), 5985 (WinRM 2.0) | Inbound + Outbound | HTTP | Exchange Mailbox events (HTTP). See https://msdn.microsoft.com/en-us/library/ee309369(v=vs.85).aspx for information on Windows Remote Management |
K2 Platform | 80 | Inbound | HTTP | K2 Web Sites and Services (Note: port number may be different if the K2 web sites are configured with another port number) |
K2 Platform | 443 | Inbound | HTTPS | K2 Web Sites and Services, when secured via HTTPS. (Note: port number may be different if the K2 web sites are configured with another port number) |
K2 Platform | 1433 | Inbound + Outbound | TCP | Default port for SQL Server. (Note: port number may be different for a specific SQL instance; it depends on the SQL instance's configuration.) From a K2 platform perspective, this port is required to allow the K2 server to interact with the K2 database on a SQL instance. See https://support.microsoft.com/en-us/kb/287932. |
K2 Platform | 5022 | Inbound + Outbound | TCP | AlwaysOn Endpoint. (Note: port number may be different for a specific SQL instance; it depends on the SQL instance's configuration.) From a K2 platform perspective, this port is only required when AlwaysOn is enabled on the K2 Database SQL instance. |
K2 Platform | 5252 | Inbound + Outbound | RPC + TCP | K2 workflow client connections (outgoing if K2 server is connecting to other K2 servers via client), as well as connections from K2 thick-client design tools. |
K2 Platform | 5555 | Inbound + Outbound | RPC + TCP | K2 Host Server connections from client assemblies (outgoing if K2 server is connecting to other K2 servers via client), as well as connections from K2 thick-client design tools. |
K2 Platform | 5560 | Inbound + Outbound | HTTPS | K2 Configuration Service connections. Incoming connections from the product or setup manager to update feature and service states, changes to install variables and shard configuration. Outgoing connections to provide requested configuration information on services, features, shards and K2 variables. |
K2 Platform | 8085 | Inbound | TCP | K2 connect service (only required if K2 connect is installed) |
K2 Platform | 8888 | Inbound | HTTP | WCF and REST SmartObject services endpoints |
K2 Platform | 49599 | Inbound + Outbound | TCP | Discovery Service for standalone servers. The Discovery Service port is used in legacy versions of K2, but is not used in K2 Five. |
K2 Platform | 49600 | Inbound + Outbound | TCP | Discovery Service for K2 server farm. The Discovery Service port is used in legacy versions of K2, but is not used in K2 Five. |
K2 Platform | 1024-65535 | Inbound | RPC/UDP | Distributed Transaction Coordinator is only needed when K2 4.7 is upgraded to K2 Five (Dynamic Ports). Used when developer workstations running K2 Studio/K2 for Visual Studio deploy SmartObjects to K2. (Note: The Dynamic range is configurable, see https://simpleverse.wordpress.com/2012/08/23/how-to-configure-ms-dtc-through-a-firewall/). DTC must be enabled through the entire stack, from the client workstations through to the SQL Server |
Table Notes
[1] The port numbers listed are the Default Port numbers. It is possible that certain port numbers may be different in your environment.
[2] Direction is defined from the viewpoint of the K2 server, i.e. the K2 server sends Outgoing traffic of type TCP on Port 636 for LDAP-SSL operations.
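As an added example (not part of the K2 documentation or tooling), the PowerShell below turns the inbound K2 Platform rows of the table into Windows Firewall rules on the K2 server, each limited to the source networks that need the port rather than opened to any address. The subnets, rule names, group name and the choice of the Domain profile are assumptions to replace with your own values; the port numbers are the table defaults.

```powershell
#Requires -RunAsAdministrator
# Added example (not K2's own tooling): inbound rules for the K2 Platform rows above.
# Ports are the table defaults; subnets, rule names and the group name are assumptions.

$ClientSubnets = @('10.10.0.0/16')  # placeholder: browsers and K2 design-tool workstations
$FarmSubnets   = @('10.20.1.0/24')  # placeholder: other K2 servers, setup manager hosts
$Group         = 'K2 Platform (example)'

$rules = @(
    @{ Port = 80;   Use = 'Web sites HTTP';        From = $ClientSubnets }
    @{ Port = 443;  Use = 'Web sites HTTPS';       From = $ClientSubnets }
    @{ Port = 5252; Use = 'Workflow client';       From = $ClientSubnets + $FarmSubnets }
    @{ Port = 5555; Use = 'Host Server';           From = $ClientSubnets + $FarmSubnets }
    @{ Port = 5560; Use = 'Configuration Service'; From = $FarmSubnets }
    @{ Port = 8888; Use = 'SmartObject services';  From = $ClientSubnets }
    # Add 8085 (K2 connect service) only if K2 connect is installed.
)

foreach ($r in $rules) {
    $name = "K2 In TCP $($r.Port) - $($r.Use)"

    # Remove an earlier copy so re-running the script does not stack duplicate rules.
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    $params = @{
        DisplayName   = $name
        Group         = $Group
        Direction     = 'Inbound'      # direction as viewed from the K2 server
        Action        = 'Allow'
        Protocol      = 'TCP'
        LocalPort     = $r.Port
        RemoteAddress = $r.From        # scope to known sources instead of Any
        Profile       = 'Domain'       # assumption: K2 server is domain-joined
    }
    New-NetFirewallRule @params | Out-Null
}

# Review what was created: one line per rule with its port and allowed sources.
Get-NetFirewallRule -Group $Group | ForEach-Object {
    [pscustomobject]@{
        Rule   = $_.DisplayName
        Port   = ($_ | Get-NetFirewallPortFilter).LocalPort
        Source = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
    }
} | Sort-Object Rule | Format-Table -AutoSize
```

If the K2 web sites or services are configured on non-default ports, change the `Port` values to match before running it.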
You may also want to refer to the following resources for further configuration information and troubleshooting resources: