Your network contains an Active Directory forest named contoso.com. The forest contains a
member server named Server1 that runs Windows Server 2016. Server1 is located in the perimeter
network. You install the Active Directory Federation Services server role on Server1. You create
an Active Directory Federation Services (AD FS) farm by using a certificate that has a subject name
of sts.contoso.com. You need to enable certificate authentication from the Internet on Server1.
Which two inbound TCP ports should you open on the firewall? Each correct answer presents part
of the solution.
A. 389
B. 443
C. 3389
D. 8531
E. 49443
Not much information on this topic….
However, 443 is obvious because we need HTTPS traffic inbound….. but the second one?
We can rule out 389, as this is AD/LDAP and this server is not a Domain Controller.
We can rule out 8531, as this is the commonly used port for HTTPS to a WSUS server.
3389 is the RDP port, and could come in handy, so depending on the use of 49443 this is a valid option….
So 49443? If client user certificate authentication is used, this needs to be opened on the firewall between the WAP and the clients. The question states this, so therefore this is also correct.
ref:
“In addition, if client user certificate authentication (clientTLS authentication using X509 user certificates) is required, AD FS in Windows Server 2012 R2 requires that TCP port 49443 be enabled inbound on the firewall between the clients and the Web Application Proxy. This is not required on the firewall between the Web Application Proxy and the federation servers).”
https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/design/ad-fs-requirements#BKMK_7
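As an added example (not part of the original post or the quoted Microsoft documentation), the following PowerShell opens the two ports on the perimeter host's Windows Defender Firewall and then checks that AD FS is actually using 49443 for client-certificate authentication. It assumes the WAP/AD FS host is Server1, the federation service name is sts.contoso.com, and that Windows Defender Firewall is the firewall being configured; adapt the rules to whatever edge firewall sits in front of the perimeter network.

```powershell
# Added example, not from the original page. Assumes: host is Server1 (perimeter
# network), federation service name sts.contoso.com, Windows Defender Firewall.

# 1. Inbound HTTPS for all federation traffic (passive sign-in, WS-Trust, OAuth,
#    federation metadata). Required between Internet clients and the WAP, and
#    between the WAP and the internal federation servers.
New-NetFirewallRule -DisplayName "AD FS - HTTPS inbound" `
    -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow -Profile Any

# 2. Inbound client-TLS port used for X.509 user certificate authentication.
#    Only needed on the firewall between Internet clients and the WAP; the WAP
#    talks to the internal federation servers on 443 only.
New-NetFirewallRule -DisplayName "AD FS - client certificate auth inbound" `
    -Direction Inbound -Protocol TCP -LocalPort 49443 -Action Allow -Profile Any

# 3. Verify the rules that were created and the ports they allow.
Get-NetFirewallRule -DisplayName "AD FS - *" |
    Get-NetFirewallPortFilter |
    Select-Object InstanceID, Protocol, LocalPort

# 4. On the federation server, confirm which port AD FS uses for client
#    certificate authentication. TlsClientPort defaults to 49443; if an admin
#    changed it, the firewall rule above must match.
Get-AdfsProperties | Select-Object HttpsPort, TlsClientPort

# 5. Confirm HTTP.sys is actually listening on both ports on this host.
Get-NetTCPConnection -State Listen -LocalPort 443, 49443 |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 6. From an Internet-side client, confirm both ports are reachable through
#    the perimeter firewall.
Test-NetConnection -ComputerName sts.contoso.com -Port 443
Test-NetConnection -ComputerName sts.contoso.com -Port 49443
```

One caveat a practitioner should know: AD FS in Windows Server 2016 can alternatively serve client-certificate authentication on port 443 under the host name certauth.sts.contoso.com (configured with Set-AdfsAlternateTlsClientBinding), which avoids opening 49443 but requires the service certificate to cover that extra name. The question describes a default deployment, where 49443 is the port that must be opened.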
It’s right.
https://technet.microsoft.com/en-us/library/dn486819.aspx?f=255&MSPPError=-2147217396