You can run Identity Synchronization for Windows in a firewall environment. The following sections list the server ports that you must expose through the firewall.
By default, Message Queue uses dynamic ports for all services except for its port mapper. To access the Message Queue broker through a firewall, the broker should use fixed ports for all services.
After installing the core, you must set the imq.<service_name>.<protocol_type>.port broker configuration properties. Specifically, you must set the imq.ssljms.tls.port option. Refer to the Message Queue documentation for more information.
The Identity Synchronization for Windows installer must be able to communicate with the Directory Server acting as the configuration directory.
If you are installing an Active Directory connector, the installer must be able to contact Active Directory’s LDAP port, 389.
If you are installing a Directory Server connector or a Directory Server plug-in (subcomponent), the installer must be able to contact the Directory Server LDAP port, default 389.
The Message Queue, system manager, and command line interface must be able to reach the Directory Server where the Identity Synchronization for Windows configuration is stored.
The Identity Synchronization for Windows console must be able to reach the following:
Active Directory over LDAP, port 389, or LDAPS, port 636
Active Directory Global Catalog over LDAP, port 3268, or LDAPS, port 3269
Each Directory Server over LDAP or LDAPS
Administration Server
Message Queue
All connectors must be able to communicate with Message Queue.
In addition, the following connector requirements must be met.
The Active Directory connector must be able to access the Active Directory Domain Controller over LDAP, port 389, or LDAPS, port 636.
The Directory Server connector must be able to access Directory Server instances over LDAP, default port 389, or LDAPS, default port 636.
Each Directory Server plug-in must be able to reach the Directory Server connector’s server port, which was chosen when the connector was installed. Plug-ins that run in Directory Server Master replicas must be able to connect to Active Directory’s LDAP, port 389, or LDAPS, port 636. The plug-ins that run in other Directory Server replicas must be able to reach the master Directory Server LDAP and LDAPS ports.