SharePoint 2013 Ports, Proxies and Protocols - An Overview of Farm Communications
In locked-down environments, understanding the communication paths of a server product is essential. Some time ago, Martin Kearn and Pete Reid published a great post describing farm communications in Microsoft Office SharePoint Server 2007 (MOSS). SharePoint 2013 is not that different from MOSS 2007 with regard to network communication and protocols. It is still a web-based application built on the .NET Framework with dependencies on SQL Server, Active Directory and DNS. Most of the information in that article is therefore still valid for SharePoint 2013, and I recommend getting familiar with those core concepts.
Whilst the fundamentals remain the same, changes in the product over time have affected the inter-server and extra-server communication paths. SharePoint 2010 introduced the Service Application model with Windows Communication Foundation proxies and endpoints. SharePoint 2013 adds core building blocks such as Distributed Cache, and optional components such as Office Web Apps Server and Workflow Manager with its underlying Service Bus. Each of these components publishes an endpoint that SharePoint 2013 talks to on its own port. Do not forget to secure communication with these external endpoints with an SSL certificate. SharePoint 2013 uses OAuth for server-to-server (S2S) communication, and you absolutely do not want OAuth bearer tokens crossing your network in clear text: they carry sensitive information, and any party in possession of a bearer token can use it to access the associated resource. See The OAuth 2.0 Authorization Framework: Bearer Token Usage (RFC 6750) for details. Yes, this means you should have SSL certificates deployed on your SharePoint sites as well.
Below is an updated communication diagram for SharePoint 2013. I have combined inter-server and extra-server communications into a single diagram, and I hope you find it easy to navigate. A large version of this image can be found here.
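One way to check the point above about bearer tokens and SSL from the farm itself, as an added example rather than a script from the original post: it reads the Security Token Service switches that allow OAuth traffic over plain HTTP and lists every web application zone that still answers on http://. It assumes the SharePoint 2013 Management Shell and only the standard SharePoint cmdlets.

```powershell
# Added example, not part of the original post. Run in the SharePoint 2013
# Management Shell on a farm server; uses only the standard SharePoint cmdlets.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-SPOAuthTransport {
    $findings = @()

    # Farm-wide STS switches. Both should be $false in a locked-down farm;
    # a common developer shortcut is AllowOAuthOverHttp = $true, which lets
    # S2S bearer tokens travel over plain HTTP.
    $sts = Get-SPSecurityTokenServiceConfig
    if ($sts.AllowOAuthOverHttp) {
        $findings += 'STS: AllowOAuthOverHttp is enabled; S2S bearer tokens may be sent in clear text.'
    }
    if ($sts.AllowMetadataOverHttp) {
        $findings += 'STS: AllowMetadataOverHttp is enabled; trust metadata may be fetched over HTTP.'
    }

    # Every inbound URL of every web application (Central Administration
    # included) should be https; an http zone is a path where a token can leak.
    foreach ($app in Get-SPWebApplication -IncludeCentralAdministration) {
        foreach ($aam in Get-SPAlternateURL -WebApplication $app) {
            if ($aam.IncomingUrl -like 'http://*') {
                $findings += "$($app.DisplayName): zone $($aam.UrlZone) answers on $($aam.IncomingUrl)"
            }
        }
    }
    return $findings
}

$findings = Test-SPOAuthTransport
if ($findings.Count -eq 0) { 'No clear-text OAuth transport path found.' } else { $findings }

# Remediation for the STS switches (uncomment to apply):
# $sts = Get-SPSecurityTokenServiceConfig
# $sts.AllowOAuthOverHttp = $false; $sts.AllowMetadataOverHttp = $false; $sts.Update()
```

Fixing an http:// zone means re-binding that zone to an https:// URL with Set-SPAlternateURL and a certificate in IIS; the script only reports it.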
References
Plan security hardening for SharePoint 2013
Using Windows Internet Explorer Developer Tools Network Capture
Marek Samaj
Senior Consultant
Microsoft Consulting Services UK
marek.samaj@microsoft.com
Comments
Anonymous
January 21, 2013
Thanks
Anonymous
January 22, 2013
Thanks for this, it will come in handy.
Anonymous
January 23, 2013
On the diagram at present, you have in section 9 for NetBIOS propagation as being 127,138,139. I believe there's a typo and it should be 137 instead of 127. Great content! Thanks for sharing!
Anonymous
January 23, 2013
Thank you, really helpful!
Anonymous
January 28, 2013
@Dan, well spotted, thank you. I posted an updated diagram.
Anonymous
February 06, 2013
Nice work Marek! :)
Anonymous
February 11, 2013
Thanks for sharing this information... Is the Office Web App Farm missing, as it should be an external farm...
Anonymous
February 14, 2013
For cross-farm services, what ports are needed? I understood 32843 and 32844 to the nodes hosting the service apps of interest, but want to confirm that only inbound connections to the publishing farm nodes are required (that no outbound ports to child farms are needed). Also, what ports are required from child farms to parent farms for the Content Type hub? Is it 80/443 to the web application, or does MMS connectivity (32843, 32844) suffice?
Anonymous
February 20, 2013
What about SPS3: and SPS3C: for profile crawling?
Anonymous
February 24, 2013
@Great Post - thanks! Yes, the Office Web Apps farm needs to run on dedicated HW. You need 80 or 443 (strongly recommended) inbound open on the Office Web Apps farm. @LC, 32843 or 32844 (recommended) inbound are needed on the parent farm. CT Hub subscribers need to be able to reach the CT Gallery site collection. SPS3 / SPS3S protocol handler calls are transformed to HTTP/HTTPS web service calls. If you have the chance LC, get it working first and then lock it down rather than the other way around - it is easier to troubleshoot this way. Thanks for all your comments folks!
Anonymous
February 27, 2013
This is an awesome pic! Thanks!
Anonymous
March 26, 2013
Thanks for sharing. Useful info.
Anonymous
August 04, 2013
Thank you for this great poster: helpful, accurate and very clear :)
Anonymous
October 02, 2013
Great post. Love the diagram; it's informative and still very easy to read. Any chance you can post or send the Visio version? I'd like to incorporate some other applications into it. Thanks.
Anonymous
October 09, 2013
For People Picker when using the AD Claims Provider, what is the connectivity required? (10) "User List"? So just 389? It does not use a GC? Also, why is (11) needed from Search nodes to AD?
Anonymous
January 15, 2014
Could you please let me know which are inbound/outbound ports?
Anonymous
February 26, 2014
@Sam the direction of the arrows would indicate inbound or outbound.
Anonymous
April 04, 2014
Hi Marek - Regarding OWA servers, you mentioned port 80/433 inbound. Is this for client browser to the OWA servers? What about communication from OWA to SharePoint web servers? Thanks
Anonymous
May 06, 2014
When using Backup-SPFarm and Restore-SPFarm, there is traffic to the backup location from SQL Server. I'd label it as (9) as well. Nice diagram.
Anonymous
August 17, 2014
May I know why there is direct communication between the search server and AD using port 5725? People Search only searches the user profile store, which should be through the WFE, right? Correct me if I am wrong. Really appreciate your help.
Anonymous
December 23, 2014
Thanks for putting this together Marek!
Anonymous
February 09, 2015
Great one :)
Anonymous
March 23, 2015
Great post. Any thoughts on the connections for outgoing email with Exchange? Trying to properly document architecture and communication paths for our Exchange team. Thanks!
Anonymous
May 06, 2015
@TBC: For inbound email, you need to use an SMTP service inside your farm. Mail will be routed to it via TCP 25 or 587 by default. For standard outgoing email, you can route to a local SMTP relay first or directly to another SMTP relay using 25 as standard. Secure SMTP usually uses 465 instead of 25. @Marek: Great and useful post even still. I'm building a diagram for a customer and this style of labeling connections is perfect. AND you filled some nice gaps for me.
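A reachability check for the paths named in the replies above (32843/32844 to the parent farm's service application endpoints, 80/443 to Office Web Apps, 25/465 to an SMTP relay), as an added example and not a script from the post or its comments. Host names are placeholders for the servers on your own diagram; it assumes PowerShell 4.0 or later for Test-NetConnection.

```powershell
# Added example, not from the post. Host names are constructed placeholders;
# replace them with the servers on your diagram. Assumes PowerShell 4.0+.
$paths = @(
    @{ To = 'app01.contoso.local'; Port = 32844; Purpose = 'Service app endpoint (HTTPS)'; Secure = $true  }
    @{ To = 'app01.contoso.local'; Port = 32843; Purpose = 'Service app endpoint (HTTP)';  Secure = $false }
    @{ To = 'owa01.contoso.local'; Port = 443;   Purpose = 'Office Web Apps (HTTPS)';      Secure = $true  }
    @{ To = 'owa01.contoso.local'; Port = 80;    Purpose = 'Office Web Apps (HTTP)';       Secure = $false }
    @{ To = 'smtp.contoso.local';  Port = 465;   Purpose = 'Outgoing mail (secure SMTP)';  Secure = $true  }
    @{ To = 'smtp.contoso.local';  Port = 25;    Purpose = 'Outgoing mail (clear text)';   Secure = $false }
)

function Test-FarmPaths {
    param([hashtable[]]$Paths)
    # One TCP connect per path from the server this runs on; the arrow on the
    # diagram gives the direction, so run it on the source end of the arrow.
    $results = foreach ($p in $Paths) {
        $open = Test-NetConnection -ComputerName $p.To -Port $p.Port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            Target  = $p.To
            Port    = $p.Port
            Purpose = $p.Purpose
            Secure  = $p.Secure
            Open    = [bool]$open
        }
    }
    # Per target: the recommended TLS port must answer, and a clear-text
    # sibling that still answers is listed so it can be reviewed and closed.
    foreach ($group in ($results | Group-Object -Property Target)) {
        $tls   = $group.Group | Where-Object { $_.Secure }
        $plain = $group.Group | Where-Object { -not $_.Secure }
        if ($tls -and -not $tls.Open) {
            Write-Warning "$($group.Name): TLS port $($tls.Port) is not reachable"
        }
        if ($plain -and $plain.Open) {
            Write-Warning "$($group.Name): clear-text port $($plain.Port) is still reachable"
        }
    }
    $results
}

Test-FarmPaths -Paths $paths | Format-Table -AutoSize
```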