SharePoint 2013 Ports, Proxies and Protocols – An Overview of Farm Communications


In locked-down environments, understanding the communication paths of a server product is essential. Some time ago, Martin Kearn and Pete Reid published a great post describing farm communications in Microsoft Office SharePoint Server 2007 (MOSS). SharePoint 2013 is not that different from MOSS 2007 with regard to network communication and protocols: it is still a web application built on the .NET Framework, with dependencies on SQL Server, Active Directory and DNS. Most of the information in that article is therefore still valid for SharePoint 2013, and I recommend getting familiar with those core concepts first.

Whilst the fundamentals remain the same, changes in the product over time have affected the inter- and extra-server communication paths. SharePoint 2010 introduced the Service Application model, with Windows Communication Foundation (WCF) proxies and endpoints. SharePoint 2013 adds further core building blocks such as Distributed Cache, and optional components such as Office Web Apps Server and Workflow Manager with its underlying Service Bus. Each of these components publishes some form of endpoint that SharePoint 2013 talks to on its own ports, and you should not forget to secure communication with these external endpoints with an SSL/TLS certificate. SharePoint 2013 uses OAuth for server-to-server (S2S) communication, and you absolutely do not want OAuth bearer tokens crossing your network in clear text: they contain sensitive information, and any party in possession of a bearer token can replay it to access the associated resource. You can find more information in RFC 6750, The OAuth 2.0 Authorization Framework: Bearer Token Usage. Yes, this means your SharePoint web applications need SSL certificates as well.
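As an added example (not code from the original post), the following PowerShell script audits the farm settings that decide whether OAuth bearer tokens and service-application calls can travel over plain HTTP. It uses SharePoint 2013's own cmdlets (Get-SPSecurityTokenServiceConfig, Get-SPWebApplication, Get-SPTrustedSecurityTokenIssuer, Get-SPWOPIZone, Get-SPServiceHostConfig); the "Expected" values, the finding layout, the Get-SPClearTextExposure function name and the assumption that every zone of every web application should be HTTPS are this script's choices. The HttpPort/HttpsPort property names on the service host configuration are assumed to match the parameters of Set-SPServiceHostConfig.

```powershell
# Added example, not code from the original post.
# Run in the SharePoint 2013 Management Shell on a farm server as a farm
# administrator. Reports every place where the farm is configured to let
# OAuth tokens or service-application traffic travel over plain HTTP.
# "Expected" values are this script's assumptions about a hardened farm.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-SPClearTextExposure {
    $findings = New-Object System.Collections.Generic.List[object]

    function Add-Finding {
        param([string]$Area, [string]$Item, [string]$Observed, [string]$Expected, [bool]$Ok)
        $findings.Add([pscustomobject]@{
            Status   = if ($Ok) { 'OK' } else { 'REVIEW' }
            Area     = $Area
            Item     = $Item
            Observed = $Observed
            Expected = $Expected
        })
    }

    # 1. Security Token Service: AllowOAuthOverHttp = $true lets S2S tokens be
    #    issued to and accepted from http:// endpoints. It is often switched on
    #    for development farms and then forgotten.
    $sts = Get-SPSecurityTokenServiceConfig
    Add-Finding -Area 'STS' -Item 'AllowOAuthOverHttp' `
        -Observed "$($sts.AllowOAuthOverHttp)" -Expected 'False' -Ok (-not $sts.AllowOAuthOverHttp)

    # 2. Web applications: the incoming URL of every zone should be https://,
    #    otherwise bearer tokens in the Authorization header (and user session
    #    cookies) cross the wire unencrypted.
    foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
        foreach ($aam in $wa.AlternateUrls) {
            $url = $aam.IncomingUrl
            Add-Finding -Area 'WebApp' -Item "$($wa.DisplayName) [$($aam.UrlZone)]" `
                -Observed $url -Expected 'https://...' -Ok ($url -like 'https://*')
        }
    }

    # 3. Trusted security token issuers (Office Web Apps, Workflow Manager,
    #    other farms, provider-hosted apps): when trust was built from a
    #    metadata endpoint, that endpoint should be HTTPS so the issuer's
    #    signing certificate cannot be swapped on the wire. Certificate-based
    #    (high-trust) issuers have no metadata endpoint and pass.
    foreach ($issuer in Get-SPTrustedSecurityTokenIssuer) {
        $ep = "$($issuer.MetadataEndPoint)"
        $ok = [string]::IsNullOrEmpty($ep) -or ($ep -like 'https://*')
        Add-Finding -Area 'Issuer' -Item $issuer.Name -Observed $ep -Expected 'https://... or none' -Ok $ok
    }

    # 4. Office Web Apps: the WOPI zone decides whether SharePoint hands out
    #    http or https Office Web Apps URLs (to browsers and for its own calls).
    try {
        $zone = "$(Get-SPWOPIZone -ErrorAction Stop)"
        Add-Finding -Area 'OWA' -Item 'WOPI zone' -Observed $zone -Expected '*-https' -Ok ($zone -like '*-https')
    } catch {
        Add-Finding -Area 'OWA' -Item 'WOPI zone' -Observed 'not configured' -Expected '*-https' -Ok $true
    }

    # 5. Service application host: the WCF endpoints listen on both the HTTP and
    #    the HTTPS port (32843 / 32844 by default). Report what is configured;
    #    consumers, especially other farms, should be pointed at the HTTPS port.
    #    Property names assumed to match Set-SPServiceHostConfig's parameters.
    $svcHost = Get-SPServiceHostConfig
    Add-Finding -Area 'ServiceApps' -Item 'HttpPort / HttpsPort' `
        -Observed "$($svcHost.HttpPort) / $($svcHost.HttpsPort)" -Expected '32843 / 32844' `
        -Ok ([int]$svcHost.HttpsPort -gt 0)

    return $findings
}

$result = Get-SPClearTextExposure
$result | Sort-Object Status, Area | Format-Table -AutoSize
$review = @($result | Where-Object { $_.Status -eq 'REVIEW' }).Count
Write-Host "$review setting(s) need review"
```

Everything marked REVIEW is a place where a token or a service call can leave a server unencrypted; fix the configuration (switch the zone or metadata endpoint to HTTPS, set AllowOAuthOverHttp back to $false) rather than compensating with firewall rules, since the traffic is legitimate and the firewall cannot tell a replayed token from a fresh one.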

Below is an updated communication diagram for SharePoint 2013. I have combined both inter- and extra-server communications into a single diagram, and I hope you will find it easy to navigate. A large version of this image can be found here.


References

Plan security hardening for SharePoint 2013

Using Windows Internet Explorer Developer Tools Network Capture


Marek Samaj
Senior Consultant
Microsoft Consulting Services UK
marek.samaj@microsoft.com

Comments (25)

  1. Thanks for this, it will come in handy.

  2. Dan Usher says:

    On the diagram at present, you have in section 9 for NetBIOS propagation as being 127,138,139.  I believe there's a typo and it should be 137 instead of 127.

    Great content! Thanks for sharing!

  3. C. Marius says:

    Thank you, really helpful!

  4. @Dan, well spotted, thank you. I posted an updated diagram.

  5. Martin Kearn says:

    Nice work Marek! 🙂

  6. moontear says:

    Great diagram! Would be great to have another slide deck like MS had for the TechEd 2008:

    http://www.google.de/url

  7. Great Post says:

    Thanks for sharing this information … Is the Office Web Apps farm missing, as it should be an external farm…

  8. LC says:

    For cross-farm services, what ports are needed?  Understood 32843 and 32844 to the nodes hosting the service apps of interest.  But want to confirm that only inbound connections to the publishing farm nodes are required (that no outbound ports to child farms are needed).

    Also, what ports are required from child farms to parent farms for Content Type hub?  Is it 80/443 to the web application, or does MMS connectivity (32843, 32844) suffice?

  9. LC says:

    What about SPS3: and SPS3C: for profile crawling?

  10. @Great Post – thanks! Yes, Office Web Apps farm needs to run on dedicated HW. You need 80 or 443 (strongly recommended) inbound open on the Office Web Apps farm.

    @LC, 32843 or 32844 (recommended) inbound are needed on the parent farm. CT Hub subscribers need to be able to reach the CT Gallery site collection. SPS3 / SPS3S protocol handler calls are transformed to HTTP/HTTPS web service calls. If you have the chance, LC, get it working first and then lock it down rather than the other way around – it is easier to troubleshoot this way.

    Thanks for all your comments folks!
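Added example (not code from the post or its comments): a PowerShell probe that walks a table of the farm paths named in this thread and reports, per TCP port, whether a connection opens, is refused, or times out, which is the distinction between "nothing listens there" and "a firewall drops it". The Test-TcpPath and Test-FarmPaths function names, the host names in the $paths table and the rows beyond those discussed here (SQL Server on 1433, LDAPS on 636) are this script's assumptions about typical defaults; replace the table with the paths from your own diagram.

```powershell
# Added example, not code from the original post or its comments.
# Probes each expected communication path with a TCP connect. Run it on the
# server that is the *source* of a path (or on each server in turn): direction
# matters for firewall rules. Host names below are placeholders.

function Test-TcpPath {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No answer at all within the timeout is the signature of a firewall
        # that silently drops; an immediate RST (ConnectionRefused) means the
        # host is reachable but nothing is listening on that port.
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'timeout' }
        $client.EndConnect($handle)
        return 'open'
    } catch {
        # .NET method errors arrive wrapped; report the socket error code
        # (ConnectionRefused, HostNotFound, ...) rather than a generic failure.
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        if ($ex -is [System.Net.Sockets.SocketException]) { return $ex.SocketErrorCode.ToString() }
        return "error: $($ex.Message)"
    } finally {
        $client.Close()
    }
}

# One row per path: the role the connection originates from, the target host,
# the port and why it is needed. Rows marked "assumed default" are not from the
# thread above.
$paths = @(
    @{ From = 'WFE'; To = 'app01.corp.example';  Port = 32844; Why = 'Service application WCF endpoints over HTTPS (recommended)' }
    @{ From = 'WFE'; To = 'app01.corp.example';  Port = 32843; Why = 'Service application WCF endpoints over HTTP (listens by default)' }
    @{ From = 'WFE'; To = 'owa01.corp.example';  Port = 443;   Why = 'Office Web Apps farm (WOPI) over HTTPS' }
    @{ From = 'OWA'; To = 'wfe01.corp.example';  Port = 443;   Why = 'Office Web Apps fetching documents from SharePoint' }
    @{ From = 'WFE'; To = 'dc01.corp.example';   Port = 389;   Why = 'People Picker LDAP (AD claims provider)' }
    @{ From = 'WFE'; To = 'dc01.corp.example';   Port = 636;   Why = 'LDAPS (assumed default)' }
    @{ From = 'WFE'; To = 'sql01.corp.example';  Port = 1433;  Why = 'SQL Server default instance (assumed default port)' }
    @{ From = 'WFE'; To = 'smtp01.corp.example'; Port = 25;    Why = 'Outgoing e-mail relay' }
)

function Test-FarmPaths {
    param([string]$Role = 'WFE', [object[]]$Paths = $paths)
    foreach ($p in ($Paths | Where-Object { $_.From -eq $Role })) {
        [pscustomobject]@{
            Source = "$Role ($env:COMPUTERNAME)"
            Target = "$($p.To):$($p.Port)"
            Result = Test-TcpPath -ComputerName $p.To -Port $p.Port
            Why    = $p.Why
        }
    }
}

# Run with the role of the server you are logged on to.
Test-FarmPaths -Role 'WFE' | Format-Table -AutoSize
```

Read the results with the thread's advice in mind: a "timeout" on a path you expect to work is almost always a firewall rule, a "ConnectionRefused" usually means the service instance is not started on that server. Seeing 32843 open next to 32844 is normal, since SharePoint listens on both; the point of the recommendation above is to make consumers (and other farms) use the 32844 endpoint, not to expect 32843 to be closed.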

  11. Hilton Giesenow says:

    This is an awesome pic! Thanks!

  12. Thanks for sharing. Useful info.

  13. Charles Borcke says:

    Thank you for this great poster: Helpful, accurate and very clear 🙂

  14. erosen03 says:

    Great post. Love the diagram; it's informative and still very easy to read. Any chance you can post or send the Visio version? I'd like to incorporate some other applications into it. Thanks.

  15. LC says:

    For People Picker when using the AD Claims Provider, what is the connectivity required?  (10) "User List"?  So just 389?  It does not use a GC?

    Also, why is (11) needed from Search nodes to AD?

  16. Sam says:

    Could you please let me know which are inbound/outbound ports?

  17. Jim Cosser says:

    @Sam the direction of arrows would indicate inbound or outbound.

  18. Shawn says:

    Hi Marek – Regarding OWA servers, you mentioned port 80/443 inbound. Is this for client browser to the OWA servers? What about communication from OWA to SharePoint web servers?

    Thanks

  19. Chad says:

    When using Backup-SPFarm and Restore-SPFarm, there is traffic to the backup location from SQL Server.  I'd label it as (9) as well.

    nice diagram.

  20. Tom says:

    May I know why there is direct communication between the search server and AD using port 5725?  People Search only searches the user profile store, which should be through the WFE, right?  Correct me if I am wrong.  Really appreciate your help.

  21. BlueSky2010 says:

    Thanks for putting this together Marek!

  22. Karim El Zarka says:

    great one 🙂

  23. TBC says:

    Great post.  Any thoughts on the connections for outgoing email with Exchange?  Trying to properly document architecture and communication paths for our Exchange Team.  Thanks!

  24. Jason Fertig says:

    @TBC: For inbound email, you need to use an SMTP service inside your farm. Mail will be routed to it via TCP 25 or 587 by default. For standard outgoing email, you can route directly to a local SMTP relay first or route directly to another SMTP relay using 25 for standard. Secure SMTP usually uses 465 instead of 25.

    @Marek: Great and useful post even still. I'm building a diagram for a customer and this style of labeling connections is perfect. AND you filled some nice gaps for me.