Hello Padmagopal, Madhav,
Thank you for posting your question in the Microsoft Q&A forum.
Integrating SailPoint IdentityIQ (IIQ) with Azure DMZ requires careful consideration of network port configurations to ensure seamless communication between IIQ components and Active Directory (AD) services. While the IQ Service port (5050) is mandatory for internal IIQ communication, additional ports must be opened to support LDAP queries, Kerberos authentication, Global Catalog lookups, and AD replication.
- LDAP & Secure LDAP (Ports 389 & 636) – Required
  - Port 389 (TCP/UDP) is essential for standard LDAP queries when IIQ fetches user/group data from AD.
  - Port 636 (TCP) is required for LDAPS (LDAP over SSL/TLS), ensuring encrypted communication for compliance (e.g., GDPR, HIPAA). Without these, IIQ cannot retrieve or modify AD objects (users, groups, OUs).
- Kerberos Authentication (Ports 88 & 464) – Required for SSO & Password Sync
  - Port 88 (TCP/UDP) is critical for Kerberos ticket-granting service (TGT) exchanges, enabling SSO and AD-integrated authentication.
  - Port 464 (TCP/UDP) is used for Kerberos password changes (e.g., self-service password reset in IIQ). If Kerberos is blocked, IIQ cannot validate user credentials or enforce password policies.
- Active Directory Web Services (Port 9389) – Conditionally Required
  - Port 9389 (TCP) is used for AD Web Services (ADWS), which modern PowerShell-based AD modules rely on.
  - Required only if IIQ uses PowerShell scripts for AD automation. If using pure LDAP, this port may be optional.
- Global Catalog Ports (3268 & 3269) – Required for Multi-Domain Forests
  - Ports 3268 (TCP) and 3269 (TCP) are needed when IIQ queries the Global Catalog in multi-domain AD forests.
- DNS (Port 53) – Required for AD-Integrated DNS
  - Port 53 (TCP/UDP) ensures IIQ can resolve AD domain controller hostnames.
- NetLogon & SMB (Ports 445, 137, 139) – Conditionally Required
  - Port 445 (TCP) is critical for SMB-based AD functions (Group Policy, sysvol replication).
  - Ports 137 (UDP) & 139 (TCP) are legacy NetBIOS ports, rarely needed unless IIQ interacts with older AD systems.
Some security recommendations you may want to review:
- Least Privilege Access – Only allow these ports between IIQ servers and AD controllers, not publicly.
- Private Link / Service Endpoints – Use Azure Private Link to securely connect IIQ to AD without exposing ports to the internet.
- Logging & Monitoring – Enable Azure Network Watcher to detect unauthorized access attempts.
- Just-in-Time (JIT) Access – Restrict port access to specific IPs/time windows via Azure Security Center.
If the above answer helped, please do not forget to "Accept Answer", as this may help other community members refer to the information if facing a similar issue. Your contribution to the Microsoft Q&A community is highly appreciated.
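As an added example, not part of the answer above or of any Microsoft or SailPoint tooling: an offline audit of the least-privilege recommendation, run over Azure NSG security rules in their ARM JSON shape. It flags inbound Allow rules that open the AD ports listed above to any source other than the IIQ subnet and reports required ports no such rule permits; the rule names and the subnets 10.10.1.0/24 (IIQ) and 10.10.2.0/24 (domain controllers) are constructed sample values.

```python
# AD ports from the answer, keyed to the service they carry (constructed lookup table).
AD_PORTS = {389: "ldap", 636: "ldaps", 88: "kerberos", 464: "kpasswd", 9389: "adws",
            3268: "gc", 3269: "gc-ssl", 53: "dns", 445: "smb", 137: "netbios-ns", 139: "netbios-ssn"}
REQUIRED = (389, 636, 88, 464, 53)   # ports the answer marks as required in every deployment

def expand_ports(props):
    """Return the set of destination ports a rule covers, or None when it uses '*'."""
    specs = props.get("destinationPortRanges") or [props.get("destinationPortRange", "*")]
    ports = set()
    for spec in specs:
        if spec == "*":
            return None
        lo, _, hi = spec.partition("-")          # "3268-3269" or a single "389"
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit_nsg(rules, iiq_prefix):
    """Flag AD ports exposed beyond iiq_prefix; report REQUIRED ports with no rule from it."""
    findings, covered = [], set()
    for rule in rules:
        p = rule["properties"]
        if p["access"] != "Allow" or p["direction"] != "Inbound":
            continue
        ports = expand_ports(p)
        ad_hit = sorted(AD_PORTS) if ports is None else sorted(ports & set(AD_PORTS))
        if not ad_hit:
            continue                              # rule does not touch any AD port
        src = p.get("sourceAddressPrefix", "*")
        if src != iiq_prefix:                     # '*', 'Internet', or another subnet
            findings.append(f"rule {rule['name']} allows AD ports {ad_hit} from source '{src}'")
        elif ports is None:
            findings.append(f"rule {rule['name']} allows every port from {src}; list AD ports explicitly")
        else:
            covered |= ports
    for port in REQUIRED:
        if port not in covered:
            findings.append(f"required port {port} ({AD_PORTS[port]}) has no Allow rule from {iiq_prefix}")
    return findings

# Constructed sample rules in the ARM securityRules shape (IIQ subnet 10.10.1.0/24, DCs 10.10.2.0/24).
SAMPLE_RULES = [
    {"name": "allow-iiq-ad", "properties": {"priority": 100, "access": "Allow", "direction": "Inbound",
        "protocol": "*", "sourceAddressPrefix": "10.10.1.0/24", "destinationAddressPrefix": "10.10.2.0/24",
        "destinationPortRanges": ["389", "636", "88", "53"]}},
    {"name": "allow-gc-any", "properties": {"priority": 110, "access": "Allow", "direction": "Inbound",
        "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationAddressPrefix": "10.10.2.0/24",
        "destinationPortRange": "3268-3269"}},
    {"name": "deny-all", "properties": {"priority": 4096, "access": "Deny", "direction": "Inbound",
        "protocol": "*", "sourceAddressPrefix": "*", "destinationAddressPrefix": "*", "destinationPortRange": "*"}},
]
```

Calling `audit_nsg(SAMPLE_RULES, "10.10.1.0/24")` on the sample returns two findings: the Global Catalog rule open to every source, and the missing Kerberos password-change port 464.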