TuffGong-8526 asked:

Change ADFS and WAP default port

Hi,
I have set up ADFS and WAP in a test environment. I can reach the ADFS server when I am on the LAN but not externally. My ISP is blocking port 443. So I would like to know if there is a way to change the default port 443 on the ADFS and WAP servers to something else.

Thanks.


1 Answer

piaudonn answered:

It is very odd to block port 443. It is usually the only one open, even on public kiosk machines or airport WiFi...

In theory you can change the HTTPS port on the ADFS server with Set-AdfsProperties. But it will require re-configuring all applications, as in a passive flow it is the application that redirects the users to the ADFS farm. Also, if you change the port to something other than 443, you might prevent many users from accessing the application externally, for the same reason you mention. It is very possible that they can only connect to specific ports, and usually 443 is the one universally whitelisted.


7 comments

Thanks for the answer. It is a test environment; I just want to make sure I familiarize myself with how the configuration works. So can you be more specific about how to change the ports, theoretically? Do I have to use the Set-AdfsProperties command only on the ADFS server to change the port? How do I change it on the WAP server also so that they can still communicate?



Thanks, this is a test environment, so it's not that important if all users can't access it externally. Can you be specific about the commands to be used? Do I have to change the port on the WAP also?


If you have ADFS 2012 R2 or lower, you can use Set-ADFSProperties -httpsport.
Starting with ADFS 2016, the port has to be 443 for HTTPS on the farm. This is a requirement for the Device Registration Service.

Since this is for test purposes, you can work around this by using a portproxy. Run the following on your ADFS server and WAP:

 netsh interface portproxy add v4tov4 listenport=444 connectaddress=<localIP> connectport=443 protocol=tcp

This will redirect all incoming traffic on port 444 to the local port 443 (replace <localIP> with the actual IP of the ADFS server when you run it on the ADFS server, and with the IP of the WAP when running it on the WAP), as long as the port is not already in use and the incoming port is open (you need an inbound rule to allow it). The WAP will still talk to the ADFS server on port 443, but in your scenario, since the limitation is at the ISP level, you don't really have a problem using port 443 between your own servers.


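One way to apply and verify the portproxy step from the comment above, as an added PowerShell example that is not part of the thread: it assumes an elevated session on the lab ADFS or WAP server, takes the server's own IP as a placeholder parameter ($LocalIP), and adds a firewall rule name and a registry audit that go beyond the original netsh line.

```powershell
# Added example (not from the thread): create, verify and audit the
# 444 -> 443 portproxy on a lab ADFS or WAP server. Run elevated.
# $LocalIP is a placeholder for this server's own LAN address.
param(
    [Parameter(Mandatory)] [string] $LocalIP,
    [int] $ListenPort  = 444,
    [int] $ConnectPort = 443
)

# portproxy is implemented by the IP Helper service (iphlpsvc); it must be running
# or the listener is never bound even though the netsh command succeeds.
if ((Get-Service -Name iphlpsvc).Status -ne 'Running') {
    Start-Service -Name iphlpsvc
}

# 1. Create the listener: TCP on port 444 (all local addresses) forwarded to <LocalIP>:443.
#    This is the same command as in the comment, with the placeholder filled in.
netsh interface portproxy add v4tov4 listenport=$ListenPort connectaddress=$LocalIP connectport=$ConnectPort protocol=tcp

# 2. Allow the new listen port inbound through Windows Firewall; without this the
#    forwarder exists but external traffic is dropped before reaching it.
$ruleName = "Lab ADFS portproxy $ListenPort"   # hypothetical rule name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $ListenPort -Action Allow | Out-Null
}

# 3. Verify: the forwarder is listed, the port is really bound (owned by svchost/iphlpsvc),
#    and a TCP connect to the listen port succeeds from the host itself.
netsh interface portproxy show v4tov4
Get-NetTCPConnection -LocalPort $ListenPort -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess
Test-NetConnection -ComputerName $LocalIP -Port $ListenPort |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# 4. Audit: portproxy entries persist across reboots in the registry. Listing them
#    shows every forwarder configured on the host, so lab entries do not get
#    forgotten once the test is over.
$proxyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp'
if (Test-Path $proxyKey) {
    Get-ItemProperty -Path $proxyKey | Select-Object * -ExcludeProperty PS*
}

# Cleanup when the test is finished:
#   netsh interface portproxy delete v4tov4 listenport=444
#   Remove-NetFirewallRule -DisplayName "Lab ADFS portproxy 444"
```

When testing from a browser, the alternate port belongs in the authority part of the URL, after the host name (https://host:444/adfs/ls/...), not after the path; the Test-NetConnection step only proves the TCP forwarder is reachable, not that ADFS accepts the request.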

Thanks again. I tried the solution and entered the command on both the WAP and the ADFS server, and now I cannot even access the ADFS locally in my network. When I go to https://adf.domain/adfs/ls/idpinitiatedsignon.aspx:444 I get the warning because of the self-signed cert, and when I click on "continue anyway" I get "401 Authorization Required". So now I can't access the ADFS either internally or externally after using the command on both the WAP and ADFS server. I have a port forwarding rule in my router that forwards incoming traffic on port 444 to the WAP IP address, and I opened an inbound firewall rule on both servers.
