
Exam 70-742 topic 1 question 227 discussion

Actual exam question from Microsoft's 70-742
Question #: 227
Topic #: 1

Your network contains an Active Directory forest named contoso.com. The forest contains a member server named Server1 that runs Windows Server 2016.
Server1 is located in the perimeter network.
You install the Active Directory Federation Services server role on Server1. You create an Active Directory Federation Services (AD FS) farm by using a certificate that has a subject name of sts.contoso.com.
You need to enable certificate authentication from the Internet on Server1.
Which two inbound TCP ports should you open on the firewall? Each correct answer presents part of the solution.

  • A. 389
  • B. 443
  • C. 3389
  • D. 8531
  • E. 49443
Suggested Answer: BE
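As an added example (not code from the exam page or the linked Microsoft docs), the PowerShell below, run as an administrator on Server1, opens only the two inbound ports from the suggested answer and then reads the farm's TLS bindings to confirm which certificate-authentication mode is in use, so that 49443 is exposed only when the farm actually binds it. It assumes the farm name sts.contoso.com from the question and that Get-AdfsSslCertificate reports HostName, PortNumber and CertificateHash columns.

```powershell
# Added example for the question above; assumes the farm name from the question.
$FarmHost = 'sts.contoso.com'   # hypothetical in any environment other than the question's
$Ports    = @(443, 49443)       # 443: device auth and normal sign-in; 49443: user certificate auth

# Open the two inbound TCP ports, skipping rules that already exist so re-runs are safe.
foreach ($port in $Ports) {
    $name = "AD FS inbound TCP $port"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $port -Action Allow -Profile Any | Out-Null
    }
}

# Read the farm's TLS bindings. Same-host mode binds $FarmHost on both 443 and 49443;
# alternate-hostname mode binds certauth.$FarmHost on 443 and does not need 49443 at all.
$bindings = Get-AdfsSslCertificate
$bindings | Format-Table HostName, PortNumber, CertificateHash -AutoSize

$sameHost = $bindings | Where-Object { $_.HostName -eq $FarmHost -and $_.PortNumber -eq 49443 }
$altHost  = $bindings | Where-Object { $_.HostName -eq "certauth.$FarmHost" -and $_.PortNumber -eq 443 }

if ($sameHost) {
    'Certificate auth mode: same host, separate port (443 + 49443 must both be reachable)'
} elseif ($altHost) {
    "Certificate auth mode: alternate host certauth.$FarmHost on 443 (49443 rule can be removed)"
    Remove-NetFirewallRule -DisplayName 'AD FS inbound TCP 49443' -ErrorAction SilentlyContinue
} else {
    'No certificate authentication binding found; check the farm configuration before exposing ports'
}

# Confirm something is actually listening on the ports the firewall now allows.
Get-NetTCPConnection -State Listen | Where-Object { $_.LocalPort -in $Ports } |
    Select-Object LocalAddress, LocalPort, OwningProcess
```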

Comments

coleman
Highly Voted 5 years, 6 months ago
the answer is correct. https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-support-for-alternate-hostname-binding-for-certificate-authentication On many networks the local firewall policies might not allow traffic through non-standard ports like 49443. This became an issue when trying to accomplish certificate authentication with AD FS prior to AD FS in Windows Server 2016. This is because you could not have different bindings for device authentication and user certificate authentication on the same host. The default port 443 is bound to receive device certificates and cannot be altered to support multiple bindings in the same channel. The result was that smart card authentication would not work and users were unaware of what happened, since there is no indication of what really happened. In AD FS on Windows Server 2016 this has changed. Now we support two modes: the first uses the same host (i.e. adfs.contoso.com) with different ports (443, 49443). The second uses different hosts (adfs.contoso.com and certauth.adfs.contoso.com) with the same port (443). This will require an SSL certificate to support "certauth." as an alternate subject name. This can be done at the time of the farm creation or later via PowerShell.
upvoted 10 times
ve22
5 years, 1 month ago
Thanks!
upvoted 2 times
lbs
5 years ago
Basically, port 443 for device authentication and port 49443 for user certificate authentication. https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs
upvoted 6 times
panda
Highly Voted 5 years, 8 months ago
I have understood that Ports 443 and 49443 are needed between WAP server and Users. Because 443 is used for device authentication, 49443 is used for certificate authentication. https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs
upvoted 7 times
lofzee
Most Recent 4 years, 5 months ago
port 443 for device auth, port 49443 for cert auth
upvoted 1 times
yesboet
4 years, 7 months ago
B and E correct: 443 and 49443
upvoted 1 times
Kamikazekiller
4 years, 11 months ago
Answer is: B. 443, E. 49443
upvoted 2 times
paprda
5 years, 10 months ago
correct
upvoted 3 times
minajahan
5 years, 8 months ago
"When a TCP connection is initiated to the AD FS or Web Application Proxy (WAP) server, the connection uses port 49443 instead of 443." https://www.itprotoday.com/windows-78/certificate-authentication-windows-server-2012-r2
upvoted 3 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other