PrepAway - Latest Free Exam Questions & Answers


Your network contains an Active Directory forest named contoso.com. The forest contains a member server named Server1 that runs Windows Server 2016. Server1 is located in the perimeter network.

You install the Active Directory Federation Services server role on Server1. You create an Active Directory Federation Services (AD FS) farm by using a certificate that has a subject name of sts.contoso.com.

You need to enable certificate authentication from the Internet on Server1.

Which two inbound TCP ports should you open on the firewall? Each correct answer presents part of the solution.

A. 389

B. 443

C. 3389

D. 8531

E. 49443

Explanation:

Configuring the following network services appropriately is critical for successful deployment of AD FS in your organization:

Configuring Corporate Firewall

Both the firewall located between the Web Application Proxy and the federation server farm and the firewall between the clients and the Web Application Proxy must have TCP port 443 enabled inbound.

In addition, if client user certificate authentication (client TLS authentication using X509 user certificates) is required, AD FS in Windows Server 2012 R2 requires that TCP port 49443 be enabled inbound on the firewall between the clients and the Web Application Proxy. This is not required on the firewall between the Web Application Proxy and the federation servers.

References: https://technet.microsoft.com/en-us/library/dn554247(v=ws.11).aspx
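The following PowerShell sketch is an added example, not part of the original explanation or of Microsoft's documentation. It checks, on the Windows host that terminates the connections, whether TCP 443 and 49443 are both listening and covered by an enabled inbound allow rule in Windows Firewall, and creates a rule only where one is missing. The rule display names and function names are assumptions; a perimeter firewall appliance needs the equivalent rules in its own configuration.

```powershell
# Added example. Ports and host name come from the page; rule and function names are assumptions.
# Run in an elevated session on the host that accepts the inbound connections.
$FederationHost = 'sts.contoso.com'
$RequiredPorts  = 443, 49443   # 443 = HTTPS, 49443 = client certificate authentication

function Test-PortSpec([string]$Spec, [int]$Port) {
    # A firewall port filter holds 'Any', a single port, a range 'a-b', or a keyword.
    if ($Spec -eq 'Any') { return $true }
    if ($Spec -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1]) -and ($Port -le [int]$Matches[2])
    }
    return $Spec -eq "$Port"
}

function Test-AdfsPortState {
    param([int[]]$Port = $RequiredPorts)
    # Port specifications of every enabled inbound TCP allow rule.
    $specs = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' } |
        ForEach-Object { $_.LocalPort }
    foreach ($p in $Port) {
        $open = $false
        foreach ($s in $specs) { if (Test-PortSpec $s $p) { $open = $true; break } }
        [pscustomobject]@{
            Port         = $p
            Listening    = [bool](Get-NetTCPConnection -State Listen -LocalPort $p -ErrorAction SilentlyContinue)
            FirewallOpen = $open
        }
    }
}

# Add an allow rule only for a required port that no existing rule covers.
foreach ($state in Test-AdfsPortState) {
    if (-not $state.FirewallOpen) {
        New-NetFirewallRule -DisplayName "AD FS inbound TCP $($state.Port)" `
            -Direction Inbound -Protocol TCP -LocalPort $state.Port -Action Allow | Out-Null
    }
}

Test-AdfsPortState | Format-Table -AutoSize

# From a client outside the perimeter, confirm each port is reachable:
#   Test-NetConnection -ComputerName sts.contoso.com -Port 49443
```

A port that shows `FirewallOpen` as true but `Listening` as false indicates the service binding is missing, not the firewall rule.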

One Comment on “Your network contains an Active Directory forest named contoso.com. The…

  1. minkus says:

    Network requirements
    Configuring the following network services appropriately is critical for successful deployment of AD FS in your organization:

    Configuring Corporate Firewall

    Both the firewall located between the Web Application Proxy and the federation server farm and the firewall between the clients and the Web Application Proxy must have TCP port 443 enabled inbound.

    In addition, if client user certificate authentication (client TLS authentication using X509 user certificates) is required, AD FS in Windows Server 2012 R2 requires that TCP port 49443 be enabled inbound on the firewall between the clients and the Web Application Proxy. This is not required on the firewall between the Web Application Proxy and the federation servers.



