Configure TAC Server Infrastructure

Configuring TAC Server Network Settings

The following network settings are required for a standalone server deployment. All IP addresses are configured through Change adapter settings in the Network and Sharing Center utility.

TAC in public facing topology

  • Two network interface cards are recommended.
  • At least one static public IP on the public-facing interface
  • At least one static private IP on the internal-facing interface

The recommended network configuration for a dual-NIC environment is as follows:

Network property     Public interface     Private interface
Static IP address    Yes                  Yes
Gateway              Yes                  No
DNS                  No                   Yes

In a two-NIC topology, it is advisable to prepare the TAC server by configuring the internal NIC first and joining the server to the domain before adding the secondary (public-facing) NIC.

Some customer network scenarios do not fall into the proper network profiles (Domain for the internal NIC and Public for the external NIC), which may cause communication issues when TAC is in an array.
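The dual-NIC preparation above, in the recommended order (internal NIC, domain join, then public NIC), as an added PowerShell example that is not part of the PortSys documentation. Interface aliases, addresses and the domain name are placeholders; the final two commands show the profile check the array note calls for.

```powershell
# Added example (not PortSys code). All names and addresses below are placeholders.
$InternalNic = 'Internal'                      # alias of the private-facing adapter
$PublicNic   = 'Public'                        # alias of the public-facing adapter
$InternalIp  = '10.10.20.15'; $InternalPrefix = 24
$InternalDns = @('10.10.20.5', '10.10.20.6')   # internal DNS servers: private interface only
$PublicIp    = '203.0.113.15'; $PublicPrefix = 24
$PublicGw    = '203.0.113.1'                   # the only default gateway: public interface only
$Domain      = 'corp.example'                  # placeholder AD domain

# Step 1: internal NIC gets a static IP and the internal DNS servers, but no gateway.
Set-NetIPInterface   -InterfaceAlias $InternalNic -Dhcp Disabled
Remove-NetIPAddress  -InterfaceAlias $InternalNic -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress     -InterfaceAlias $InternalNic -IPAddress $InternalIp -PrefixLength $InternalPrefix | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $InternalNic -ServerAddresses $InternalDns

# Step 2: join the domain while only the internal NIC is configured, then reboot.
# (Uncomment to run; it prompts for domain-join credentials.)
# Add-Computer -DomainName $Domain -Credential (Get-Credential) -Restart

# Step 3 (after the reboot): public NIC gets a static IP plus the default gateway,
# no DNS servers, and no DNS registration so the public address is not published
# into the internal AD DNS zone.
Set-NetIPInterface   -InterfaceAlias $PublicNic -Dhcp Disabled
Remove-NetIPAddress  -InterfaceAlias $PublicNic -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
Remove-NetRoute      -InterfaceAlias $PublicNic -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress     -InterfaceAlias $PublicNic -IPAddress $PublicIp -PrefixLength $PublicPrefix -DefaultGateway $PublicGw | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $PublicNic -ResetServerAddresses
Set-DnsClient        -InterfaceAlias $PublicNic -RegisterThisConnectionsAddress $false

# Check: the internal NIC should report DomainAuthenticated and the public NIC Public;
# anything else is the profile mismatch that causes array communication issues.
Get-NetConnectionProfile | Select-Object InterfaceAlias, Name, NetworkCategory | Format-Table -AutoSize
Get-NetIPConfiguration   | Select-Object InterfaceAlias, IPv4Address, IPv4DefaultGateway, DNSServer | Format-List
```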

TAC behind Firewall /NAT device

  • One network interface card connected to the private network.
  • At least one static private IP address
  • An internal DNS infrastructure with forwarders can be used for public name resolution.

Configure server domain settings

Running TAC in workgroup mode

Note - PortSys does not recommend using TAC in workgroup mode. It works best when joined to a domain.

TAC will work as an independent server in the network. When it is in the DMZ, it is possible to leave it as a workgroup computer. There are some limitations when TAC is in a workgroup:

  • Unable to perform NTLM authentication for external clients
  • No VPN application
  • No FileAccess

TAC in Domain mode

A Domain joined TAC server supports all of the TAC operations.

Use System Properties to join the TAC server to the domain. The TAC server name must be set before applying the TAC license, because changing the server name will require requesting a new license key from PortSys.

Configuring internal/external firewalls between TAC servers and back-end application servers

When the TAC server is behind a firewall or placed in an internal/external DMZ, the following firewall ports are required to be open.

Workgroup Mode

Source        Destination       Protocol / Port    Description
Internet      TAC Server        443                Outside access to Portal
Internet      TAC Server        80                 Outside access to Portal
TAC Server    Internal subnet   TCP & UDP 389      TAC to AD server lookups
TAC Server    Internal subnet   TCP & UDP 53       TAC DNS lookups
TAC Server    Internal subnet   TCP 3268           LDAP GC
TAC Server    Internal subnet   TCP & UDP 88       Kerberos

Domain Joined

Source        Destination               Protocol / Port      Description
Internet      TAC Server external IP    443                  Outside access to Portal
Internet      TAC Server external IP    80                   Outside access to Portal
TAC Server    AD Server IP              TCP & UDP 389        TAC to AD server lookups
TAC Server    DNS Server IP             TCP & UDP 53         TAC DNS lookups
TAC Server    AD/GC Server IP           TCP 3268             LDAP GC
TAC Server    AD/GC Server IP           TCP 636              Secure LDAP
TAC Server    AD/GC Server IP           TCP 3269             Secure LDAP GC
TAC Server    AD/DC Server IP           TCP & UDP 445        SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
TAC Server    AD/DC Server IP           TCP 135              RPC, EPM
TAC Server    AD/DC Server IP           TCP dynamic          RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
TAC Server    AD/DC Server IP           TCP 5722             RPC, DFSR (SYSVOL)
TAC Server    AD/Time Server IP         UDP 123              Windows Time
TAC Server    AD/DC Server IP           TCP & UDP 464        Kerberos change/set password
TAC Server    AD/DC Server IP           UDP dynamic          DCOM, RPC, EPM
TAC Server    AD/DC Server IP           UDP 138              DFSN, NetLogon, NetBIOS Datagram Service
TAC Server    AD/DC Server IP           UDP 9389             SOAP
TAC Server    DHCP Server IP            UDP 67 & UDP 2535    DHCP, MADCAP
TAC Server    AD/DC Server IP           TCP & UDP 88         Kerberos

More information can be found here: https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx

Additional ports may need to be opened depending on the needs of the published applications.

TAC in Array

  • If TAC array nodes are placed behind firewalls, the following ports need to be opened in addition to the domain-joined ports above.

Source                                 Destination                            Protocol / Port                      Description
TAC manager / member internal IPs      TAC member / manager internal IPs      TCP 2070-2080                        TAC server communication
TAC manager / member internal IPs      TAC member / manager internal IPs      TCP 1025-5000, TCP 49152-65535       RPC dynamic port ranges for service communication
TAC manager / member internal IPs      TAC member / manager internal IPs      TCP 135                              RPC endpoint mapper service

The above ports and ranges should be opened between all servers in the array in both directions.
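A reachability check for the domain-joined and array port tables above, run from the TAC server once the firewall rules are in place. This is an added PowerShell example, not PortSys code; the DC, DNS and array-peer addresses and the AD domain name are placeholders. It probes only the TCP entries (Test-NetConnection cannot probe UDP or a whole dynamic range) and exercises UDP 53 with a real DNS query instead.

```powershell
# Added example (not PortSys code). Addresses and domain below are placeholders.
$Dc        = '10.10.20.5'     # AD / DC / GC server IP
$Dns       = '10.10.20.5'     # DNS server IP
$ArrayPeer = '10.10.20.16'    # internal IP of another TAC array node
$AdDomain  = 'corp.example'   # AD domain, used for the DNS lookup test

# TCP entries from the domain-joined table plus the fixed array ports. UDP entries
# (123, 138, 9389, 67/2535) and the dynamic RPC ranges are not probed here.
$Checks = @(
    @{ Target = $Dc;        Port = 389;  Purpose = 'LDAP' },
    @{ Target = $Dc;        Port = 636;  Purpose = 'Secure LDAP' },
    @{ Target = $Dc;        Port = 3268; Purpose = 'LDAP GC' },
    @{ Target = $Dc;        Port = 3269; Purpose = 'Secure LDAP GC' },
    @{ Target = $Dc;        Port = 88;   Purpose = 'Kerberos' },
    @{ Target = $Dc;        Port = 464;  Purpose = 'Kerberos change/set password' },
    @{ Target = $Dc;        Port = 445;  Purpose = 'SMB / NetLogon / SamR' },
    @{ Target = $Dc;        Port = 135;  Purpose = 'RPC endpoint mapper' },
    @{ Target = $Dc;        Port = 5722; Purpose = 'DFSR (SYSVOL)' },
    @{ Target = $ArrayPeer; Port = 135;  Purpose = 'Array: RPC endpoint mapper' },
    @{ Target = $ArrayPeer; Port = 2070; Purpose = 'Array: TAC server communication (2070-2080)' }
)

function Test-TacRequiredPorts {
    param([array]$Checks)
    foreach ($c in $Checks) {
        # -InformationLevel Quiet returns a plain $true/$false for the TCP connect.
        $ok = Test-NetConnection -ComputerName $c.Target -Port $c.Port `
                                 -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Target = $c.Target; Port = $c.Port; Purpose = $c.Purpose; Reachable = $ok }
    }
}

function Test-TacDnsLookup {
    # A real A-record query against the configured server covers the UDP 53 entry.
    param([string]$Server, [string]$Name)
    try   { $null = Resolve-DnsName -Name $Name -Server $Server -Type A -ErrorAction Stop; $true }
    catch { $false }
}

$results = Test-TacRequiredPorts -Checks $Checks
$results | Format-Table -AutoSize
# Anything listed here is a missing firewall rule (or a wrong address) to fix before going live.
$results | Where-Object { -not $_.Reachable } | ForEach-Object { "BLOCKED: $($_.Target):$($_.Port) ($($_.Purpose))" }
"DNS lookup of $AdDomain via $Dns succeeded: $(Test-TacDnsLookup -Server $Dns -Name $AdDomain)"
```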

Configuring Certificate

TAC requires a publicly resolvable certificate to be installed on the TAC server for secure communication.

An SSL certificate is required on the TAC server. The certificate must be issued by a public certification authority (CA).

You may need to add multiple certificates for different applications that have alternate public host names.

Further, you may need to install certificates on endpoints so that they trust the connection between the endpoint and the TAC Gateway. If you publish a generic client/server application, a VPN, or an RDP application where the TAC client component is involved, you will need to install a trusted system certificate on the endpoints.

If you use a self-signed certificate (issued by a custom CA) for the TAC site, the CA that issued the certificate has to be added to the Trusted Root Certification Authorities store under Local Computer on the endpoint in order for the TAC Client Services to work properly.
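An endpoint-side check for the custom-CA case above: it reports whether the TAC site's certificate chain is trusted on this machine and, if not, imports the issuing CA into the Local Computer Trusted Root store. This is an added PowerShell example, not PortSys code; the host name and the CA file path are placeholders, and the import step needs an elevated prompt.

```powershell
# Added example (not PortSys code). Host name and CA file path are placeholders.
$TacHost = 'tac.example.com'          # TAC site public host name
$CaFile  = 'C:\Certs\custom-ca.cer'   # exported certificate of the custom CA that issued the site cert

function Get-TacSiteCertificateStatus {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept any server certificate during the handshake so the chain can be
    # evaluated and reported below instead of the handshake throwing.
    $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose(); $client.Close()
    }
    # Build the chain against the local stores; revocation is skipped because the
    # question here is only whether the issuing CA is trusted at all.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)
    [pscustomobject]@{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
        Trusted     = $trusted
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '   # e.g. UntrustedRoot
    }
}

$status = Get-TacSiteCertificateStatus -HostName $TacHost
$status | Format-List

if (-not $status.Trusted) {
    # LocalMachine\Root is the store the page names for the TAC Client Services.
    Import-Certificate -FilePath $CaFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    "Trusted after import: $((Get-TacSiteCertificateStatus -HostName $TacHost).Trusted)"
}
```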

Configuring DNS

The administrator has to register the TAC site's public host name(s) with their public DNS authority so that the TAC Portal can be accessed from the internet. If TAC has multiple sites configured, those sites need to be registered in DNS with their respective IPs.