Zero Trust Port Range

Is there a way to add a port range on the Zero Trust WebUI policy editor? Case in point, I have private network services which include Windows domain controllers. Microsoft’s documentation includes the following:

If your computer network environment uses only Windows Server 2012 or a later version of Windows, you must enable connectivity over the high port range of 49152 through 65535.

How do I enter a destination port range of 49152-65535? I continuously see “blocked” in the Gateway>Network logs because I have only added a handful of ports above 49152 as I see them blocked.

I have tried the following in the policy editor (just as examples):

49152-65535 (one hyphen, won't save)
49152..65535 (two periods, won't save)
49152--65535 (two dashes, won't save)
49152 65535 (one space, won't save)
49152.65535 (one period, saves, but reloading shows only 49152)

The WebUI editor doesn’t permit regex for destination port.

Following up with what I received from support (edited for clarity):

If you’re using a Private Network Application, create the application first (Access>Application>Private Network). This will create Gateway Network Policies (Gateway → Policies → Network). Use the greater than or equal to and less than or equal to fields in multiple rules to cover multiple ranges.

As an example, the first rule would look like this:

Then the second would be another allow policy, but with different ports.

You would have to create 3 separate Allow rules for Active Directory based off the MS documentation:
Service overview and network port requirements - Windows Server | Microsoft Learn

Rule 1: Destination port In 135,389,445,500,636,3268,4500,9389
Rule 2: Destination Port is greater than or equal to 1024 And less than or equal to 5000
Rule 3: Destination Port is greater than or equal to 49152 And less than or equal to 65535
Rule 4: Block the rest
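Assuming Gateway evaluates network policies top to bottom and stops at the first match, the following is an added example (not Cloudflare's code and not part of the thread) that models the four rules above in Python and checks which destination ports seen as "blocked" in the earlier port-by-port setup would now be allowed; the rule names, the "before" rule list and the sample port numbers are constructed.

```python
"""Constructed model of a first-match Gateway network policy list.

Each rule carries a predicate on the destination port; the first rule whose
predicate matches decides the action. This mirrors the ge/le rule structure
described in the support answer, not Cloudflare's implementation.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "block"
    matches: Callable[[int], bool]   # predicate on the destination port


def in_list(ports: set) -> Callable[[int], bool]:
    """Destination port 'in' a fixed list (Rule 1 style)."""
    return lambda p: p in ports


def in_range(lo: int, hi: int) -> Callable[[int], bool]:
    """Destination port >= lo AND <= hi (Rule 2 / Rule 3 style)."""
    return lambda p: lo <= p <= hi


# The four rules from the support answer, in evaluation order.
AD_RULES: List[Rule] = [
    Rule("AD fixed ports", "allow", in_list({135, 389, 445, 500, 636, 3268, 4500, 9389})),
    Rule("Legacy RPC range 1024-5000", "allow", in_range(1024, 5000)),
    Rule("High RPC range 49152-65535", "allow", in_range(49152, 65535)),
    Rule("Block the rest", "block", lambda p: True),
]

# Constructed "before" policy: only a handful of high ports added as they were seen blocked.
BEFORE_RULES: List[Rule] = [
    Rule("AD fixed ports", "allow", in_list({135, 389, 445, 636, 3268})),
    Rule("Handful of high ports", "allow", in_list({49152, 49160, 49201})),
    Rule("Block the rest", "block", lambda p: True),
]


def evaluate(port: int, rules: List[Rule] = AD_RULES) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule for a destination port."""
    if not 0 <= port <= 65535:
        raise ValueError(f"invalid TCP/UDP port: {port}")
    for rule in rules:
        if rule.matches(port):
            return rule.action, rule.name
    return "block", "implicit default"   # no rule matched; treat as blocked


def triage(ports: List[int]) -> Dict[int, Tuple[str, str]]:
    """Map each port taken from 'blocked' log entries to (before action, after action)."""
    return {p: (evaluate(p, BEFORE_RULES)[0], evaluate(p)[0]) for p in ports}
```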
