# Ports and traffic flows

The following diagram details the traffic flows and port requirements for a typical Access Manager environment.

![](https://1500666603-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzPrDxVWpXXpSNTpkDVnR%2Fuploads%2Fgit-blob-a775c74cf4242ea4846f750589a78d00f77550b4%2Fams-port-map.png?alt=media)

| Source                       | Destination                                                                 | Destination ports                                               | Description                                                                                                                                                                                                               |
| ---------------------------- | --------------------------------------------------------------------------- | --------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| AMS server                   | packages.lithnet.io                                                         | TCP 443                                                         | Allows the AMS server to check and notify when updates are available (optional)                                                                                                                                           |
| AMS server                   | graph.microsoft.com                                                         | TCP 443                                                         | Used to access the Graph API when authenticating Microsoft Entra joined devices                                                                                                                                           |
| AMS server                   | login.microsoftonline.com                                                   | TCP 443                                                         | Used to authenticate to the Graph API when authenticating Microsoft Entra joined devices                                                                                                                                  |
| AMS server                   | The hostname specified in the issuer/authority field of the OIDC setup page | TCP 443                                                         | Required for claims validation when using OpenID Connect                                                                                                                                                                  |
| AMS server                   | Active Directory Domain Controllers                                         | LDAP TCP 389, CLDAP UDP 389                                     | Directory lookups, site lookups, BitLocker password lookups, LAPS password lookups, JIT group membership modifications                                                                                                    |
| AMS server                   | Active Directory Domain Controller Global Catalog Servers                   | Global Catalog TCP 3268                                         | Computer name lookups                                                                                                                                                                                                     |
| AMS server                   | Active Directory Domain Controllers                                         | RPC Endpoint Mapper TCP 135, RPC dynamic port range 49152-65535 | Authorization queries and ACL evaluation                                                                                                                                                                                  |
| AMS server                   | Active Directory DNS servers                                                | DNS UDP 53                                                      | DNS lookups                                                                                                                                                                                                               |
| AMS server                   | SQL Database                                                                | TSQL TCP 1433                                                   | Connectivity to the AMS database (when not using SQL Express)                                                                                                                                                             |
| AMS server                   | JIT target computers                                                        | RPC over SMB 445                                                | Used to query a computer when performing a JIT request to determine which DC and site it is in. This is optional, and AMS will fall back to using sites and services to try to find the closest DC to the target computer |
| Access Manager Agent         | AMS Server                                                                  | HTTPS TCP 443                                                   | Agent registration, check in, and password management                                                                                                                                                                     |
| Access Manager web-app users | AMS Server                                                                  | HTTP TCP 80, HTTPS TCP 443                                      | Access to the web app                                                                                                                                                                                                     |
| Access Manager web-app users | OpenID Connect Identity Provider                                            | HTTPS TCP 443                                                   | OpenID Connect authentication                                                                                                                                                                                             |
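
To confirm that firewall rules actually permit the outbound flows in the table, the following added example (not part of the Lithnet documentation) runs a TCP connect test from the AMS server for each TCP row and a DNS query for the UDP 53 row. The internal host names and the DNS server address are placeholders you must replace; add the OIDC issuer host on port 443 if OpenID Connect is used.

```powershell
# Added example: run on the AMS server. Internal names below are placeholders.
$dc  = 'dc01.example.internal'    # a domain controller (placeholder)
$gc  = 'dc01.example.internal'    # a global catalog server (placeholder)
$sql = 'sql01.example.internal'   # SQL Server host, only when not using SQL Express (placeholder)
$dns = '192.0.2.53'               # an Active Directory DNS server (placeholder address)

# TCP rows from the table where the AMS server is the source.
$flows = @(
    @{ Target = 'packages.lithnet.io';       Port = 443;  Use = 'Update check';             Optional = $true  }
    @{ Target = 'graph.microsoft.com';       Port = 443;  Use = 'Graph API';                Optional = $false }
    @{ Target = 'login.microsoftonline.com'; Port = 443;  Use = 'Graph API authentication'; Optional = $false }
    @{ Target = $dc;                         Port = 389;  Use = 'LDAP';                     Optional = $false }
    @{ Target = $gc;                         Port = 3268; Use = 'Global Catalog';           Optional = $false }
    @{ Target = $dc;                         Port = 135;  Use = 'RPC Endpoint Mapper';      Optional = $false }
    @{ Target = $sql;                        Port = 1433; Use = 'AMS database';             Optional = $false }
)

$results = foreach ($f in $flows) {
    $r = Test-NetConnection -ComputerName $f.Target -Port $f.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Target    = $f.Target
        Port      = $f.Port
        Use       = $f.Use
        Optional  = $f.Optional
        Reachable = $r.TcpTestSucceeded
    }
}

# DNS UDP 53: a successful query against the AD DNS server shows the flow is open.
$dnsOk = [bool](Resolve-DnsName -Name $dc -Server $dns -ErrorAction SilentlyContinue)
$results += [pscustomobject]@{
    Target = $dns; Port = 53; Use = 'DNS lookup (UDP)'; Optional = $false; Reachable = $dnsOk
}

$results | Format-Table -AutoSize

# Not covered here: CLDAP UDP 389, and the RPC dynamic range 49152-65535,
# where the port is assigned per session by the endpoint mapper.
$blocked = @($results | Where-Object { -not $_.Reachable -and -not $_.Optional })
if ($blocked.Count -gt 0) {
    Write-Warning "$($blocked.Count) required flow(s) unreachable from this server."
    exit 1
}
```

A reachable TCP 135 only shows the endpoint mapper is open; authorization queries still fail if the dynamic range is filtered between the AMS server and the domain controllers.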

