When hardening SharePoint servers by blocking unnecessary ports, you will need to deal with port 5725, which is used by User Profile Synchronization. Two questions emerge:
- If we enable Windows Firewall on the servers, on which server do we open the port?
- On the hardware firewall, how do we specify the firewall rules, essentially from which server to which server?
On the dedicated TechNet article on SharePoint security hardening, you will find the following statement:
“TCP 5725 must be open on the server that runs the Forefront Identity Management agent and is set up to crawl a directory store.”
Obviously, the first question is answered. But what about the second one? If we need to specify the source servers, which are they: all SharePoint servers, or just a few?
The answer is:
- the Application servers that host the User Profile Service Application, and
- the servers that host the Central Administration web site.
When these roles are on the same server, or on servers in the same network zone and the same segment, you don't have to worry about the rules. But if they communicate through a firewall, you need to make sure the rules allow the traffic. For example, the Central Administration web site is hosted on the WFEs, which are in a separate network zone from the Application server that hosts the User Profile Synchronization instance. You need to allow traffic from the WFEs to the App server on TCP port 5725. If not, you will even have a problem creating a User Profile Synchronization Connection!
This is the error message you will see:
Of course, if the Central Admin site is hosted on an App server, you will not encounter the issue above.
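As an added example (not part of the original post), here is how the Windows Firewall side of this looks in PowerShell: an inbound rule on the server running the FIM agent, scoped to only the Central Administration WFEs and UPA App servers, followed by a connectivity check from a WFE. It assumes Windows Server 2012 or later (the NetSecurity module), and all server names and addresses are placeholders.

```powershell
# Added example, not from the original post: scope TCP 5725 on the server that hosts
# the User Profile Synchronization instance to the servers allowed to reach it.
# Hostnames and addresses below are placeholders; replace them with your farm's values.

# Sources allowed to reach the Forefront Identity Manager agent on TCP 5725:
# the WFEs hosting Central Administration and any App server hosting the
# User Profile Service Application (placeholder addresses).
$AllowedSources = @('10.0.1.11', '10.0.1.12', '10.0.2.21')

# Run on the server hosting the User Profile Synchronization instance.
# The rule is limited to the Domain profile and to the listed remote addresses;
# anything else reaching TCP 5725 is dropped by the default inbound block.
New-NetFirewallRule -DisplayName 'SharePoint UPS - FIM agent TCP 5725' `
    -Description 'Allow CA WFEs and UPA App servers to reach the FIM agent (profile sync)' `
    -Direction Inbound -Protocol TCP -LocalPort 5725 `
    -RemoteAddress $AllowedSources -Action Allow -Profile Domain -Enabled True

# Review the rule after creation: confirm the port and the remote address scope.
$rule = Get-NetFirewallRule -DisplayName 'SharePoint UPS - FIM agent TCP 5725'
$rule | Get-NetFirewallPortFilter    | Select-Object Protocol, LocalPort
$rule | Get-NetFirewallAddressFilter | Select-Object RemoteAddress

# Run on a WFE hosting Central Administration: verify the path through both the
# Windows Firewall and any hardware firewall between the zones before creating the
# User Profile Synchronization Connection (placeholder server name).
$result = Test-NetConnection -ComputerName 'sp-app01.corp.example' -Port 5725
if (-not $result.TcpTestSucceeded) {
    Write-Warning "TCP 5725 to $($result.ComputerName) is blocked; check the rules in both zones."
}
```

The same source/destination pairs (WFEs and UPA App servers to the FIM server, TCP 5725) are what you hand to the team managing the hardware firewall between the zones.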