Verify Privilege Vault Cloud Customer Example Architectures

If you are a current customer with support hours for IBM Security Professional Services, you can discuss any of these diagrams in detail with one of our Professional Services support architects.

Multi-site with ASR Agents Example Architecture

Figure: Multi-site with ASR Agents Example Architecture

image-20210405162451314

This design is fully supported by IBM Security.

Arrows indicate the direction of initial connection.

Reference architecture requirements:
  • Ports for accessing, managing and discovering end-points must have the required ports opened between the site Distributed Engines and the appropriate devices. Please see Ports Used by Verify Privilege Vault.
  • All Distributed Engines servers must run on Windows Server 2016 or higher. Windows Server 2022 is supported by Secret Server 11.0 or later. It may work with earlier versions, but that has not been officially confirmed.
  • Distributed Engines servers must have 4 cores and 4 GB RAM. We encourage increasing CPUs before RAM to improve DE efficiency.
Your first distributed engines will likely be located in the primary data center and will serve as the management zone for all other locations and domains. This includes:
  • AD synchronization
  • Account discovery
  • Password changing and heartbeats
  • SSH and RDP proxy
  • Session recording

Details for All Architectures

1: Service Buses

IP Address allow-listing is not necessary unless outbound firewall rules are in place. If IP allow-listing is necessary, please contact IBM Security Support to obtain the shared engine response service bus and your dedicated customer service bus hostnames. The TCP port requirement is based on the transport type configured in the distributed engine settings. The default is Web sockets, which requires TCP 443. If the AMQP option is selected within the application, TCP 5671/5672 ports are also required.

2: Web Application Firewall (WAF)

IP Address allow-listing is not necessary unless outbound firewall rules are in place. Generally, the public IP the hostname resolves to is based on geographical location of the request source. All IPs below should be allow-listed to ensure uninterrupted connectivity.

All regions:

  • 45.60.32.37
  • 45.60.34.37
  • 45.60.36.37
  • 45.60.38.37
  • 45.60.40.37
  • 45.60.104.37

3: RADIUS

Inbound allow-listing is necessary if RADIUS authentication is configured. IP addresses for RADIUS authentication configuration:

For convenience, the new additional ranges (as of October 2024) are consolidated into a single CIDR (Classless Inter-Domain Routing) block per region.

secretservercloud.com

  • 20.65.118.12 (Primary)
  • 23.102.107.104 (Primary)
  • 23.102.107.220 (Primary)
  • 23.102.106.185 (Primary)
  • 23.102.108.55 (Primary)
  • 52.224.253.7 (Primary)
  • 52.224.253.4 (Primary)
  • 52.151.206.73 (Primary)
  • 52.151.206.77 (Primary)
  • 52.151.206.35 (Primary)
  • 20.228.138.112/29 (Primary)
  • 52.160.67.39 (DR)
  • 52.160.67.38 (DR)
  • 104.40.25.170 (DR)
  • 138.91.163.99 (DR)
  • 137.135.51.234 (DR)
  • 52.190.184.16/29 (DR)

secretservercloud.co.uk

  • 20.0.46.111 (Primary)
  • 51.142.243.172 (Primary)
  • 20.0.46.112 (Primary)
  • 20.0.46.123 (Primary)
  • 20.0.46.124 (Primary)
  • 20.162.162.64/29 (Primary)
  • 51.104.62.220 (Secondary)
  • 51.104.62.213 (Secondary)
  • 51.104.63.38 (Secondary)
  • 51.104.62.185 (Secondary)
  • 51.104.62.252 (Secondary)
  • 20.117.16.40/29 (Secondary)

secretservercloud.ca

  • 52.228.117.246 (Primary)
  • 52.228.113.119 (Primary)
  • 52.139.7.40 (Primary)
  • 52.139.7.137 (Primary)
  • 52.139.7.197 (Primary)
  • 40.85.220.216/29 (Primary)
  • 52.229.119.193 (DR)
  • 52.229.119.89 (DR)
  • 52.235.39.79 (DR)
  • 52.235.39.125 (DR)
  • 52.235.39.5 (DR)
  • 20.220.90.80/29 (DR)

secretservercloud.eu

  • 20.79.64.213 (Primary)
  • 20.79.65.3 (Primary)
  • 20.79.226.78 (Primary)
  • 20.79.226.180 (Primary)
  • 20.79.226.116 (Primary)
  • 51.116.178.152/29 (Primary)
  • 20.50.180.242 (DR)
  • 20.50.180.187 (DR)
  • 20.50.154.28 (DR)
  • 20.50.176.86 (DR)
  • 20.50.156.219 (DR)
  • 20.16.113.88.144/29 (DR)

secretservercloud.com.sg

  • 20.195.97.220 (Primary)
  • 20.195.98.154 (Primary)
  • 20.212.128.73 (Primary)
  • 20.212.128.75 (Primary)
  • 20.212.128.74 (Primary)
  • 52.237.113.56/29 (Primary)
  • 65.52.165.108 (DR)
  • 65.52.160.251 (DR)
  • 52.184.100.188 (DR)
  • 52.184.101.189 (DR)
  • 52.184.101.213 (DR)
  • 23.100.88.144/29 (DR)

secretservercloud.com.au

  • 20.37.251.37 (Primary)
  • 20.37.251.120 (Primary)
  • 20.37.5.233 (Primary)
  • 20.37.5.227 (Primary)
  • 20.37.5.48 (Primary)
  • 20.37.1.16/29 (Primary)
  • 20.53.142.34 (DR)
  • 20.53.142.37 (DR)
  • 20.53.80.77 (DR)
  • 20.53.81.216 (DR)
  • 20.53.82.77 (DR)
  • 23.101.211.80/29 (DR)

4: Distributed Engine (DE)

If external clients must be able to connect to internal SSH or RDP endpoints, an SSH proxy can be configured on the DE. Additionally, TCP port 22 needs to be open for inbound connections on the DE server, as well as have an appropriate configuration to allow inbound connections from the public Internet.

5: Certificate CRLs

Allow-listing is not necessary unless outbound firewall rules are in place. If it is necessary, access to CRLs or OSCP endpoints may be required. CRL and OSCP endpoints may differ from customer to customer. To determine the endpoints, review the certificates presented by the:

  • Web application firewall
  • Customer service bus
  • Engine response service bus
  • CDN for DE updates
Obtaining and reviewing certificates is not within the scope of this document, but you can find resources online, such as OCSP & CRL and Revoked SSL Certificates, which is not owned or maintained by IBM Security.
As of October 2024, we switched from one-year-validity Sectigo certificates to 90-day-validity Let's Encrypt certificates. Let's Encrypt certificates are widely trusted and have effectively become the standard for cloud-native operations. See About Let's Encrypt for more information.