Verify Privilege Vault Cloud Customer Example Architectures
If you are a current customer with support hours for IBM Security Professional Services, you can discuss any of these diagrams in detail with one of our Professional Services support architects.
Multi-site with ASR Agents Example Architecture
Figure: Multi-site with ASR Agents Example Architecture
This design is fully supported by IBM Security.
Arrows indicate the direction of initial connection.
- The ports required for accessing, managing and discovering endpoints must be open between each site's Distributed Engines and the devices they manage. See Ports Used by Verify Privilege Vault.
- All Distributed Engine servers must run Windows Server 2016 or later. Windows Server 2022 is supported with Secret Server 11.0 or later; it may work with earlier versions, but that has not been officially confirmed.
- Distributed Engine servers must have at least 4 cores and 4 GB RAM. When scaling a DE, add CPU before RAM; DE throughput benefits more from additional cores.
- Functions the site Distributed Engines perform:
- AD synchronization
- Account discovery
- Password changing and heartbeats
- SSH and RDP proxy
- Session recording
Details for All Architectures
1: Service Buses
IP address allow-listing is not necessary unless outbound firewall rules are in place. If it is, contact IBM Security Support to obtain the hostnames of the shared engine response service bus and of your dedicated customer service bus. The TCP port requirement depends on the transport type configured in the distributed engine settings: the default, WebSockets, requires TCP 443; if AMQP is selected, TCP 5671 and 5672 are also required.
2: Web Application Firewall (WAF)
IP address allow-listing is not necessary unless outbound firewall rules are in place. The public IP the WAF hostname resolves to generally depends on the geographical location of the request source, so a rule that covers only the address observed today can break when resolution changes. Allow-list all of the IPs below to ensure uninterrupted connectivity.
All regions:
- 45.60.32.37
- 45.60.34.37
- 45.60.36.37
- 45.60.38.37
- 45.60.40.37
- 45.60.104.37
3: RADIUS
Inbound allow-listing of the following source addresses on the RADIUS server is necessary if RADIUS authentication is configured. Addresses are listed per tenant domain; allow both the Primary and the DR (or Secondary) set so that authentication keeps working after a failover.
secretservercloud.com
- 20.65.118.12 (Primary)
- 23.102.107.104 (Primary)
- 23.102.107.220 (Primary)
- 23.102.106.185 (Primary)
- 23.102.108.55 (Primary)
- 52.224.253.7 (Primary)
- 52.224.253.4 (Primary)
- 52.151.206.73 (Primary)
- 52.151.206.77 (Primary)
- 52.151.206.35 (Primary)
- 20.228.138.112/29 (Primary)
- 52.160.67.39 (DR)
- 52.160.67.38 (DR)
- 104.40.25.170 (DR)
- 138.91.163.99 (DR)
- 137.135.51.234 (DR)
- 52.190.184.16/29 (DR)
secretservercloud.co.uk
- 20.0.46.111 (Primary)
- 51.142.243.172 (Primary)
- 20.0.46.112 (Primary)
- 20.0.46.123 (Primary)
- 20.0.46.124 (Primary)
- 20.162.162.64/29 (Primary)
- 51.104.62.220 (Secondary)
- 51.104.62.213 (Secondary)
- 51.104.63.38 (Secondary)
- 51.104.62.185 (Secondary)
- 51.104.62.252 (Secondary)
- 20.117.16.40/29 (Secondary)
secretservercloud.ca
- 52.228.117.246 (Primary)
- 52.228.113.119 (Primary)
- 52.139.7.40 (Primary)
- 52.139.7.137 (Primary)
- 52.139.7.197 (Primary)
- 40.85.220.216/29 (Primary)
- 52.229.119.193 (DR)
- 52.229.119.89 (DR)
- 52.235.39.79 (DR)
- 52.235.39.125 (DR)
- 52.235.39.5 (DR)
- 20.220.90.80/29 (DR)
secretservercloud.eu
- 20.79.64.213 (Primary)
- 20.79.65.3 (Primary)
- 20.79.226.78 (Primary)
- 20.79.226.180 (Primary)
- 20.79.226.116 (Primary)
- 51.116.178.152/29 (Primary)
- 20.50.180.242 (DR)
- 20.50.180.187 (DR)
- 20.50.154.28 (DR)
- 20.50.176.86 (DR)
- 20.50.156.219 (DR)
- 20.16.113.88.144/29 (DR) (as printed; this value has five octets and is not a valid IPv4 prefix, so confirm the correct address with IBM Security Support before allow-listing it)
secretservercloud.com.sg
- 20.195.97.220 (Primary)
- 20.195.98.154 (Primary)
- 20.212.128.73 (Primary)
- 20.212.128.75 (Primary)
- 20.212.128.74 (Primary)
- 52.237.113.56/29 (Primary)
- 65.52.165.108 (DR)
- 65.52.160.251 (DR)
- 52.184.100.188 (DR)
- 52.184.101.189 (DR)
- 52.184.101.213 (DR)
- 23.100.88.144/29 (DR)
secretservercloud.com.au
- 20.37.251.37 (Primary)
- 20.37.251.120 (Primary)
- 20.37.5.233 (Primary)
- 20.37.5.227 (Primary)
- 20.37.5.48 (Primary)
- 20.37.1.16/29 (Primary)
- 20.53.142.34 (DR)
- 20.53.142.37 (DR)
- 20.53.80.77 (DR)
- 20.53.81.216 (DR)
- 20.53.82.77 (DR)
- 23.101.211.80/29 (DR)
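The WAF and RADIUS lists above are long enough that hand-typing them into a firewall is error-prone, and at least one entry is not syntactically valid. The following Python is an added example, not code from the original page or from the product: it validates entries with the standard-library ipaddress module, expands the /29 blocks, and builds inbound rules for the RADIUS server and outbound rules from the DE to the WAF. The embedded lists are a constructed subset of the lists above (the malformed secretservercloud.eu DR entry is included deliberately), the RADIUS port 1812 is an assumed default, and the netsh rendering is only one possible target.

```python
import ipaddress

# Constructed sample: a subset of the page's lists as (address-or-CIDR, role).
# The secretservercloud.eu DR entry is copied exactly as printed on the page so
# the validator has a malformed value to reject.
RADIUS_SOURCES = {
    "secretservercloud.com": [
        ("20.65.118.12", "Primary"), ("20.228.138.112/29", "Primary"),
        ("52.160.67.39", "DR"), ("52.190.184.16/29", "DR"),
    ],
    "secretservercloud.eu": [
        ("20.79.64.213", "Primary"), ("51.116.178.152/29", "Primary"),
        ("20.16.113.88.144/29", "DR"),
    ],
}
WAF_SOURCES = ["45.60.32.37", "45.60.34.37", "45.60.36.37",
               "45.60.38.37", "45.60.40.37", "45.60.104.37"]


def parse_entry(entry):
    """Parse a host or CIDR entry into an IPv4 network.
    Returns (network, None) on success, or (None, reason) when the entry is not a
    valid IPv4 prefix (wrong octet count, host bits set behind the mask, ...)."""
    try:
        net = ipaddress.ip_network(entry, strict=True)
    except ValueError as exc:
        return None, str(exc)
    if net.version != 4:
        return None, "not an IPv4 prefix"
    return net, None


def validate(entries):
    """Split entries into accepted networks and rejected (entry, reason) pairs.
    Rejects are returned, not skipped: a malformed line in a vendor list must be
    chased up, not silently left out of the firewall."""
    accepted, rejected = [], []
    for entry in entries:
        net, reason = parse_entry(entry)
        if net is None:
            rejected.append((entry, reason))
        else:
            accepted.append(net)
    return accepted, rejected


def expand(net):
    """List every address in a prefix, for firewalls that only take single hosts.
    A /29 expands to all 8 addresses rather than 6 'usable hosts': a public cloud
    block has no reserved network/broadcast address, so any of the 8 may be the
    source of a RADIUS request."""
    return [str(addr) for addr in net]


def service_bus_ports(transport):
    """TCP ports the DE needs outbound to the service buses for a transport type."""
    if transport == "websockets":
        return {443}
    if transport == "amqp":
        return {443, 5671, 5672}
    raise ValueError(f"unknown transport: {transport}")


def radius_ingress_rules(domain, radius_port=1812, include_dr=True):
    """Inbound rules for the RADIUS server: allow UDP from each accepted source
    for the tenant domain to radius_port. 1812 is an assumed default; use the
    port actually configured on your RADIUS server."""
    entries = [e for e, role in RADIUS_SOURCES[domain]
               if include_dr or role == "Primary"]
    accepted, rejected = validate(entries)
    rules = [{"dir": "in", "proto": "udp", "port": radius_port, "remote": str(n)}
             for n in accepted]
    return rules, rejected


def waf_egress_rules():
    """Outbound rules from the DE to every WAF address on TCP 443."""
    accepted, rejected = validate(WAF_SOURCES)
    assert not rejected, rejected
    return [{"dir": "out", "proto": "tcp", "port": 443, "remote": str(n)}
            for n in accepted]


def to_netsh(rule, name):
    """Render a rule as a Windows Defender Firewall 'netsh advfirewall' command."""
    port_key = "localport" if rule["dir"] == "in" else "remoteport"
    return (f'netsh advfirewall firewall add rule name="{name}" dir={rule["dir"]} '
            f'action=allow protocol={rule["proto"].upper()} '
            f'{port_key}={rule["port"]} remoteip={rule["remote"]}')


if __name__ == "__main__":
    for domain in RADIUS_SOURCES:
        rules, rejected = radius_ingress_rules(domain)
        for i, rule in enumerate(rules):
            print(to_netsh(rule, f"VPV RADIUS {domain} {i}"))
        for entry, reason in rejected:
            print(f"# REJECTED {domain} {entry}: {reason}")
    for i, rule in enumerate(waf_egress_rules()):
        print(to_netsh(rule, f"VPV WAF {i}"))
```

Run it on the full lists from the page and treat any line printed as REJECTED as a ticket for IBM Security Support rather than something to fix by guessing. Keep the Primary and DR/Secondary sets in separate, named rules so a failover can be traced back to which rule admitted the traffic.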
4: Distributed Engine (DE)
If external clients must reach internal SSH or RDP endpoints, an SSH proxy can be configured on the DE. In that case TCP port 22 must be open for inbound connections on the DE server, and the network path must be configured to allow those inbound connections from the public Internet. Limit the inbound rule to known client source ranges wherever the client population allows it.
5: Certificate CRLs
Allow-listing is not necessary unless outbound firewall rules are in place. If it is, hosts validating these certificates may also need to reach the CRL or OCSP endpoints the certificates reference, and those endpoints can differ from customer to customer. To determine them, review the CRL distribution point and Authority Information Access (OCSP) extensions of the certificates presented by the:
- Web application firewall
- Customer service bus
- Engine response service bus
- CDN for DE updates
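One way to collect those endpoints from a DE, as an added example that is not part of the original page or of the product: Python's standard ssl module already surfaces the CRL distribution points and the OCSP responder of a validated leaf certificate, and the (host, port) pairs derived from them are what the outbound allow-list needs. The hostnames and URLs in the embedded sample are constructed placeholders, not the endpoints IBM's certificates actually reference; fetch_peercert needs network access and is not exercised by the sample.

```python
import socket
import ssl
from urllib.parse import urlsplit


def fetch_peercert(host, port=443, timeout=5):
    """Open a verified TLS connection and return the leaf certificate in the
    dict layout that ssl.SSLSocket.getpeercert() produces. Network access required."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def revocation_endpoints(cert):
    """Extract the URLs a client may need to reach to check revocation of cert.
    getpeercert() exposes the CRL distribution points as 'crlDistributionPoints'
    and the AIA entries as 'OCSP' and 'caIssuers'; each is a tuple of URLs."""
    return {
        "crl": list(cert.get("crlDistributionPoints", ())),
        "ocsp": list(cert.get("OCSP", ())),
        "caIssuers": list(cert.get("caIssuers", ())),
    }


def hosts_to_allow(endpoints):
    """Reduce the URLs to sorted (host, port) pairs for an outbound firewall rule.
    CRL and OCSP endpoints are normally plain HTTP on port 80, so a rule that
    only permits TCP 443 silently breaks revocation checking."""
    out = set()
    for url in endpoints["crl"] + endpoints["ocsp"] + endpoints["caIssuers"]:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            continue  # ldap:// distribution points need a separate rule
        out.add((parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)))
    return sorted(out)


# Constructed sample in the getpeercert() layout; the URLs are placeholders.
SAMPLE_CERT = {
    "subject": ((("commonName", "tenant.example.invalid"),),),
    "crlDistributionPoints": ("http://crl.example.invalid/issuing-ca.crl",),
    "OCSP": ("http://ocsp.example.invalid",),
    "caIssuers": ("http://aia.example.invalid/issuing-ca.crt",),
}

if __name__ == "__main__":
    # Replace SAMPLE_CERT with fetch_peercert("<WAF or service bus hostname>")
    # on the DE itself, once per hostname listed above.
    for host, port in hosts_to_allow(revocation_endpoints(SAMPLE_CERT)):
        print(f"allow outbound TCP {port} to {host}")
```

getpeercert() returns only the leaf certificate. The intermediate CA certificates carry their own CRL and OCSP URLs (pointing at the issuing root), so repeat the review on the full chain, for example with openssl s_client -showcerts, before finalising the allow-list.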