Verify Privilege Vault Hybrid Multi-Tenant Cloud Architecture

If you are a current customer with support hours for Delinea Professional Services, you can discuss any of these diagrams in detail with one of our Professional Services support architects.

The standard Secret Server Cloud architecture is "hybrid multi-tenant": only the front end is multi-tenant (shared with other customers), while the databases, service buses, and storage accounts are single-tenant (dedicated to you).

Diagram

Figure: Verify Privilege Vault Cloud Architecture (diagram: Secret Server Cloud Architecture)

Arrows indicate the direction of initial connection.

Details

1: Service Buses

IP address allowlisting is not necessary unless outbound firewall rules are in place. If IP allowlisting is necessary, you can find your customer-specific service bus IP addresses by navigating to customer.secretservercloud.com/AdminDiagnostics.aspx. The TCP port requirement depends on the transport type configured in the distributed engine settings. The default is web sockets, which requires TCP 443. If the AMQP option is selected within the application, TCP ports 5671 and 5672 are also required.

The shared engine-response-bus hostnames are:

  • thycotic-ssc-eu-er-sb-01-prod-g.servicebus.windows.net

  • thycotic-ssc-eu-er-sb-01-prod-b.servicebus.windows.net (Active)

2: Web Application Firewall (WAF)

IP address allowlisting is not necessary unless outbound firewall rules are in place. Generally, the public IP that the hostname resolves to depends on the geographical location of the request source. All IPs below should be allowlisted to ensure uninterrupted connectivity.

All regions:

  • 45.60.32.37
  • 45.60.34.37
  • 45.60.36.37
  • 45.60.38.37
  • 45.60.40.37
  • 45.60.104.37

3: RADIUS

Inbound allowlisting is necessary if RADIUS authentication is configured. IP addresses:

secretservercloud.com

  • 20.65.118.12 (Primary)
  • 23.102.107.104 (Primary)
  • 23.102.107.220 (Primary)
  • 23.102.106.185 (Primary)
  • 23.102.108.55 (Primary)
  • 52.224.253.7 (Primary)
  • 52.224.253.4 (Primary)
  • 52.151.206.73 (Primary)
  • 52.151.206.77 (Primary)
  • 52.151.206.35 (Primary)
  • 52.160.67.39 (DR)
  • 52.160.67.38 (DR)
  • 104.40.25.170 (DR)
  • 138.91.163.99 (DR)
  • 137.135.51.234 (DR)

secretservercloud.co.uk

  • 20.0.46.111 (Primary)
  • 51.142.243.172 (Primary)
  • 20.0.46.112 (Primary)
  • 20.0.46.123 (Primary)
  • 20.0.46.124 (Primary)
  • 51.104.62.220 (Secondary)
  • 51.104.62.213 (Secondary)
  • 51.104.63.38 (Secondary)
  • 51.104.62.185 (Secondary)
  • 51.104.62.252 (Secondary)

secretservercloud.ca

  • 52.228.117.246 (Primary)
  • 52.228.113.119 (Primary)
  • 52.139.7.40 (Primary)
  • 52.139.7.137 (Primary)
  • 52.139.7.197 (Primary)
  • 52.229.119.193 (DR)
  • 52.229.119.89 (DR)
  • 52.235.39.79 (DR)
  • 52.235.39.125 (DR)
  • 52.235.39.5 (DR)

secretservercloud.eu

  • 20.79.64.213 (Primary)
  • 20.79.65.3 (Primary)
  • 20.79.226.78 (Primary)
  • 20.79.226.180 (Primary)
  • 20.79.226.116 (Primary)
  • 20.50.180.242 (DR)
  • 20.50.180.187 (DR)
  • 20.50.154.28 (DR)
  • 20.50.176.86 (DR)
  • 20.50.156.219 (DR)

secretservercloud.com.sg

  • 20.195.97.220 (Primary)
  • 20.195.98.154 (Primary)
  • 20.212.128.73 (Primary)
  • 20.212.128.75 (Primary)
  • 20.212.128.74 (Primary)
  • 65.52.165.108 (DR)
  • 65.52.160.251 (DR)
  • 52.184.100.188 (DR)
  • 52.184.101.189 (DR)
  • 52.184.101.213 (DR)

secretservercloud.com.au

  • 20.37.251.37 (Primary)
  • 20.37.251.120 (Primary)
  • 20.37.5.233 (Primary)
  • 20.37.5.227 (Primary)
  • 20.37.5.48 (Primary)
  • 20.53.142.34 (DR)
  • 20.53.142.37 (DR)
  • 20.53.80.77 (DR)
  • 20.53.81.216 (DR)
  • 20.53.82.77 (DR)
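The following script is an added example, not part of the original documentation or of the Secret Server product. It turns the requirements in sections 1 to 3 into a rule list and checks an existing firewall allowlist against it, matching IP targets against CIDR entries as well as exact addresses. Assumptions: the customer-specific service bus hostname is a placeholder (take yours from AdminDiagnostics.aspx); the WAF is reached over HTTPS/443; and the RADIUS port defaults to 1812, since the page lists only source IPs. Only the secretservercloud.com RADIUS addresses are embedded; the other regions follow the same pattern. The allowlist at the bottom is constructed to show two typical gaps: only one of the two engine-response-bus hostnames allowed, and a CIDR that covers five WAF addresses but misses 45.60.104.37.

```python
"""Audit a firewall allowlist against the Secret Server Cloud connectivity requirements."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str   # "outbound" (from your network) or "inbound" (to your RADIUS server)
    target: str      # hostname or IP literal
    port: int
    note: str = ""


# Hostnames and IPs below are copied from the page. The customer-specific service bus
# hostname is a placeholder; read the real one from AdminDiagnostics.aspx.
CUSTOMER_SERVICE_BUS = "<customer-specific>.servicebus.windows.net"
ENGINE_RESPONSE_BUSES = (
    "thycotic-ssc-eu-er-sb-01-prod-g.servicebus.windows.net",
    "thycotic-ssc-eu-er-sb-01-prod-b.servicebus.windows.net",  # marked Active; allow both
)
WAF_IPS = ("45.60.32.37", "45.60.34.37", "45.60.36.37",
           "45.60.38.37", "45.60.40.37", "45.60.104.37")
RADIUS_SOURCES = {  # only the .com region shown; the other regions follow the same shape
    "secretservercloud.com": {
        "Primary": ("20.65.118.12", "23.102.107.104", "23.102.107.220", "23.102.106.185",
                    "23.102.108.55", "52.224.253.7", "52.224.253.4", "52.151.206.73",
                    "52.151.206.77", "52.151.206.35"),
        "DR": ("52.160.67.39", "52.160.67.38", "104.40.25.170",
               "138.91.163.99", "137.135.51.234"),
    },
}


def service_bus_ports(transport: str):
    """Web sockets needs TCP 443; AMQP additionally needs TCP 5671 and 5672."""
    if transport == "websockets":
        return (443,)
    if transport == "amqp":
        return (443, 5671, 5672)
    raise ValueError(f"unknown transport: {transport}")


def required_rules(transport="websockets", radius_region=None, radius_port=1812):
    """Build the rule list. radius_port=1812 is an assumption; the page lists source IPs only."""
    rules = []
    for host in (CUSTOMER_SERVICE_BUS,) + ENGINE_RESPONSE_BUSES:
        for port in service_bus_ports(transport):
            rules.append(Rule("outbound", host, port, "service bus"))
    for ip in WAF_IPS:
        rules.append(Rule("outbound", ip, 443, "WAF (HTTPS assumed)"))
    if radius_region:
        for role, ips in RADIUS_SOURCES[radius_region].items():
            for ip in ips:
                rules.append(Rule("inbound", ip, radius_port, f"RADIUS {role}"))
    return rules


def _covers(allow_target: str, rule_target: str) -> bool:
    """Hostnames match exactly; IP targets also match when inside an allowed CIDR."""
    try:
        net = ipaddress.ip_network(allow_target, strict=False)
        return ipaddress.ip_address(rule_target) in net
    except ValueError:  # one side is a hostname, not an address
        return allow_target == rule_target


def find_gaps(required, allowlist):
    """allowlist: iterable of (direction, target-or-CIDR, port). Returns the uncovered rules."""
    return [r for r in required
            if not any(d == r.direction and p == r.port and _covers(t, r.target)
                       for d, t, p in allowlist)]


if __name__ == "__main__":
    # Constructed allowlist: one engine-response bus missing, and a /20 that
    # covers five WAF IPs but not 45.60.104.37.
    current = [
        ("outbound", CUSTOMER_SERVICE_BUS, 443),
        ("outbound", ENGINE_RESPONSE_BUSES[0], 443),
        ("outbound", "45.60.32.0/20", 443),
    ]
    for gap in find_gaps(required_rules("websockets"), current):
        print(f"missing {gap.direction} {gap.target}:{gap.port} ({gap.note})")
```

Both engine-response-bus hostnames are included in the required set even though only one is marked Active, so that a failover to the other bus does not silently break distributed engines behind an outbound-only firewall; the same reasoning applies to the Primary and DR (or Secondary) RADIUS sources.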

4: Distributed Engine (DE)

If external clients must be able to connect to internal SSH or RDP endpoints, an SSH proxy can be configured on the DE. Additionally, TCP port 22 must be open for inbound connections on the DE server, and the server must be configured to accept inbound connections from the public Internet.

5: Certificate CRLs

Allowlisting is not necessary unless outbound firewall rules are in place. If it is necessary, access to CRL or OCSP endpoints may be required. CRL and OCSP endpoints may differ from customer to customer. To determine the endpoints, review the certificates presented by the:

  • Web application firewall
  • Customer service bus
  • Engine response service bus
  • CDN for DE updates

Obtaining and reviewing certificates is not within the scope of this document, but resources are available online, such as OCSP & CRL and Revoked SSL Certificates (a resource that is not owned or maintained by IBM Security).
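As an added example (not part of this document or of the product), the script below shows where the CRL and OCSP endpoints live inside a certificate and pulls them out of a DER-encoded Extensions block using only the Python standard library: the CRL URLs sit in the cRLDistributionPoints extension (OID 2.5.29.31) and the OCSP responder in the authorityInfoAccess extension (OID 1.3.6.1.5.5.7.1.1) under the id-ad-ocsp access method. No real certificate is embedded or fetched; the sample Extensions block is constructed by a small DER writer, and the example.test hostnames in it are made up. In practice you would feed in the extensions of the leaf (and intermediate) certificates presented by the WAF, the service buses and the DE update CDN, obtained for instance with `openssl s_client -showcerts`, or use a full X.509 parser such as the `cryptography` package.

```python
"""Pull CRL distribution points and OCSP responder URLs out of an X.509 Extensions block."""

CRL_DP_OID = "2.5.29.31"               # id-ce-cRLDistributionPoints
AIA_OID = "1.3.6.1.5.5.7.1.1"          # id-pe-authorityInfoAccess
OCSP_OID = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp
CA_ISSUERS_OID = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers
URI_TAG = 0x86                         # GeneralName [6] uniformResourceIdentifier (IA5String)


def parse_tlvs(data: bytes):
    """Split one DER layer into (tag, body) pairs. Single-byte tags suffice for X.509 extensions."""
    i, items = 0, []
    while i < len(data):
        tag, length = data[i], data[i + 1]
        i += 2
        if length & 0x80:                       # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        items.append((tag, data[i:i + length]))
        i += length
    return items


def decode_oid(body: bytes) -> str:
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    parts, value = [str(body[0] // 40), str(body[0] % 40)], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def find_uris(body: bytes):
    """Recursively collect [6] URI GeneralNames beneath any constructed node."""
    uris = []
    for tag, inner in parse_tlvs(body):
        if tag == URI_TAG:
            uris.append(inner.decode("ascii"))
        elif tag & 0x20:                        # constructed: descend
            uris.extend(find_uris(inner))
    return uris


def revocation_endpoints(extensions_der: bytes) -> dict:
    """Return {'crl': [...], 'ocsp': [...]} from a DER-encoded Extensions SEQUENCE."""
    found = {"crl": [], "ocsp": []}
    (_, ext_list), = parse_tlvs(extensions_der)
    for _, ext in parse_tlvs(ext_list):
        fields = parse_tlvs(ext)                # extnID, optional critical BOOLEAN, extnValue
        ext_id, value = decode_oid(fields[0][1]), fields[-1][1]
        if ext_id == CRL_DP_OID:
            found["crl"].extend(find_uris(value))
        elif ext_id == AIA_OID:
            (_, descs), = parse_tlvs(value)     # SEQUENCE OF AccessDescription
            for _, desc in parse_tlvs(descs):
                (_, method), (loc_tag, location) = parse_tlvs(desc)
                if decode_oid(method) == OCSP_OID and loc_tag == URI_TAG:
                    found["ocsp"].append(location.decode("ascii"))
    return found


# --- Minimal DER writer, used only to construct the sample input below ---
def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body


def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))


def build_sample_extensions() -> bytes:
    """Constructed sample (made-up hosts): one CRL distribution point, AIA with OCSP + caIssuers."""
    crl_dp = _tlv(0x30, _tlv(0x30, _tlv(0xA0, _tlv(0xA0,
             _tlv(URI_TAG, b"http://crl.example.test/issuing.crl")))))
    aia = _tlv(0x30, _tlv(0x30, _oid(OCSP_OID) + _tlv(URI_TAG, b"http://ocsp.example.test"))
               + _tlv(0x30, _oid(CA_ISSUERS_OID) + _tlv(URI_TAG, b"http://aia.example.test/issuing.cer")))
    return _tlv(0x30, _tlv(0x30, _oid(CRL_DP_OID) + _tlv(0x04, crl_dp))
                + _tlv(0x30, _oid(AIA_OID) + _tlv(0x04, aia)))


if __name__ == "__main__":
    print(revocation_endpoints(build_sample_extensions()))
```

The hostnames this returns are what an outbound firewall must allow for revocation checking, and they can change when the provider rotates to a different issuing CA, so the check is worth repeating whenever the presented certificate chain changes rather than allowlisting once.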