Review the Firewall Rules
The firewall rules for inbound communication and domain traffic in a Privileged Access Service deployment, including the ports and protocols used between its components, depend on several factors. For example, different ports might be required to support specific features, such as network discovery and auditing, or for different system types.
For information on network firewall requirements, see Verify Privilege Cloud Suite and Connector Outbound Network Firewall Requirements.
Depending on the characteristics of your environment, you might want to review all or part of the port requirements:
- System Discovery Prerequisites
- Basic Port Requirements
- Port Requirements for IIS Applications Pools
- Connection between All Systems and AD Domain Controllers
- Connection between the Audit Management Server and Audit Store
- Connection between All Audited systems and Audit Collectors
- Connection between All Connectors to AD Domain Controllers
- Connection between Connector and Privileged Access Service
- Connection between All Connectors to Linux Systems
- Connection between All Connectors to Windows Systems
- Connection between All AD Domain Controllers to Windows Systems
- Connection between the Connector and the Session Auditing Collector
- Connection between the Connector and Remote Sessions
For additional details, see the diagram in Management port for password operations. For connector firewall details, see Firewall and External IP Address Requirements.
Basic Port Requirements
Be sure the following ports are open for basic Privileged Access Service operation:
- Port 53 (TCP/UDP) for communication between any service instance and the DNS server.
- Port 443 or 555 (TCP) for secure HTTPS communication between any service instance and the connector.
Port Requirements for IIS Applications Pools
Be sure the following ports are open on the IIS server to allow discovery of IIS application pools and related accounts:
- Port 135 (TCP) for inbound communication with the RPC endpoint mapper program.
- A custom inbound firewall rule to allow communication for the DllHost.exe process on all RPC Dynamic Ports.
- Port 139 (TCP) for file and printer sharing (NB-Session-In) inbound communication if the operating system is Windows Server 2016.
For more information about configuring firewall rules for discovery, see System discovery prerequisites.
Connection between All Systems and AD Domain Controllers
The following table lists the port requirements for communication with Active Directory (AD). Set up these rules inbound to every domain controller and on any firewall between the IBM Security Audit Management Server and every UNIX and Linux system that will be joined to AD using IBM Security.
Port | Traffic Direction |
---|---|
LDAP, Port 389 (TCP/UDP) | Inbound communication to every domain controller from all systems. |
Global Catalog, Port 3268 (TCP) | Inbound communication to every domain controller from all systems. |
DNS, Port 53 (TCP/UDP) | Inbound communication to every domain controller from all systems. |
Kerberos, Port 88 (TCP) | Inbound communication to every domain controller from all systems. |
Kerberos Password, Port 464 (TCP) | Inbound communication to every domain controller from all systems. |
SMB/CIFS, Port 445 (TCP) | Inbound communication to every domain controller from all systems. |
Time Service, Port 123 (TCP) | Inbound communication to every domain controller from all systems. |
RPC Endpoint Mapper, Port 135 (TCP) | Inbound communication to every domain controller from all systems. |
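As an added example that is not part of the original guide, the following Python script probes the TCP ports from the table above against a domain controller and reports which ones are still blocked, so a missing rule can be found before systems are joined. The host name on the command line is a placeholder; Time Service is probed on TCP because that is how the table lists it.

```python
import socket
import sys

# Required inbound ports on every domain controller, taken from the table above.
DC_PORTS = {
    "LDAP": 389,
    "Global Catalog": 3268,
    "DNS": 53,
    "Kerberos": 88,
    "Kerberos Password": 464,
    "SMB/CIFS": 445,
    "Time Service": 123,
    "RPC Endpoint Mapper": 135,
}


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, timed out, or unreachable: treat all as blocked.
        return False


def check_ports(host, ports=DC_PORTS, timeout=2.0):
    """Probe each named port and return {service name: reachable?}."""
    return {name: tcp_open(host, port, timeout) for name, port in ports.items()}


def blocked(results):
    """Sorted names of the services whose port did not answer."""
    return sorted(name for name, ok in results.items() if not ok)


if __name__ == "__main__":
    # Placeholder host; pass the real domain controller as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.com"
    results = check_ports(target)
    for name, ok in results.items():
        print(f"{name:22} {DC_PORTS[name]:>5}/tcp  {'open' if ok else 'BLOCKED'}")
    print("blocked:", ", ".join(blocked(results)) or "none")
```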
Connection between the Audit Management Server and Audit Store
The following lists the port requirement for communication with the audit store. Set up this rule inbound to the audit store to allow SQL communication from the audit management server and audit collectors:
- SQL, Port 1433 (TCP): inbound to the Audit Store.
Connection between All Audited systems and Audit Collectors
The following lists the port requirement for communication with Audit Collector servers. Set up this rule inbound to Audit Collector servers to allow collection of audited data from every audited system (Windows, UNIX, and Linux):
- Direct Audit, Port 5063 (TCP): inbound to Audit Collector.
Connection between All Connectors to AD Domain Controllers
The following table lists the port requirements for communication with Active Directory (AD). Set up these rules inbound to every domain controller and on every firewall between the IBM Security Connectors and the AD domain controllers. Be sure the following ports are open:
Port | Traffic Direction |
---|---|
Global Catalog, Port 3268 (TCP) | Inbound communication to every domain controller from the IBM Security Connector |
LDAP, Port 389 (TCP/UDP) | Inbound communication to every domain controller from the IBM Security Connector |
Kerberos, Port 88 (TCP) | Inbound communication to every domain controller from the IBM Security Connector |
Kerberos Password, Port 464 (TCP) | Inbound communication to every domain controller from the IBM Security Connector |
SMB/CIFS, Port 445 (TCP) | Inbound communication to every domain controller from the IBM Security Connector |
Time Service, Port 123 (TCP) | Inbound communication to every domain controller from the IBM Security Connector |
DNS, Port 53 (TCP/UDP) | Inbound communication to every domain controller from the IBM Security Connector |
RPC Endpoint Mapper, Port 135 (TCP) | Inbound communication to every domain controller from the IBM Security Connector |
If DNS is not AD-integrated, apply the DNS rule to the alternative DNS service instead.
To support network discovery, auditing, and domain account management, be sure the following ports are open between the connector and the domain controller:
- Port 135 (TCP) for inbound RPC endpoint mapper connections to enable a connector to join an Active Directory domain.
- Ports 49152-65535 (TCP) for inbound RPC endpoint ("TCP Dynamic") connections to enable a connector to join an Active Directory domain.
Connection between Connector and Privileged Access Service
The following lists the port requirements for communication with Privileged Access Service. Set up these rules outbound to the cloud tenant or to the on-premises Privileged Access Service.
- HTTPS, Port 443 (TCP): inbound to Privileged Access Service from the IBM Security Connector.
- Internal "DirectTcp", Port 30001 (TCP): outbound from Privileged Access Service to the IBM Security Connector.
Each additional connector must have its own IP address.
Connection between All Connectors to Linux Systems
The following table lists the port requirements for communication between the connector and Linux or UNIX systems:
Port | Traffic direction |
---|---|
SSH, Port 22 (TCP) | Inbound communication to every UNIX and Linux system from IBM Security Connector |
HTTPS, Port 443 (TCP) | Outbound communication from every UNIX and Linux system to IBM Security Connector |
API Proxy, Port 8080 (TCP) | Outbound communication from every UNIX and Linux system to IBM Security Connector |
Connection between All Connectors to Windows Systems
The following table lists the port requirements for communication between the connector and Windows systems:
Port | Traffic direction |
---|---|
RDP, Port 3389 or a custom port (TCP) | Inbound communication to every Windows system from IBM Security Connector |
RPC Endpoint Mapper, Port 135 (TCP) | Inbound communication to every Windows system from IBM Security Connector |
RPC Endpoint "TCP Dynamic", Port 49152-65535 (TCP) | Inbound communication to every Windows system from IBM Security Connector |
SMB/CIFS, Port 445 (TCP) | Inbound communication to every Windows system from IBM Security Connector |
WinRM over HTTP, Port 5985 (TCP) | Inbound communication to every Windows system from IBM Security Connector |
WinRM over HTTPS, Port 5986 (TCP) | Inbound communication to every Windows system from IBM Security Connector |
API Proxy, Port 8080 (TCP) | Outbound communication from every Windows system to IBM Security Connector |
For more information about port requirements, see Port Requirements.
Connection between All AD Domain Controllers to Windows Systems
The following lists the port requirements for communication between the domain controller and Windows systems:
- Port 135 (TCP) for inbound RPC endpoint mapper connections to enable the computer to join the Active Directory domain.
- Ports 49152-65535 (TCP) for inbound RPC endpoint connections ("TCP Dynamic") to enable the computer to join the Active Directory domain.
Connection between the Connector and the Session Auditing Collector
Below are the port requirements for communication between the connector and the collector auditing service running on Windows:
- Port 5063 (TCP) for inbound collector connections.
There are additional ports used by the collector service that are not required to be open for the Privileged Access Service. For more information about port requirements for auditing components, see the Auditing Administrator’s Guide.
Connection between the Connector and Remote Sessions
Below are the port requirements for communication between the connector and native local client sessions running on Windows:
- Port 22 (TCP) for inbound connector connections when using a native secure shell (SSH) client for remote access.
- Port 5555 (TCP) for inbound connector connections when using a native remote desktop protocol (RDP) client for remote access.
For more information about using a native local client for remote access, see Selecting user preferences.
Managing Firewall and External IP Address Requirements
All connections to the internet made by Privileged Access Service (including the IBM Security Connector and mobile management) are outbound. No internet-facing ingress ports are required. All outbound connections are made over TCP to either port 80 or port 443 and should not be restricted.
To provide the redundancy and availability of an always-available Privileged Access Service, the destination resource, IP address, and host for outbound connections vary over time among thousands of addresses, and that range also changes as resources are provisioned or removed.
Deep packet inspection filtering of HTTPS or SSL traffic by web proxies or security software may cause connectivity issues with Privileged Access Service. To allow for normal service operation, exclude the ports and addresses discussed below from packet inspection.
Option 1: Whitelist Source
Given the variability of connection targets, the simplest whitelist configuration is typically one that filters on the traffic source: allow all outbound traffic from the host machine and account running the IBM Security Connector, and all outbound requests made by iOS, Android, and Mac clients. This whitelist may be scoped at the machine, machine + account, or machine + account + process level, depending on the feature set of the security appliance or process in place.
Option 2: Whitelist Source Ports
You can also use a whitelist configuration that allows all outbound traffic on ports 80 and 443 from the host machine and account running the IBM Security Connector, as well as outbound requests made by iOS, Android, and Mac clients. This whitelist may be scoped at the machine, machine + account, or machine + account + process level, depending on the feature set of the security appliance or process in place.
Option 3: Whitelist Destination
If destination whitelisting is required, you can whitelist outbound ports or TCP Relay IP ranges.
Port numbers | Resource |
---|---|
443 | *.my.centrify.net (if you need to whitelist your tenant URL) |
80 | privacy-policy.truste.com |
80 | ocsp.digicert.com |
If whitelisting an entire domain (*.centrify.com) is not acceptable per security policy, then you need to whitelist the TCP Relay IP ranges for your relevant Privileged Access Service tenant region. Refer to https://www.microsoft.com/en-us/download/confirmation.aspx?id=56519 for a list of Microsoft Azure data center IP ranges by region.
Tenants
If your tenant is on third-party servers, then you need to whitelist the IP ranges for your relevant Privileged Access Service tenant region. Download the relevant file that contains the IP address ranges information. For AWS you can download them from https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html.
Use the table below to find the TCP Relay IP address ranges for each tenant's region:
Region | IP Address Range |
---|---|
US East | 3.14.30.0/27 (adding 4 May 2019) 13.58.135.200/29 18.216.13.0/26 34.236.32.192/26 34.236.241.0/29 |
US West | 13.56.112.160/29 13.56.112.192/26 34.215.186.192/26 34.214.243.200/29 35.89.238.96/28 35.89.238.128/27 |
Canada | 35.183.13.0/26 35.182.14.200/29 |
Europe | 18.194.95.128/26 18.194.95.32/29 34.245.82.128/26 34.245.82.72/29 |
Brazil | 18.231.105.192/26 18.231.194.0/29 |
Australia | 13.211.166.128/26 13.211.12.240/29 |
Singapore | 13.250.186.64/26 13.250.186.24/29 |
London | 3.10.127.0/27 3.10.127.64/26 35.176.92.128/26 35.176.92.72/29 |
For additional information about whitelisting a tenant for use with web proxies and firewalls, see KB-13446.
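As an added example that is not part of the original guide, the following Python code turns the Option 3 tables into a checkable allowlist: it extracts the CIDR blocks from the region table exactly as written above (annotations such as "(adding 4 May 2019)" are skipped), maps a destination IP to its TCP Relay region, and decides whether a given outbound port and destination is permitted. The host-pattern matching and the `is_allowed` decision function are this example's own construction, not the product's logic.

```python
import ipaddress
import re
from fnmatch import fnmatch

# TCP Relay ranges per region, copied verbatim from the table above.
TCP_RELAY_RANGES = {
    "US East": "3.14.30.0/27 (adding 4 May 2019) 13.58.135.200/29 18.216.13.0/26 34.236.32.192/26 34.236.241.0/29",
    "US West": "13.56.112.160/29 13.56.112.192/26 34.215.186.192/26 34.214.243.200/29 35.89.238.96/28 35.89.238.128/27",
    "Canada": "35.183.13.0/26 35.182.14.200/29",
    "Europe": "18.194.95.128/26 18.194.95.32/29 34.245.82.128/26 34.245.82.72/29",
    "Brazil": "18.231.105.192/26 18.231.194.0/29",
    "Australia": "13.211.166.128/26 13.211.12.240/29",
    "Singapore": "13.250.186.64/26 13.250.186.24/29",
    "London": "3.10.127.0/27 3.10.127.64/26 35.176.92.128/26 35.176.92.72/29",
}

# Destination hosts from the Option 3 table, keyed by port (glob patterns).
HOST_ALLOWLIST = {
    443: ["*.my.centrify.net"],
    80: ["privacy-policy.truste.com", "ocsp.digicert.com"],
}

_CIDR_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}\b")


def parse_ranges(cell):
    """Extract the CIDR networks from a table cell, ignoring free-text notes."""
    return [ipaddress.ip_network(c, strict=False) for c in _CIDR_RE.findall(cell)]


def relay_region(ip):
    """Return the region whose TCP Relay ranges contain ip, or None."""
    addr = ipaddress.ip_address(ip)
    for region, cell in TCP_RELAY_RANGES.items():
        if any(addr in net for net in parse_ranges(cell)):
            return region
    return None


def is_allowed(port, host=None, ip=None, region=None):
    """Option 3 decision (this example's own rule): TCP/443 to an allowlisted
    host or to the tenant region's TCP Relay range; TCP/80 only to listed hosts.
    If region is None, any region's relay range is accepted."""
    if host is not None and any(fnmatch(host, p) for p in HOST_ALLOWLIST.get(port, [])):
        return True
    if port == 443 and ip is not None:
        found = relay_region(ip)
        return found is not None and (region is None or found == region)
    return False
```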