Review the Firewall Rules

The firewall rules for inbound communication and domain traffic in a Privileged Access Service deployment, including the ports and protocols used between the different components, depend on several factors. For example, different ports might be required to support specific features, such as network discovery and auditing, or for different system types. The following sections show you how to configure these rules.

For information on network firewall requirements, see Verify Privilege Cloud Suite and Connector Outbound Network Firewall Requirements.

Depending on the characteristics of your environment, you might want to review all or part of the port requirements below.

For additional details, see the diagram in Management port for password operations. For connector firewall details, see Firewall and External IP Address Requirements.

Basic Port Requirements

Be sure the following ports are open for basic Privileged Access Service operation:

  • Port 53 (TCP/UDP) for communication between any service instance and the DNS server.
  • Port 443 or 555 (TCP) for secure HTTPS communication between any service instance and the connector.

Port Requirements for IIS Applications Pools

Be sure the following ports are open on the IIS server to allow discovery of IIS application pools and related accounts:

  • Port 135 (TCP) for inbound communication with the RPC endpoint mapper program.
  • A custom inbound firewall rule to allow communication for the DllHost.exe process on all RPC Dynamic Ports.
  • Port 139 (TCP) for file and printer sharing (NB-Session-In) inbound communication if the operating system is Windows Server 2016.

For more information about configuring firewall rules for discovery, see System discovery prerequisites.

Connection between All Systems and AD Domain Controllers

The following are the port requirements for communication towards AD. These rules should be set up inbound to every domain controller and in any firewall that sits between the IBM Security Audit Management Server and every UNIX and Linux system that will be joined to AD using IBM Security.

Port                                  Traffic Direction
LDAP, Port 389 (TCP/UDP)              Inbound communication to every domain controller from all systems.
Global Catalog, Port 3268 (TCP)       Inbound communication to every domain controller from all systems.
DNS, Port 53 (TCP/UDP)                Inbound communication to every domain controller from all systems.
Kerberos, Port 88 (TCP)               Inbound communication to every domain controller from all systems.
Kerberos Password, Port 464 (TCP)     Inbound communication to every domain controller from all systems.
SMB/CIFS, Port 445 (TCP)              Inbound communication to every domain controller from all systems.
Time Service, Port 123 (TCP)          Inbound communication to every domain controller from all systems.
RPC Endpoint Mapper, Port 135 (TCP)   Inbound communication to every domain controller from all systems.

Connection between the Audit Management Server and Audit Store

The following is the port requirement for communication towards the audit store. This rule should be set up inbound to the audit store system to allow SQL communication from the audit management server and the audit collectors:

SQL, Port 1433 (TCP) -- Inbound to the Audit Store

Connection between All Audited systems and Audit Collectors

The following is the port requirement for communication towards Audit Collector servers. This rule should be set up inbound to the Audit Collector servers to allow collection of audited data from every audited system (Windows, UNIX, and Linux):

Direct Audit, Port 5063 (TCP) -- Inbound to Audit Collector

Connection between All Connectors to AD Domain Controllers

The following are the port requirements for communication towards Active Directory (AD). These rules should be set up inbound to every domain controller and in all firewalls that sit between the IBM Security Connectors and the AD domain controllers. Be sure the following ports are open:

Port                                  Traffic Direction
Global Catalog, Port 3268 (TCP)       Inbound communication to every domain controller from the IBM Security Connector
LDAP, Port 389 (TCP/UDP)              Inbound communication to every domain controller from the IBM Security Connector
Kerberos, Port 88 (TCP)               Inbound communication to every domain controller from the IBM Security Connector
Kerberos Password, Port 464           Inbound communication to every domain controller from the IBM Security Connector
SMB/CIFS, Port 445 (TCP)              Inbound communication to every domain controller from the IBM Security Connector
Time Service, Port 123                Inbound communication to every domain controller from the IBM Security Connector
DNS, Port 53 (TCP/UDP)                Inbound communication to every domain controller from the IBM Security Connector
RPC Endpoint Mapper, Port 135 (TCP)   Inbound communication to every domain controller from the IBM Security Connector

If DNS is not AD-integrated, apply the DNS rule to the alternative DNS service instead.

To support network discovery, auditing, and domain account management, be sure the following ports are open between the connector and the domain controller:

  • Port 135 for inbound RPC endpoint mapper connections to enable a connector to join an Active Directory domain.
  • Port 49152-65535 (TCP) for inbound RPC endpoint (“TCP Dynamic”) connections to enable a connector to join an Active Directory domain.

Connection between Connector and Privileged Access Service

The following are the port requirements for communication towards Privileged Access Service. These rules should be set up outbound to the cloud tenant or to the on-premise Privileged Access Service.

  • HTTPS, Port 443 (TCP): Inbound from the IBM Security Connector to Privileged Access Service.
  • Internal "DirectTcp", Port 30001 (TCP): Outbound to the IBM Security Connector from Privileged Access Service.

Each additional connector must have its own IP address.

Connection between All Connectors to Linux Systems

The following are the port requirements for communication between the connector and Linux or UNIX systems:

Port                          Traffic Direction
SSH, Port 22 (TCP)            Inbound communication to every UNIX and Linux system from the IBM Security Connector
HTTPS, Port 443 (TCP)         Outbound communication from every UNIX and Linux system to the IBM Security Connector
API Proxy, Port 8080 (TCP)    Outbound communication from every UNIX and Linux system to the IBM Security Connector

Connection between All Connectors to Windows Systems

The following are the port requirements for communication between the connector and Windows systems:

Port                                                     Traffic Direction
RDP, Port 3389 or a custom port (TCP)                    Inbound communication to every Windows system from the IBM Security Connector
RPC Endpoint Mapper, Port 135 (TCP)                      Inbound communication to every Windows system from the IBM Security Connector
RPC Endpoint "TCP Dynamic", Port 49152-65535 (TCP)       Inbound communication to every Windows system from the IBM Security Connector
SMB/CIFS, Port 445 (TCP)                                 Inbound communication to every Windows system from the IBM Security Connector
WinRM over HTTP, Port 5985 (TCP)                         Inbound communication to every Windows system from the IBM Security Connector
WinRM over HTTPS, Port 5986 (TCP)                        Inbound communication to every Windows system from the IBM Security Connector
API Proxy, Port 8080 (TCP)                               Outbound communication from every Windows system to the IBM Security Connector
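As an added example (not part of the product documentation), the following PowerShell creates the inbound rules from the Windows-system table above, plus the DllHost.exe RPC Dynamic rule from the IIS application pool section, on the target Windows host. It scopes every rule to the connector's address so the ports are not exposed to the whole network; the connector IP 10.0.0.5, the rule group name and the display names are assumptions.

```powershell
# Added example, not the product's own script. Run in an elevated PowerShell session
# on the Windows system being managed. Placeholders: connector IP and rule group name.
$ConnectorAddress = '10.0.0.5'        # placeholder: replace with your connector's IP
$Group            = 'PAS Connector'   # group name so the rules can be reviewed or removed together
$DllHost          = "$env:SystemRoot\System32\dllhost.exe"

# Port table taken from the sections above. 'RPCEPMap' and 'RPC' are the built-in
# Windows Firewall keywords for the endpoint mapper (135) and the dynamic RPC range (49152-65535).
$Rules = @(
    @{ Name = 'RDP';                       Port = '3389' },      # or your custom RDP port
    @{ Name = 'RPC Endpoint Mapper';       Port = 'RPCEPMap' },
    @{ Name = 'RPC Dynamic';               Port = 'RPC' },
    @{ Name = 'SMB/CIFS';                  Port = '445' },
    @{ Name = 'WinRM over HTTP';           Port = '5985' },
    @{ Name = 'WinRM over HTTPS';          Port = '5986' },
    # IIS application pool discovery: dynamic RPC limited to the DllHost.exe process.
    @{ Name = 'IIS discovery DllHost RPC'; Port = 'RPC'; Program = $DllHost }
    # Port 139 (NB-Session-In) is listed only for Windows Server 2016; add it there if needed.
)

foreach ($r in $Rules) {
    $params = @{
        DisplayName   = "PAS Connector - $($r.Name) inbound"
        Group         = $Group
        Direction     = 'Inbound'
        Protocol      = 'TCP'
        LocalPort     = $r.Port
        RemoteAddress = $ConnectorAddress   # least privilege: only the connector may connect
        Profile       = 'Domain'
        Action        = 'Allow'
    }
    if ($r.Program) { $params.Program = $r.Program }
    # Idempotent: skip rules that already exist so the script can be re-run safely.
    if (Get-NetFirewallRule -DisplayName $params.DisplayName -ErrorAction SilentlyContinue) { continue }
    New-NetFirewallRule @params | Out-Null
}

# Review the result: port, remote-address scope and action for every rule in the group.
Get-NetFirewallRule -Group $Group | ForEach-Object {
    $port = ($_ | Get-NetFirewallPortFilter).LocalPort
    $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    '{0,-45} port {1,-9} from {2,-15} {3}' -f $_.DisplayName, $port, $addr, $_.Action
}
```

If you run more than one connector, pass all connector addresses to -RemoteAddress as an array rather than widening the scope to a whole subnet.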

For more information about port requirements, see Port Requirements.

Connection between All AD Domain Controllers to Windows Systems

The following are the port requirements for communication between the domain controller and Windows systems:

  • Port 135 (TCP) for inbound RPC endpoint mapper connections to enable the computer to join the Active Directory domain.
  • Port 49152-65535 (TCP) for inbound RPC endpoint connections (“TCP Dynamic”) to enable the computer to join the Active Directory domain.

Connection between the Connector and the Session Auditing Collector

The following is the port requirement for communication between the connector and the collector (auditing service) running on Windows:

Port 5063 (TCP) for inbound collector connections.

There are additional ports used by the collector service that are not required to be open for the Privileged Access Service. For more information about port requirements for auditing components, see the Auditing Administrator’s Guide.

Connection between the Connector and Remote Sessions

Below are the port requirements for communication between the connector and native local client sessions running on Windows:

  • Port 22 (TCP) for inbound connector connections when using a native secure shell (SSH) client for remote access.
  • Port 5555 (TCP) for inbound connector connections when using a native remote desktop protocol (RDP) client for remote access.

For more information about using a native local client for remote access, see Selecting user preferences.

Managing Firewall and External IP Address Requirements

All connections to the internet made by Privileged Access Service (including the IBM Security Connector and mobile management) are outbound in nature. No internet-facing ingress ports are required. All outbound connections are made over TCP to either port 80 or 443 and should not have any restrictions.

To provide the redundancy and availability of an always-available Privileged Access Service, the destination resource, IP address, and host for outbound connections vary over time among thousands of addresses, and the range of addresses itself changes as new resources are provisioned or removed.

Deep packet inspection filtering of HTTPS or SSL traffic by web proxies or security software may cause connectivity issues with Privileged Access Service. To allow for normal service operation, exclude the ports and addresses discussed below from packet inspection.

Option 1: Whitelist Source

Given the variability of connection targets, the simplest whitelist configuration is typically one where filters are based on the traffic source. Specifically, this means a configuration that allows all outbound traffic from the host machine and account running the IBM Security Connector, and all outbound requests made by iOS, Android, and Mac clients. This whitelist may be scoped at the machine, machine + account, or machine + account + process level, depending on the feature set of the security appliance or process in place.

Option 2: Whitelist Source Ports

You can also use a whitelist configuration where all outbound traffic on ports 80 and 443 is allowed from the host machine and account running the IBM Security Connector, as well as outbound requests made by iOS, Android, and Mac clients. This whitelist may be scoped at the machine, or machine + account, or machine + account + process level depending on the feature set of the security appliance or process in place.

Option 3: Whitelist Destination

If destination whitelisting is required, you can whitelist outbound ports or TCP Relay IP ranges.

Port    Resource
443     *.my.centrify.net (if you need to whitelist your tenant URL)
80      privacy-policy.truste.com
80      ocsp.digicert.com

If whitelisting an entire domain (*.centrify.com) is not acceptable per security policy, then you need to whitelist the TCP Relay IP ranges for your relevant Privileged Access Service tenant region. Refer to https://www.microsoft.com/en-us/download/confirmation.aspx?id=56519 for a list of Microsoft Azure data center IP ranges by region.

Tenants

If your tenant is on third-party servers, then you need to whitelist the IP ranges for your relevant Privileged Access Service tenant region. Download the relevant file that contains the IP address ranges information. For AWS you can download them from https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html.

Use the table below to find the TCPRelay IP address ranges for each tenant's region:

Region       IP Address Range
US East      3.14.30.0/27 (adding 4 May 2019)
             13.58.135.200/29
             18.216.13.0/26
             34.236.32.192/26
             34.236.241.0/29
US West      13.56.112.160/29
             13.56.112.192/26
             34.215.186.192/26
             34.214.243.200/29
             35.89.238.96/28
             35.89.238.128/27
Canada       35.183.13.0/26
             35.182.14.200/29
Europe       18.194.95.128/26
             18.194.95.32/29
             34.245.82.128/26
             34.245.82.72/29
Brazil       18.231.105.192/26
             18.231.194.0/29
Australia    13.211.166.128/26
             13.211.12.240/29
Singapore    13.250.186.64/26
             13.250.186.24/29
London       3.10.127.0/27
             3.10.127.64/26
             35.176.92.128/26
             35.176.92.72/29

For additional information about whitelisting a tenant for use with web proxies and firewalls, see KB-13446.