Ports Used by Verify Privilege Vault
Overview
This article lists ports typically used in Verify Privilege Vault. Please note the following:
- The RPC Dynamic Port ranges are a range of ports utilized by Microsoft's Remote Procedure Call (RPC) functionality. This port range varies by operating system. For Windows Server 2008 or greater, this port range is 49152 to 65535 and this entire port range must be open for RPC technology to work. The RPC range is needed to perform Remote Password Changing since Verify Privilege Vault will need to connect to the computer using DCOM protocol.
- The range can vary separately for Exchange servers. For more information about changing the RPC port range, see the related Microsoft's Knowledge Base article on how to configure RPC dynamic port allocation to work with firewalls.
- To see your ipv4 dynamic range on a given machine, type
netsh int ipv4 show dynamicport tcpin the command line. - To specify a specific port on your environment that Verify Privilege Vault will communicate to, see the related article on enabling WMI ports on Windows client machines.
Port Listing
Table: Active Directory Sync Ports
| Type of Traffic | Port Number |
|---|---|
| Kerberos | TCP/88, UDP/88 |
| LDAP | TCP/389, UDP/389 |
| LDAPS | TCP/636, UDP/636 |
| SMB/Microsoft-DS | TCP445, UDP/445 |
Table: Discovery Ports
| Type of Traffic | Port Number |
|---|---|
| RPC Dynamic Port Range | TCP/49152-65535, UDP/49152-65535 |
| SMB/Microsoft-DS | TCP/445, UDP/445 |
| RPC Endpoint Mapper | TCP/135 |
| SSH | TCP/22 |
Table: Distributed Engines and Application Servers
| Type of Traffic | Port Number |
|---|---|
| RDP Proxy | TCP/3390 |
| RDP Proxy Outbound | TCP/3389 |
| SSH Proxy | TCP/22 |
| SSH Terminal | TCP/22 |
Table: Remote Password Changing Ports
| Type of Traffic | Port Number |
|---|---|
| RPC Dynamic Port Range | TCP/49152-65535, UDP/49152-65535 |
| SSH | TCP/22 |
| Telnet | TCP/23 |
| Microsoft SQL | TCP/1433, UDP/1434 |
| SMB/Microsoft-DS | TCP/445, UDP/445 |
| LDAP | TCP/389, UDP/389 |
| LDAPS | TCP/636, UDP/636 |
| Sybase | TCP/2638, TCP/5000 |
| Oracle Listener | TCP/1521 |
| Kerberos Password Change | TCP/464, UDP/464 |
| Windows Privileged Account (WinNT ADSI Service Provider) | TCP/139 |
| RPC Endpoint Mapper | TCP/135 |
| Entra ID Microsoft Graph API | TCP/443 |
Table: Web Server Incoming Ports
| Type of Traffic | Port Number |
|---|---|
| HTTP | TCP/80 |
| HTTPS | TCP/443 |
Table: Database Server Incoming Ports
| Type of Traffic | Port Number |
|---|---|
| SQL Connection | TCP/1433, UDP/1434 |
Table: Email Ports
| Type of Traffic | Port Number |
|---|---|
| SMTP | TCP/25 |
Table: RADIUS Server Ports
| Type of Traffic | Port Number |
|---|---|
| RADIUS Authentication | UDP/1812 |
Table: Syslog Ports
| Type of Traffic | Port Number |
|---|---|
| Syslog | TCP/514, UDP/514 |
Table: Internal Site Connector Ports
| Type of Traffic | Port Number |
|---|---|
| RabbitMQ | TCP/5672 (non-SSL), TCP/5671 (SSL) |
| MemoryMQ | TCP/8672 (non-SSL), TCP/8671 (SSL) |
Table: RabbitMQ Clustering Ports
| Type of Traffic | Port Number |
|---|---|
| EPMD | TCP/4369 |
| Inter-node Communication | TCP/25672 |
Web Application Firewall (WAF)
IP Address allow-listing is not necessary unless outbound firewall rules are in place. Generally, the public IP the hostname resolves to is based on geographical location of the request source. All IPs below should be allow-listed to ensure uninterrupted connectivity.
All regions:
-
45.60.32.37
-
45.60.34.37
-
45.60.36.37
-
45.60.38.37
-
45.60.40.37
-
45.60.104.37