Firewall and external IP address requirements
All connections to the internet made by Privileged Access Service (including Centrify Connector and mobile management) are outbound in nature. No internet facing ingress ports are required. All outbound connections are made via TCP to either port 80 or 443 and should not have any restrictions.
To provide the redundancy and availability of an always available Privileged Access Service, the destination resource, IP address, and host for outbound connections will vary over time amongst thousands of addresses. Additionally, the range of which also changes as new resources are provisioned or removed.
Note: Use of deep packet inspection filtering of HTTPS or SSL traffic by web proxies or security software may cause connectivity issues with Privileged Access Service. In all cases, the ports and addresses discussed below should be excluded from packet inspection to allow for normal service operation.
Option 1: Whitelist Source
Given the variability of connection targets, the simplest whitelist configuration is typically one where filters are based on the traffic source. Specifically, it relates to configurations where you allow all outbound traffic from the host machine and account running the Centrify Connector and for outbound requests made by iOS, Android, and Mac clients. This whitelist may be scoped at the machine, or machine + account, or machine + account + process level depending on the feature set of the security appliance or process in place.
Option 2: Whitelist Source Ports
You can also use a whitelist configuration where all outbound traffic on ports 80 and 443 is allowed from the host machine and account running the Centrify Connector, as well as outbound requests made by iOS, Android, and Mac clients. This whitelist may be scoped at the machine, or machine + account, or machine + account + process level depending on the feature set of the security appliance or process in place.
Option 3: Whitelist Destination
If destination whitelisting is required, you can whitelist outbound ports or TCP Relay IP ranges.
Port numbers | Resource |
443 |
*..centrify.com or |
80 |
www.public-trust.com |
80 |
privacy-policy.truste.com |
80 |
ocsp.digicert.com |
Port numbers | Resource |
443 |
*https://cloud.centrify.com/ |
80 |
www.public.trust.com |
80 |
privacy-policy.truste.com |
80 |
ocsp.verisign.com |
If whitelisting an entire domain
AWS Tenants
If your tenant is on Amazon Web Services (AWS) servers, then you need to whitelist the IP ranges for your relevant Privileged Access Service tenant region. Download the relevant file that contains the IP address ranges information from https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html.
Use the table below to find the AWS TCPRelay IP address ranges for each tenant's region:
Region | IP Address Range | ||||
US East |
3.14.30.0/27 (adding 4 May 2019) 13.58.135.200/29 18.216.13.0/26 34.236.32.192/26 34.236.241.0/29 |
||||
US West |
13.56.112.160/29 13.56.112.192/26 34.215.186.192/26 34.214.243.200/29 |
||||
Canada |
35.183.13.0/26 35.182.14.200/29 |
||||
Europe |
18.194.95.128/26 18.194.95.32/29 34.245.82.128/26 34.245.82.72/29 |
||||
Brazil |
18.231.105.192/26 18.231.194.0/29 |
||||
Australia |
13.211.166.128/26 13.211.12.240/29 |
||||
Japan |
13.231.6.128/26 13.231.6.96/26 |
||||
Singapore |
13.250.186.64/26 13.250.186.24/29 |
||||
London |
|
For additional information about whitelisting a tenant for use with web proxies and firewalls, see KB-13446.