Firewall and external IP address requirements

All connections to the internet made by Privileged Access Service (including Centrify Connector and mobile management) are outbound in nature. No internet facing ingress ports are required. All outbound connections are made via TCP to either port 80 or 443 and should not have any restrictions.

To provide the redundancy and availability of an always available Privileged Access Service, the destination resource, IP address, and host for outbound connections will vary over time amongst thousands of addresses. Additionally, the range of which also changes as new resources are provisioned or removed.

Note:   Use of deep packet inspection filtering of HTTPS or SSL traffic by web proxies or security software may cause connectivity issues with Privileged Access Service. In all cases, the ports and addresses discussed below should be excluded from packet inspection to allow for normal service operation.

Option 1: Whitelist Source

Given the variability of connection targets, the simplest whitelist configuration is typically one where filters are based on the traffic source. Specifically, it relates to configurations where you allow all outbound traffic from the host machine and account running the Centrify Connector and for outbound requests made by iOS, Android, and Mac clients. This whitelist may be scoped at the machine, or machine + account, or machine + account + process level depending on the feature set of the security appliance or process in place.

Option 2: Whitelist Source Ports

You can also use a whitelist configuration where all outbound traffic on ports 80 and 443 is allowed from the host machine and account running the Centrify Connector, as well as outbound requests made by iOS, Android, and Mac clients. This whitelist may be scoped at the machine, or machine + account, or machine + account + process level depending on the feature set of the security appliance or process in place.

Option 3: Whitelist Destination

If destination whitelisting is required, you can whitelist outbound ports or TCP Relay IP ranges.

Port numbers Resource

443

*.centrify.com or
*.my.centrify.net (if you need to whitelist your tenant URL)

80

www.public-trust.com

80

privacy-policy.truste.com

80

ocsp.verisign.com

Port numbers Resource

443

*https://cloud.centrify.com/

80

www.public.trust.com

80

privacy-policy.truste.com

80

ocsp.verisign.com

If whitelisting an entire domain (*.centrify.com) is not acceptable per security policy, then you need to whitelist the TCP Relay IP ranges for your relevant Privileged Access Service tenant region. Refer to https://www.microsoft.com/en-us/download/details.aspx?id=41653 for a list of Microsoft Azure datacenter IP ranges by region.

AWS Tenants

If your tenant is on Amazon Web Services (AWS) servers, then you need to whitelist the IP ranges for your relevant Privileged Access Service tenant region. Download the relevant file that contains the IP address ranges information from https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html.

Use the table below to find the AWS TCPRelay IP address ranges for each tenant's region:

Region IP Address Range
US East

3.14.30.0/27 (adding 4 May 2019)

18.216.13.0/26

34.236.32.192/26

34.236.241.0/29

34.214.243.200/29

US West

13.56.112.160/29

13.56.112.192/26

34.215.186.192/26

34.214.243.200/29

Canada

35.183.13.0/26

35.182.14.200/29

Europe

18.194.95.128/26

18.194.95.32/29

34.245.82.128/26

34.245.82.72/29

35.176.92.72/29

35.176.92.128/26

Brazil

18.231.105.192/26

18.231.194.0/29

Australia

13.211.166.128/26

13.211.12.240/29

Japan

13.231.6.128/26

13.231.6.96/26

Singapore

13.250.186.64/26

13.250.186.24/29

For additional information about whitelisting a tenant for use with web proxies and firewalls, see KB-13446.