Review the firewall rules

The firewall rules for inbound communication and domain traffic in a Privileged Access Service deployment, including the ports and protocols used between the different components, depend on several factors. For example, different ports might be required to support specific features, such as network discovery and auditing, or for different system types.

Depending on the characteristics of your environment, you might want to review all or part of the port requirements described in the sections below.

For additional details, see the diagram in Management port for password operations. For connector firewall details, see Connector firewall and external IP address requirements.

Basic port requirements

Be sure the following ports are open for basic Privileged Access Service operation:

  • Port 53 (TCP/UDP) for communication between any service instance and the DNS server.
  • Port 443 or 555 (TCP) for secure HTTPS communication between any service instance and the connector.

Port requirements for IIS application pools

Be sure the following ports are open on the IIS server to allow discovery of IIS application pools and the accounts that run them:

  • Port 135 (TCP) for inbound communication with the RPC endpoint mapper program.
  • A custom inbound firewall rule to allow communication for the DllHost.exe process on all RPC Dynamic Ports.
  • Port 139 (TCP) for file and printer sharing (NB-Session-In) inbound communication if the operating system is Windows Server 2016.

For more information about configuring firewall rules for discovery, see System discovery pre-requisites.
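As an added example, not part of the Centrify documentation, the following PowerShell creates the three rules above on the IIS server with Windows Firewall. The connector address, the rule group name and the Domain profile are assumptions to adjust for your environment. The DllHost.exe rule is scoped to the program and to the RPC dynamic range rather than opening 49152-65535 to everything, every rule is restricted to the connector's address, and port 139 is opened only when the host reports Windows Server 2016.

```powershell
# Added example (not from the Centrify documentation): inbound rules on an IIS server
# for application-pool discovery, scoped to the connector's address.
$ConnectorAddress = @('10.0.1.25')       # assumption: IP address(es) of the Centrify Connector
$GroupName        = 'PAS IIS discovery'  # assumed group name, used to list or remove the rules later

# Port 135: RPC endpoint mapper, limited to the connector.
New-NetFirewallRule -DisplayName 'PAS IIS discovery - RPC endpoint mapper' -Group $GroupName `
    -Direction Inbound -Protocol TCP -LocalPort 135 `
    -RemoteAddress $ConnectorAddress -Profile Domain -Action Allow | Out-Null

# Dynamic RPC ports for DllHost.exe: -LocalPort RPC lets Windows Firewall track the
# dynamic range for this program instead of a static 49152-65535 hole.
New-NetFirewallRule -DisplayName 'PAS IIS discovery - DllHost RPC dynamic' -Group $GroupName `
    -Direction Inbound -Protocol TCP -LocalPort RPC `
    -Program "$env:SystemRoot\System32\dllhost.exe" `
    -RemoteAddress $ConnectorAddress -Profile Domain -Action Allow | Out-Null

# Port 139 (NB-Session-In) only where the requirement applies: Windows Server 2016.
$osCaption = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
if ($osCaption -like '*Server 2016*') {
    New-NetFirewallRule -DisplayName 'PAS IIS discovery - NB-Session-In' -Group $GroupName `
        -Direction Inbound -Protocol TCP -LocalPort 139 `
        -RemoteAddress $ConnectorAddress -Profile Domain -Action Allow | Out-Null
}

# Verify the result: rule name, local port filter and remote-address scope.
Get-NetFirewallRule -Group $GroupName | ForEach-Object {
    $portFilter = $_ | Get-NetFirewallPortFilter
    $addrFilter = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Enabled   = $_.Enabled
        Protocol  = $portFilter.Protocol
        LocalPort = ($portFilter.LocalPort -join ',')
        Remote    = ($addrFilter.RemoteAddress -join ',')
    }
} | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the IIS server. Because the rules share a group name, Remove-NetFirewallRule -Group 'PAS IIS discovery' removes all of them again when discovery is no longer needed.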

Connection between all systems and Active Directory Domain Controllers

The following ports are required for communication towards Active Directory. Set up these rules inbound on every Domain Controller, and on any firewall that sits between the Domain Controllers and the Centrify Audit Management Server or the UNIX and Linux systems that will be joined to AD using Centrify.

Port                                  Traffic direction
LDAP, Port 389 (TCP/UDP)              Inbound to every Domain Controller from all systems.
Global Catalog, Port 3268 (TCP)       Inbound to every Domain Controller from all systems.
DNS, Port 53 (TCP/UDP)                Inbound to every Domain Controller from all systems.
Kerberos, Port 88 (TCP)               Inbound to every Domain Controller from all systems.
Kerberos Password, Port 464 (TCP)     Inbound to every Domain Controller from all systems.
SMB/CIFS, Port 445 (TCP)              Inbound to every Domain Controller from all systems.
Time Service (NTP), Port 123 (UDP)    Inbound to every Domain Controller from all systems.
RPC Endpoint Mapper, Port 135 (TCP)   Inbound to every Domain Controller from all systems.

Connection between Centrify Audit Management Server and Centrify Audit Store

The following port is required for communication towards the Centrify Audit Store. Set up this rule inbound on the Audit Store system to allow SQL connections from the Centrify Audit Management Server and the Centrify Audit Collectors:

SQL, Port 1433 (TCP): inbound to the Centrify Audit Store.

Connection between all audited systems and Centrify Audit Collectors

The following port is required for communication towards the Centrify Audit Collector servers. Set up this rule inbound on every Centrify Audit Collector so that audited session data can be collected from every audited system (Windows, UNIX, and Linux):

Direct Audit, Port 5063 (TCP): inbound to the Centrify Audit Collector.

Connection between all connectors and Active Directory Domain Controllers

The following ports are required for communication towards Active Directory (AD). Set up these rules inbound on every Domain Controller and on every firewall between the Centrify Connectors and the AD Domain Controllers. Be sure the following ports are open:

Port                                  Traffic direction
Global Catalog, Port 3268 (TCP)       Inbound to every Domain Controller from the Centrify Connector.
LDAP, Port 389 (TCP/UDP)              Inbound to every Domain Controller from the Centrify Connector.
Kerberos, Port 88 (TCP)               Inbound to every Domain Controller from the Centrify Connector.
Kerberos Password, Port 464 (TCP)     Inbound to every Domain Controller from the Centrify Connector.
SMB/CIFS, Port 445 (TCP)              Inbound to every Domain Controller from the Centrify Connector.
Time Service (NTP), Port 123 (UDP)    Inbound to every Domain Controller from the Centrify Connector.
DNS, Port 53 (TCP/UDP)                Inbound to every Domain Controller from the Centrify Connector.
RPC Endpoint Mapper, Port 135 (TCP)   Inbound to every Domain Controller from the Centrify Connector.

Note:   If DNS is not AD-integrated, the DNS rule applies to the alternative DNS server instead of the Domain Controller.

To support network discovery, auditing, and domain account management, be sure the following ports are open between the connector and the domain controller:

  • Port 135 (TCP) for inbound RPC endpoint mapper connections to enable a connector to join an Active Directory domain.
  • Port 49152-65535 (TCP) for inbound RPC endpoint (“TCP Dynamic”) connections to enable a connector to join an Active Directory domain.

Connection between Centrify Connector and Privileged Access Service

The following ports are required for communication towards Privileged Access Service. Set up these rules outbound from the connector to the cloud tenant or to the on-premise Privileged Access Service:

  • HTTPS, Port 443 (TCP): outbound from the connector, inbound to Centrify Cloud or the on-premise Privileged Access Service.
  • Internal "DirectTcp", Port 30001 (TCP): outbound from Privileged Access Service to the connector.

Note:   Each additional connector must have its own IP address.

Connection between all connectors and Linux systems

The following ports are required for communication between the connector and UNIX or Linux systems:

Port                          Traffic direction
SSH, Port 22 (TCP)            Inbound to every UNIX and Linux system from the Centrify Connector.
HTTPS, Port 443 (TCP)         Outbound from every UNIX and Linux system to the Centrify Connector.
API Proxy, Port 8080 (TCP)    Outbound from every UNIX and Linux system to the Centrify Connector.

Connection between all connectors and Windows systems

The following ports are required for communication between the connector and Windows systems:

Port                                                 Traffic direction
RDP, Port 3389 or a custom port (TCP)                Inbound to every Windows system from the Centrify Connector.
RPC Endpoint Mapper, Port 135 (TCP)                  Inbound to every Windows system from the Centrify Connector.
RPC Endpoint "TCP Dynamic", Port 49152-65535 (TCP)   Inbound to every Windows system from the Centrify Connector.
SMB/CIFS, Port 445 (TCP)                             Inbound to every Windows system from the Centrify Connector.
WinRM over HTTP, Port 5985 (TCP)                     Inbound to every Windows system from the Centrify Connector.
WinRM over HTTPS, Port 5986 (TCP)                    Inbound to every Windows system from the Centrify Connector.
API Proxy, Port 8080 (TCP)                           Outbound from every Windows system to the Centrify Connector.

Connection between all Active Directory Domain Controllers and Windows systems

Below, the port requirements for communication between the domain controller and Windows systems:

  • Port 135 (TCP) for inbound RPC endpoint mapper connections to enable the computer to join the Active Directory domain.
  • Port 49152-65535 (TCP) for inbound RPC endpoint connections (“TCP Dynamic”) to enable the computer to join the Active Directory domain.

Connection between the connector and the session auditing collector

Below, the port requirements for communication between the connector and collector auditing service running on Windows:

  • Port 5063 (TCP) for inbound collector connections.

Note:   There are additional ports used by the collector service that are not required to be open for the Privileged Access Service. For more information about port requirements for auditing components, see the Auditing Administrator’s Guide.
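As an added check, not part of the Centrify documentation, the following PowerShell is run on the connector and tests TCP reachability of the ports listed in the sections above for a domain controller, a Windows system, a Linux system and an audit collector. The host names are placeholders to replace with your own. Test-NetConnection only exercises TCP, so UDP 53, 389 and 123 and the dynamic RPC range (49152-65535) are not covered and must be verified separately.

```powershell
# Added example (not from the Centrify documentation): connector-side reachability check
# for the inbound ports each target type must accept. Host names are placeholders.
$Targets = @(
    @{ Role = 'Domain Controller'; Host = 'dc01.corp.example';         Ports = 53, 88, 135, 389, 445, 464, 3268 }
    @{ Role = 'Windows system';    Host = 'win-app01.corp.example';    Ports = 135, 445, 3389, 5985, 5986 }
    @{ Role = 'Linux system';      Host = 'lnx-db01.corp.example';     Ports = 22 }
    @{ Role = 'Audit collector';   Host = 'collector01.corp.example';  Ports = 5063 }
)

$results = foreach ($target in $Targets) {
    foreach ($port in $target.Ports) {
        # TCP-only probe; UDP services and the dynamic RPC range are outside its reach.
        $probe = Test-NetConnection -ComputerName $target.Host -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Role = $target.Role
            Host = $target.Host
            Port = $port
            Open = $probe.TcpTestSucceeded
        }
    }
}

$results | Format-Table -AutoSize

# Anything not open points at a missing inbound rule on the target or a firewall in between.
$blocked = @($results | Where-Object { -not $_.Open })
if ($blocked.Count -gt 0) {
    Write-Warning ("{0} port(s) unreachable from this connector:" -f $blocked.Count)
    $blocked | Format-Table Role, Host, Port -AutoSize
}
```

A failed probe on port 135 combined with a successful one on 445 against the same host usually means the RPC endpoint mapper rule was never created; a successful 135 with failing RPC-based operations points at the dynamic range instead, which this script cannot probe directly.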

Connection between the connector and remote sessions

Below, the port requirements for communication between the connector and native local client sessions running on Windows:

  • Port 22 (TCP) for inbound connector connections when using a native secure shell (SSH) client for remote access.
  • Port 5555 (TCP) for inbound connector connections when using a native remote desktop protocol (RDP) client for remote access.

For more information about using a native local client for remote access, see Selecting user preferences.