Review the Firewall Rules

The firewall rules for inbound communication and domain traffic in a Privileged Access Service deployment, including the ports and protocols used between different components, depend on several factors. For example, different ports might be required to support specific features, such as network discovery and auditing, or for different system types.

Depending on the characteristics of your environment, you might want to review all or part of the port requirements:

For additional details, see the diagram in Management port for password operations. For connector firewall details, see Firewall and External IP Address Requirements.

Basic Port Requirements

Be sure the following ports are open for basic Privileged Access Service operation:

  • Port 53 (TCP/UDP) for communication between any service instance and the DNS server.
  • Port 443 or 555 (TCP) for secure HTTPS communication between any service instance and the connector.

Port Requirements for IIS Applications Pools

Be sure the following ports are open on the IIS server to allow discovery of IIS application pools and related accounts:

  • Port 135 (TCP) for inbound communication with the RPC endpoint mapper program.
  • A custom inbound firewall rule to allow communication for the DllHost.exe process on all RPC Dynamic Ports.
  • Port 139 (TCP) for file and printer sharing (NB-Session-In) inbound communication if the operating system is Windows Server 2016.

For more information about configuring firewall rules for discovery, see System discovery pre-requisites.
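The three IIS discovery rules above can be created from an elevated PowerShell session on the IIS server. The script below is an added example, not a Delinea script: it scopes every rule to the connector's address (the parameter name Add-IisDiscoveryFirewallRule, the rule group name and the sample address 10.0.1.25 are assumed placeholders), opens the dynamic RPC ports for DllHost.exe only, rather than a static 49152-65535 range, and adds the NetBIOS session rule only when the host is Windows Server 2016.

```powershell
function Add-IisDiscoveryFirewallRule {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Address or subnet of the Delinea Connector that performs discovery.
        # Constructed placeholder: scope the rules to it instead of 'Any'.
        [Parameter(Mandatory)]
        [string[]]$ConnectorAddress,

        # Assumed group name so the rules can be reviewed or removed together.
        [string]$Group = 'Delinea PAS Discovery'
    )

    # Settings shared by every rule: inbound TCP, domain profile only,
    # restricted to the connector address(es).
    $common = @{
        Direction     = 'Inbound'
        Protocol      = 'TCP'
        Action        = 'Allow'
        Profile       = 'Domain'
        RemoteAddress = $ConnectorAddress
        Group         = $Group
    }

    # Port 135: the RPC endpoint mapper, the first hop for DCOM/WMI discovery.
    if ($PSCmdlet.ShouldProcess('RPC endpoint mapper (135)', 'New-NetFirewallRule')) {
        New-NetFirewallRule @common -DisplayName 'PAS Discovery - RPC Endpoint Mapper' -LocalPort 135
    }

    # DllHost.exe on all RPC dynamic ports. LocalPort 'RPC' makes the firewall
    # follow whatever port the endpoint mapper hands out, so no static hole
    # across the whole dynamic range is opened.
    if ($PSCmdlet.ShouldProcess('DllHost.exe RPC dynamic ports', 'New-NetFirewallRule')) {
        New-NetFirewallRule @common -DisplayName 'PAS Discovery - DllHost RPC Dynamic' `
            -Program "$env:SystemRoot\System32\dllhost.exe" -LocalPort RPC
    }

    # Port 139 (NB-Session-In) is only required on Windows Server 2016.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    if ($os.Caption -like '*Server 2016*') {
        if ($PSCmdlet.ShouldProcess('NetBIOS session (139)', 'New-NetFirewallRule')) {
            New-NetFirewallRule @common -DisplayName 'PAS Discovery - NB-Session-In' -LocalPort 139
        }
    }
}

# Usage (elevated, on the IIS server):
# Add-IisDiscoveryFirewallRule -ConnectorAddress '10.0.1.25' -WhatIf   # preview only
# Add-IisDiscoveryFirewallRule -ConnectorAddress '10.0.1.25'
```

Run it with -WhatIf first to see which rules would be created. If the IIS server is reached through more than one connector, pass all connector addresses so the rules stay limited to those hosts.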

Connection between All Systems and AD Domain Controllers

The following ports must be open for communication with Active Directory (AD). Configure these rules inbound on every domain controller and on any firewall between the Delinea Audit Management Server and every UNIX and Linux system that will be joined to AD using Delinea.

Port                                  Traffic Direction
LDAP, Port 389 (TCP/UDP)              Inbound communication to every domain controller from all systems.
Global Catalog, Port 3268 (TCP)       Inbound communication to every domain controller from all systems.
DNS, Port 53 (TCP/UDP)                Inbound communication to every domain controller from all systems.
Kerberos, Port 88 (TCP)               Inbound communication to every domain controller from all systems.
Kerberos Password, Port 464 (TCP)     Inbound communication to every domain controller from all systems.
SMB/CIFS, Port 445 (TCP)              Inbound communication to every domain controller from all systems.
Time Service, Port 123 (TCP)          Inbound communication to every domain controller from all systems.
RPC Endpoint Mapper, Port 135 (TCP)   Inbound communication to every domain controller from all systems.

Connection between the Audit Management Server and Audit Store

The following port must be open for communication with the audit store. Configure this rule inbound on the audit store system to allow SQL communication from the audit management server and the audit collectors:

SQL, Port 1433 (TCP) -- Inbound to the Audit Store

Connection between All Audited systems and Audit Collectors

The following port must be open for communication with the Audit Collector servers. Configure this rule inbound on every Audit Collector server to allow collection of audited data from every audited system (Windows, UNIX, and Linux):

Direct Audit, Port 5063 (TCP) -- Inbound to Audit Collector

Connection between All Connectors to AD Domain Controllers

The following ports must be open for communication with Active Directory (AD). Configure these rules inbound on every domain controller and on every firewall between the Delinea Connectors and the AD domain controllers:

Port                                  Traffic Direction
Global Catalog, Port 3268 (TCP)       Inbound communication to every domain controller from the Delinea Connector
LDAP, Port 389 (TCP/UDP)              Inbound communication to every domain controller from the Delinea Connector
Kerberos, Port 88 (TCP)               Inbound communication to every domain controller from the Delinea Connector
Kerberos Password, Port 464           Inbound communication to every domain controller from the Delinea Connector
SMB/CIFS, Port 445 (TCP)              Inbound communication to every domain controller from the Delinea Connector
Time Service, Port 123                Inbound communication to every domain controller from the Delinea Connector
DNS, Port 53 (TCP/UDP)                Inbound communication to every domain controller from the Delinea Connector
RPC Endpoint Mapper, Port 135 (TCP)   Inbound communication to every domain controller from the Delinea Connector

If DNS is not AD-integrated, apply the DNS rule to the alternative DNS service instead of the domain controller.

To support network discovery, auditing, and domain account management, be sure the following ports are open between the connector and the domain controller:

  • Port 135 for inbound RPC endpoint mapper connections to enable a connector to join an Active Directory domain.
  • Port 49152-65535 (TCP) for inbound RPC endpoint (“TCP Dynamic”) connections to enable a connector to join an Active Directory domain.
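Both domain controller tables above (the one for all systems and the one for the connector) list the same TCP ports, so a single pre-flight check covers both. The function below is an added example, not Delinea tooling: run it on a domain-joined Windows system or on the connector and it probes each domain controller on every listed port with Test-NetConnection, returning one row per port. Test-PasDomainControllerPorts is an assumed name; the default DC list comes from the domain's _ldap._tcp.dc._msdcs SRV records and can be overridden.

```powershell
function Test-PasDomainControllerPorts {
    [CmdletBinding()]
    param(
        # Domain controllers to probe. Default: the DCs advertised in the
        # domain's SRV records (requires the host to be domain-joined).
        [string[]]$DomainController = (
            Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN" |
                Where-Object NameTarget | Select-Object -ExpandProperty NameTarget -Unique
        )
    )

    # TCP ports from the domain controller tables above. Test-NetConnection
    # only probes TCP, so the UDP side of DNS (53) and LDAP (389) is not
    # covered. Port 123 is listed as TCP on this page; the Windows Time
    # service normally listens on UDP 123, so a closed result here does not
    # by itself mean time sync is blocked. The RPC dynamic range is not
    # probed port by port; a reachable endpoint mapper (135) is the prerequisite.
    $ports = [ordered]@{
        'LDAP'                = 389
        'Global Catalog'      = 3268
        'DNS'                 = 53
        'Kerberos'            = 88
        'Kerberos Password'   = 464
        'SMB/CIFS'            = 445
        'Time Service'        = 123
        'RPC Endpoint Mapper' = 135
    }

    foreach ($dc in $DomainController) {
        foreach ($entry in $ports.GetEnumerator()) {
            # -InformationLevel Quiet returns a plain $true/$false; the warning
            # on a failed connect is suppressed because the result row records it.
            $open = Test-NetConnection -ComputerName $dc -Port $entry.Value `
                -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{
                DomainController = $dc
                Service          = $entry.Key
                Port             = $entry.Value
                TcpOpen          = $open
            }
        }
    }
}

# Usage: show only the ports that are blocked, so the firewall gap is obvious.
# Test-PasDomainControllerPorts | Where-Object { -not $_.TcpOpen } | Format-Table
# Explicit DC list:
# Test-PasDomainControllerPorts -DomainController 'dc01.corp.example', 'dc02.corp.example'
```

A closed port in this output means the path from the probing host to that domain controller is blocked somewhere (host firewall on the DC or an intermediate firewall), which is exactly the rule set the two tables describe.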

Connection between Connector and Privileged Access Service

The following ports must be open for communication with Privileged Access Service. Configure these rules outbound to the cloud tenant or to the on-premises Privileged Access Service.

  • HTTPS, Port 443 (TCP) -- Inbound from the Delinea Connector to Privileged Access Service.
  • Internal "DirectTcp", Port 30001 (TCP) -- Outbound from Privileged Access Service to the Delinea Connector.
Each additional connector must have its own IP address.

Connection between All Connectors to Linux Systems

The following ports must be open for communication between the connector and Linux or UNIX systems:

Port                          Traffic Direction
SSH, Port 22 (TCP)            Inbound communication to every UNIX and Linux system from the Delinea Connector
HTTPS, Port 443 (TCP)         Outbound communication from every UNIX and Linux system to the Delinea Connector
API Proxy, Port 8080 (TCP)    Outbound communication from every UNIX and Linux system to the Delinea Connector

Connection between All Connectors to Windows Systems

The following ports must be open for communication between the connector and Windows systems:

Port                                                  Traffic Direction
RDP, Port 3389 or a custom port (TCP)                 Inbound communication to every Windows system from the Delinea Connector
RPC Endpoint Mapper, Port 135 (TCP)                   Inbound communication to every Windows system from the Delinea Connector
RPC Endpoint "TCP Dynamic", Port 49152-65535 (TCP)    Inbound communication to every Windows system from the Delinea Connector
SMB/CIFS, Port 445 (TCP)                              Inbound communication to every Windows system from the Delinea Connector
WinRM over HTTP, Port 5985 (TCP)                      Inbound communication to every Windows system from the Delinea Connector
WinRM over HTTPS, Port 5986 (TCP)                     Inbound communication to every Windows system from the Delinea Connector
API Proxy, Port 8080 (TCP)                            Outbound communication from every Windows system to the Delinea Connector

For more information about port requirements, see Port Requirements.
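The inbound ports in the Windows table above (RDP, RPC, SMB, WinRM) are high-value services, so the review question on each managed Windows system is not only "is the port open?" but "open to whom?". The script below is an added example, not Delinea tooling, written from the reviewing side: it lists the enabled inbound allow rules on the local system that cover those ports and reports whether each rule's remote address scope is limited to the connector. Get-ConnectorFacingFirewallRule, Test-LocalPortCoversPort and the sample connector address 10.0.1.25 are assumed placeholders.

```powershell
# Decide whether a rule's LocalPort value ('Any', 'RPC', 'RPCEPMap', a single
# port or a range such as '49152-65535') covers any port of interest.
function Test-LocalPortCoversPort {
    param([string]$LocalPort, [int[]]$Port)
    switch -Regex ($LocalPort) {
        '^Any$'         { return $true }
        '^RPC$'         { return $true }                     # dynamic RPC ports
        '^RPCEPMap$'    { return (135 -in $Port) }           # endpoint mapper
        '^\d+$'         { return ([int]$LocalPort -in $Port) }
        '^(\d+)-(\d+)$' {
            $lo = [int]$Matches[1]; $hi = [int]$Matches[2]
            return [bool]($Port | Where-Object { $_ -ge $lo -and $_ -le $hi })
        }
        default         { return $false }
    }
}

function Get-ConnectorFacingFirewallRule {
    [CmdletBinding()]
    param(
        # Address(es) the connector connects from. Constructed placeholder;
        # any rule whose remote scope is broader than this list is flagged.
        [string[]]$ConnectorAddress = @('10.0.1.25'),

        # Inbound TCP ports from the Windows table above.
        [int[]]$Port = @(3389, 135, 445, 5985, 5986)
    )

    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow
    foreach ($rule in $rules) {
        $portFilter = $rule | Get-NetFirewallPortFilter
        if ($portFilter.Protocol -ne 'TCP') { continue }

        $covered = @($portFilter.LocalPort) |
            Where-Object { Test-LocalPortCoversPort -LocalPort $_ -Port $Port }
        if (-not $covered) { continue }

        $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        # Scoped only if no 'Any' and every listed address is a connector address.
        $scopedToConnector = ($remote -notcontains 'Any') -and
            -not ($remote | Where-Object { $_ -notin $ConnectorAddress })

        [pscustomobject]@{
            Rule              = $rule.DisplayName
            Profile           = $rule.Profile
            LocalPort         = ($covered -join ',')
            RemoteAddress     = ($remote -join ',')
            ScopedToConnector = $scopedToConnector
        }
    }
}

# Usage: rules that expose connector-facing ports to more than the connector.
# Get-ConnectorFacingFirewallRule | Where-Object { -not $_.ScopedToConnector } | Format-Table -AutoSize
```

Each rule costs two CIM queries, so on a host with hundreds of rules the scan takes a little while; the output is still a useful baseline to keep alongside the port table when the rules are reviewed.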

Connection between All AD Domain Controllers to Windows Systems

The following ports must be open for communication between the domain controller and Windows systems:

  • Port 135 (TCP) for inbound RPC endpoint mapper connections to enable the computer to join the Active Directory domain.
  • Port 49152-65535 (TCP) for inbound RPC endpoint connections (“TCP Dynamic”) to enable the computer to join the Active Directory domain.

Connection between the Connector and the Session Auditing Collector

The following port must be open for communication between the connector and the collector auditing service running on Windows:

Port 5063 (TCP) for inbound collector connections.

There are additional ports used by the collector service that are not required to be open for the Privileged Access Service. For more information about port requirements for auditing components, see the Auditing Administrator’s Guide.

Connection between the Connector and Remote Sessions

Below are the port requirements for communication between the connector and native local client sessions running on Windows:

  • Port 22 (TCP) for inbound connector connections when using a native secure shell (SSH) client for remote access.
  • Port 5555 (TCP) for inbound connector connections when using a native remote desktop protocol (RDP) client for remote access.

For more information about using a native local client for remote access, see Selecting user preferences.