Ports for communication between components

As discussed in Review the firewall rules, there are ports required for connections between components. The following summarizes the ports that must be open for inbound communication to manage privileged access services.

Connector to Active Directory ports (inbound)

Global Catalog: 3268

LDAP: 389

Kerberos: 88

Kerberos Password: 464

SMB/CIFS: 445 for password management

Time Service: 123

RPC Endpoint Mapper: 135 (allows the connector to join to an Active Directory domain)

RPC Endpoint (TCP Dynamic): 49152-65535

Server to the connector (inbound)

The server—sometimes referred to as the cloud or application server— handles routing of requests and starting the processes used for management operations.

HTTPS default port 443

DirectTCP port 30001

Ports on the target Windows server (inbound)

RDP 3389

RPC Endpoint Mapper 135

RPC Endpoint (“TCP Dynamic”) 49152-65535

Ports for discovery, testing connectivity, and password management mode


WinRM over HTTP 5985

WinRM over HTTPS 5986

RPC over TCP

Ports on the connector for the target Windows server (inbound)

RDP 3389

RPC Endpoint Mapper 135

RDP 5555 (TCP) Connector (inbound) For native RDP

Ports on the target Linux server (inbound)

SSH 22


Ports on the connector for the Linux server (inbound)

API Proxy (HTTP proxy) 8080

PAS firewall rules and domain settings for external integrations

When PAS interacts with your external system there may be additional port requirements.

Note:   The outbound 443 port is very likely, with a possibly of other ports, including inbound ports.

Example port recommendations:

Example Port Recommendations Protocol
Partner federation / External IDP Outbound / Inbound 443 for external IDP HTTPS
SAML app Outbound / Inbound 443 the application HTTPS
Customer SMTP server Port 22 HTTPS