Plan for network traffic and default ports

You should minimize the distance network packets have to travel between an agent and its collector. You should also minimize the distance between collectors and their audit stores. If possible, you should not have more than one gateway or router hop between an agent and its collector.

To help you plan for network traffic, the following ports are used in the initial set of network transactions:

  • Directory Service – Global Catalog lookup request on port 3268.
  • Authentication Services – LDAP sealed request on port 389.
  • Kerberos – Ticket Granting Ticket (TGT) request on port 88.
  • Network Time Protocol (NTP) Server – time synchronized for Kerberos on port 123.
  • Domain Name Service (DNS) – Host (A), Pointer (PTR), Service Location (SRV) records on port 53.

Depending on the specific components you deploy and operations performed, you might need to open additional ports. The following table summarizes the ports used for Centrify software.

| This port | Is used for | Centrify software component |
|---|---|---|
| 23 | TCP communication for Telnet connections | Centrify authentication service, privilege elevation service, and audit and monitoring service. By default, telnet connections are not allowed because passwords are transferred over the network as plain text. |
| 53 | TCP/UDP communication | Clients use the Active Directory DNS server for DNS lookup requests. |
| 88 | Encrypted UDP communication | Kerberos ticket validation and authentication, agents, Centrify PuTTY |
| 123 | UDP communication for simple network time protocol (NTP) | Keeps time synchronized between clients and Active Directory for Kerberos ticketing. |
| 389 | Encrypted TCP/UDP communication | Active Directory authentication and client LDAP service. |
| 443 | Centrify Connector communication with Privileged Access Service | Centrify Connector |
| 445 | Encrypted TCP/UDP communication for delivery of group policies | The adclient and adgpupdate use Samba (SMB) and Windows file sharing to download and update group policies, if applicable. |
| 464 | Encrypted TCP/UDP communication for Kerberos password changes | Kerberos ticket validation and authentication for agents, Centrify PuTTY, adpasswd, and passwd. |
| 500 | Internet Key Exchange (IKE) for UDP | Centrify Isolation and Encryption Service to protect data-in-motion |
| 1433 | Encrypted TCP communication for the collector connection to Microsoft SQL Server | The collector service sends audited activity to the database. |
| 3268 | Encrypted TCP communication | Active Directory authentication and LDAP global catalog updates. |
| 4500 | Internet Key Exchange (IKE) for NAT-T | Centrify Isolation and Encryption Service to protect data-in-motion |
| 5063 | Encrypted TCP/RPC communication for the agent connection to collectors | The auditing service records user activity on an audited computer. |
| 5064 | Encrypted SSL/TLS communication for the agent connection to collectors for systems that are not joined to Active Directory. | The auditing service records user activity on an audited computer outside of Active Directory. |
| none | ICMP (ping) connections | To determine whether a remote computer is reachable. |
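The initial-transaction list and the port table above are easiest to act on as a pre-deployment checklist: before joining an agent or standing up a collector, confirm from the agent host that each required port is actually reachable through whatever firewalls and router hops sit in between. The following script is an added example, not Centrify's own tooling. It transcribes the TCP-capable ports from the table into a small rule set keyed by traffic path (agent to domain controller, agent to collector, collector to SQL Server), and attempts a TCP connect with a timeout against each one. UDP-only ports (88 and 123 as listed above) cannot be verified with a connect and are reported as unchecked rather than silently passed. Host names are placeholders you substitute for your own domain controller, collector and audit store; the loopback listener helper exists only so the checker can be demonstrated offline.

```python
"""Pre-deployment reachability check for the Centrify ports listed on this page.

Added example, not Centrify code. Port rules are transcribed from the table;
hosts are placeholders (assumption) that you replace with your own.
"""
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PortRule:
    port: int
    proto: str      # "tcp", "udp" or "tcp/udp", as stated in the table
    purpose: str
    path: str       # which component must reach which


# Transcribed from the port table above. Protocol values follow the page
# (88 and 123 are listed as UDP only).
PORT_RULES: List[PortRule] = [
    PortRule(53,   "tcp/udp", "DNS lookups against the AD DNS server",        "agent->dc"),
    PortRule(88,   "udp",     "Kerberos ticket validation and authentication", "agent->dc"),
    PortRule(123,  "udp",     "NTP time sync for Kerberos ticketing",          "agent->dc"),
    PortRule(389,  "tcp/udp", "LDAP authentication",                           "agent->dc"),
    PortRule(445,  "tcp/udp", "SMB for group policy download",                 "agent->dc"),
    PortRule(464,  "tcp/udp", "Kerberos password changes",                     "agent->dc"),
    PortRule(3268, "tcp",     "Global catalog LDAP",                           "agent->dc"),
    PortRule(5063, "tcp",     "Agent to collector (AD-joined, RPC)",           "agent->collector"),
    PortRule(5064, "tcp",     "Agent to collector (not AD-joined, TLS)",       "agent->collector"),
    PortRule(1433, "tcp",     "Collector to SQL Server audit store",           "collector->sql"),
]


def rules_for_path(path: str) -> List[PortRule]:
    """All rules that apply to one traffic path, e.g. 'agent->dc'."""
    return [r for r in PORT_RULES if r.path == path]


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake completes within the timeout; False on refusal,
    unreachable network, DNS failure or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_path(host: str, path: str, timeout: float = 2.0) -> Dict[int, Optional[bool]]:
    """Probe every rule on a path against one host.

    Returns {port: True/False}, or {port: None} for UDP-only ports, which a
    TCP connect cannot verify (use an NTP/Kerberos client test for those)."""
    results: Dict[int, Optional[bool]] = {}
    for rule in rules_for_path(path):
        if "tcp" not in rule.proto:
            results[rule.port] = None
        else:
            results[rule.port] = tcp_reachable(host, rule.port, timeout)
    return results


def unreachable_ports(results: Dict[int, Optional[bool]]) -> List[int]:
    """Ports that were probed and definitely failed (None entries are not failures)."""
    return sorted(p for p, ok in results.items() if ok is False)


def open_loopback_listener() -> "tuple[socket.socket, int]":
    """Bind a listening TCP socket on 127.0.0.1 at an ephemeral port so the
    checker can be exercised without a real domain controller or collector."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Placeholder hosts (assumption): replace with your own infrastructure.
    plan = {"dc.example.invalid": "agent->dc",
            "collector.example.invalid": "agent->collector",
            "auditstore.example.invalid": "collector->sql"}
    for host, path in plan.items():
        res = check_path(host, path)
        bad = unreachable_ports(res)
        skipped = [p for p, ok in res.items() if ok is None]
        print(f"{path:18s} {host}: unreachable={bad} unchecked(UDP)={skipped}")
```

Run it from the agent host once per path; a port that comes back in `unreachable` either needs a firewall rule or is evidence that the agent-to-collector hop count is larger than planned. Treat the `None` results as work still to do, since a UDP port that is filtered will not show up here.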