Plan for network traffic and default ports

You should minimize the distance network packets have to travel between an agent and its collector. You should also minimize the distance between collectors and their audit stores. If possible, you should not have more than one gateway or router hop between an agent and its collector.

To help you plan for network traffic, the following ports are used in the initial set of network transactions:

  • Directory Service – Global Catalog lookup request on port 3268.
  • Authentication Services – LDAP sealed request on port 389.
  • Kerberos – Ticket Granting Ticket (TGT) request on port 88.
  • Network Time Protocol (NTP) Server – Time synchronization for Kerberos on port 123.
  • Domain Name Service (DNS) – Host (A), Pointer (PTR), and Service Location (SRV) records on port 53.
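A pre-flight reachability check for the initial transactions listed above, added here as an example and not part of the Centrify documentation: it probes the TCP ports an agent must reach on its domain controller and reports which ones a firewall or routing problem is blocking. The domain controller host name is a placeholder you supply; the UDP services (NTP, DNS, Kerberos over UDP) are listed but not probed, because a plain connect() cannot confirm UDP reachability.

```python
import socket

# TCP ports from the initial set of transactions on this page.
INITIAL_TCP_PORTS = {
    3268: "Global Catalog lookup",
    389: "LDAP (sealed) authentication request",
    88: "Kerberos TGT request",
    53: "DNS (TCP, used for large responses and zone data)",
}
# UDP services from the same list; reported as "not probed" rather than guessed.
INITIAL_UDP_PORTS = {123: "NTP time sync for Kerberos", 53: "DNS", 88: "Kerberos (UDP)"}


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP three-way handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unroutable, name resolution failure
        return False


def check_initial_ports(dc_host: str, ports=INITIAL_TCP_PORTS, timeout: float = 2.0) -> dict:
    """Probe every TCP port in `ports` on the domain controller; map port -> reachable."""
    return {port: tcp_port_open(dc_host, port, timeout) for port in ports}


def blocked_ports(results: dict) -> list:
    """Ports that failed the probe, sorted, for the firewall change request."""
    return sorted(port for port, reachable in results.items() if not reachable)


def self_test() -> tuple:
    """Constructed offline check: one listening loopback port and one closed one."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    open_port = srv.getsockname()[1]
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()  # nothing listens here now, so connect() is refused
    try:
        res = check_initial_ports("127.0.0.1", {open_port: "open", closed_port: "closed"}, 1.0)
    finally:
        srv.close()
    return res[open_port], res[closed_port]


if __name__ == "__main__":
    dc = "dc01.example.local"  # placeholder: your domain controller
    results = check_initial_ports(dc)
    for port, ok in results.items():
        print(f"{port:>5}/tcp {INITIAL_TCP_PORTS[port]:<50} {'OK' if ok else 'BLOCKED'}")
    for port, desc in INITIAL_UDP_PORTS.items():
        print(f"{port:>5}/udp {desc:<50} not probed")
    print("blocked:", blocked_ports(results))
```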

Depending on the specific components you deploy and operations performed, you might need to open additional ports. The following table summarizes the ports used for Centrify software.

This port | Is used for | Centrify software component
 | TCP communication for Telnet connections | Centrify authentication service, privilege elevation service, and audit and monitoring service. By default, Telnet connections are not allowed because passwords are transferred over the network as plain text.
 | TCP/UDP communication | Clients use the Active Directory DNS server for DNS lookup requests.
 | Encrypted UDP communication | Kerberos ticket validation and authentication, agents, Centrify PuTTY.
 | UDP communication for Simple Network Time Protocol (NTP) | Keeps time synchronized between clients and Active Directory for Kerberos ticketing.
 | Encrypted TCP/UDP communication | Active Directory authentication and client LDAP service.
 | Centrify Connector communication with Privileged Access Service | Centrify Connector.
 | Encrypted TCP/UDP communication for delivery of group policies | The adclient and adgpupdate use Samba (SMB) and Windows file sharing to download and update group policies, if applicable.
 | Encrypted TCP/UDP communication for Kerberos password changes | Kerberos ticket validation and authentication for agents, Centrify PuTTY, adpasswd, and passwd.
 | Encrypted TCP communication for the collector connection to Microsoft SQL Server | The collector service sends audited activity to the database.
 | Encrypted TCP communication | Active Directory authentication and LDAP global catalog updates.
 | Encrypted TCP/RPC communication for the agent connection to collectors | The auditing service records user activity on an audited computer.
 | Encrypted SSL/TLS communication for the agent connection to collectors for systems that are not joined to Active Directory | The auditing service records user activity on an audited computer outside of Active Directory.
 | ICMP (ping) connections | To determine whether a remote computer is reachable.