Plan for network traffic and default ports
To help you plan for network traffic, the following ports are used in the initial set of network transactions:
- Directory Service – Global Catalog lookup request on port 3268.
- Authentication Services – LDAP sealed request on port 389.
- Kerberos – Ticket Granting Ticket (TGT) request on port 88.
- Network Time Protocol (NTP) Server – Time synchronized for Kerberos on port 123.
- Domain Name Service (DNS) – Host (A), Pointer (PTR), Service Location (SRV) records on port 53.
Depending on the specific components you deploy and operations performed, you might need to open additional ports. The following table summarizes the ports used for Centrify software.
| This port | Is used for | Centrify software component |
|---|---|---|
| 23 | TCP communication for Telnet connections | Centrify authentication service, privilege elevation service, and audit and monitoring service. By default, |
| 53 | TCP/UDP communication | Clients use the Active Directory DNS server for DNS lookup requests. |
| 88 | Encrypted UDP communication | Kerberos ticket validation and authentication, agents, Centrify PuTTY |
| 123 | UDP communication for simple network time protocol (NTP) | Keeps time synchronized between clients and Active Directory for Kerberos ticketing. |
| 389 | Encrypted TCP/UDP communication | Active Directory authentication and client LDAP service. |
| 443 | Centrify Connector communication with Privileged Access Service | Centrify Connector |
| 445 | Encrypted TCP/UDP communication for delivery of group policies | The adclient and adgpupdate use Samba (SMB) and Windows file sharing to download and update group policies, if applicable. |
| 464 | Encrypted TCP/UDP communication for Kerberos password changes | Kerberos ticket validation and authentication for agents, Centrify PuTTY, adpasswd, and passwd. |
| 1433 | Encrypted TCP communication for the collector connection to Microsoft SQL Server | The collector service sends audited activity to the database. |
| 3268 | Encrypted TCP communication | Active Directory authentication and LDAP global catalog updates. |
| 5063 | Encrypted TCP/RPC communication for the agent connection to collectors | The auditing service records user activity on an audited computer. |
| 5064 | Encrypted SSL/TLS communication for the agent connection to collectors for systems that are not joined to Active Directory. | The auditing service records user activity on an audited computer outside of Active Directory. |
| none | ICMP (ping) connections | To determine whether a remote computer is reachable. |
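A pre-deployment reachability check built from the table above, as an added example and not Centrify's own tooling: it probes each TCP port with a connect() and reports UDP-only ports as "not probed", because a silently dropped UDP datagram looks the same as a working service. The host name dc01.example.com and the component grouping (core, connector, audit, telnet) are assumptions for the example.

```python
"""Check the ports from the table above before joining a client (added example)."""
import socket

# (port, protocol, purpose, component group) transcribed from the table on this page;
# the group labels are an assumption used to select which rows apply to a deployment.
PORTS = [
    (23,   "tcp",     "Telnet connections (if used)",           "telnet"),
    (53,   "tcp/udp", "DNS lookups",                            "core"),
    (88,   "udp",     "Kerberos ticket validation",             "core"),
    (123,  "udp",     "NTP time sync for Kerberos",             "core"),
    (389,  "tcp/udp", "LDAP authentication",                    "core"),
    (445,  "tcp/udp", "SMB group policy download",              "core"),
    (464,  "tcp/udp", "Kerberos password changes",              "core"),
    (3268, "tcp",     "Global Catalog LDAP",                    "core"),
    (443,  "tcp",     "Connector to Privileged Access Service", "connector"),
    (1433, "tcp",     "Collector to SQL Server",                "audit"),
    (5063, "tcp",     "Agent to collector (AD-joined)",         "audit"),
    (5064, "tcp",     "Agent to collector (not AD-joined)",     "audit"),
]

def required_ports(groups):
    """Return the table rows whose component group is in `groups`."""
    return [row for row in PORTS if row[3] in groups]

def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP connect to host:port completes within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, unresolvable, or no route
        return False

def check_host(host, groups=("core",), probe=tcp_reachable):
    """Map each required port to 'open', 'closed', or 'not probed' (UDP-only rows)."""
    results = {}
    for port, proto, _purpose, _group in required_ports(groups):
        if "tcp" not in proto:
            results[port] = "not probed"   # UDP: no reply proves nothing either way
        else:
            results[port] = "open" if probe(host, port) else "closed"
    return results

if __name__ == "__main__":
    # Hypothetical domain controller name; replace with your own.
    for port, state in sorted(check_host("dc01.example.com", ("core", "audit")).items()):
        print(f"{port:>5}  {state}")
```

Run it from the client that will be joined, since firewalls between that client and the domain controllers are what the check is meant to expose.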