Plan for network traffic and data storage
You should minimize the distance network packets have to travel between an agent and its collector. You should also minimize the distance between collectors and their audit stores. If possible, you should not have more than one gateway or router hop between an agent and its collector.
Default ports for network traffic and communication
To help you plan for network traffic, the following provides an overview of the network communications and ports used when a user logs on and the ports used in the initial set of network transactions.
When a user logs on, the Centrify agent for Windows connects to Active Directory to begin the lookup process, then the agent and the domain controller exchange messages as follows:
- Directory Service - Global Catalog lookup request on port 3268.
- Authentication Services - LDAP sealed request on port 389.
- Kerberos – Ticket Granting Ticket (TGT) request on port 88.
- Network Time Protocol (NTP) Server – Time synchronized for Kerberos on port 123.
- Domain Name Service (DNS) – Host (A), Pointer (PTR), Service Location (SRV) records on port 53.
- RPC over TCP - For inbound RPC endpoint mapper connections to support network discovery or if password management and validation uses RPC over TCP on port 135.
Depending on the specific components you deploy and operations performed, you might need to open additional ports. The following table summarizes the ports used for different editions of Centrify software.
| This port | Is used for | Centrify software and operation requiring this port |
| --- | --- | --- |
| 22 | Encrypted TCP communication for OpenSSH connections | Centrify authentication service and privilege elevation service for secure shell connections on remote clients. |
| 23 | TCP communication for Telnet connections | Centrify authentication service, privilege elevation service, and audit and monitoring service. By default, |
| 53 | TCP/UDP communication | Centrify authentication service and privilege elevation service; clients use the Active Directory DNS server for DNS lookup requests. |
| 88 | Encrypted UDP communication | Centrify authentication service and privilege elevation service; Kerberos ticket validation and authentication, agents, Centrify PuTTY |
| 123 | UDP communication for simple network time protocol (NTP) | Centrify authentication service and privilege elevation service; keeps time synchronized between clients and Active Directory for Kerberos ticketing. |
| 389 | Encrypted TCP/UDP communication | authentication service and privilege elevation service; Active Directory authentication and client LDAP service. |
| 443 | Cloud proxy server to Centrify cloud service | Centrify for mobile device management. |
| 445 | Encrypted TCP/UDP communication for delivery of group policies | Centrify authentication service and privilege elevation service; adclient and adgpupdate use Samba (SMB) and Windows file sharing to download and update group policies, if applicable. |
| 464 | Encrypted TCP/UDP communication for Kerberos password changes | Centrify authentication service and privilege elevation service; Kerberos ticket validation and authentication for agents, Centrify PuTTY, adpasswd, and passwd. |
| 500 | Internet Key Exchange (IKE) for UDP | Centrify authentication service, privilege elevation service, and audit and monitoring service; isolation and encryption service to protect data-in-motion. |
| 1433 | Encrypted TCP communication for the collector connection to Microsoft SQL Server | Centrify authentication service, privilege elevation service, and audit and monitoring service; the collector service sends audited activity to the database. |
| 3268 | Encrypted TCP communication | Centrify authentication service and privilege elevation service; Active Directory authentication and LDAP global catalog updates. |
| 4500 | Internet Key Exchange (IKE) for NAT-T | Centrify authentication service, privilege elevation service, and audit and monitoring service; isolation and encryption service to protect data-in-motion. |
| 5063 | Encrypted TCP/RPC communication for the agent connection to collectors | Centrify authentication service, privilege elevation service, and audit and monitoring service; the auditing service records user activity on an audited computer. |
| none | ICMP (ping) connections | Centrify authentication service and privilege elevation service, to determine whether a remote computer is reachable. |
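Before opening firewall rules, it helps to confirm from an agent host which of the ports in the logon sequence and the table above actually answer. The following script is an added example written for this page; it is not Centrify tooling and uses nothing but the Python standard library. The hostnames, the 2-second timeout, and the grouping of ports by peer (domain controller, collector, SQL Server) are this example's assumptions based on the table. Only TCP ports are tested with a real handshake; UDP-only services such as Kerberos (88), NTP (123) and IKE (500, 4500) cannot be verified by a plain connect, so they are reported as `unverified` rather than guessed at.

```python
"""Added example (not Centrify's code): check reachability of the TCP ports an
agent depends on, using the port table on this page. Hostnames and the grouping
of ports by peer are assumptions for illustration."""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRequirement:
    port: int
    proto: str      # "tcp" or "udp"; only TCP is actively tested
    purpose: str


# Ports taken from the logon sequence and the table above. Assigning each port to a
# peer (DC, collector, SQL Server) is this example's reading of the table.
DOMAIN_CONTROLLER = (
    PortRequirement(53, "tcp", "DNS A/PTR/SRV lookups (TCP side)"),
    PortRequirement(88, "udp", "Kerberos TGT request"),
    PortRequirement(123, "udp", "NTP time sync for Kerberos"),
    PortRequirement(135, "tcp", "RPC endpoint mapper"),
    PortRequirement(389, "tcp", "LDAP sealed request"),
    PortRequirement(445, "tcp", "SMB for group policy download"),
    PortRequirement(464, "tcp", "Kerberos password change"),
    PortRequirement(3268, "tcp", "Global Catalog lookup"),
)
COLLECTOR = (PortRequirement(5063, "tcp", "agent to collector"),)
SQL_SERVER = (PortRequirement(1433, "tcp", "collector to SQL Server"),)


def check_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Connection refused, timed out, or host unresolvable all mean "not reachable".
        return False


def check_requirements(host, requirements, timeout=2.0):
    """Map each required port to 'open', 'closed', or 'unverified' (UDP)."""
    results = {}
    for req in requirements:
        if req.proto != "tcp":
            results[req.port] = "unverified"
        elif check_tcp(host, req.port, timeout):
            results[req.port] = "open"
        else:
            results[req.port] = "closed"
    return results


def missing_ports(results):
    """Ports that were tested and found closed: the firewall change request list."""
    return sorted(p for p, state in results.items() if state == "closed")


if __name__ == "__main__":
    # Placeholder hostnames; replace with the DC and collector the agent uses.
    for label, host, reqs in (
        ("domain controller", "dc01.example.internal", DOMAIN_CONTROLLER),
        ("collector", "collector01.example.internal", COLLECTOR),
    ):
        res = check_requirements(host, reqs)
        print(f"{label} ({host}): {res}")
        if missing_ports(res):
            print(f"  blocked TCP ports: {missing_ports(res)}")
```

Run it on the agent host itself, since that is the path the firewall rules must allow; running it from an administrative workstation tells you nothing about the hop between the agent and its collector. A port reported `closed` from the agent but answering locally on the server points at an intermediate firewall or router, which is exactly the hop the planning guidance above asks you to minimize.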
Auditing requires database management
If you are planning a deployment with just audit and monitoring service or with identity management, privilege management, and auditing, you must plan how you will create and manage the databases that receive and store audit data. You should also consider your data archiving and retention policies, who should be given auditor permissions, and other details because these decisions affect your storage and maintenance requirements. For more information about managing an installation for auditing, see Managing auditing for an installation.
For audit and monitoring service, you should plan a pilot deployment of 20 to 25 agents to determine how much audit data your organization would generate and how fast the database can increase in size as you add agents. For more information about monitoring a pilot deployment for audit and monitoring service and guidelines for sizing the database, see Estimating database requirements based on the data you collect.