Plan for network traffic and data storage

You should minimize the distance network packets have to travel between an agent and its collector. You should also minimize the distance between collectors and their audit stores. If possible, you should not have more than one gateway or router hop between an agent and its collector.

Default ports for network traffic and communication

To help you plan for network traffic, the following sections describe the ports and protocols used when a user logs on and the ports required by each Centrify component. Open these ports on any firewall between the agent, its domain controllers, its collector, and the audit store; the agent cannot fall back to a different port.

When a user logs on, the Centrify agent for Windows connects to Active Directory to begin the lookup process, then the agent and the domain controller exchange messages as follows:

  • Directory Service – Global Catalog lookup request on port 3268.
  • Authentication Services – LDAP sealed (signed and encrypted) request on port 389.
  • Kerberos – Ticket Granting Ticket (TGT) request on port 88.
  • Network Time Protocol (NTP) server – time synchronization for Kerberos on port 123; Kerberos rejects tickets if the clock skew between agent and domain controller exceeds the domain's tolerance (5 minutes by default).
  • Domain Name Service (DNS) – Host (A), Pointer (PTR), and Service Location (SRV) records on port 53; the agent uses SRV records to locate domain controllers.
  • RPC over TCP – inbound RPC endpoint mapper connections on port 135, to support network discovery or when password management and validation use RPC over TCP.

Depending on the specific components you deploy and operations performed, you might need to open additional ports. The following table summarizes the ports used for different editions of Centrify software.

Each entry below lists the port, what it is used for, and the Centrify software and operation that require it.

  • 22 – Encrypted TCP communication for OpenSSH connections. Required by: Centrify authentication service and privilege elevation service, for secure shell connections to remote clients.

  • 23 – TCP communication for Telnet connections. Required by: Centrify authentication service, privilege elevation service, and audit and monitoring service. By default, telnet connections are not allowed because passwords are transferred over the network as plain text.

  • 53 – TCP/UDP communication for DNS. Required by: Centrify authentication service and privilege elevation service; clients use the Active Directory DNS server for DNS lookup requests, including the SRV lookups that locate domain controllers.

  • 88 – Encrypted TCP/UDP communication for Kerberos (the KDC accepts both transports; clients fall back to TCP for tickets too large for a UDP datagram). Required by: Centrify authentication service and privilege elevation service, for Kerberos ticket validation and authentication by agents and Centrify PuTTY.

  • 123 – UDP communication for the Network Time Protocol (NTP) or Simple Network Time Protocol (SNTP). Required by: Centrify authentication service and privilege elevation service, to keep time synchronized between clients and Active Directory for Kerberos ticketing.

  • 389 – Encrypted TCP/UDP communication for LDAP (UDP is used only for connectionless LDAP domain-controller pings). Required by: Centrify authentication service and privilege elevation service, for Active Directory authentication and the client LDAP service.

  • 443 – HTTPS from the cloud proxy server to the Centrify cloud service. Required by: Centrify for mobile device management.

  • 445 – Encrypted TCP communication for delivery of group policies. Required by: Centrify authentication service and privilege elevation service; adclient and adgpupdate use SMB (Windows file sharing) to download and update group policies, if applicable.

  • 464 – Encrypted TCP/UDP communication for Kerberos password changes (kpasswd). Required by: Centrify authentication service and privilege elevation service, for Kerberos ticket validation and authentication by agents, Centrify PuTTY, adpasswd, and passwd.

  • 500 – Internet Key Exchange (IKE) over UDP. Required by: Centrify authentication service, privilege elevation service, and audit and monitoring service; the isolation and encryption service uses it to protect data in motion.

  • 1433 – Encrypted TCP communication for the collector connection to Microsoft SQL Server. Required by: Centrify authentication service, privilege elevation service, and audit and monitoring service; the collector service sends audited activity to the database.

  • 3268 – Encrypted TCP communication for the Global Catalog. Required by: Centrify authentication service and privilege elevation service, for Active Directory authentication and LDAP global catalog lookups.

  • 4500 – Internet Key Exchange (IKE) and IPsec NAT traversal (NAT-T) over UDP. Required by: Centrify authentication service, privilege elevation service, and audit and monitoring service; the isolation and encryption service uses it to protect data in motion.

  • 5063 – Encrypted TCP/RPC communication for the agent connection to collectors. Required by: Centrify authentication service, privilege elevation service, and audit and monitoring service; the auditing service records user activity on an audited computer.

  • none – ICMP (ping). Required by: Centrify authentication service and privilege elevation service, to determine whether a remote computer is reachable.
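The logon sequence and port list above are easy to verify before rolling agents out. The following script is an added example written for this page, not part of Centrify's own software: it locates domain controllers with a hand-built DNS SRV query on port 53 (the same lookup the agent performs at logon), then attempts a TCP connection to each port the agent needs on the domain controller. The SRV record name, the grouping of ports into plans, and the constructed sample DNS response are assumptions for illustration; UDP-only services (NTP 123, IKE 500/4500) are listed but not probed, because a plain connect cannot confirm a UDP listener.

```python
"""Preflight check for an agent's port plan: discover domain controllers by DNS SRV
lookup over UDP 53, then confirm the required TCP ports are reachable."""
import socket
import struct
import sys

# Port plans taken from the page's table. Only TCP ports are probed by connecting.
AGENT_TO_DC_TCP = {
    88: "Kerberos", 135: "RPC endpoint mapper", 389: "LDAP",
    445: "SMB group policy", 464: "Kerberos kpasswd", 3268: "Global Catalog",
}
AGENT_TO_COLLECTOR_TCP = {5063: "audit collector"}
COLLECTOR_TO_SQL_TCP = {1433: "SQL Server audit store"}
UDP_ONLY = {123: "NTP", 500: "IKE", 4500: "IKE NAT-T"}  # listed, not probed

QTYPE_SRV, QCLASS_IN = 33, 1


def build_srv_query(name, txid=0x1234):
    """Minimal DNS query: one SRV/IN question, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPE_SRV, QCLASS_IN)


def read_name(msg, off):
    """Decode a DNS name at offset, following compression pointers (RFC 1035 4.1.4)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:  # pointer: 14-bit offset into the message
            if end is None:
                end = off + 2  # a pointer terminates the name in the original stream
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode())
        off += 1 + length
    return ".".join(labels), end if end is not None else off


def parse_srv_response(msg):
    """Return [(priority, weight, port, target), ...] sorted by priority then weight."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"DNS error, rcode={flags & 0xF}")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    results = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = read_name(msg, off + 6)
            results.append((prio, weight, port, target))
        off += rdlen
    return sorted(results)  # ascending priority; weighted random choice is omitted


def discover_dcs(domain, dns_server, timeout=3.0):
    """Ask the AD DNS server for _ldap._tcp.dc._msdcs.<domain> and return DC hostnames."""
    query = build_srv_query(f"_ldap._tcp.dc._msdcs.{domain}")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (dns_server, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("DNS transaction ID mismatch")
    return [target for _, _, _, target in parse_srv_response(data)]


def tcp_open(host, port, timeout=3.0):
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_plan(host, plan, probe=tcp_open):
    """Return {port: (purpose, reachable)} for every TCP port in the plan."""
    return {port: (purpose, probe(host, port)) for port, purpose in plan.items()}


def blocked_ports(report):
    return sorted(port for port, (_, ok) in report.items() if not ok)


# Constructed sample: answer for _ldap._tcp.dc._msdcs.example.com with one SRV record
# (priority 0, weight 100, port 389, target dc1.example.com). Not captured from a real DC.
SAMPLE_SRV_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x05_ldap\x04_tcp\x02dc\x06_msdcs\x07example\x03com\x00\x00\x21\x00\x01"
    b"\xc0\x0c\x00\x21\x00\x01\x00\x00\x02\x58\x00\x17"
    b"\x00\x00\x00\x64\x01\x85\x03dc1\x07example\x03com\x00"
)

if __name__ == "__main__":
    domain, dns_server = sys.argv[1], sys.argv[2]  # e.g. example.com 10.0.0.10
    for dc in discover_dcs(domain, dns_server):
        for port, (purpose, ok) in sorted(check_plan(dc, AGENT_TO_DC_TCP).items()):
            print(f"{dc}:{port:<5} {purpose:<22} {'open' if ok else 'BLOCKED'}")
    print("Not probed (UDP only):", ", ".join(f"{p} {n}" for p, n in UDP_ONLY.items()))
```

Run it from an agent host as `python preflight.py <domain> <dns-server-ip>`; run `check_plan(collector, AGENT_TO_COLLECTOR_TCP)` from the audited computer and `check_plan(sql_host, COLLECTOR_TO_SQL_TCP)` from the collector to cover the other two legs. A port reported as BLOCKED tells you only that a TCP connection failed, so distinguish a firewall drop (timeout) from a refused connection (service not listening) before changing firewall rules.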

Auditing requires database management

If you are planning a deployment with just audit and monitoring service or with identity management, privilege management, and auditing, you must plan how you will create and manage the databases that receive and store audit data. You should also consider your data archiving and retention policies, who should be given auditor permissions, and other details because these decisions affect your storage and maintenance requirements. For more information about managing an installation for auditing, see Managing auditing for an installation.

For audit and monitoring service, you should plan a pilot deployment of 20 to 25 agents to determine how much audit data your organization would generate and how fast the database can increase in size as you add agents. For more information about monitoring a pilot deployment for audit and monitoring service and guidelines for sizing the database, see Estimating database requirements based on the data you collect.