Plan

During the first phase of the deployment, you should collect and analyze details about your organization’s requirements and goals. You can then make preliminary decisions about sizing, network communication, and what your zone structure should look like.

Here are the key steps involved:

  • Assemble a deployment team with Active Directory and UNIX expertise.

    The team might also include specialists, such as database administrators, network architects, or application owners. For more information about assembling a deployment team, see Preparing a deployment team.

  • Provide basic training so that members of the deployment team are familiar with Centrify concepts and terminology and know where to go for more information.
  • Analyze the existing environment to determine your goals and requirements and identify target computers on which you plan to install Centrify components.

    This step is essential for designing the zone structure if you are migrating any local accounts or legacy profiles. It is also critical if you are deploying the auditing infrastructure. For more information about the questions to answer and factors that affect deployment, see Defining goals for the deployment.

  • Design a basic zone structure that suits your organization.

    The zone structure depends primarily on how you want to use zones. For more information about deciding how to use zones, see Why use zones?.

  • Identify a target set of computers for deployment and check that required ports are open.

Default ports for network traffic and communication

To help you plan for network traffic, the following ports are used in the initial set of network transactions when a user logs on and the agent connects to Active Directory:

  • Directory Service – Global Catalog lookup request on port 3268.
  • Authentication Services – LDAP sealed request on port 389.
  • Kerberos – Ticket Granting Ticket (TGT) request on port 88.
  • Network Time Protocol (NTP) Server – Time synchronized for Kerberos on port 123.
  • Domain Name Service (DNS) – Host (A), Pointer (PTR), Service Location (SRV) records on port 53.

Depending on the specific components you deploy and operations performed, you might need to open additional ports. The following table summarizes the ports used for different editions of Centrify software.

| This port | Is used for | Where it is required |
|---|---|---|
| 389 | Encrypted TCP/UDP communication | Centrify authentication service and privilege elevation service for Active Directory authentication and client LDAP service. |
| 3268 | Encrypted TCP communication | Centrify authentication service and privilege elevation service for Active Directory authentication and LDAP global catalog updates. |
| 88 | Encrypted UDP communication | Centrify authentication service and privilege elevation service for Kerberos ticket validation and authentication for agents and Centrify PuTTY. |
| 464 | Encrypted TCP/UDP communication for Kerberos password changes | Centrify authentication service and privilege elevation service for Kerberos ticket validation and authentication for agents, Centrify PuTTY, adpasswd, and passwd. |
| 53 | TCP/UDP communication | Centrify authentication service and privilege elevation service for clients using the Active Directory DNS server role for DNS lookup requests. |
| 445 | Encrypted TCP/UDP communication for delivery of group policies | Centrify authentication service and privilege elevation service for adclient and adgpupdate using Samba (SMB) and Windows file sharing to download and update group policies, if applicable. |
| 123 | UDP communication for simple network time protocol (NTP) | Centrify authentication service and privilege elevation service to keep time synchronized between clients and Active Directory for Kerberos ticketing. |
| 22 | Encrypted TCP communication for OpenSSH connections | Centrify authentication service and privilege elevation service to support secure shell connections on remote clients. |
| 23 | TCP communication for Telnet connections | Centrify authentication service and privilege elevation service to support Telnet connections on remote clients if you cannot use secure shell (ssh). By default, Telnet connections are not allowed because passwords are transferred over the network as plain text. |
| none | ICMP (ping) connections | Centrify authentication service and privilege elevation service to determine whether a remote computer is reachable. |
| 1433 | Encrypted TCP communication for the collector connection to Microsoft SQL Server | Centrify authentication service, privilege elevation service, and audit and monitoring service to enable the collector service to send audited activity to the database. |
| 5063 | Encrypted TCP/RPC communication for the agent connection to collectors | Centrify authentication service, privilege elevation service, and audit and monitoring service to enable the auditing service to record user activity on an audited computer. |
| 443 | Cloud proxy server to Centrify cloud service | Centrify for mobile device management. |
| 4500 | Internet Key Exchange (IKE) for NAT-T | Centrify authentication service, privilege elevation service, isolation and encryption service, and audit and monitoring service to enable DirectSecure to protect data-in-motion. |
| 500 | Internet Key Exchange (IKE) for UDP | Centrify authentication service, privilege elevation service, isolation and encryption service, and audit and monitoring service to enable DirectSecure to protect data-in-motion. |
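The planning step "check that required ports are open" can be turned into a repeatable pre-deployment probe built from the table above. The following Python script is an added example, not Centrify's own tooling: the host names dc01.example.com and collector01.example.com are placeholders, and the port list is a selection from the table (the domain controller ports every agent needs, plus the agent-to-collector port when auditing is deployed). Only TCP-capable ports are actually probed; UDP-only entries such as Kerberos 88 and NTP 123 are reported as unverified, because a UDP probe gets no handshake back to confirm the path.

```python
# Added example: pre-deployment port reachability check for a Centrify agent host.
# Not Centrify tooling; host names are placeholders and the port set is taken
# from the planning table above.
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRequirement:
    port: int
    proto: str      # "tcp", "udp" or "tcp/udp", as listed in the table
    purpose: str
    component: str  # "core" (every agent) or "audit" (only with auditing deployed)


# Ports an agent must reach on a domain controller (from the table above).
DC_PORTS = (
    PortRequirement(389, "tcp/udp", "LDAP (sealed)", "core"),
    PortRequirement(3268, "tcp", "Global Catalog lookup", "core"),
    PortRequirement(88, "udp", "Kerberos TGT request", "core"),
    PortRequirement(464, "tcp/udp", "Kerberos password change", "core"),
    PortRequirement(53, "tcp/udp", "DNS A/PTR/SRV lookups", "core"),
    PortRequirement(445, "tcp/udp", "SMB for group policy download", "core"),
    PortRequirement(123, "udp", "NTP time sync for Kerberos", "core"),
)

# Port an audited agent must reach on its collector (checked against the
# collector host, not the domain controller).
COLLECTOR_PORTS = (
    PortRequirement(5063, "tcp", "agent to collector (RPC)", "audit"),
)


def required_ports(auditing: bool = False):
    """Select the port requirements that apply to this deployment."""
    return list(DC_PORTS) + (list(COLLECTOR_PORTS) if auditing else [])


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ports(host, requirements, connect=tcp_connect):
    """Probe each requirement against host.

    Returns a dict port -> "open" | "blocked" | "udp-not-checked".
    UDP-only ports are not probed: without a handshake there is nothing to
    confirm, so they are reported for manual verification instead.
    """
    results = {}
    for req in requirements:
        if "tcp" not in req.proto:
            results[req.port] = "udp-not-checked"
        elif connect(host, req.port):
            results[req.port] = "open"
        else:
            results[req.port] = "blocked"
    return results


def blocked_ports(results):
    """Sorted list of ports that must be opened before the agent can join."""
    return sorted(p for p, status in results.items() if status == "blocked")


if __name__ == "__main__":
    import sys
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.com"  # placeholder
    collector = sys.argv[2] if len(sys.argv) > 2 else None           # placeholder
    results = check_ports(dc, DC_PORTS)
    if collector:
        results.update(check_ports(collector, COLLECTOR_PORTS))
    for req in required_ports(auditing=collector is not None):
        print(f"{req.port:>5}/{req.proto:<7} {results[req.port]:<16} {req.purpose}")
    sys.exit(1 if blocked_ports(results) else 0)
```

Run it from the target computer as `python3 portcheck.py dc01.example.com collector01.example.com`; a non-zero exit status means at least one TCP port in the table is blocked from that host. The `connect` parameter exists so the decision logic can be exercised without a live domain controller.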

Network connections and database management for auditing

If you are planning a deployment with audit and monitoring service installed together with identity and privilege management, you must plan for reliable, high-speed network connections between components that collect and transfer audit data and how network traffic will be affected. You must also plan how you will create and manage the databases that store and retrieve audit data, your data archiving and retention policies, auditor permissions, and other details. For more information about planning and sizing for audit and monitoring service, see the Auditing Administrator’s Guide.