
KB-8911: Firewall port settings for Centrify Privilege Service

Privileged Access Service

11 July,18 at 07:32 PM

Question:

What are the ports that need to be opened for Centrify Privilege Service to operate successfully?
 
Answer: 

Between CPS (Centrify Identity Platform) and connector:

| Protocol    | Port        | Direction | Remark                |
|-------------|-------------|-----------|-----------------------|
| HTTPS       | 443 (TCP)   | Both      |                       |
| Service Bus | 30001 (TCP) | Both      | Customer Managed Only |


Between connector and domain controller:

| Protocol                     | Port              | Direction    | Remark                |
|------------------------------|-------------------|--------------|-----------------------|
| DNS                          | 53 (TCP/UDP)      | Both         |                       |
| Global Catalog               | 3268 (TCP)        | DC (inbound) | Customer Managed Only |
| LDAP                         | 389 (TCP/UDP)     | DC (inbound) |                       |
| Kerberos                     | 88 (TCP)          | DC (inbound) |                       |
| Kerberos Password            | 464 (TCP)         | DC (inbound) |                       |
| SMB/CIFS                     | 445 (TCP)         | DC (inbound) |                       |
| Time Service                 | 123 (TCP)         | DC (inbound) |                       |
| RPC Endpoint Mapper          | 135 (TCP)         | DC (inbound) |                       |
| RPC Endpoint ("TCP Dynamic") | 49152-65535 (TCP) | DC (inbound) |                       |
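A quick way to confirm that the connector-to-domain-controller rules above are actually in place is to probe each port from the connector host before installing or troubleshooting the connector. The script below is an added example, not Centrify's own code or part of this article: it runs the static TCP ports from the table through Test-NetConnection, checks DNS separately (a TCP probe says nothing about UDP), and verifies time sync with w32tm rather than a raw port probe. The DC name and domain are placeholders you must replace.

```powershell
# Added example (not from the KB): check, from the connector host, that the
# "connector -> domain controller" ports listed above are reachable.
# $DomainController and $Domain are assumed placeholders.
$DomainController = 'dc01.example.internal'
$Domain           = 'example.internal'

# Static TCP ports from the table. DNS and LDAP also use UDP, which
# Test-NetConnection cannot exercise, so DNS is checked separately below.
$DcPorts = @(
    @{ Name = 'DNS';                 Port = 53   }
    @{ Name = 'Kerberos';            Port = 88   }
    @{ Name = 'RPC Endpoint Mapper'; Port = 135  }
    @{ Name = 'LDAP';                Port = 389  }
    @{ Name = 'SMB/CIFS';            Port = 445  }
    @{ Name = 'Kerberos Password';   Port = 464  }
    @{ Name = 'Global Catalog';      Port = 3268 }
)

$results = foreach ($entry in $DcPorts) {
    $probe = Test-NetConnection -ComputerName $DomainController -Port $entry.Port `
        -WarningAction SilentlyContinue
    [pscustomobject]@{
        Protocol  = $entry.Name
        Port      = $entry.Port
        Reachable = $probe.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

# DNS (UDP): if the domain's LDAP SRV record resolves, the connector can
# locate domain controllers through this DNS server.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DomainController -ErrorAction Stop |
    Select-Object Name, NameTarget, Port

# Time Service: ask the DC for a time sample instead of probing port 123,
# which reports the real end-to-end result for time sync.
w32tm /stripchart /computer:$DomainController /samples:1 /dataonly

# Dynamic RPC range (49152-65535 by default) cannot be probed exhaustively;
# a single port at the start of the range shows whether the range is open
# at all once the mapper has handed out a port.
$dynamic = Test-NetConnection -ComputerName $DomainController -Port 49152 -WarningAction SilentlyContinue
if (-not $dynamic.TcpTestSucceeded) {
    Write-Warning "No listener answered on 49152; confirm the DC's dynamic range rule separately."
}

# Every row with Reachable = False is a firewall gap for that dependency.
$results | Where-Object { -not $_.Reachable } | ForEach-Object {
    Write-Warning ("Blocked: {0} TCP/{1} to {2}" -f $_.Protocol, $_.Port, $DomainController)
}
```

Run it in an elevated PowerShell session on the connector host. A "Blocked" warning identifies the exact table row whose rule is missing, which is usually faster than reading connector logs after the fact.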

 


Between connector and Linux resource:

| Protocol               | Port       | Direction           | Remark                                        |
|------------------------|------------|---------------------|-----------------------------------------------|
| SSH                    | 22 (TCP)   | Linux (inbound)     | For CPS password mgmt, CPS remote login, etc. |
| HTTPS                  | 443 (TCP)  | CPS (inbound)       |                                               |
| API Proxy (HTTP Proxy) | 8080 (TCP) | Connector (inbound) |                                               |
| IWA                    | 8443 (TCP) | Connector (inbound) | For CPS MFA                                   |


Between connector and Windows resource:

| Protocol                     | Port              | Direction           | Remark                                                                                                 |
|------------------------------|-------------------|---------------------|--------------------------------------------------------------------------------------------------------|
| RDP                          | 3389 (TCP)        | Windows (inbound)   | For CPS remote login                                                                                   |
| RPC Endpoint Mapper          | 135 (TCP)         | Windows (inbound)   | For CPS discovery, or if Management Mode is "RPC over TCP"                                             |
| RPC Endpoint ("TCP Dynamic") | 49152-65535 (TCP) | Windows (inbound)   | For "RPC Endpoint Mapper" [1]. Configurable. (Note: each Windows host can have its own port range [2].) |
| SMB/CIFS                     | 445 (TCP)         | Windows (inbound)   | For CPS discovery, or if Management Mode is "SMB"                                                      |
| WinRM over HTTP              | 5985 (TCP)        | Windows (inbound)   | If Management Mode is "WinRM over HTTP"                                                                |
| WinRM over HTTPS             | 5986 (TCP)        | Windows (inbound)   | If Management Mode is "WinRM over HTTPS"                                                               |
| API Proxy                    | 8080 (TCP)        | Connector (inbound) | Server Authentication and MFA                                                                          |
| IWA                          | 8443 (TCP)        | Connector (inbound) | For Windows MFA                                                                                        |

Between connector and CPS portal users:

| Protocol | Port       | Direction           | Remark         |
|----------|------------|---------------------|----------------|
| SSH      | 22 (TCP)   | Connector (inbound) | For native SSH |
| RDP      | 5555 (TCP) | Connector (inbound) | For native RDP |
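The Windows-resource table is conditional on the Management Mode, and the dynamic RPC range is both configurable and per host. The following script is an added example (not Centrify's code and not part of this article) showing how an administrator would apply that table on a managed Windows resource: it opens only the ports the chosen mode needs, reads the host's actual dynamic port range instead of assuming 49152-65535, and scopes every rule to the connector addresses. The connector addresses and the mode value are placeholders.

```powershell
# Added example (not from the KB): on a Windows resource managed by CPS, allow
# inbound only the ports the table lists for the Management Mode in use, and
# only from the connector hosts. $ConnectorAddresses and $ManagementMode are
# assumed placeholders; set them for your environment.
$ConnectorAddresses = @('10.0.5.10', '10.0.5.11')   # connector IPs (placeholder)
$ManagementMode     = 'WinRM over HTTPS'            # a mode name from the table

# Ports the table requires regardless of mode: RDP for CPS remote login, RPC
# Endpoint Mapper and SMB for CPS discovery.
$rules = @(
    @{ Name = 'CPS RDP (remote login)';   Port = '3389' }
    @{ Name = 'CPS RPC Endpoint Mapper';  Port = '135'  }
    @{ Name = 'CPS SMB/CIFS (discovery)'; Port = '445'  }
)

# Mode-specific ports. For "RPC over TCP" the dynamic range is needed too;
# read this host's configured range rather than assuming the default, since
# each Windows host can have its own range [2].
switch ($ManagementMode) {
    'RPC over TCP' {
        $tcp   = Get-NetTCPSetting -SettingName Internet
        $start = [int]$tcp.DynamicPortRangeStartPort
        $end   = $start + [int]$tcp.DynamicPortRangeNumberOfPorts - 1
        $rules += @{ Name = 'CPS RPC dynamic range'; Port = "$start-$end" }
    }
    'WinRM over HTTP'  { $rules += @{ Name = 'CPS WinRM over HTTP';  Port = '5985' } }
    'WinRM over HTTPS' { $rules += @{ Name = 'CPS WinRM over HTTPS'; Port = '5986' } }
    'SMB'              { }   # port 445 is already in the base set
    default            { throw "Unknown Management Mode: $ManagementMode" }
}

foreach ($r in $rules) {
    # -RemoteAddress is the important part. An unscoped allow rule on the
    # dynamic range exposes every RPC listener on the host to the whole
    # network; scoped to the connectors it exposes them only to CPS.
    New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $r.Port -RemoteAddress $ConnectorAddresses `
        -Profile Domain -ErrorAction Stop | Out-Null
}

# Review the resulting port filters for the rules just created.
Get-NetFirewallRule -DisplayName 'CPS *' |
    Get-NetFirewallPortFilter |
    Select-Object InstanceID, Protocol, LocalPort
```

Run it elevated on the managed Windows host. If the host's dynamic range has been narrowed with `netsh int ipv4 set dynamicport tcp`, the "RPC over TCP" branch picks that up automatically, which is why reading Get-NetTCPSetting is preferable to hard-coding 49152-65535.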


Between domain controller and Windows resources:

| Protocol                     | Port              | Direction    | Remark                   |
|------------------------------|-------------------|--------------|--------------------------|
| RPC Endpoint Mapper          | 135 (TCP)         | DC (inbound) | For Windows to join AD.  |
| RPC Endpoint ("TCP Dynamic") | 49152-65535 (TCP) | DC (inbound) | For Windows to join AD.  |


Between connector and DA collector:

| Protocol | Port       | Direction              | Remark |
|----------|------------|------------------------|--------|
| Internal | 5063 (TCP) | DA collector (inbound) |        |

 
