Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-8911: Firewall port settings for Privileged Access Service

Privileged Access Service ,  

4 March,21 at 03:44 PM

Question:

What are the ports that need to be opened for Privileged Access Service to operate successfully?                               
 
Answer: 

Between PAS and connector:

Protocol

Port

Direction

Remark

HTTPS

443 (TCP)

Outbound

 

Service Bus

30001 (TCP)

Both

Customer Managed Only


Between connector and domain controller:

Protocol

Port

Direction

Remark

DNS

53 (TCP/UDP)

DC (inbound)

 

Global Catalog

3268 (TCP)

DC (inbound)

Customer Managed Only

LDAP

389 (TCP/UDP)

DC (inbound)

 

Kerberos

88 (TCP)

DC (inbound)

 

Kerberos Password

464 (TCP)

DC (inbound)

 

SMB/CIFS

445 (TCP)

DC (inbound)

 

Time Service

123 (TCP)

DC (inbound)

 

RPC Endpoint Mapper

135 (TCP)

DC (inbound)

 

RPC Endpoint ("TCP Dynamic")

49152-65535 (TCP)

DC (inbound)

 


Between connector and Linux resource:

Protocol

Port

Direction

Remark

SSH

22 (TCP)

Linux (inbound)

For PAS password mgmt, PAS remote login, etc.

HTTPS

443 (TCP)

CPS (inbound)

 

API Proxy (HTTP Proxy)

8080 (TCP)

Connector (inbound)

 

IWA

8443 (TCP)

Connector (inbound)

For PAS MFA


Between connector and Windows resource:

Protocol

Port

Direction

Remark

RDP

3389 (TCP)

Windows (inbound)

For PAS remote login

RPC Endpoint Mapper

135 (TCP)

Windows (inbound)

For PAS discovery, or if Management Mode is "RPC over TCP"

RPC Endpoint ("TCP Dynamic")

49152-65535 (TCP)

Windows (inbound)

For "RPC Endpoint Mapper" [1]. Configurable.
(Note: Each Windows can have its own port range [2].)

SMB/CIFS

445 (TCP)

Windows (inbound)

For PAS discovery, or if Management Mode is "SMB"

WinRM over HTTP

5985 (TCP)

Windows (inbound)

If Management Mode is "WinRM over HTTP"

WinRM over HTTPS

5986 (TCP)

Windows (inbound)

If Management Mode is "WinRM over HTTPS"


API Proxy
 
8080 (TCP)
Connector (inbound)

Server Authentication and MFA

IWA

8443 (TCP)

Connector (inbound)

For Windows MFA

​Between connector and PAS portal users:

Protocol

Port

Direction

Remark

SSH

22 (TCP)

Connector (inbound)

For native SSH

RDP

5555 (TCP)

Connector (inbound)

 For native RDP


Between domain controller and Windows resources​:

Protocol

Port

Direction

Remark

RPC Endpoint Mapper

135 (TCP)

DC (inbound)

For Windows to join to AD.

RPC Endpoint ("TCP Dynamic")

49152-65535 (TCP)

DC (inbound)

For Windows to join to AD.


Between connector and DA collector:

Protocol

Port

Direction

Remark

Internal

5063 (TCP)

DA collector (inbound)

 

Related Articles

 articleKB-11102: MFA Authentication Is Slow During "connecting to authentication service" articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleKB-10750: How to reset the administrator password in Privileged Access Service On Prem articleCentrify 21.2 Release Notes article[Labs] Installing Centrify Privilege Service + High-Availability with Windows Failover Clustering articleCentrify Privilege Service Deployment Checklist articleKB-0029: Firewall port settings for Centrify DirectControl article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part I article[Labs] Securing Windows Servers with Centrify Infrastructure Service - Local Password Management