Question: What ports need to be open for Privileged Access Service (PAS) to operate successfully?

Answer: Between PAS and connector:

| Protocol | Port | Direction | Remark |
|---|---|---|---|
| HTTPS | 443 (TCP) | Outbound | |
| Service Bus | 30001 (TCP) | Both | Customer Managed Only |
Between connector and domain controller:

| Protocol | Port | Direction | Remark |
|---|---|---|---|
| DNS | 53 (TCP/UDP) | Both | |
| Global Catalog | 3268 (TCP) | DC (inbound) | Customer Managed Only |
| LDAP | 389 (TCP/UDP) | DC (inbound) | |
| Kerberos | 88 (TCP) | DC (inbound) | |
| Kerberos Password | 464 (TCP) | DC (inbound) | |
| SMB/CIFS | 445 (TCP) | DC (inbound) | |
| Time Service | 123 (UDP) | DC (inbound) | Windows Time (NTP) uses UDP, not TCP |
| RPC Endpoint Mapper | 135 (TCP) | DC (inbound) | |
| RPC Endpoint ("TCP Dynamic") | 49152-65535 (TCP) | DC (inbound) | |
Between connector and Linux resource:

| Protocol | Port | Direction | Remark |
|---|---|---|---|
| SSH | 22 (TCP) | Linux (inbound) | For PAS password management, PAS remote login, etc. |
| HTTPS | 443 (TCP) | CPS (inbound) | |
| API Proxy (HTTP Proxy) | 8080 (TCP) | Connector (inbound) | |
| IWA | 8443 (TCP) | Connector (inbound) | For PAS MFA |
Between connector and Windows resource:

| Protocol | Port | Direction | Remark |
|---|---|---|---|
| RDP | 3389 (TCP) | Windows (inbound) | For PAS remote login |
| RPC Endpoint Mapper | 135 (TCP) | Windows (inbound) | For PAS discovery, or if Management Mode is "RPC over TCP" |
| RPC Endpoint ("TCP Dynamic") | 49152-65535 (TCP) | Windows (inbound) | Used together with "RPC Endpoint Mapper" [1]. Configurable. (Note: each Windows host can have its own dynamic port range [2], so check the range on the target, not just the default.) |
| SMB/CIFS | 445 (TCP) | Windows (inbound) | For PAS discovery, or if Management Mode is "SMB" |
| WinRM over HTTP | 5985 (TCP) | Windows (inbound) | If Management Mode is "WinRM over HTTP" |
| WinRM over HTTPS | 5986 (TCP) | Windows (inbound) | If Management Mode is "WinRM over HTTPS" |
| API Proxy | 8080 (TCP) | Connector (inbound) | Server Authentication and MFA |
| IWA | 8443 (TCP) | Connector (inbound) | For Windows MFA |
Between connector and PAS portal users:

| Protocol | Port | Direction | Remark |
|---|---|---|---|
| SSH | 22 (TCP) | Connector (inbound) | For native SSH |
| RDP | 5555 (TCP) | Connector (inbound) | For native RDP |
Between domain controller and Windows resources:

| Protocol | Port | Direction | Remark |
|---|---|---|---|
| RPC Endpoint Mapper | 135 (TCP) | DC (inbound) | For Windows hosts to join AD. |
| RPC Endpoint ("TCP Dynamic") | 49152-65535 (TCP) | DC (inbound) | For Windows hosts to join AD. |
Between connector and DA collector:

| Protocol | Port | Direction | Remark |
|---|---|---|---|
| Internal | 5063 (TCP) | DA collector (inbound) | |