Secret Server Cloud Customer Example Architectures

If you are a current customer with support hours for Delinea Professional Services, you can discuss any of these diagrams in detail with one of our Professional Services support architects.

Multi-Site with ASR Agents Example Architecture

Figure: Multi-site with ASR Agents Example Architecture


This design is fully supported by Delinea.

Arrows indicate the direction of initial connection.

Reference architecture requirements:
  • The ports required for accessing, managing and discovering endpoints must be opened between each site's Distributed Engines and the appropriate devices. Please see Ports Used by Secret Server.
  • All Distributed Engines servers must run on Windows Server 2012 to 2019.
  • Distributed Engines servers must have 4 cores and 4 GB RAM. We encourage increasing CPUs before RAM to improve DE efficiency.

Your first distributed engines will likely be located in the primary data center and will serve as the management zone for all other locations and domains. This includes:
  • AD synchronization
  • Account discovery
  • Password changing and heartbeats
  • SSH and RDP proxy
  • Session recording

Details for All Architectures

1: Service Buses

IP address allowlisting is not necessary unless outbound firewall rules are in place. If IP allowlisting is necessary, please contact Delinea Support to obtain the hostnames of the shared engine response service bus and your dedicated customer service bus. The TCP port requirement depends on the transport type configured in the distributed engine settings. The default is WebSockets, which requires TCP 443. If the AMQP option is selected within the application, TCP ports 5671 and 5672 are also required.

2: Web Application Firewall (WAF)

IP address allowlisting is not necessary unless outbound firewall rules are in place. Generally, the public IP that the hostname resolves to depends on the geographical location of the request source. The public IPs published for all regions should be allowlisted to ensure uninterrupted connectivity.


3: RADIUS

  • Inbound allowlisting is necessary if RADIUS authentication is configured. The source IP addresses are published per regional hostname (secretservercloud.com, secretservercloud.co.uk, secretservercloud.ca, secretservercloud.eu, secretservercloud.com.sg and secretservercloud.com.au), each with Primary and DR (or Secondary) entries.
4: Distributed Engine (DE)

If external clients must be able to connect to internal SSH or RDP endpoints, an SSH proxy can be configured on the DE. In that case TCP port 22 must be open for inbound connections on the DE server, and the server must be configured to accept inbound connections from the public Internet.

5: Certificate CRLs

Allowlisting is not necessary unless outbound firewall rules are in place. If it is necessary, access to CRL or OCSP endpoints may be required. CRL and OCSP endpoints may differ from customer to customer. To determine the endpoints, review the certificates presented by the:

  • Web application firewall
  • Customer service bus
  • Engine response service bus
  • CDN for DE updates

Obtaining and reviewing certificates is not within the scope of this document, but you can find resources online, such as OCSP & CRL and Revoked SSL Certificates, which is not owned or maintained by Delinea.
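One way to carry out that review from the DE host, as an added example that is not Delinea's tooling: the script below retrieves the certificate each endpoint presents and collects the CRL and OCSP hostnames and ports that an outbound allowlist needs. The endpoint names in ENDPOINTS are placeholders to replace with the WAF hostname, the two service bus hostnames obtained from Delinea Support, and the CDN hostname.

```python
"""Collect CRL and OCSP hosts from the certificates presented by the endpoints
a Distributed Engine talks to, for an outbound firewall allowlist.
Uses only the Python standard library (ssl.getpeercert)."""
import socket
import ssl
from urllib.parse import urlsplit

# Constructed placeholders: replace with the real WAF, customer service bus,
# engine response service bus and DE update CDN hostnames.
ENDPOINTS = [
    "waf.example.invalid",
    "customer-bus.example.invalid",
    "engine-response-bus.example.invalid",
    "de-cdn.example.invalid",
]


def fetch_peer_cert(hostname, port=443, timeout=10):
    """Return the validated leaf certificate as the dict getpeercert() gives.
    The default context verifies the chain; an untrusted cert raises SSLError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def revocation_urls(cert):
    """CRL distribution points and OCSP responders from a getpeercert() dict."""
    return {
        "crl": list(cert.get("crlDistributionPoints", ())),
        "ocsp": list(cert.get("OCSP", ())),
    }


def allowlist_hosts(certs):
    """Deduplicated (hostname, port) pairs needing outbound access. Non-HTTP
    distribution points (e.g. ldap://) are skipped; CRL/OCSP is usually port 80."""
    hosts = set()
    for cert in certs:
        urls = revocation_urls(cert)
        for url in urls["crl"] + urls["ocsp"]:
            parts = urlsplit(url)
            if parts.scheme in ("http", "https") and parts.hostname:
                port = parts.port or (443 if parts.scheme == "https" else 80)
                hosts.add((parts.hostname.lower(), port))
    return sorted(hosts)


if __name__ == "__main__":
    certs = []
    for host in ENDPOINTS:
        try:
            certs.append(fetch_peer_cert(host))
        except (OSError, ssl.SSLError) as exc:
            print(f"{host}: could not retrieve certificate ({exc})")
    for host, port in allowlist_hosts(certs):
        print(f"{host}:{port}")
```

Run it from the DE server itself so the result reflects the certificates and chain seen from that network position; repeat after certificate renewals, since the issuing CA (and therefore the CRL/OCSP hosts) can change.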