Delinea Platform Architecture

These architectural diagrams are provided to help you gain a high-level understanding of the underlying infrastructure and technology stack that supports the Delinea Platform. You can also use this material when configuring your firewall to allow access to the Delinea Platform and its related services.

We are continuously improving and optimizing our architecture to ensure that our service is scalable, secure, and efficient.

The suggested list of ports in this document shows all of the default port numbers. These default ports may differ based on your environment and your own unique requirements. In all cases, the ports and addresses listed below should be excluded from packet inspection to allow for normal service operation.

Please see Delinea Platform Architecture and Topology for additional information.

Delinea Platform: High-Level Overview

  • The diagram below highlights the overall architecture of the Delinea Platform.

    • Shared services are foundational services, such as authentication, notification, and audit, that provide infrastructure and other common resources designed to be consumed by various applications.

    • Application services are built on top of the platform shared services and provide functionality that is unique to the application, such as vaulting and remote access.

      The Delinea Platform is evolving with every new release. The overview diagram below may be forward-looking from that perspective.

  • The Delinea Platform leverages the Imperva Cloud Web Application Firewall to help secure its edge services. Customers who want to apply outbound filtering can lock down their access to the Imperva ingress IPs according to the Imperva documentation.

Delinea Platform: High-Level Overview

The IP ranges from Imperva may change periodically, so it is important to check frequently and stay up to date. The IP ranges can also be retrieved via the Imperva API; an example follows:

  curl -s --data "resp_format=json" https://my.imperva.com/api/integration/v1/ips | json_pp
  {
     "debug_info" : {
        "id-info" : "999999"
     },
     "ipRanges" : [
        "199.83.128.0/21",
        "198.143.32.0/19",
        "149.126.72.0/21",
        "103.28.248.0/22",
        "185.11.124.0/22",
        "192.230.64.0/18",
        "45.64.64.0/22",
        "107.154.0.0/16",
        "45.60.0.0/16",
        "45.223.0.0/16",
        "131.125.128.0/17"
     ],
     "ipv6Ranges" : [
        "2a02:e980::/29"
     ],
     "res" : 0,
     "res_message" : "OK"
  }

Privileged Remote Access

Delinea Privileged Remote Access (PRA) provides access to remote machines over RDP and SSH without the need for a VPN. PRA relies on a PRA Engine that runs on customer premises.

  • No internet-facing ingress ports are required for the PRA Engine

  • Outbound access on port 443 TCP from PRA Engine to the Delinea Platform via Imperva ingress

  • Internal access on port 53 TCP/UDP from PRA Engine to DNS server for name resolution of target machines

  • Internal access on port 3389 TCP from PRA Engine to Windows-based target machines for RDP access

  • Internal access on port 22 TCP from PRA Engine to Linux-based target machines for SSH access

  • Internal access on port 443 TCP from PRA Engine to Secret Server (on-premise) to enable integration with Delinea Platform and leverage secret access. Only required if Secret Server (on-premise) is in use.

Delinea Remote Access Service

Delinea Connector

The Delinea Connector enables secure communication between the Delinea Platform and AD directories. Typically, the Delinea Connector is installed on-premises and requires access to an Active Directory Domain Controller.

  • No internet-facing ingress ports are required for the Connector

  • Outbound access on port 443 TCP from the Connector to the Delinea Platform via Imperva WAF

Requests from the Delinea Platform to the Delinea Connector are made via the TCP Relay hosts. Such requests include, for instance, querying an AD user's details. All data is encrypted.

Region           TCP Relay Hosts IP Address Range
Canada           20.104.14.80 - 20.104.14.87
Australia        20.211.60.240 - 20.211.60.247
United Kingdom   20.49.210.72 - 20.49.210.79
United States    20.242.252.136 - 20.242.252.143; 52.148.145.72 - 52.148.145.79; 20.85.110.128 - 20.85.110.135
Southeast Asia   20.195.89.80 - 20.195.89.87
Europe           20.8.3.112 - 20.8.3.119

  • Internal access on port 3268 TCP from Delinea Connector to AD Domain Controller for Global Catalog access

  • Internal access on port 123 UDP from Delinea Connector to AD Domain Controller for time synchronization

  • Internal access on port 389 TCP/UDP from Delinea Connector to AD Domain Controller for handling normal authentication queries

  • Internal access on port 88 TCP from Delinea Connector to AD Domain Controller used for Kerberos authentication

  • Internal access on port 135 TCP from Delinea Connector to AD Domain Controller for remote procedure call (RPC) endpoint mapping

  • Internal access on port 53 TCP/UDP from Delinea Connector to DNS server for name resolution (this might be the DC itself depending on your environment)

Delinea Connector
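As an added example (not Delinea's or Imperva's own tooling), the following Python keeps an egress allow-list current from both sources above: it parses a response in the shape of the Imperva API output shown earlier and refuses to act on an error response, reports ranges added or removed since the last check, converts the TCP Relay host ranges from the table into CIDR blocks, and checks whether a destination address is covered. The response body, the previous snapshot and the two regions shown are constructed sample data.

```python
import ipaddress
import json

# Constructed sample with the shape of the Imperva API response shown above
# (only the fields this script reads).
IMPERVA_RESPONSE = json.dumps({
    "ipRanges": ["199.83.128.0/21", "45.60.0.0/16"],
    "ipv6Ranges": ["2a02:e980::/29"],
    "res": 0,
    "res_message": "OK",
})
# Constructed snapshot of what the firewall was last configured with.
PREVIOUS_SNAPSHOT = ["199.83.128.0/21", "2a02:e980::/29"]

# TCP Relay host ranges from the table above, in the "start - end" form the table uses.
RELAY_RANGES = {
    "Canada": ["20.104.14.80 - 20.104.14.87"],
    "United States": ["20.242.252.136 - 20.242.252.143",
                      "52.148.145.72 - 52.148.145.79",
                      "20.85.110.128 - 20.85.110.135"],
}

def parse_imperva_ranges(body):
    """Return the ingress networks; a non-zero res aborts so a failed call never empties the allow-list."""
    data = json.loads(body)
    if data.get("res") != 0:
        raise ValueError(f"Imperva API error: {data.get('res_message')}")
    return [ipaddress.ip_network(r) for r in data["ipRanges"] + data["ipv6Ranges"]]

def range_to_cidrs(span):
    """Convert 'first - last' to the minimal CIDR blocks most firewalls expect."""
    first, last = (ipaddress.ip_address(p.strip()) for p in span.split("-"))
    return list(ipaddress.summarize_address_range(first, last))

def relay_cidrs(region):
    """All relay host CIDRs for one region (a Connector's egress destinations)."""
    return [n for span in RELAY_RANGES[region] for n in range_to_cidrs(span)]

def diff_ranges(previous_cidrs, current_networks):
    """Added and removed ranges since the last check, as strings for a change record."""
    prev = {ipaddress.ip_network(c) for c in previous_cidrs}
    cur = set(current_networks)
    return ([str(n) for n in sorted(cur - prev, key=str)],
            [str(n) for n in sorted(prev - cur, key=str)])

def destination_allowed(ip, networks):
    """True if an address falls inside one of the allow-listed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in networks if n.version == addr.version)
```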