Ports for Communication between Components
As discussed in Review the Firewall Rules, certain ports are required for connections between components. The following summarizes the ports that must be open for inbound communication to manage Privileged Access Service.
Connector to Active Directory Ports (Inbound)
- Global Catalog: 3268
- LDAP: 389
- Kerberos: 88
- Kerberos Password: 464
- SMB/CIFS: 445 for password management
- Time Service: 123
- RPC Endpoint Mapper: 135 (allows the connector to join to an Active Directory domain)
- RPC Endpoint (TCP Dynamic): 49152-65535
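As an added example (not part of the product documentation), the following Python script checks the connector-to-Active Directory requirements listed above from the connector host: it probes each TCP port and compares a firewall allow-list of (low, high) TCP ranges against the required set, including the dynamic RPC range, which cannot be probed port by port. The host name, the constructed allow-lists, and the classification of port 123 as UDP are assumptions.

```python
import socket
from typing import Dict, Iterable, List, Tuple

# Ports the connector must reach on Active Directory, as listed above. Time
# Service (123) is NTP over UDP (assumption; the page gives no protocol), so a
# TCP connect test cannot confirm it and it is skipped by the probe.
AD_PORTS: Dict[str, Tuple[int, str]] = {
    "Global Catalog": (3268, "tcp"), "LDAP": (389, "tcp"),
    "Kerberos": (88, "tcp"), "Kerberos Password": (464, "tcp"),
    "SMB/CIFS": (445, "tcp"), "Time Service": (123, "udp"),
    "RPC Endpoint Mapper": (135, "tcp"),
}
# The dynamic RPC range cannot be probed port by port ahead of the domain join;
# it is checked against the firewall allow-list as a whole range instead.
RPC_DYNAMIC = (49152, 65535)

def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_reachability(host, ports=AD_PORTS, probe=tcp_reachable):
    """Probe each TCP port from this host; UDP entries are reported as skipped."""
    return [(name, port, "skipped" if proto != "tcp" else
             ("open" if probe(host, port) else "blocked"))
            for name, (port, proto) in ports.items()]

def _merge(ranges: Iterable[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Merge overlapping or adjacent (low, high) port ranges."""
    merged: List[Tuple[int, int]] = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged

def missing_rules(allowed: Iterable[Tuple[int, int]], ports=AD_PORTS) -> List[str]:
    """Names of required ports that the allow-list of (low, high) ranges omits."""
    merged = _merge(allowed)
    covered = lambda lo, hi: any(a <= lo and hi <= b for a, b in merged)
    missing = [name for name, (p, _) in ports.items() if not covered(p, p)]
    if not covered(*RPC_DYNAMIC):
        missing.append("RPC Endpoint (TCP Dynamic) %d-%d" % RPC_DYNAMIC)
    return missing
```

Run `check_reachability("dc01.example.internal")` on the connector host to see which ports the path to the domain controller actually admits, and feed the firewall's configured TCP allow ranges to `missing_rules` to catch rules that were never created.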
Server to the Connector (Inbound)
The server (sometimes referred to as the cloud or application server) handles routing of requests and starting the processes used for management operations.
- HTTPS default port 443
- DirectTCP port 30001
Ports on the Target Windows Server (Inbound)
- RDP 3389
- RPC Endpoint Mapper 135
- RPC Endpoint (“TCP Dynamic”) 49152-65535
Ports for Discovery, Testing Connectivity, and Password Management mode
- SMB/CIFS 445
- WinRM over HTTP 5985
- WinRM over HTTPS 5986
- RPC over TCP
Ports on the Connector for the Target Windows Server (Inbound)
- RDP 3389
- RPC Endpoint Mapper 135
- RDP 5555 (TCP), inbound on the connector, for native RDP
Ports on the Target Linux Server (Inbound)
- SSH 22
- HTTPS 443
Ports on the Connector for the Linux Server (Inbound)
- API Proxy (HTTP proxy) 8080
PAS Firewall Rules and Domain settings for External Integrations
When PAS interacts with your external system there may be additional port requirements.
Outbound port 443 is very likely required, possibly along with other ports, including inbound ports.
Example port recommendations:
| Example | Port Recommendations | Protocol |
|---|---|---|
| Partner federation / External IDP | Outbound / Inbound 443 for the external IDP | HTTPS |
| SAML app | Outbound / Inbound 443 to the application | HTTPS |
| Customer SMTP server | Port 22 | HTTPS |