Understanding the Platform Architecture and Topology

The architectural diagrams provided in this article provide a high-level view of the underlying infrastructure and technology stack that supports the Delinea Platform. You can leverage this material if you are interested in network connectivity to the Delinea Platform and its related services.

Please note that we are continually improving and optimizing our architecture to ensure that our service is scalable, secure, and efficient.

The suggested list of ports in this document shows all of the default port numbers. These default ports may differ based on your environment and your own unique requirements. In all cases, the ports and addresses listed below should be excluded from packet inspection to allow for proper service operation.

Delinea Platform: High-Level Overview

The diagram below highlights the overall architecture of the Delinea Platform.

  • Shared services are foundational services that provide infrastructure and other common resources that are designed to be consumed by various back end applications such as authentication, notification, and audit.

  • Application services leverage platform shared services, and are designed to provide functionality that is unique to the application such as vaulting and remote access.

    The Delinea Platform is evolving with every new release. The overview diagram below may be forward-looking from that perspective.

Alt

The Delinea Platform edge is secured by a Web Application Firewall (WAF). See Setting Up a Platform Firewall.

To ensure proper configuration, you must refer to the Secret Server Hybrid Multi-Tenant Cloud Architecture for detailed information on the required ingress and egress IP ranges used by Secret Server Cloud.

Delinea Platform Engine Management

The Delinea Platform manages and protects endpoints using small software packages called engines. Engines run as services on endpoints, facilitating downloading, installing, and running other Delinea products (called workloads).

Engines exchange data with the Delinea Platform to keep endpoints up to date and provide the latest engine and workload status.

Engine Management Architecture

The Engine Management feature provides administrators with a single interface for managing engines, which are automatically updated and maintained after installation — removing the need for the separate installers and management processes that are traditionally necessary on individual machines.

Ports and Network Communication

Port 443 (outbound only) must be open for the engine to send encrypted information to the platform through the message queue service.

Outbound Message Queue - Fully Qualified Domain Names (CloudAMQP)

The following Fully Qualified Domain Names are deployed by CloudAMQP using public IP ranges of Amazon, Azure, DigitalOcean, and Google Cloud, and are used by the engine to facilitate communication with the platform through encrypted messages over the CloudAMQP messaging service.

Outbound firewall rules should include the following Fully Qualified Domain Names (selected by databoundary), rather than static IP ranges of these URLs, as these IP ranges can change.

Australia technical-blond-elk.rmq2.cloudamqp.com
Canada smart-orange-gibbon.rmq2.cloudamqp.com
EU young-azure-hare.rmq2.cloudamqp.com
SEA hippy-fuchsia-woodpecker.rmq2.cloudamqp.com
UAE young-olden-buffalo.rmq6.cloudamqp.com
UK giant-maroon-bullfrog.rmq3.cloudamqp.com
US

dramatic-coral-crow.rmq2.cloudamqp.com

loud-beige-duckbill.rmq5.cloudamqp.com

fast-green-crab.rmq2.cloudamqp.com

bobbish-coral-anteater.rmq4.cloudamqp.com
Notes:
Engines cannot be installed on domain controllers.

When using PowerShell, version 7.3 is recommended for optimal performance. Version 5.1 may result in suboptimal performance.

Engines use the Message Queue service to queue encrypted messages, which are then consumed by Engine Management. Engine Management, in turn, uses Message Queue encrypted messages for engines. These queues are separated by regional data boundary. Messages are encrypted and decrypted by tenant. For successful communication between Engine and Engine Management, the outbound message queue URLs must be allowed at the Engine endpoint, along with an open port 443 (TLS MQTT over websockets).

Privileged Remote Access

Delinea Privileged Remote Access (PRA) provides seamless access to remote machines through RDP and SSH, without the need for a VPN. PRA leverages a PRA engine that runs on customer premises.

No internet-facing ingress ports are required for the PRA Engine. Only TLS 1.2+ is supported. See Setting Up a Platform Firewall for internal and external access ports.

Internal Access on these ports

  • 22 TCP from PRA Engine to Linux-based target machines for SSH access.

  • 53 TCP/UDP from PRA Engine to DNS server for name resolution of target machines.

  • 443 TCP from PRA Engine to Secret Server (on-premise) to enable integration with the Delinea Platform and leverage secret access. Only required if Secret Server (on-premise) is in use.

  • 445 TCP from PRA Engine to Windows-based target machines for SMB file transfers.

  • 3389 TCP from PRA Engine to Windows-based target machines for RDP access.

Outbound Access on port 443 TCP

  • from PRA Engine to the Delinea Platform through Message Queue ingress.

  • from the Secret Server (on-premise) to the Delinea Platform through Message Queue ingress to support the integration.

Delinea Privileged Remote Access

Delinea Connector

The Delinea Connector enables secure communication between the Delinea Platform and AD directories. Typically, the Delinea Connector is installed on-premises and requires access to an Active Directory Domain Controller.

  • Outbound access required on port 443 TCP from the Connector to the Delinea Platform through WAF.

  • No internet-facing ingress ports are required for the Connector.

Requests from the Delinea Platform to the Delinea Connector are made through the TCP Relay hosts. For example, such requests include querying for AD user details. All data is encrypted.

Region TCP Relay Hosts IP Address Range
Australia 20.211.60.240 - 20.211.60.247
Canada 20.104.14.80 - 20.104.14.87
Europe 20.8.3.112 - 20.8.3.119
Southeast Asia 20.195.89.80 - 20.195.89.87
United Arab Emirates 20.203.77.200 - 20.203.77.207
United Kingdom 20.49.210.72 - 20.49.210.79
United States

20.242.252.136 - 20.242.252.143;

52.148.145.72 - 52.148.145.79;

20.85.110.128 - 20.85.110.135

  • The Delinea Connector requires internal access for the following ports:

    • 53 TCP/UDP to DNS server for name resolution (this might be the DC itself depending on your environment)

    • 88 TCP to AD Domain Controller used for Kerberos authentication

    • 123 UDP to AD Domain Controller for time synchronization

    • 135 TCP to AD Domain Controller for remote procedure call (RPC) endpoint mapping

    • 389 TCP/UDP to AD Domain Controller for handling normal authentication queries

    • 3268 TCP to AD Domain Controller for Global Catalog access

    • 9521 TCP from the Delinea Connector Configuration process to the DelineaProxy service for RPC communication.

Delinea Connector

Alt

Notification Services

The platform leverages select third-party messaging providers. This enables Delinea to deliver notifications promptly and reliably to users across various channels, including email, SMS, and phone.

Vendor IP Address Purpose (examples)
AWS SES 54.240.75.72
54.240.75.73		 The Delinea Platform uses AWS SES as its primary email service provider for a variety of email notifications, including user invitations to the platform and email MFA code pins.
SendGrid 149.72.129.10 SendGrid is the primary email service provider for Secret Server email notifications, particularly for tasks such as access requests.
Twilio -- Twilio is used for SMS and Phone MFA.

Tenant IP Restrictions

The Tenant IP Restrictions feature ensures that only trusted network IP addresses or CIDR ranges can connect to your Delinea Platform tenant. By limiting access to approved network ranges, this feature adds an extra layer of security to your environment.

Key Benefits

  • Enhanced Security: Restricts access to only approved IP addresses, reducing the risk of unauthorized access.

  • Comprehensive Coverage: Applies to both the Delinea Platform tenant and the integrated Secret Server Cloud instance, ensuring consistent protection across the entire environment.

Submitting an IP Restriction Request for the Platform

To enable IP restrictions, submit a support case to Delinea Support with the list of allowed IP addresses or CIDR ranges. Delinea Support will assist in configuring the allowlist for your tenant to ensure seamless and secure access.

Ensure that all necessary IPs are included to avoid unintended access disruptions.