Customer Firewall Requirements
If your environment has a firewall, you must provide access from your corporate environment out to the Delinea Platform.
Key Terms:
- PCS is the Privilege Control for Servers feature of the Delinea Platform.
- PRA is the Privileged Remote Access feature of the Delinea Platform.
Your Tenant's Distributed Engine Service Bus
- Go to the URL for your platform tenant: https://<tenant>.delinea.app/view/vault/diagnostics/system/service-bus
- Locate the Customer Service Bus and Engine Response Bus URLs as shown in the diagram. These URLs are generated during the setup of Platform.
- Ensure that both of the FQDNs are given outbound https access.
To ensure proper configuration, refer to the Secret Server Cloud egress and ingress IP address ranges and other details at Secret Server Hybrid Multi-Tenant Cloud Architecture.
Outbound (Customer to Platform)
These firewall rules must be configured with SSL Inspection disabled. The services will not function if they detect an intermediate certificate for SSL inspection. All endpoints should be configured to allow TCP Port 443 outbound unless specified otherwise.
Required for all Data Boundaries
Platform Tenant Hostname
<tenant>.delinea.app
Secret Server Cloud Tenant Hostname
Your Secret Server URL as presented in the Platform UI at
<tenant>.delinea.app/view/identity-admin/authentication/secret-server-connection
Example: <tenant>.secretservercloud.com
Certificate Validation Hostnames (port 80 HTTP traffic only)
All Platform endpoints are encrypted with TLS, which requires outbound TCP port 80 connections for certificate validation, such as CRL and OCSP endpoints.
- *.lencr.org
- *.digicert.org
- *.sectigo.com
- *.microsoft.com
Note: If you block port 80:
- any allow lists that use wildcards will fail
- you must use full URLs
- you must contact Delinea Support to obtain the required full URLs
Distributed Engine Response Queue for Secret Server Cloud
This hostname can be found on the following Platform URL:
https://<tenant>.delinea.app/view/vault/diagnostics/system/service-bus
See Your Tenant's Distributed Engine Service Bus above for details.
Distributed Engine Customer Queue for Secret Server Cloud
This hostname can be found on the following Platform URL:
https://<tenant>.delinea.app/view/vault/diagnostics/system/service-bus
See Your Tenant's Distributed Engine Service Bus above for details.
Platform Engine
- enginepoolupdateprod.blob.core.windows.net
- enginepool-downloads-prod.azureedge.net
Platform Marketplace
The Platform Marketplace contains links and downloads hosted by Delinea or third parties. The Marketplace will continually evolve, and listing all possible hostnames would not be feasible within our documentation. If outbound firewall rules are in place, please add exceptions as needed for each Marketplace link or download.
Data Boundary-Specific
United States
Platform Authentication Connector Relays (self-signed)
- tcpr-linux-eastus-01.eastus.cloudapp.azure.com
- tcpr-linux-eastus-02.eastus.cloudapp.azure.com
- tcpr-linux-westus2-01.westus2.cloudapp.azure.com
- tcpr-linux-westus2-02.westus2.cloudapp.azure.com
Platform Authentication Connector Relays (CA-Signed)
- tcpr-linux-eastus-signed-01.identity.services.delinea.app
- tcpr-linux-westus2-signed-01.identity.services.delinea.app
Platform Engine
- bobbish-coral-anteater.rmq4.cloudamqp.com
- dramatic-coral-crow.rmq2.cloudamqp.com
- fast-green-crab.rmq2.cloudamqp.com
- loud-beige-duckbill.rmq5.cloudamqp.com
Australia
Platform Authentication Connector Relays
- tcpr-linux-australiaeast-01.australiaeast.cloudapp.azure.com
- tcpr-linux-australiaeast-02.australiaeast.cloudapp.azure.com
Platform Engine
- technical-blond-elk.rmq2.cloudamqp.com
Canada
Platform Authentication Connector Relays
- tcpr-linux-canadacentral-01.canadacentral.cloudapp.azure.com
- tcpr-linux-canadacentral-02.canadacentral.cloudapp.azure.com
Platform Engine
- smart-orange-gibbon.rmq2.cloudamqp.com
Europe
Platform Authentication Connector Relays
- tcpr-linux-westeurope-01.westeurope.cloudapp.azure.com
- tcpr-linux-westeurope-02.westeurope.cloudapp.azure.com
Platform Engine
- young-azure-hare.rmq2.cloudamqp.com
Southeast Asia
Platform Authentication Connector Relays
- tcpr-linux-eastasia-01.eastasia.cloudapp.azure.com
- tcpr-linux-eastasia-02.eastasia.cloudapp.azure.com
Platform Engine
- hippy-fuchsia-woodpecker.rmq2.cloudamqp.com
United Arab Emirates
Platform Authentication Connector Relays
- tcpr-linux-uaenorth-01.uaenorth.cloudapp.azure.com
- tcpr-linux-uaenorth-02.uaenorth.cloudapp.azure.com
Platform Engine
- young-olden-buffalo.rmq6.cloudamqp.com
United Kingdom
Platform Authentication Connector Relays
- tcpr-linux-uksouth-01.uksouth.cloudapp.azure.com
- tcpr-linux-uksouth-02.uksouth.cloudapp.azure.com
Platform Engine
- giant-maroon-bullfrog.rmq3.cloudamqp.com
Inbound (Platform to Customer)
Webhooks
Allowing communication from these Platform Egress IPs is required only if you are using the Webhooks feature.
United States
- 13.68.202.64/29
- 172.203.27.16/29
Australia
- 23.101.212.8/29
- 20.11.207.32/29
Canada
- 40.85.216.32/29
- 40.86.243.40/29
Europe
- 108.143.39.32/29
- 137.116.238.240/29
Southeast Asia
- 104.215.150.80/29
- 23.100.88.32/29
United Arab Emirates
- 40.123.218.160/29
- 20.45.67.96/29
United Kingdom
- 51.140.10.160/29
- 20.90.1.200/29
Privileged Remote Access
Delinea Privileged Remote Access (PRA) provides seamless access to remote machines through RDP and SSH, without the need for a VPN. PRA leverages a PRA engine that runs on customer premises.
No internet-facing ingress ports are required for the PRA Engine. Only TLS 1.2+ is supported. See Setting Up a Platform Firewall for internal and external access ports.
Internal Access on these ports
- 22 TCP from PRA Engine to Linux-based target machines for SSH access.
- 53 TCP/UDP from PRA Engine to DNS server for name resolution of target machines.
- 443 TCP from PRA Engine to Secret Server (on-premise) to enable integration with the Delinea Platform and leverage secret access. Only required if Secret Server (on-premise) is in use.
- 445 TCP from PRA Engine to Windows-based target machines for SMB file transfers.
- 3389 TCP from PRA Engine to Windows-based target machines for RDP access.
Outbound Access on port 443 TCP
- from PRA Engine to the Delinea Platform through Message Queue ingress.
- from the Secret Server (on-premise) to the Delinea Platform through Message Queue ingress to support the integration.
Delinea Connector
The Delinea Connector enables secure communication between the Delinea Platform and AD directories. Typically, the Delinea Connector is installed on-premises and requires access to an Active Directory Domain Controller.
- Outbound access required on port 443 TCP from the Connector to the Delinea Platform through WAF.
- No internet-facing ingress ports are required for the Connector.
Requests from the Delinea Platform to the Delinea Connector are made through the TCP Relay hosts. For example, such requests include querying for AD user details. All data is encrypted.
Region | TCP Relay Hosts IP Address Range |
---|---|
Australia | 20.211.60.240 - 20.211.60.247 |
Canada | 20.104.14.80 - 20.104.14.87 |
Europe | 20.8.3.112 - 20.8.3.119 |
Southeast Asia | 20.195.89.80 - 20.195.89.87 |
United Arab Emirates | 20.203.77.200 - 20.203.77.207 |
United Kingdom | 20.49.210.72 - 20.49.210.79 |
United States | 20.242.252.136 - 20.242.252.143; 52.148.145.72 - 52.148.145.79; 20.85.110.128 - 20.85.110.135 |
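The relay table above lists inclusive address ranges, while most firewalls take CIDR blocks. The following added example (not Delinea's code) converts each range to the minimal CIDR list for an inbound allowlist to the Connector and checks whether a given source address falls inside a region's relay hosts; the region names and ranges are copied from the table.

```python
# Added example (not Delinea's code): turns the TCP Relay host ranges from the
# table above into CIDR form for a firewall allowlist, and checks a connection's
# source address against the relay hosts of one data boundary.
import ipaddress

# Inclusive TCP Relay host ranges (Platform -> Delinea Connector), from the table.
TCP_RELAY_RANGES = {
    "Australia": ["20.211.60.240 - 20.211.60.247"],
    "Canada": ["20.104.14.80 - 20.104.14.87"],
    "Europe": ["20.8.3.112 - 20.8.3.119"],
    "Southeast Asia": ["20.195.89.80 - 20.195.89.87"],
    "United Arab Emirates": ["20.203.77.200 - 20.203.77.207"],
    "United Kingdom": ["20.49.210.72 - 20.49.210.79"],
    "United States": ["20.242.252.136 - 20.242.252.143",
                      "52.148.145.72 - 52.148.145.79",
                      "20.85.110.128 - 20.85.110.135"],
}


def range_to_cidrs(text):
    """Convert 'a.b.c.d - w.x.y.z' into the minimal list of CIDR blocks.

    An aligned 8-address range collapses to one /29; an unaligned range is
    split into several smaller blocks, so nothing outside the range is allowed.
    """
    first, last = (ipaddress.ip_address(p.strip()) for p in text.split("-"))
    if first > last:
        raise ValueError(f"range is reversed: {text}")
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def relay_allowlist(region):
    """CIDR blocks to allow inbound to the Connector for one data boundary."""
    return [cidr for rng in TCP_RELAY_RANGES[region] for cidr in range_to_cidrs(rng)]


def is_platform_relay(source_ip, region):
    """True if source_ip lies within the relay hosts of the given region."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in relay_allowlist(region))


if __name__ == "__main__":
    for region in TCP_RELAY_RANGES:
        print(f"{region}: {', '.join(relay_allowlist(region))}")
```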
The Delinea Connector requires internal access for the following ports:
- 53 TCP/UDP to DNS server for name resolution (this might be the DC itself depending on your environment)
- 88 TCP to AD Domain Controller used for Kerberos authentication
- 123 UDP to AD Domain Controller for time synchronization
- 135 TCP to AD Domain Controller for remote procedure call (RPC) endpoint mapping
- 389 TCP/UDP to AD Domain Controller for handling normal authentication queries
- 3268 TCP to AD Domain Controller for Global Catalog access
- 9521 TCP from the Delinea Connector Configuration process to the DelineaProxy service for RPC communication.
Privilege Control for Servers (PCS) Agent
The PCS agent requires internal access for the following ports:
- 8443 TCP and 8080 TCP to the Delinea Connector
- 5063 TCP to the Audit Collector
Notification Services
The platform leverages select third-party messaging providers. This enables Delinea to deliver notifications promptly and reliably to users across various channels, including email, SMS, and phone.
Vendor | IP Address | Purpose (examples) |
---|---|---|
AWS SES | 54.240.75.72, 54.240.75.73 | The Delinea Platform uses AWS SES as its primary email service provider for a variety of email notifications, including user invitations to the platform and email MFA code pins. |
SendGrid | 149.72.129.10 | SendGrid is the primary email service provider for Secret Server email notifications, particularly for tasks such as access requests. |
Twilio | -- | Twilio is used for SMS and Phone MFA. |
Tenant IP Restrictions
The Tenant IP Restrictions feature ensures that only trusted network IP addresses or CIDR ranges can connect to your Delinea Platform tenant. By limiting access to approved network ranges, this feature adds an extra layer of security to your environment.
Key Benefits
- Enhanced Security: Restricts access to only approved IP addresses, reducing the risk of unauthorized access.
- Comprehensive Coverage: Applies to both the Delinea Platform tenant and the integrated Secret Server Cloud instance, ensuring consistent protection across the entire environment.
Submitting an IP Restriction Request for the Platform
To enable IP restrictions, submit a support case to Delinea Support with the list of allowed IP addresses or CIDR ranges. Delinea Support will assist in configuring the allowlist for your tenant to ensure seamless and secure access.
When submitting a request, please ensure the following:
- Maximum Address Limit: The request must contain no more than 50 individual IP addresses or CIDR blocks combined.
- No Duplicate Addresses: The request must not contain any duplicate IP addresses.
- Exclude Reserved IPs: Do not include any of the Delinea-owned IP addresses.
- CIDR Block Standards: Submitted CIDR blocks must follow strict standards. For example, a /29 block must align with valid start addresses.
  - Invalid: 192.0.2.20/29
  - Valid: 192.0.2.16/29
Failure to meet these requirements may result in delays or rejection of the request.
Ensure that all necessary IPs are included to avoid unintended access disruptions.
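Before submitting the support case, the request list can be checked against the rules above. The following added example (not Delinea's code) validates the entry count, duplicates, CIDR alignment and overlap with Delinea-owned ranges; the Delinea-owned set is illustrative and built only from the Webhooks egress blocks listed on this page, and the alignment check reports the aligned block for a misaligned entry such as 192.0.2.20/29.

```python
# Added example (not Delinea's code): pre-checks a Tenant IP Restriction request
# against the rules on this page before it is submitted to Delinea Support.
import ipaddress

MAX_ENTRIES = 50  # "no more than 50 individual IP addresses or CIDR blocks combined"

# Illustrative set of Delinea-owned ranges, taken from the Webhooks egress list on
# this page; the complete set of Delinea-owned addresses is not enumerated here.
DELINEA_OWNED = [ipaddress.ip_network(c) for c in (
    "13.68.202.64/29", "172.203.27.16/29",      # United States
    "108.143.39.32/29", "137.116.238.240/29",   # Europe
)]


def validate_request(entries):
    """Return a list of problems; an empty list means the request is acceptable.

    Each entry is a single IP ("198.51.100.7") or a CIDR block ("192.0.2.16/29").
    strict=True rejects blocks whose host bits are set, so 192.0.2.20/29 fails
    and the aligned block (192.0.2.16/29) is suggested instead.
    """
    problems = []
    if len(entries) > MAX_ENTRIES:
        problems.append(f"{len(entries)} entries exceed the limit of {MAX_ENTRIES}")

    seen = set()  # normalized networks, so 198.51.100.7 and 198.51.100.7/32 match
    for raw in entries:
        text = raw.strip()
        try:
            net = ipaddress.ip_network(text, strict=True)
        except ValueError:
            try:
                aligned = ipaddress.ip_network(text, strict=False)
                problems.append(f"misaligned CIDR: {text} (aligned block is {aligned})")
            except ValueError:
                problems.append(f"invalid entry: {text}")
            continue
        if net in seen:
            problems.append(f"duplicate entry: {text}")
            continue
        seen.add(net)
        if any(net.overlaps(owned) for owned in DELINEA_OWNED):
            problems.append(f"Delinea-owned address range: {text}")
    return problems


if __name__ == "__main__":
    for problem in validate_request(["192.0.2.16/29", "192.0.2.20/29", "13.68.202.66"]):
        print(problem)
```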