Network Requirements
This page describes the hardware, software, ports, and configurations you need to meet the Delinea Platform firewall requirements.
Key Terms:
-
PCS is the Privilege Control for Servers feature of the Delinea Platform.
-
PRA is the Privileged Remote Access feature of the Delinea Platform.
Firewall Requirements
You must provide access from your corporate environment out to the Delinea Platform.
Determining Your Tenant's Customer Service Bus and Engine Response Bus
-
Go to the URL for your platform tenant: https://<tenant>.delinea.app/view/vault/diagnostics/system/service-bus
-
Locate the Customer Service Bus and Engine Response Bus Information shown in the diagram.
These URLs are generated during the setup of Platform. -
Ensure that both of the FQDNs are given outbound https access.
U.S. Tenants
These firewall rules must be configured with SSL Inspection disabled. The services will not function if they detect an intermediate certificate for SSL inspection
URLs (SSL 443 Outbound) | Notes |
---|---|
<tenant>.delinea.app <tenant>.secretservercloud.com downloads.marketplace.delinea.com |
URL for the platform tenant. URL for the Secret Server tenant Access to the Marketplace site for software downloads |
prod-tcpr-1.eastus.cloudapp.azure.com prod-tcpr-2.eastus.cloudapp.azure.com prod-tcpr-1.westus.cloudapp.azure.com prod-tcpr-2.westus.cloudapp.azure.com |
TCP Relays are VMs using custom code. |
enginepoolupdateprod.blob.core.windows.net authstorprod8138094.blob.core.windows.net enginepool-downloads-prod.azureedge.net |
Microsoft .NET services for the Engine Pool. CDN for the Download center. |
bobbish-coral-anteater.rmq4.cloudamqp.com dramatic-coral-crow.rmq2.cloudamqp.com fast-green-crab.rmq2.cloudamqp.com loud-beige-duckbill.rmq5.cloudamqp.com |
RabbitMQ for Engine Management |
*.lencr.org (http) *.digicert.org (http) |
Certificate Validation URLS (port 80 http traffic only) Connector requires digital certificate validation at letsencrypt.org and digicert. |
Engine Response Bus (FQDN) Customer Service Bus (FQDN) |
Enter these URLs from your platform tenant. They are generated during platform setup. |
Non-US Tenants
URLs (SSL 443 Outbound) | Notes |
---|---|
<tenant>.delinea.app <tenant>.secretservercloud.com downloads.marketplace.delinea.com |
URL for the platform tenant URL for the Secret Server tenant Access to the Marketplace site for software downloads |
enginepoolupdateprod.blob.core.windows.net authstorprod8138094.blob.core.windows.net enginepool-downloads-prod.azureedge.net |
Microsoft .NET services for the Engine Pool. CDN for the Download center. |
*.lencr.org (http) *.digicert.org (http) |
Certificate Validation URLS (port 80 http traffic only) Connector requires digital certificate validation at letsencrypt.org and digicert. |
Australia |
prod-tcpr-1.australiaeast.cloudapp.azure.com prod-tcpr-2.australiaeast.cloudapp.azure.com technical-blond-elk.rmq2.cloudamqp.com (include US Addresses below for backup) |
Canada |
prod-tcpr-1.canadacentral.cloudapp.azure.com prod-tcpr-2.canadacentral.cloudapp.azure.com smart-orange-gibbon.rmq2.cloudamqp.com (include US Addresses below for backup) |
Europe |
prod-tcpr-1.westeurope.cloudapp.azure.com prod-tcpr-2.westeurope.cloudapp.azure.com young-azure-hare.rmq2.cloudamqp.com (include US Addresses below for backup) |
Southeast Asia |
prod-tcpr-1.eastasia.cloudapp.azure.com prod-tcpr-2.eastasia.cloudapp.azure.com hippy-fuchsia-woodpecker.rmq2.cloudamqp.com (include US Addresses below for backup) |
United Arab Emirates |
prod-tcpr-1.uaenorth.cloudapp.azure.com prod-tcpr-2.uaenorth.cloudapp.azure.com young-olden-buffalo.rmq6.cloudamqp.com (include US Addresses below for backup) |
United Kingdom |
prod-tcpr-1.uksouth.cloudapp.azure.com prod-tcpr-2.uksouth.cloudapp.azure.com giant-maroon-bullfrog.rmq3.cloudamqp.com (include US Addresses below for backup) |
United States: Include these backup addresses in your firewall table. Emergency failover is routed to the US regions. |
prod-tcpr-1.eastus.cloudapp.azure.com prod-tcpr-2.eastus.cloudapp.azure.com prod-tcpr-1.westus.cloudapp.azure.com prod-tcpr-2.westus.cloudapp.azure.com |
Engine Response Bus (FQDN) Customer Service Bus (FQDN) |
Enter these URLs from your platform tenant. They are generated during platform setup.
|
The Delinea Platform edge is secured by a Web Application Firewall (WAF). See Network Requirements.
Customers interested in implementing inbound filtering can restrict access to traffic originating from the Delinea Platform to the specified egress IP address ranges below:
-
4.180.243.168/29
-
13.68.202.64/29
-
20.11.207.32/29
-
20.90.1.200/29
-
23.100.88.32/29
-
23.101.212.8/29
-
40.85.216.32/29
-
40.85.241.48/29
-
40.86.243.40/29
-
51.140.10.160/29
-
51.145.8.56/29
-
65.52.165.168/29
-
74.235.247.24/29
-
104.210.77.120/29
-
104.215.150.80/29
-
108.143.39.32/29
-
137.116.238.240/29
-
172.203.27.16/29
To ensure proper configuration, you must refer to the Secret Server Hybrid Multi-Tenant Cloud Architecture for detailed information on the required ingress and egress IP ranges used by Secret Server Cloud.
Ports and Network Communication
Port 443 (outbound only) must be open for the engine to send encrypted information to the platform through the message queue service.
Outbound Message Queue - Fully Qualified Domain Names (CloudAMQP)
The following Fully Qualified Domain Names are deployed by CloudAMQP using public IP ranges of Amazon, Azure, DigitalOcean, and Google Cloud, and are used by the engine to facilitate communication with the platform through encrypted messages over the CloudAMQP messaging service.
Outbound firewall rules should include the following Fully Qualified Domain Names (selected by databoundary), rather than static IP ranges of these URLs, as these IP ranges can change.
Australia | technical-blond-elk.rmq2.cloudamqp.com |
Canada | smart-orange-gibbon.rmq2.cloudamqp.com |
EU | young-azure-hare.rmq2.cloudamqp.com |
SEA | hippy-fuchsia-woodpecker.rmq2.cloudamqp.com |
UAE | young-olden-buffalo.rmq6.cloudamqp.com |
UK | giant-maroon-bullfrog.rmq3.cloudamqp.com |
US |
dramatic-coral-crow.rmq2.cloudamqp.com |
Engines cannot be installed on domain controllers.
When using PowerShell, version 7.3 is recommended for optimal performance. Version 5.1 may result in suboptimal performance.
Engines use the Message Queue service to queue encrypted messages, which are then consumed by Engine Management. Engine Management, in turn, uses Message Queue encrypted messages for engines. These queues are separated by regional data boundary. Messages are encrypted and decrypted by tenant. For successful communication between
Privileged Remote Access
Delinea Privileged Remote Access (PRA) provides seamless access to remote machines through RDP and SSH, without the need for a VPN. PRA leverages a PRA engine that runs on customer premises.
No internet-facing ingress ports are required for the PRA Engine. Only TLS 1.2+ is supported. See Setting Up a Platform Firewall for internal and external access ports.
Internal Access on these ports
-
22 TCP from PRA Engine to Linux-based target machines for SSH access.
-
53 TCP/UDP from PRA Engine to DNS server for name resolution of target machines.
-
443 TCP from PRA Engine to Secret Server (on-premise) to enable integration with the Delinea Platform and leverage secret access. Only required if Secret Server (on-premise) is in use.
-
445 TCP from PRA Engine to Windows-based target machines for SMB file transfers.
-
3389 TCP from PRA Engine to Windows-based target machines for RDP access.
Outbound Access on port 443 TCP
-
from PRA Engine to the Delinea Platform through Message Queue ingress.
-
from the Secret Server (on-premise) to the Delinea Platform through Message Queue ingress to support the integration.
Delinea Connector
The Delinea Connector enables secure communication between the Delinea Platform and AD directories. Typically, the Delinea Connector is installed on-premises and requires access to an Active Directory Domain Controller.
-
Outbound access required on port 443 TCP from the Connector to the Delinea Platform through WAF.
-
No internet-facing ingress ports are required for the Connector.
Requests from the Delinea Platform to the Delinea Connector are made through the TCP Relay hosts. For example, such requests include querying for AD user details. All data is encrypted.
Region | TCP Relay Hosts IP Address Range |
---|---|
Australia | 20.211.60.240 - 20.211.60.247 |
Canada | 20.104.14.80 - 20.104.14.87 |
Europe | 20.8.3.112 - 20.8.3.119 |
Southeast Asia | 20.195.89.80 - 20.195.89.87 |
United Arab Emirates | 20.203.77.200 - 20.203.77.207 |
United Kingdom | 20.49.210.72 - 20.49.210.79 |
United States |
20.242.252.136 - 20.242.252.143; 52.148.145.72 - 52.148.145.79; 20.85.110.128 - 20.85.110.135 |
-
The Delinea Connector requires internal access for the following ports:
-
53 TCP/UDP to DNS server for name resolution (this might be the DC itself depending on your environment)
-
88 TCP to AD Domain Controller used for Kerberos authentication
-
123 UDP to AD Domain Controller for time synchronization
-
135 TCP to AD Domain Controller for remote procedure call (RPC) endpoint mapping
-
389 TCP/UDP to AD Domain Controller for handling normal authentication queries
-
3268 TCP to AD Domain Controller for Global Catalog access
-
9521 TCP from the Delinea Connector Configuration process to the DelineaProxy service for RPC communication.
-
Notification Services
The platform leverages select third-party messaging providers. This enables Delinea to deliver notifications promptly and reliably to users across various channels, including email, SMS, and phone.
Vendor | IP Address | Purpose (examples) |
---|---|---|
AWS SES | 54.240.75.72
54.240.75.73 |
The Delinea Platform uses AWS SES as its primary email service provider for a variety of email notifications, including user invitations to the platform and email MFA code pins. |
SendGrid | 149.72.129.10 | SendGrid is the primary email service provider for Secret Server email notifications, particularly for tasks such as access requests. |
Twilio | -- | Twilio is used for SMS and Phone MFA. |
Tenant IP Restrictions
The Tenant IP Restrictions feature ensures that only trusted network IP addresses or CIDR ranges can connect to your Delinea Platform tenant. By limiting access to approved network ranges, this feature adds an extra layer of security to your environment.
Key Benefits
-
Enhanced Security: Restricts access to only approved IP addresses, reducing the risk of unauthorized access.
-
Comprehensive Coverage: Applies to both the Delinea Platform tenant and the integrated Secret Server Cloud instance, ensuring consistent protection across the entire environment.
Submitting an IP Restriction Request for the Platform
To enable IP restrictions, submit a support case to Delinea Support with the list of allowed IP addresses or CIDR ranges. Delinea Support will assist in configuring the allowlist for your tenant to ensure seamless and secure access.
Ensure that all necessary IPs are included to avoid unintended access disruptions.