Setting Up a Platform Firewall

This page describes the hardware, software, ports, and configurations you need to meet the Delinea Platform firewall requirements.

Key Terms:

  • PCS is the Privilege Control for Servers feature of the Delinea Platform.

  • PRA is the Privileged Remote Access feature of the Delinea Platform.

Firewall Requirements

You must allow outbound access from your corporate environment to the Delinea Platform endpoints listed on this page. All rules are outbound; the platform does not require inbound connections to your network.

Determining Your Tenant's Customer Service Bus and Engine Response Bus

  1. Go to the URL for your platform tenant: https://<tenant>.delinea.app/view/vault/diagnostics/system/service-bus

  2. Locate the Customer Service Bus and Engine Response Bus information shown on that page.
    These two FQDNs are unique to your tenant and are generated during the setup of the platform.

  3. Allow outbound HTTPS (TCP 443) from your environment to both FQDNs, in addition to the shared addresses in the tables below.

U.S. Tenants

Exempt these destinations from SSL/TLS inspection. The platform components validate the server certificate chain and will not function if an inspecting proxy substitutes its own intermediate certificate for the public one.

URLs (SSL 443 Outbound)                        Notes

<tenant>.delinea.app                           URL for the platform tenant.
<tenant>.secretservercloud.com                 URL for the Secret Server tenant.
downloads.marketplace.delinea.com              Access to the Marketplace site for software downloads.

prod-tcpr-1.eastus.cloudapp.azure.com          TCP Relays. These are VMs running custom code.
prod-tcpr-2.eastus.cloudapp.azure.com
prod-tcpr-1.westus.cloudapp.azure.com
prod-tcpr-2.westus.cloudapp.azure.com

enginepoolupdateprod.blob.core.windows.net     Microsoft .NET services for the Engine Pool.
authstorprod8138094.blob.core.windows.net
enginepool-downloads-prod.azureedge.net        CDN for the Download center.

bobbish-coral-anteater.rmq4.cloudamqp.com      RabbitMQ for Engine Management.
dramatic-coral-crow.rmq2.cloudamqp.com
fast-green-crab.rmq2.cloudamqp.com
loud-beige-duckbill.rmq5.cloudamqp.com

*.lencr.org (port 80, HTTP)                    Certificate validation URLs (port 80 HTTP traffic only). The
*.digicert.org (port 80, HTTP)                 connector validates its certificate chain against the Let's
                                               Encrypt and DigiCert revocation services (CRL/OCSP), which are
                                               served over plain HTTP by design; do not block or force this
                                               traffic to HTTPS.

Engine Response Bus (FQDN)                     Enter the FQDNs from your platform tenant (see the diagnostics
Customer Service Bus (FQDN)                    page above). They are generated during platform setup.

Non-US Tenants

URLs (SSL 443 Outbound)                        Notes

<tenant>.delinea.app                           URL for the platform tenant.
<tenant>.secretservercloud.com                 URL for the Secret Server tenant.
downloads.marketplace.delinea.com              Access to the Marketplace site for software downloads.

enginepoolupdateprod.blob.core.windows.net     Microsoft .NET services for the Engine Pool.
authstorprod8138094.blob.core.windows.net
enginepool-downloads-prod.azureedge.net        CDN for the Download center.

*.lencr.org (port 80, HTTP)                    Certificate validation URLs (port 80 HTTP traffic only). The
*.digicert.org (port 80, HTTP)                 connector validates its certificate chain against the Let's
                                               Encrypt and DigiCert revocation services (CRL/OCSP), which are
                                               served over plain HTTP by design; do not block or force this
                                               traffic to HTTPS.

Add the TCP Relay and RabbitMQ addresses for your tenant's region from the list below, plus the US addresses as backup.

Canada

prod-tcpr-1.canadacentral.cloudapp.azure.com   TCP Relay
prod-tcpr-2.canadacentral.cloudapp.azure.com   TCP Relay
smart-orange-gibbon.rmq2.cloudamqp.com         RabbitMQ for Engine Management

(also include the US Addresses below for backup)

Europe

prod-tcpr-1.westeurope.cloudapp.azure.com      TCP Relay
prod-tcpr-2.westeurope.cloudapp.azure.com      TCP Relay
young-azure-hare.rmq2.cloudamqp.com            RabbitMQ for Engine Management

(also include the US Addresses below for backup)

United Kingdom

prod-tcpr-1.uksouth.cloudapp.azure.com         TCP Relay
prod-tcpr-2.uksouth.cloudapp.azure.com         TCP Relay
giant-maroon-bullfrog.rmq3.cloudamqp.com       RabbitMQ for Engine Management

(also include the US Addresses below for backup)

Australia

prod-tcpr-1.australiaeast.cloudapp.azure.com   TCP Relay
prod-tcpr-2.australiaeast.cloudapp.azure.com   TCP Relay
technical-blond-elk.rmq2.cloudamqp.com         RabbitMQ for Engine Management

(also include the US Addresses below for backup)

Southeast Asia

prod-tcpr-1.eastasia.cloudapp.azure.com        TCP Relay
prod-tcpr-2.eastasia.cloudapp.azure.com        TCP Relay
hippy-fuchsia-woodpecker.rmq2.cloudamqp.com    RabbitMQ for Engine Management

(also include the US Addresses below for backup)

US Addresses: Include these backup addresses in the firewall table of every non-US tenant. Emergency failover is routed to the US regions.

prod-tcpr-1.eastus.cloudapp.azure.com          TCP Relay (US failover)
prod-tcpr-2.eastus.cloudapp.azure.com          TCP Relay (US failover)
prod-tcpr-1.westus.cloudapp.azure.com          TCP Relay (US failover)
prod-tcpr-2.westus.cloudapp.azure.com          TCP Relay (US failover)

Engine Response Bus (FQDN)                     Enter the FQDNs from your platform tenant (see the diagnostics
Customer Service Bus (FQDN)                    page above). They are generated during platform setup.
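The following script is an added example, not Delinea code, for checking the rules above from the connector host before deployment. It builds the per-region allowlist from the tables on this page (shared hosts, the region's TCP Relays and RabbitMQ broker, the US relays as failover for non-US tenants, and the two tenant-specific Service Bus FQDNs), then opens each port and, on 443, completes a TLS handshake and records the issuing CA so that an SSL-inspecting proxy is caught before the engine fails. The region names, the PUBLIC_CA_ORGS set (Let's Encrypt and DigiCert, the CAs this page names), and the command-line argument order are assumptions of the example; the placeholder Service Bus names in the usage line are not real tenant values.

```python
"""Pre-flight check of the Delinea Platform outbound allowlist (added example)."""
import socket
import ssl
import sys


def relays_for(azure_region):
    """The two TCP Relay hosts the page lists for one Azure region."""
    return ["prod-tcpr-%d.%s.cloudapp.azure.com" % (n, azure_region) for n in (1, 2)]


# Entries below are copied from the tables on this page. Port 443 unless noted.
COMMON_443 = [
    "{tenant}.delinea.app", "{tenant}.secretservercloud.com",
    "downloads.marketplace.delinea.com",
    "enginepoolupdateprod.blob.core.windows.net",
    "authstorprod8138094.blob.core.windows.net",
    "enginepool-downloads-prod.azureedge.net",
]
# CRL/OCSP fetches are plain HTTP by design: port 80 only, never rewritten to HTTPS.
CERT_VALIDATION_80 = ["*.lencr.org", "*.digicert.org"]
US_RELAYS = relays_for("eastus") + relays_for("westus")
US_BROKERS = ["bobbish-coral-anteater.rmq4.cloudamqp.com",
              "dramatic-coral-crow.rmq2.cloudamqp.com",
              "fast-green-crab.rmq2.cloudamqp.com",
              "loud-beige-duckbill.rmq5.cloudamqp.com"]
# region name (assumed) -> (Azure region of its TCP Relays, RabbitMQ brokers)
REGIONAL = {
    "US": (None, US_BROKERS),
    "Canada": ("canadacentral", ["smart-orange-gibbon.rmq2.cloudamqp.com"]),
    "Europe": ("westeurope", ["young-azure-hare.rmq2.cloudamqp.com"]),
    "United Kingdom": ("uksouth", ["giant-maroon-bullfrog.rmq3.cloudamqp.com"]),
    "Australia": ("australiaeast", ["technical-blond-elk.rmq2.cloudamqp.com"]),
    "Southeast Asia": ("eastasia", ["hippy-fuchsia-woodpecker.rmq2.cloudamqp.com"]),
}
# Assumption: the public CAs the platform's certificates are expected to chain to.
# Any other issuer presented on port 443 means a proxy re-signed the certificate.
PUBLIC_CA_ORGS = {"Let's Encrypt", "DigiCert Inc"}


def build_allowlist(tenant, region, engine_response_bus, customer_service_bus):
    """Sorted (host, port) pairs to allow outbound for one tenant; raises on an unknown region."""
    if region not in REGIONAL:
        raise ValueError("unknown region %r, expected one of %s" % (region, sorted(REGIONAL)))
    azure_region, brokers = REGIONAL[region]
    hosts = [h.format(tenant=tenant) for h in COMMON_443] + brokers
    if azure_region is not None:
        hosts += relays_for(azure_region)
    hosts += US_RELAYS  # US relays serve US tenants and are the failover for everyone else
    hosts += [engine_response_bus, customer_service_bus]  # tenant-specific Service Bus FQDNs
    return sorted({(h, 443) for h in hosts} | {(h, 80) for h in CERT_VALIDATION_80})


def looks_inspected(issuer_org):
    """True when the leaf certificate's issuer is not one of the expected public CAs."""
    return issuer_org not in PUBLIC_CA_ORGS


def probe(host, port, timeout=5.0):
    """Connect to host:port from this machine. On 443, finish a TLS handshake and report
    the issuing CA so an inspecting proxy shows up before the engine fails.
    Returns (ok, detail); ok is None for wildcard names, which cannot be probed directly."""
    if host.startswith("*."):
        return None, "wildcard; probe a concrete name under %s" % host[2:]
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if port != 443:
                return True, "tcp connect ok"
            ctx = ssl.create_default_context()  # verifies chain and hostname
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                issuer = {k: v for rdn in tls.getpeercert()["issuer"] for k, v in rdn}
                org = issuer.get("organizationName", "?")
                if looks_inspected(org):
                    return False, "issuer %r is not a public CA: SSL inspection suspected" % org
                return True, "tls ok, issuer %s" % org
    except ssl.SSLCertVerificationError as e:
        # An untrusted chain on a public endpoint is itself the inspection signature.
        return False, "chain not trusted (%s): SSL inspection or a private CA" % e.reason
    except OSError as e:
        return False, str(e)


if __name__ == "__main__":
    # e.g. python fwcheck.py acme Canada erb-placeholder.example csb-placeholder.example
    if len(sys.argv) != 5:
        sys.exit("usage: %s <tenant> <region> <engine-response-bus> <customer-service-bus>" % sys.argv[0])
    failures = 0
    for host, port in build_allowlist(*sys.argv[1:]):
        ok, detail = probe(host, port)
        failures += ok is False
        print("%-4s %-48s :%-3d %s" % ("FAIL" if ok is False else "ok", host, port, detail))
    sys.exit(1 if failures else 0)
```

Run it on the host that will carry the connector or engine, not from an administrator workstation, since proxy and egress policy often differ per subnet. A FAIL with "chain not trusted" or "not a public CA" on a 443 row is the SSL-inspection condition described above; a FAIL on a port-80 row usually means an HTTP-to-HTTPS rewrite or a blanket block on port 80, which breaks the CRL/OCSP fetch even though every 443 rule is correct.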