Customer Firewall Requirements

If your environment has a firewall, you must provide access from your corporate environment out to the Delinea Platform.

Key Terms:

  • PCS is the Privilege Control for Servers feature of the Delinea Platform.

  • PRA is the Privileged Remote Access feature of the Delinea Platform.

Determining Your Tenant's Customer Service Bus and Engine Response Bus

  1. Go to the URL for your platform tenant: https://<tenant>.delinea.app/view/vault/diagnostics/system/service-bus

  2. Locate the Customer Service Bus and Engine Response Bus Information shown in the diagram.
    These URLs are generated during the setup of Platform.

  3. Ensure that both of the FQDNs are given outbound https access.

US Tenants

These firewall rules must be configured with SSL Inspection disabled. The services will not function if they detect an intermediate certificate for SSL inspection

URLs (SSL 443 Outbound) Notes

<tenant>.delinea.app

<tenant>.secretservercloud.com

downloads.marketplace.delinea.com

URL for the platform tenant.

URL for the Secret Server tenant

Access to the Marketplace site for software downloads 

tcpr-linux-eastus-01.eastus.cloudapp.azure.com

tcpr-linux-eastus-02.eastus.cloudapp.azure.com

tcpr-linux-westus2-01.westus2.cloudapp.azure.com

tcpr-linux-westus2-02.westus2.cloudapp.azure.com

 Delinea-Managed Relays

tcpr-linux-eastus-signed-01.identity.services.delinea.app

tcpr-linux-westus2-signed-01.identity.services.delinea.app

 CA signed relays

REMOVED:

prod-tcpr-1.eastus.cloudapp.azure.com

prod-tcpr-2.eastus.cloudapp.azure.com

prod-tcpr-3.eastus.cloudapp.azure.com

prod-tcpr-4.eastus.cloudapp.azure.com

prod-tcpr-1.westus.cloudapp.azure.com

prod-tcpr-2.westus.cloudapp.azure.com

prod-tcpr-3.westus.cloudapp.azure.com

prod-tcpr-4.westus.cloudapp.azure.com

TCP Relays are VMs using custom code.

enginepoolupdateprod.blob.core.windows.net

authstorprod8138094.blob.core.windows.net

enginepool-downloads-prod.azureedge.net

Microsoft .NET services for the Engine Pool.

CDN for the Download center.

   

bobbish-coral-anteater.rmq4.cloudamqp.com  

dramatic-coral-crow.rmq2.cloudamqp.com  

fast-green-crab.rmq2.cloudamqp.com 

loud-beige-duckbill.rmq5.cloudamqp.com

RabbitMQ for Engine Management

*.lencr.org (http)

*.digicert.org (http)

Certificate Validation URLS (port 80 http traffic only)

Connector requires digital certificate validation at letsencrypt.org and digicert.

Engine Response Bus (FQDN)

Customer Service Bus (FQDN)

Enter these URLs from your platform tenant. They are generated during platform setup.

Non-US Tenants

URLs (SSL 443 Outbound) Notes

<tenant>.delinea.app

 

 

URL for the platform tenant

<tenant>.secretservercloud.<your chosen 3-letter domain> Your Secret Server URL as presented in the Platform UI at: <tenant>.delinea.app/view/identity-admin/authentication/secret-server-connection
downloads.marketplace.delinea.com Access to the Marketplace site for software downloads 

enginepoolupdateprod.blob.core.windows.net authstorprod8138094.blob.core.windows.net

enginepool-downloads-prod.azureedge.net

Microsoft .NET services for the Engine Pool.

CDN for the Download center.

*.lencr.org (http)

*.digicert.org (http)

Certificate Validation URLS (port 80 http traffic only)

Connector requires digital certificate validation at letsencrypt.org and digicert.

prod-tcpr-1.australiaeast.cloudapp.azure.com

prod-tcpr-2.australiaeast.cloudapp.azure.com

tcpr-linux-australiaeast-01.australiaeast.cloudapp.azure.com

tcpr-linux-australiaeast-02.australiaeast.cloudapp.azure.com

technical-blond-elk.rmq2.cloudamqp.com 

(include US Addresses below for backup)

Australia 

prod-tcpr-1.canadacentral.cloudapp.azure.com

prod-tcpr-2.canadacentral.cloudapp.azure.com

tcpr-linux-canadacentral-01.canadacentral.cloudapp.azure.com

tcpr-linux-canadacentral-02.canadacentral.cloudapp.azure.com

smart-orange-gibbon.rmq2.cloudamqp.com 

(include US Addresses below for backup)

Canada 

prod-tcpr-1.westeurope.cloudapp.azure.com

prod-tcpr-2.westeurope.cloudapp.azure.com

tcpr-linux-westeurope-01.westeurope.cloudapp.azure.com

tcpr-linux-westeurope-02.westeurope.cloudapp.azure.com

young-azure-hare.rmq2.cloudamqp.com 

(include US Addresses below for backup)

Europe 

prod-tcpr-1.eastasia.cloudapp.azure.com

prod-tcpr-2.eastasia.cloudapp.azure.com

tcpr-linux-eastasia-01.eastasia.cloudapp.azure.com

tcpr-linux-eastasia-02.eastasia.cloudapp.azure.com

hippy-fuchsia-woodpecker.rmq2.cloudamqp.com 

(include US Addresses below for backup)

Southeast Asia

prod-tcpr-1.uaenorth.cloudapp.azure.com

prod-tcpr-2.uaenorth.cloudapp.azure.com

tcpr-linux-uaenorth-01.uaenorth.cloudapp.azure.com

tcpr-linux-uaenorth-02.uaenorth.cloudapp.azure.com

young-olden-buffalo.rmq6.cloudamqp.com

(include US Addresses below for backup)

United Arab Emirates

prod-tcpr-1.uksouth.cloudapp.azure.com

prod-tcpr-2.uksouth.cloudapp.azure.com

tcpr-linux-uksouth-01.uksouth.cloudapp.azure.com

tcpr-linux-uksouth-02.uksouth.cloudapp.azure.com

giant-maroon-bullfrog.rmq3.cloudamqp.com 

(include US Addresses below for backup)

United Kingdom 

prod-tcpr-1.eastus.cloudapp.azure.com

prod-tcpr-2.eastus.cloudapp.azure.com

prod-tcpr-3.eastus.cloudapp.azure.com

prod-tcpr-4.eastus.cloudapp.azure.com

prod-tcpr-1.westus.cloudapp.azure.com

prod-tcpr-2.westus.cloudapp.azure.com

prod-tcpr-3.westus.cloudapp.azure.com

prod-tcpr-4.westus.cloudapp.azure.com

United States: Include these backup addresses in your firewall table. Emergency failover is routed to the US regions.

Engine Response Bus (FQDN)

Customer Service Bus (FQDN)

Enter these URLs from your platform tenant. They are generated during platform setup.

Inbound Filtering

Customers interested in implementing inbound filtering can restrict access to traffic originating from the Delinea Platform to the specified egress IP address ranges below:

  • 4.180.243.168/29

  • 13.68.202.64/29

  • 20.11.207.32/29

  • 20.90.1.200/29

  • 23.100.88.32/29

  • 23.101.212.8/29

  • 40.85.216.32/29

  • 40.85.241.48/29

  • 40.86.243.40/29

  • 51.140.10.160/29

  • 51.145.8.56/29

  • 65.52.165.168/29

  • 74.235.247.24/29

  • 104.210.77.120/29

  • 104.215.150.80/29

  • 108.143.39.32/29

  • 137.116.238.240/29

  • 172.203.27.16/29

 

To ensure proper configuration, you must refer to the Secret Server Hybrid Multi-Tenant Cloud Architecture for detailed information on the required ingress and egress IP ranges used by Secret Server Cloud.

Ports and Network Communication

Port 443 (outbound only) must be open for the engine to send encrypted information to the platform through the message queue service.

Outbound Message Queue - Fully Qualified Domain Names (CloudAMQP)

The following Fully Qualified Domain Names are deployed by CloudAMQP using public IP ranges of Amazon, Azure, DigitalOcean, and Google Cloud, and are used by the engine to facilitate communication with the platform through encrypted messages over the CloudAMQP messaging service.

Outbound firewall rules should include the following Fully Qualified Domain Names (selected by databoundary), rather than static IP ranges of these URLs, as these IP ranges can change.

Region FQDN
Australia technical-blond-elk.rmq2.cloudamqp.com
Canada smart-orange-gibbon.rmq2.cloudamqp.com
EU young-azure-hare.rmq2.cloudamqp.com
SEA hippy-fuchsia-woodpecker.rmq2.cloudamqp.com
UAE young-olden-buffalo.rmq6.cloudamqp.com
UK giant-maroon-bullfrog.rmq3.cloudamqp.com
US

dramatic-coral-crow.rmq2.cloudamqp.com

loud-beige-duckbill.rmq5.cloudamqp.com

fast-green-crab.rmq2.cloudamqp.com

bobbish-coral-anteater.rmq4.cloudamqp.com
Notes:
Engines cannot be installed on domain controllers.

When using PowerShell, version 7.3 is recommended for optimal performance. Version 5.1 may result in suboptimal performance.

Engines use the Message Queue service to queue encrypted messages, which are then consumed by Engine Management. Engine Management, in turn, uses Message Queue encrypted messages for engines. These queues are separated by regional data boundary. Messages are encrypted and decrypted by tenant. For successful communication between

Privileged Remote Access

Delinea Privileged Remote Access (PRA) provides seamless access to remote machines through RDP and SSH, without the need for a VPN. PRA leverages a PRA engine that runs on customer premises.

No internet-facing ingress ports are required for the PRA Engine. Only TLS 1.2+ is supported. See Setting Up a Platform Firewall for internal and external access ports.

Internal Access on these ports

  • 22 TCP from PRA Engine to Linux-based target machines for SSH access.

  • 53 TCP/UDP from PRA Engine to DNS server for name resolution of target machines.

  • 443 TCP from PRA Engine to Secret Server (on-premise) to enable integration with the Delinea Platform and leverage secret access. Only required if Secret Server (on-premise) is in use.

  • 445 TCP from PRA Engine to Windows-based target machines for SMB file transfers.

  • 3389 TCP from PRA Engine to Windows-based target machines for RDP access.

Outbound Access on port 443 TCP

  • from PRA Engine to the Delinea Platform through Message Queue ingress.

  • from the Secret Server (on-premise) to the Delinea Platform through Message Queue ingress to support the integration.

 

Delinea Connector

The Delinea Connector enables secure communication between the Delinea Platform and AD directories. Typically, the Delinea Connector is installed on-premises and requires access to an Active Directory Domain Controller.

  • Outbound access required on port 443 TCP from the Connector to the Delinea Platform through WAF.

  • No internet-facing ingress ports are required for the Connector.

Requests from the Delinea Platform to the Delinea Connector are made through the TCP Relay hosts. For example, such requests include querying for AD user details. All data is encrypted.

Region TCP Relay Hosts IP Address Range
Australia 20.211.60.240 - 20.211.60.247
Canada 20.104.14.80 - 20.104.14.87
Europe 20.8.3.112 - 20.8.3.119
Southeast Asia 20.195.89.80 - 20.195.89.87
United Arab Emirates 20.203.77.200 - 20.203.77.207
United Kingdom 20.49.210.72 - 20.49.210.79
United States

20.242.252.136 - 20.242.252.143;

52.148.145.72 - 52.148.145.79;

20.85.110.128 - 20.85.110.135

  • The Delinea Connector requires internal access for the following ports:

    • 53 TCP/UDP to DNS server for name resolution (this might be the DC itself depending on your environment)

    • 88 TCP to AD Domain Controller used for Kerberos authentication

    • 123 UDP to AD Domain Controller for time synchronization

    • 135 TCP to AD Domain Controller for remote procedure call (RPC) endpoint mapping

    • 389 TCP/UDP to AD Domain Controller for handling normal authentication queries

    • 3268 TCP to AD Domain Controller for Global Catalog access

    • 9521 TCP from the Delinea Connector Configuration process to the DelineaProxy service for RPC communication.

Privilege Control for Servers (PCS) Agent

The PCS agent requires internal access for the following ports:

  • 8443 TCP and 8080 TCP for the Delinea Connector

  • 5063 TCP to for the Audit Collector

Notification Services

The platform leverages select third-party messaging providers. This enables Delinea to deliver notifications promptly and reliably to users across various channels, including email, SMS, and phone.

Vendor IP Address Purpose (examples)
AWS SES 54.240.75.72

54.240.75.73		 The Delinea Platform uses AWS SES as its primary email service provider for a variety of email notifications, including user invitations to the platform and email MFA code pins.
SendGrid 149.72.129.10 SendGrid is the primary email service provider for Secret Server email notifications, particularly for tasks such as access requests.
Twilio -- Twilio is used for SMS and Phone MFA.

Tenant IP Restrictions

The Tenant IP Restrictions feature ensures that only trusted network IP addresses or CIDR ranges can connect to your Delinea Platform tenant. By limiting access to approved network ranges, this feature adds an extra layer of security to your environment.

Key Benefits

  • Enhanced Security: Restricts access to only approved IP addresses, reducing the risk of unauthorized access.

  • Comprehensive Coverage: Applies to both the Delinea Platform tenant and the integrated Secret Server Cloud instance, ensuring consistent protection across the entire environment.

Submitting an IP Restriction Request for the Platform

To enable IP restrictions, submit a support case to Delinea Support with the list of allowed IP addresses or CIDR ranges. Delinea Support will assist in configuring the allowlist for your tenant to ensure seamless and secure access.

When submitting a request, please ensure the following:

  • Maximum Address Limit: The request must contain no more than 50 individual IP addresses or CIDR blocks combined.

  • No Duplicate Addresses: The request must not contain any duplicate IP addresses.

  • Exclude Reserved IPs: Do not include any of the Delinea-owned IP addresses.

  • CIDR Block Standards: Submitted CIDR blocks must follow strict standards. For example, a /29 block must align with valid start addresses.

    • Invalid: 192.0.2.20/29

    • Valid: 192.0.2.16/29

Failure to meet these requirements may result in delays or rejection of the request.

Ensure that all necessary IPs are included to avoid unintended access disruptions.