This topic applies to Secret Server On-Premises and Secret Server Cloud.

Ports and IP Addresses Used by Secret Server

This article lists ports and addresses typically used in Secret Server.

Notes

Microsoft Remote Procedure Call (RPC) Functionality

  • The Remote Procedure Call (RPC) dynamic port range is the set of ports that RPC allocates at runtime. The range varies by operating system: for Windows Server 2008 or greater it is 49152 to 65535, and the entire range must be open for RPC to work. The RPC range is needed for Remote Password Changing (also abbreviated RPC) because the engine connects to the target computer using the DCOM protocol.
  • The range can vary separately for MS Exchange servers. For more information about changing the Remote Procedure Call (RPC) port range, see How to configure RPC dynamic port allocation to work with firewalls.
  • To see the IPv4 dynamic range on a given machine, run netsh int ipv4 show dynamicport tcp from the command line.
  • To specify a fixed port for your environment to communicate with, see the related article on enabling WMI ports on Windows client machines.
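The port tables on this page are written as short specifications such as "TCP/88, UDP/88" or "TCP/49152-65535". The following added example (written for this page, not Delinea tooling) parses those specifications, rejects malformed entries such as a missing slash or a port above 65535, and probes TCP reachability from the engine host to a target so firewall rules can be verified before Discovery or Remote Password Changing is turned on. The sample rows are copied from the Active Directory Sync table; the domain controller name dc01.example.internal is a placeholder. Wide ranges such as the RPC dynamic range are probed only at their endpoints, and UDP is not probed because a connectionless send proves nothing about the far end.

```python
"""Added example: parse the page's port specifications and check TCP reachability."""
import re
import socket

# Matches one entry such as "TCP/88" or "UDP/49152-65535".
PORT_SPEC_RE = re.compile(
    r"^(?P<proto>TCP|UDP)/(?P<lo>\d+)(?:-(?P<hi>\d+))?$", re.IGNORECASE
)


def parse_port_spec(spec):
    """Turn 'TCP/1433, UDP/1434' or 'TCP/49152-65535' into a list of
    (protocol, low, high) tuples.

    Parenthetical notes such as "(SSL)" and a leading "or" are ignored, as the
    page's tables use both. Raises ValueError for a malformed entry (no slash,
    non-numeric port) or a port outside 1-65535."""
    spec = re.sub(r"\([^)]*\)", "", spec)
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if item.lower().startswith("or "):
            item = item[3:].strip()
        if not item:
            continue
        m = PORT_SPEC_RE.match(item)
        if not m:
            raise ValueError(f"malformed port entry: {item!r}")
        lo = int(m.group("lo"))
        hi = int(m.group("hi") or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"port out of range: {item!r}")
        ranges.append((m.group("proto").upper(), lo, hi))
    return ranges


def ports_to_probe(lo, hi, max_sweep=16):
    """Ports to actually probe for a range: every port for small ranges, only
    the two endpoints for wide ranges such as the RPC dynamic range."""
    if hi - lo + 1 <= max_sweep:
        return list(range(lo, hi + 1))
    return [lo, hi]


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within the timeout.
    DNS failures, refusals and timeouts all surface as OSError."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_matrix(rows, host, timeout=2.0):
    """rows: iterable of (traffic_type, port_spec) pairs copied from a table.
    Returns {traffic_type: [(port, reachable), ...]} for the TCP entries."""
    results = {}
    for traffic, spec in rows:
        probes = []
        for proto, lo, hi in parse_port_spec(spec):
            if proto != "TCP":
                continue  # UDP is connectionless; a connect() proves nothing
            for port in ports_to_probe(lo, hi):
                probes.append((port, tcp_reachable(host, port, timeout)))
        results[traffic] = probes
    return results


# Constructed sample: the Active Directory Sync rows from this page.
AD_SYNC_ROWS = [
    ("Kerberos", "TCP/88, UDP/88"),
    ("LDAP", "TCP/389, UDP/389"),
    ("LDAPS", "TCP/636, UDP/636"),
    ("SMB/Microsoft-DS", "TCP/445, UDP/445"),
]

if __name__ == "__main__":
    # Placeholder target; replace with a domain controller reachable from the engine.
    report = check_matrix(AD_SYNC_ROWS, "dc01.example.internal")
    for traffic, probes in report.items():
        for port, ok in probes:
            state = "open" if ok else "blocked or unreachable"
            print(f"{traffic:18} TCP/{port:<5} {state}")
```

Run the script on the engine host (or the web server for the local site) against each target class in the table you are validating; a "blocked or unreachable" line for a port that the table marks as required is a firewall or routing problem to fix before enabling the feature.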

Source and Target Designations

  • Secret Server On-Premises has an initial site named local that you can configure to perform actions within the environment using the application server or distributed engines.
  • Configure local at Settings > Configuration Search > Distributed Engine > Sites > <site name> > Processing Location or Settings > Configuration Search > Administration > Setup and Operation > Distributed Engine > Sites > <site name> > Processing Location.
  • Secret Server Cloud and Delinea Platform have an initial site named Default that performs all actions through distributed engines.

Port Listing

Active Directory Sync Ports

Table: Active Directory Sync Ports

| Type of Traffic | Port Number | Source | Target | Purpose |
|---|---|---|---|---|
| Kerberos | TCP/88, UDP/88 | Web server or engines assigned to site | Domain controllers | Authentication |
| LDAP | TCP/389, UDP/389 | Web server or engines assigned to site | Domain controllers | AD sync, authentication, and authorization |
| LDAPS* | TCP/636, UDP/636 | Web server or engines assigned to site | Domain controllers | AD sync, authentication, and authorization |
| SMB/Microsoft-DS | TCP/445, UDP/445 | Web server or engines assigned to site | Domain controllers | AD sync, authentication, and authorization |

*For LDAPS to work, the LDAP port (389) must also be open.

Database Server Incoming Ports

Table: Database Server Incoming Ports

| Type of Traffic | Port Number | Source | Target | Purpose |
|---|---|---|---|---|
| SQL connection | TCP/1433, UDP/1434 | Web servers | Microsoft SQL Server or availability group listener | Database communication. Can be customized |

Discovery Ports

Table: Discovery Ports

| Type of Traffic | Port Number | Source | Target | Purpose |
|---|---|---|---|---|
| RPC dynamic port range | TCP/49152-65535, UDP/49152-65535 | Web server or engines assigned to site | Windows servers | Windows Server discovery scanning for user and service accounts |
| RPC endpoint mapper | TCP/135 | Web server or engines assigned to site | Windows servers | Windows Server discovery scanning for user and service accounts |
| SMB/Microsoft-DS | TCP/445, UDP/445 | Web server or engines assigned to site | Windows servers | Windows Server discovery scanning for user and service accounts |
| SSH | TCP/22 | Web server or engines assigned to site | Unix and Linux servers | Unix and Linux server discovery scanning for user accounts and SSH keys |

Distributed Engines and Application Servers

Table: Distributed Engines and Application Servers

| Type of Traffic | Port Number | Source | Target | Purpose |
|---|---|---|---|---|
| RDP proxy | TCP/3390 | Client workstations | Web server or engines assigned to site | Proxied RDP sessions |
| RDP proxy outbound | TCP/3389 | Web server or engines assigned to site | Windows servers | Proxied RDP sessions |
| SSH proxy | TCP/22 | Client workstations | Web server or engines assigned to site | Proxied SSH sessions |
| SSH proxy | TCP/22 | Web server or engines assigned to site | Unix and Linux servers | SSH proxy and terminal sessions |
| SSH terminal | TCP/22 | Client workstations | Web server or engines assigned to site | SSH terminal traffic |

Email Ports for On-Premise installations

Table: Email Ports for On-Premise installations

| Type of Traffic | Port Number | Source | Target | Purpose |
|---|---|---|---|---|
| SMTP | TCP/25, TCP/465, TCP/2525, or TCP/587 | Web servers | Mail servers | Email alerts and reporting. Port can be customized to suit the environment |

Message Queuing Site Connector Ports

Table: Message Queuing Site Connector Ports

| Type of Traffic | Port Number | Source | Target | Purpose |
|---|---|---|---|---|
| MemoryMQ | TCP/8672 (non-SSL), TCP/8671 (SSL) | Web servers and distributed engines | MemoryMQ server | Non-production AMQP message queueing |
| RabbitMQ | TCP/5672 (non-SSL), TCP/5671 (SSL) | Web servers and distributed engines | RabbitMQ servers | AMQP message queueing |
| RabbitMQ CLI tools communication | TCP/25672-25682 | Localhost | RabbitMQ nodes | Used by rabbitmqctl and other management tools to communicate with nodes |
| RabbitMQ management interface | TCP/15672 or TCP/156771 | Localhost | RabbitMQ nodes | HTTP API and management UI (not directly related to clustering). Can be configured to use HTTP or HTTPS |

On-Premise Web Server Incoming Ports

Table: On-Premise Web Server Incoming Ports

| Type of Traffic | Port Number | Source | Target | Purpose |
|---|---|---|---|---|
| HTTP | TCP/80 | Client devices | Web server | Optional HTTP access for legacy devices to web application and API |
| HTTPS | TCP/443 | Client devices | Web server | HTTPS access to web application and API |
| HTTPS | TCP/443 | Distributed engine | Web server | Distributed engines use the callback flow for initial activation, periodic checks of site and site connector settings, log file uploads, and software updates. This callback can also be configured to communicate over HTTP or TCP |

RabbitMQ Clustering Ports

Table: RabbitMQ Clustering Ports

| Type of Traffic | Port Number | Source | Target | Purpose |
|---|---|---|---|---|
| EPMD (Erlang Port Mapper Daemon) | TCP/4369 | All RabbitMQ cluster nodes | All RabbitMQ cluster nodes | Used for node discovery. The EPMD maps node names to network ports |
| Inter-node communication | TCP/25672-25682 | All RabbitMQ cluster nodes | All RabbitMQ cluster nodes | Used for communication between cluster nodes, including data replication and heartbeats |

RADIUS Server Ports

Table: RADIUS Server Ports

| Type of Traffic | Port Number | Source | Target | Purpose |
|---|---|---|---|---|
| RADIUS authentication | UDP/1812 | Web servers or Secret Server Cloud | RADIUS server | Authentication |

Remote Password Changing Ports

Table: Remote Password Changing Ports

| Type of Traffic | Port Number | Source | Target | Purpose |
|---|---|---|---|---|
| Encrypted Telnet | TCP/23, TCP/22, or TCP/992 | Web server or engines assigned to site | iSeries mainframes and zSeries mainframes | RPC and heartbeat |
| Entra ID Microsoft Graph API | TCP/443 | Web server or engines assigned to site | Entra Graph API | RPC and heartbeat |
| Kerberos password change | TCP/464, UDP/464 | Web server or engines assigned to site | Microsoft Active Directory domain controllers | RPC and heartbeat |
| LDAP | TCP/389, UDP/389 | Web server or engines assigned to site | Microsoft Active Directory domain controllers or LDAP-based domains | RPC and heartbeat |
| LDAPS | TCP/636, UDP/636 | Web server or engines assigned to site | Microsoft Active Directory domain controllers or LDAP-based domains | RPC and heartbeat |
| Microsoft SQL | TCP/1433, UDP/1434 | Web server or engines assigned to site | SQL servers | RPC and heartbeat |
| Oracle listener | TCP/1521 | Web server or engines assigned to site | Oracle servers | RPC and heartbeat |
| RPC dynamic port range | TCP/49152-65535, UDP/49152-65535 | Web server or engines assigned to site | Windows computers | RPC and heartbeat |
| RPC endpoint mapper | TCP/135 | Web server or engines assigned to site | Windows servers | RPC and heartbeat |
| SMB/Microsoft-DS | TCP/445, UDP/445 | Web server or engines assigned to site | Windows computers | RPC and heartbeat |
| SSH | TCP/22 | Web server or engines assigned to site | SSH-based servers and devices | RPC and heartbeat |
| Sybase | TCP/2638, TCP/5000 | Web server or engines assigned to site | Sybase servers | RPC and heartbeat |
| Telnet | TCP/23 | Web server or engines assigned to site | Networking equipment and Unix servers | RPC and heartbeat |
| Windows privileged account (WinNT ADSI service provider) | TCP/139 | Web server or engines assigned to site | Windows servers | RPC and heartbeat |

Secret Server Cloud Specific Traffic

Table: Secret Server Cloud Specific Traffic

| Type of Traffic | Port Number | Source | Target | Purpose |
|---|---|---|---|---|
| Distributed engine communication | TCP/443 (Web Sockets) or TCP/5671, TCP/5672 (AMQP) | Distributed engine | Azure Service Bus | Message queueing |

Syslog Ports

Table: Syslog Ports

| Type of Traffic | Port Number | Source | Target | Purpose |
|---|---|---|---|---|
| Syslog | TCP/514, UDP/514 | Web server or engines assigned to site | Syslog collector | SIEM logging |

IP Addresses

Web Application Firewall (WAF) for Traffic to Secret Server Cloud

IP address allow-listing is not necessary unless outbound firewall rules are in place. The public IP that the hostname resolves to generally depends on the geographic location of the request source, so all IPs below should be allow-listed to ensure uninterrupted connectivity.

All regions:

  • 45.60.32.37
  • 45.60.34.37
  • 45.60.36.37
  • 45.60.38.37
  • 45.60.40.37
  • 45.60.104.37

Secret Server Cloud Outgoing IP Addresses

secretservercloud.com

Primary:

  • 20.65.118.12
  • 23.102.107.104
  • 23.102.106.185
  • 23.102.107.220
  • 23.102.108.55
  • 52.151.206.35
  • 52.224.253.4
  • 52.151.206.73
  • 52.151.206.77
  • 52.224.253.7
  • 20.228.138.112/29

DR:

  • 52.160.67.39
  • 52.160.67.38
  • 104.40.25.170
  • 138.91.163.99
  • 137.135.51.234
  • 52.190.184.16/29

secretservercloud.co.uk

Primary:

  • 20.0.46.111
  • 51.142.243.172
  • 20.0.46.112
  • 20.0.46.123
  • 20.0.46.124
  • 20.162.162.64/29

Secondary:

  • 51.104.62.220
  • 51.104.62.213
  • 51.104.63.38
  • 51.104.62.185
  • 51.104.62.252
  • 20.117.16.40/29

secretservercloud.ca

Primary:

  • 52.228.117.246
  • 52.228.113.119
  • 52.139.7.40
  • 52.139.7.137
  • 52.139.7.197
  • 40.85.220.216/29

DR:

  • 52.229.119.193
  • 52.229.119.89
  • 52.235.39.79
  • 52.235.39.125
  • 52.235.39.5
  • 20.220.90.80/29

secretservercloud.eu

Primary:

  • 20.79.64.213
  • 20.79.65.3
  • 20.79.226.78
  • 20.79.226.180
  • 20.79.226.116
  • 51.116.178.152/29

DR:

  • 20.50.180.242
  • 20.50.180.187
  • 20.50.154.28
  • 20.50.176.86
  • 20.50.156.219
  • 20.16.113.88.144/29

secretservercloud.com.sg

Primary:

  • 20.195.97.220
  • 20.195.98.154
  • 20.212.128.73
  • 20.212.128.75
  • 20.212.128.74
  • 52.237.113.56/29

DR:

  • 65.52.165.108
  • 65.52.160.251
  • 52.184.100.188
  • 52.184.101.189
  • 52.184.101.213
  • 23.100.88.144/29

secretservercloud.com.au

Primary:

  • 20.37.251.37
  • 20.37.251.120
  • 20.37.5.233
  • 20.37.5.227
  • 20.37.5.48
  • 20.37.1.16/29

DR:

  • 20.53.142.34
  • 20.53.142.37
  • 20.53.80.77
  • 20.53.81.216
  • 20.53.82.77
  • 23.101.211.80/29
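Before loading the outgoing address lists above into outbound firewall rules, it is worth validating each entry, because a mistyped address or CIDR block silently produces a rule that either never matches or matches far more than intended. The following added example (written for this page, not Delinea code) parses a list of addresses and CIDR blocks with Python's standard ipaddress module, reports entries that are not well-formed IPv4 addresses or are wider than a /24, and answers whether a given source address falls inside the allow-list, which is also useful when reviewing firewall logs. The sample entries are copied from the secretservercloud.com Primary list and the secretservercloud.eu DR list on this page; the latter contains an entry with five octets, which the validator reports rather than drops.

```python
"""Added example: validate an outbound allow-list and test addresses against it."""
import ipaddress


def parse_allow_list(entries, max_prefix_width=24):
    """Return (networks, rejected).

    Single addresses become /32 networks. Entries that are not valid IPv4
    addresses or CIDR blocks (strict: host bits must be zero), or that are
    wider than a /`max_prefix_width`, are returned in `rejected` so the
    operator sees them instead of a firewall rule that quietly misbehaves."""
    networks, rejected = [], []
    for raw in entries:
        entry = raw.strip()
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            rejected.append(entry)
            continue
        if net.version != 4 or net.prefixlen < max_prefix_width:
            # The page lists only IPv4 hosts and /29 blocks; anything broader
            # is almost certainly a typo that would over-permit traffic.
            rejected.append(entry)
            continue
        networks.append(net)
    return networks, rejected


def is_allowed(address, networks):
    """True if `address` is covered by any network in the parsed allow-list."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in networks)


def collapsed(networks):
    """Merge adjacent or overlapping blocks into the minimal set of rules."""
    return list(ipaddress.collapse_addresses(networks))


# Constructed sample input, copied from two of the lists on this page.
SSC_COM_PRIMARY = [
    "20.65.118.12", "23.102.107.104", "23.102.106.185", "23.102.107.220",
    "23.102.108.55", "52.151.206.35", "52.224.253.4", "52.151.206.73",
    "52.151.206.77", "52.224.253.7", "20.228.138.112/29",
]
SSC_EU_DR = [
    "20.50.180.242", "20.50.180.187", "20.50.154.28", "20.50.176.86",
    "20.50.156.219", "20.16.113.88.144/29",
]

if __name__ == "__main__":
    nets, bad = parse_allow_list(SSC_COM_PRIMARY + SSC_EU_DR)
    print(f"{len(nets)} usable entries, {len(bad)} rejected: {bad}")
    for rule in collapsed(nets):
        print("allow outbound to", rule)
    # A source seen in a firewall log: inside the /29 block, so expected traffic.
    print("20.228.138.115 allowed:", is_allowed("20.228.138.115", nets))
```

Run it against the list for your tenant's region and its DR counterpart together; a non-empty rejected list means the published entry needs to be checked with the vendor before it goes into a rule, and `is_allowed` gives a quick way to triage an unexpected outbound destination during log review.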

Azure Service Bus

To find the customer specific Azure service bus information navigate to https://<tenantname>.secretservercloud.<tld>/AdminDiagnostics.aspx.

How to configure RPC dynamic port allocation to work with firewalls (Microsoft)