This topic applies to Secret Server On-Premises and Secret Server Cloud.
Ports and IP Addresses Used by Secret Server
This article lists ports and addresses typically used in Secret Server.
Notes
Microsoft Remote Procedure Call (RPC) Functionality
- The Remote Procedure Call (RPC) dynamic port ranges are a range of ports used by RPC. This port range varies by operating system. For Windows Server 2008 or greater, this port range is 49152 to 65535 and this entire port range must be open for RPC technology to work. The RPC range is needed to perform Remote Password Changing (also RPC) since you will need to connect to the computer using DCOM protocol.
- The range can vary separately for MS Exchange servers. For more information about changing the Remote Procedure Call (RPC) port range, see How to configure RPC dynamic port allocation to work with firewalls.
- To see your ipv4 dynamic range on a given machine, type netsh int ipv4 show dynamicport tcp in the command line.
- To specify a specific port on your environment to communicate with, see the related article on enabling WMI ports on Windows client machines.
Source and Target Designations
- Secret Server On-Premises has an initial site named local that you can configure to perform actions within the environment using the application server or distributed engines.
- Configure local at Settings > Configuration Search > Distributed Engine > Sites > <site name> > Processing Location or Settings > Configuration Search > Administration > Setup and Operation > Distributed Engine > Sites > <site name> > Processing Location.
- Secret Server Cloud
Port Listing
Active Directory Sync Ports
Table: Active Directory Sync Ports
| Type of Traffic | Port Number | Source | Target | Purpose |
|---|---|---|---|---|
| Kerberos | TCP/88, UDP/88 | Web server or engines assigned to site | Domain controllers | Authentication |
| LDAP | TCP/389, UDP/389 | Web server or engines assigned to site | Domain controllers | AD sync, authentication, and authorization |
| LDAPS* | TCP/636, UDP/636 | Web server or engines assigned to site | Domain controllers | AD sync, authentication, and authorization |
| SMB/Microsoft-DS | TCP445, UDP/445 | Web server or engines assigned to site | Domain controllers | AD sync, authentication, and authorization |
*For LDAPS to work, the LDAP port (389) must also be open.
Database Server Incoming Ports
Table: Database Server Incoming Ports
| Type of Traffic | Port Number | Source | Target | Purpose |
|---|---|---|---|---|
| SQL connection | TCP/1433, UDP/1434 | Web servers | Microsoft SQL Server or availbility group listener | Database communication. Can be customized |
Discovery Ports
Table: Discovery Ports
| Type of Traffic | Port Number | Source | Target | Purpose |
|---|---|---|---|---|
| RPC dynamic port range | TCP/49152-65535, UDP/49152-65535 | Web server or engines assigned to site | Windows servers | Windows Server discovery scanning for user and service accounts |
| RPC endpoint mapper | TCP/135 | Web server or engines assigned to site | Windows servers | Windows Server discovery scanning for user and service accounts |
| SMB/Microsoft-DS | TCP/445, UDP/445 | Web server or engines assigned to site | Windows servers | Windows Server discovery scanning for user and service accounts |
| SSH | TCP/22 | Web server or engines assigned to site | Unix and Linux Servers | Unix and Linux server discovery scanning for user and SSH keys |
Distributed Engines and Application Servers
Table: Distributed Engines and Application Servers
| Type of Traffic | Port Number | Source | Target | Purpose |
|---|---|---|---|---|
| RDP proxy | TCP/3390 | Client workstations | Web server or engines assigned to site | Proxied RDP sessions |
| RDP Proxy Outbound | TCP/3389 | Webserver or engines assigned to site | Windows servers | Proxied RDP sessions |
| SSH proxy | TCP/22 | Client workstations | Web server or engines assigned to site | Proxied SSH sessions |
| SSH proxy | TCP/22 | Webserver or engines assigned to site | Unix and Linux Servers | SSH proxy and terminal sessions |
| SSH terminal | TCP/22 | Client workstations | Web server or engines assigned to site | SSH terminal traffic |
Email Ports for On-Premise installations
Table: Email Ports for On-Premise installations
| Type of Traffic | Port Number | Source | Target | Purpose |
|---|---|---|---|---|
| SMTP | TCP/25, TCP/465, TCP/2525, or TCP/587 | Web servers | Mail servers | Email alerts and reporting. Port can be customized to suit environment |
Message Queuing Site Connector Ports
Table: Message Queuing Site Connector Ports
| Type of Traffic | Port Number | Source | Target | Purpose |
|---|---|---|---|---|
| MemoryMQ | TCP/8672 (non-SSL), TCP/8671 (SSL) | Web servers and distributed engines | MemoryMQ server | Non-production AMQP message queueing |
| RabbitMQ | TCP/5672 (non-SSL), TCP/5671 (SSL) | Web servers and distributed engines | RabbitMQ servers | AMQP message queueing |
| RabbitMQ CLI tools communication | TCP/25672-25682 | Localhost | RabbitMQ nodes | Used by rabbitmqctl and other management tools to communicate with nodes. |
| RabbitMQ management interface | TCP/15672 or TCP/156771 | Localhost | RabbitMQ nodes | HTTP API and management UI (not directly related to clustering). Can be configured to use HTTP or HTTPS |
On-Premise Web Server Incoming Ports
Table: On-Premise Web Server Incoming Ports
| Type of Traffic | Port Number | Source | Target | Purpose |
|---|---|---|---|---|
| HTTP | TCP/80 | Client devices | Web server | Optional HTTP access for legacy devices to web application and API |
| HTTPS | TCP/443 | Client devices | Web server | HTTPS access to web application and API |
| HTTPS | TCP/443 | Distributed engine | Web server | Distributed engines use callback flow for initial activation, periodic check of site and site connector settings, log file uploads, and software updates. This callback can also be configured to communicate over HTTP or TCP |
RabbitMQ Clustering Ports
Table: RabbitMQ Clustering Ports
| Type of Traffic | Port Number | Source | Target | Purpose |
|---|---|---|---|---|
| EPMD (Erlang Port Mapper Daemon) | TCP/4369 | All RabbitMQ cluster nodes | All RabbitMQ cluster nodes | Used for node discovery. The EPMD maps node names to network ports |
| Inter-node communication | TCP/25672-25682 | All RabbitMQ cluster nodes | All RabbitMQ cluster nodes | Used for communication between cluster nodes, including data replication and heartbeats |
RADIUS Server Ports
Table: RADIUS Server Ports
| Type of Traffic | Port Number | Source | Target | Purpose |
|---|---|---|---|---|
| RADIUS authentication | UDP/1812 | Web servers or Secret Server Cloud | Radius server | Authentication |
Remote Password Changing Ports
Table: Remote Password Changing Ports
| Type of Traffic | Port Number | Source | Target | Purpose |
|---|---|---|---|---|
| Encrypted Telnet | TCP/23, TCP/22, otTCP/992 | Web server or engines assigned to site | iSeries Mainframes and zSeries Mainframes | RPC and heartbeat |
| Entra ID Microsoft Graph API | TCP/443 | Web server or engines assigned to site | Entra Graph API | RPC and heartbeat |
| Kerberos password change | TCP/464, UDP/464 | Web server or engines assigned to site | Microsoft Active Directory domain controllers | RPC and heartbeat |
| LDAP | TCP/389, UDP/389 | Web server or engines assigned to site | Microsoft Active Directory domain controllers or LDAP-based domains | RPC and heartbeat |
| LDAPS | TCP/636, UDP/636 | Web server or engines assigned to site | Microsoft Active Directory domain controllers or LDAP-based domains | RPC and heartbeat |
| Microsoft SQL | TCP/1433, UDP/1434 | Web server or engines assigned to site | SQL servers | RPC and heartbeat |
| Oracle listener | TCP/1521 | Web server or engines assigned to site | Oracle servers | RPC and heartbeat |
| RPC dynamic port range | TCP/49152-65535, UDP/49152-65535 | Web server or engines assigned to site | Windows computers | RPC and heartbeat |
| RPC endpoint mapper | TCP/135 | Web server or engines assigned to site | Windows servers | RPC and heartbeat |
| SMB/Microsoft-DS | TCP/445, UDP/445 | Web server or engines assigned to site | Windows computers | RPC and heartbeat |
| SSH | TCP/22 | Web server or engines assigned to site | SSH-based servers and devices | RPC and heartbeat |
| Sybase | TCP/2638, TCP/5000 | Web server or engines assigned to site | Sybase Servers | RPC and heartbeat |
| Telnet | TCP/23 | Web server or engines assigned to site | Networking equipment and Unix servers | RPC and heartbeat |
| Windows privileged account (WinNT ADSI service provider) | TCP/139 | Web server or engines assigned to site | Windows servers | RPC and heartbeat |
Secret Server Cloud Specific Traffic
Table: Secret Server Cloud Specific Traffic
| Type of Traffic | Port Number | Source | Target | Purpose |
|---|---|---|---|---|
| Distributed engine communication | TCP/443 (Web Sockets) or TCP/443 (Web Sockets), TCP/5671, TCP/5672 (AMQP) | Distributed engine | Azure service bus | Message queueing |
Syslog Ports
Table: Syslog Ports
| Type of Traffic | Port Number | Source | Target | Purpose |
|---|---|---|---|---|
| Syslog | TCP/514, UDP/514 | Web server or engines assigned to site | Syslog collector | SEIM logging |
IP Addresses
Web Application Firewall (WAF) for Traffic to Secret Server Cloud
IP Address allow-listing is not necessary unless outbound firewall rules are in place. Generally, the public IP the hostname resolves to is based on geographical location of the request source. All IPs below should be allow-listed to ensure uninterrupted connectivity.
All regions:
- 45.60.32.37
- 45.60.34.37
- 45.60.36.37
- 45.60.38.37
- 45.60.40.37
- 45.60.104.37
Secret Server Cloud Outgoing IP Addresses
secretservercloud.com
Primary:
- 20.65.118.12
- 23.102.107.104
- 23.102.106.185
- 23.102.107.220
- 23.102.108.55
- 52.151.206.35
- 52.224.253.4
- 52.151.206.73
- 52.151.206.77
- 52.224.253.7
- 20.228.138.112/29
DR:
- 52.160.67.39
- 52.160.67.38
- 104.40.25.170
- 138.91.163.99
- 137.135.51.234
- 52.190.184.16/29
secretservercloud.co.uk
Primary:
- 20.0.46.111
- 51.142.243.172
- 20.0.46.112
- 20.0.46.123
- 20.0.46.124
- 20.162.162.64/29
Secondary:
- 51.104.62.220
- 51.104.62.213
- 51.104.63.38
- 51.104.62.185
- 51.104.62.252
- 20.117.16.40/29
secretservercloud.ca
Primary:
- 52.228.117.246
- 52.228.113.119
- 52.139.7.40
- 52.139.7.137
- 52.139.7.197
- 40.85.220.216/29
DR:
- 52.229.119.193
- 52.229.119.89
- 52.235.39.79
- 52.235.39.125
- 52.235.39.5
- 20.220.90.80/29
secretservercloud.eu
Primary:
- 20.79.64.213
- 20.79.65.3
- 20.79.226.78
- 20.79.226.180
- 20.79.226.116
- 51.116.178.152/29
DR:
- 20.50.180.242
- 20.50.180.187
- 20.50.154.28
- 20.50.176.86
- 20.50.156.219
- 20.16.113.88.144/29
secretservercloud.com.sg
Primary:
- 20.195.97.220
- 20.195.98.154
- 20.212.128.73
- 20.212.128.75
- 20.212.128.74
- 52.237.113.56/29
DR:
- 65.52.165.108
- 65.52.160.251
- 52.184.100.188
- 52.184.101.189
- 52.184.101.213
- 23.100.88.144/29
secretservercloud.com.au
Primary:
- 20.37.251.37
- 20.37.251.120
- 20.37.5.233
- 20.37.5.227
- 20.37.5.48
- 20.37.1.16/29
DR:
- 20.53.142.34
- 20.53.142.37
- 20.53.80.77
- 20.53.81.216
- 20.53.82.77
- 23.101.211.80/29
Azure Service Bus
To find the customer specific Azure service bus information navigate to https://<tenantname>.secretservercloud.<tld>/AdminDiagnostics.aspx.
Related Articles and Resources
How to configure RPC dynamic port allocation to work with firewalls (Microsoft)
