Ports Used by Secret Server

Overview

This article lists ports typically used in Secret Server. Please note the following:

  • The RPC Dynamic Port ranges are a range of ports utilized by Microsoft's Remote Procedure Call (RPC) functionality. This port range varies by operating system. For Windows Server 2008 or greater, this port range is 49152 to 65535 and this entire port range must be open for RPC technology to work. The RPC range is needed to perform Remote Password Changing since Secret Server will need to connect to the computer using DCOM protocol.
  • The range can vary separately for Exchange servers. For more information about changing the RPC port range, see the related Microsoft's Knowledge Base article on how to configure RPC dynamic port allocation to work with firewalls.
  • To see your ipv4 dynamic range on a given machine, type netsh int ipv4 show dynamicport tcp in the command line.
  • To specify a specific port on your environment that Secret Server will communicate to, see the related article on enabling WMI ports on Windows client machines.

Port Listing

Table: Active Directory Sync Ports

Type of Traffic Port Number
Kerberos TCP/88, UDP/88
LDAP TCP/389, UDP/389
LDAPS TCP/636, UDP/636
SMB/Microsoft-DS TCP445, UDP/445
For LDAPS to work the LDAP port (389) must also be open.

Table: Discovery Ports

Type of Traffic Port Number
RPC Dynamic Port Range TCP/49152-65535, UDP/49152-65535
SMB/Microsoft-DS TCP/445, UDP/445
RPC Endpoint Mapper TCP/135
SSH TCP/22

Table: Distributed Engines and Application Servers

Type of Traffic Port Number
RDP Proxy TCP/3390
RDP Proxy Outbound TCP/3389
SSH Proxy TCP/22
SSH Terminal TCP/22

Table: Remote Password Changing Ports

Type of Traffic Port Number
RPC Dynamic Port Range TCP/49152-65535, UDP/49152-65535
SSH TCP/22
Telnet TCP/23
Microsoft SQL TCP/1433, UDP/1434
SMB/Microsoft-DS TCP/445, UDP/445
LDAP TCP/389, UDP/389
LDAPS TCP/636, UDP/636
Sybase TCP/2638, TCP/5000
Oracle Listener TCP/1521
Kerberos Password Change TCP/464, UDP/464
Windows Privileged Account (WinNT ADSI Service Provider) TCP/139
RPC Endpoint Mapper TCP/135
Entra ID Microsoft Graph API TCP/443

Table: Web Server Incoming Ports

Type of Traffic Port Number
HTTP TCP/80
HTTPS TCP/443

Table: Database Server Incoming Ports

Type of Traffic Port Number
SQL Connection TCP/1433, UDP/1434

Table: Email Ports

Type of Traffic Port Number
SMTP TCP/25

Table: RADIUS Server Ports

Type of Traffic Port Number
RADIUS Authentication UDP/1812

Table: Syslog Ports

Type of Traffic Port Number
Syslog TCP/514, UDP/514

Table: Internal Site Connector Ports

Type of Traffic Port Number
RabbitMQ TCP/5672 (non-SSL), TCP/5671 (SSL)
MemoryMQ TCP/8672 (non-SSL), TCP/8671 (SSL)

Table: RabbitMQ Clustering Ports

Type of Traffic Port Number
EPMD TCP/4369
Inter-node Communication TCP/25672

Web Application Firewall (WAF)

IP Address allow-listing is not necessary unless outbound firewall rules are in place. Generally, the public IP the hostname resolves to is based on geographical location of the request source. All IPs below should be allow-listed to ensure uninterrupted connectivity.

All regions:

  • 45.60.32.37

  • 45.60.34.37

  • 45.60.36.37

  • 45.60.38.37

  • 45.60.40.37

  • 45.60.104.37

Related Articles and Resources