Port Requirements

The following ports may be used by Privileged Identity. Actual port usage will vary based on the options used and the systems managed. The port direction defined below is relative to the Privileged Identity component.

The following ports are the standard ports for the various protocols. These ports may have been changed on the target systems. It is the Privileged Identity administrator's responsibility to determine if any of the target ports have been changed and to reflect that changed port when password change jobs or account discovery jobs are performed.

Port Direction Description
22 TCP, outbound, SSH Used to manage SSH-based devices.
23 TCP, outbound, Telnet Used to manage non-Windows devices that support Telnet.
25/465/587 TCP, outbound, SMTP Used to send email. Only required if email notifications will be sent from Privileged Identity.
80/443 TCP, inbound, HTTP/S Used to access the web application and web service.
88 TCP/UDP, outbound, Kerberos Used by the jump server when authenticating with Kerberos.
135 & Ephemeral ports TCP/UDP, outbound, RPC port mapper service

Used for most Windows COM/DCOM-based operations. The remote DCOM management port and ephemeral ports are typically provided by granting access to DLLHOST.EXE in the %systemroot%\system32 directory. Ephemeral ports vary by target Windows operating systems.

  • Internet Information Services (IIS)
  • Scheduled Tasks (iTask interface)
  • SQL Server Reporting Services action account (SSRS)
  • SCOM RunAs accounts
161 TCP, outbound, SNMP

Used during system/network discovery operations and device management functions.

389/636 TCP, outbound, LDAP/LDAPS Used for LDAP-compliant directories such as Active Directory.
443 TCP, outbound, HTTPS Used for ESXi native management, as well as various cloud service providers and SAML/OAUTH authentication providers.
445 TCP, outbound, SMB

Used for Windows Server.

464 TCP/UDP, outbound, Kerberos Used by the jump server when authenticating with Kerberos.
514 UDP, outbound, syslog Used to communicate to logger systems such as ArcSight, QRadar, Splunk, syslog, etc.
623 UDP, outbound, IPMI Used to manage lights-out devices such as Dell DRAC, HP iLO, etc.
1025 TCP, outbound, Teradata Used to discover and manage Teradata databases.
1433 TCP, outbound, MS SQL Server Used to connect product components to the Microsoft SQL Server data store.
1521 TCP, outbound, Oracle Used to discover and manage Oracle databases.
2002 TCP, outbound, Java SDK Used for remote connection to RMI host.
3306 TCP, outbound, MySQL Used to discover and manage MySQL databases.
3389 TCP, outbound and inbound, Remote Desktop Protocol (RDP) Used for remote connections to target servers (automatic sessions) as well as inbound to the application launch server.
Port 5000 TCP, outbound, Sybase Used to discover and manage Sybase ASE databases.
Port 5432 TCP, outbound, PostgreSQL Used to discover and manage PostgreSQL databases.
Port 50000 TCP, outbound, DB2 Used to discover IBM DB2 databases.

Other ports may be required depending on the application being managed. If your setup uses additional external items or processes, additional ports are required. Please refer to the following table for known port connection requirements:

Application Direction
BMC Remedy TCP/UDP, outbound, BMC_AR_Port
HP Service Manager TCP, outbound, HPSM Port
Microsoft SharePoint Server TCP, outbound, the SharePoint administrative port
Microsoft System Center Configuration Manager

TCP, outbound, typically Microsoft file and printer sharing or remote management ports

Oracle WebLogic TCP, outbound
IBM WebSphere TCP, outbound
Others Check your integration component port requirements

Additional ports may be required based on target system configuration or Privileged Identity configuration. For example, an SSH target listening on port 5555 must accept connections from Privileged Identity, and Privileged Identity must communicate out on that port to the target. Similarly, if the web service or web application is on a non-default port for its HTTP/S configuration, the firewalls must be configured to allow communication on those ports.