The following ports may be used by Privileged Identity. Actual port usage will vary based on the options used and the systems managed. The port direction defined below is relative to the Privileged Identity component.
The following ports are the standard ports for the various protocols. These ports may have been changed on the target systems. It is the Privileged Identity administrator's responsibility to determine if any of the target ports have been changed and to reflect that changed port when password change jobs or account discovery jobs are performed.
| Port | Protocol, direction, service | Purpose |
|---|---|---|
| 22 | TCP, outbound, SSH | Used to manage SSH-based devices. |
| 23 | TCP, outbound, Telnet | Used to manage non-Windows devices that support Telnet. |
| 25/465/587 | TCP, outbound, SMTP | Used to send email. Only required if email notifications will be sent from Privileged Identity. |
| 80/443 | TCP, inbound, HTTP/S | Used to access the web application and web service. |
| 88 | TCP/UDP, outbound, Kerberos | Used by the jump server when authenticating with Kerberos. |
| 135 & ephemeral ports | TCP/UDP, outbound, RPC port mapper service | Used for most Windows COM/DCOM-based operations. The remote DCOM management port and ephemeral ports are typically provided by granting access to DLLHOST.EXE in the %systemroot%\system32 directory. Ephemeral ports vary by target Windows operating system. |
| 161 | TCP, outbound, SNMP | Used during system/network discovery operations and device management functions. |
| 389/636 | TCP, outbound, LDAP/LDAPS | Used for LDAP-compliant directories such as Active Directory. |
| 443 | TCP, outbound, HTTPS | Used for ESXi native management, as well as various cloud service providers and SAML/OAuth authentication providers. |
| 445 | TCP, outbound, SMB | Used for Windows Server. |
| 464 | TCP/UDP, outbound, Kerberos | Used by the jump server when authenticating with Kerberos. |
| 514 | UDP, outbound, syslog | Used to communicate with logger systems such as ArcSight, QRadar, Splunk, syslog, etc. |
| 623 | UDP, outbound, IPMI | Used to manage lights-out devices such as Dell DRAC, HP iLO, etc. |
| 1025 | TCP, outbound, Teradata | Used to discover and manage Teradata databases. |
| 1433 | TCP, outbound, MS SQL Server | Used to connect product components to the Microsoft SQL Server data store. |
| 1521 | TCP, outbound, Oracle | Used to discover and manage Oracle databases. |
| 2002 | TCP, outbound, Java SDK | Used for remote connection to the RMI host. |
| 3306 | TCP, outbound, MySQL | Used to discover and manage MySQL databases. |
| 3389 | TCP, outbound and inbound, Remote Desktop Protocol (RDP) | Used for remote connections to target servers (automatic sessions), as well as inbound to the application launch server. |
| 5000 | TCP, outbound, Sybase | Used to discover and manage Sybase ASE databases. |
| 5432 | TCP, outbound, PostgreSQL | Used to discover and manage PostgreSQL databases. |
| 50000 | TCP, outbound, DB2 | Used to discover IBM DB2 databases. |
Other ports may be required depending on the application being managed. If your setup uses additional external items or processes, additional ports are required. Please refer to the following table for known port connection requirements:
| Integration | Protocol, direction, port |
|---|---|
| BMC Remedy | TCP/UDP, outbound, BMC_AR_Port |
| HP Service Manager | TCP, outbound, HPSM Port |
| Microsoft SharePoint Server | TCP, outbound, the SharePoint administrative port |
| Microsoft System Center Configuration Manager | TCP, outbound, typically Microsoft file and printer sharing or remote management ports |
| Oracle WebLogic | TCP, outbound |
| IBM WebSphere | TCP, outbound |
| Others | Check your integration component port requirements |
Additional ports may be required based on target system configuration or Privileged Identity configuration. For example, an SSH target listening on port 5555 must accept connections from Privileged Identity, and Privileged Identity must communicate out on that port to the target. Similarly, if the web service or web application is on a non-default port for its HTTP/S configuration, the firewalls must be configured to allow communication on those ports.
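A pre-deployment check that turns the table above into concrete outbound rules and confirms each one is reachable from the host the product runs on, added here as an illustration and not part of BeyondTrust's product or documentation. The protocol-to-port map is a subset of the table, the hostnames are constructed, and the override dictionary models the page's "SSH on port 5555" case; anything flagged as non-default needs the same port in both the firewall rule and the job definition.

```python
import socket
from dataclasses import dataclass

# Standard outbound TCP ports from the port table above, keyed by the
# protocol a discovery or password change job uses (subset, for the example).
STANDARD_PORTS = {
    "ssh": 22, "telnet": 23, "ldap": 389, "ldaps": 636, "https": 443,
    "smb": 445, "mssql": 1433, "oracle": 1521, "mysql": 3306,
    "rdp": 3389, "sybase": 5000, "postgresql": 5432, "db2": 50000,
}

@dataclass(frozen=True)
class Rule:
    host: str
    port: int
    protocol: str
    non_default: bool  # True when the target listener was moved off the standard port

def plan_rules(targets, overrides=None):
    """Derive the outbound TCP rules needed for a list of (hostname, protocol) targets.

    overrides maps (hostname, protocol) -> port for targets whose listener is on
    a non-standard port, which the firewall rule and the job must both reflect.
    """
    overrides = overrides or {}
    rules = []
    for host, proto in targets:
        if proto not in STANDARD_PORTS:
            raise ValueError(f"unknown protocol {proto!r}")
        port = overrides.get((host, proto), STANDARD_PORTS[proto])
        rules.append(Rule(host, port, proto, port != STANDARD_PORTS[proto]))
    return rules

def check_tcp(host, port, timeout=3.0):
    """Return True if an outbound TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unresolvable
        return False

def verify(rules, timeout=3.0):
    """Reachability per rule; False entries are the ports still blocked or not listening."""
    return {(r.host, r.port): check_tcp(r.host, r.port, timeout) for r in rules}

if __name__ == "__main__":
    # Constructed sample hostnames; the switch has SSH moved to 5555.
    sample = [("db01.example.internal", "mssql"), ("sw01.example.internal", "ssh")]
    for rule in plan_rules(sample, {("sw01.example.internal", "ssh"): 5555}):
        note = " (non-default: set the same port on the job)" if rule.non_default else ""
        print(f"outbound TCP {rule.host}:{rule.port} [{rule.protocol}]{note}")
```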