Outbound traffic network and port requirements
The Privilege Cloud components
This topic presents the FQDNs, ports and protocols that should be configured to enable these communications.
For security reasons, all communication to the Privilege Cloud service must be TLS 1.2 or higher.
Recommended communication configuration
If your organization requires outbound allowlist firewall rules, we recommend:
- Dynamic configuration using wildcard-based dynamic firewall rules. These cover all outbound communication interfaces.
If you are unable to use dynamic configuration, set up one of the following static configurations:
- Static configuration using the hostname of each component and port
-or-
- Static configuration using the IP of each component and port
Dynamic configuration (recommended)
| Component | Network & port details |
|---|---|
| Privilege Cloud | FQDN: https://*.cyberark.cloud. Port/Protocol: 443/HTTPS/TCP (for REST/API calls) and 1858/TCP. Communication to the backend on port 1858/TCP is supported for both sticky and non-sticky sessions. |
| AWS SSL (for SSL certificates) | FQDN: http://*.amazontrust.com. Port: 80/HTTP |
| Connector Management agent | FQDNs: where <Region> is the AWS region where Privilege Cloud is available. |
| Secure Zones access control (optional) | In Identity Administration, configure authorized IP addresses defined in Control access using secure zones. |

Privilege Cloud uses AWS as a Certificate Authority for SSL certificates. For more details, see Amazon trust services.
Static configuration (if dynamic configuration does not apply)
If you are unable to use wildcards, add the following FQDNs and port, or IP and port, to your allowlist.
Static configuration is not recommended, and you may need to update this list in the future when additional services are added. If using static configuration, we recommend using FQDNs and not IPs.
| Component | Network & port details |
|---|---|
| Privilege Cloud Vault service backend (Required for Connector and related components: CPM, PSM, PSM for SSH, Credential Providers, Central Credential Provider) | IP: Provided by CyberArk support. Port: 1858/TCP. Communication to the backend on port 1858/TCP is supported for both sticky and non-sticky sessions. |
| Backend service management (Required for Secure Tunnel) | FQDN: https://console.privilegecloud.cyberark.cloud. IP: CloudFront IPs; open CloudFront IPs based on the regions where your organization's users need access to the service (see amazonaws ip ranges). Port: 443/HTTPS (for REST/API calls) |
| Connector (Required for Secure Tunnel) | FQDN: https://connector-<subdomain>.privilegecloud.cyberark.cloud. IP: Provided by CyberArk support. Port: 443/HTTPS (for REST/API calls) |
| Privilege Cloud portal (Required for browser access and related components) | FQDN: https://<subdomain>.cyberark.cloud (the <subdomain> appears in the first section of the Privilege Cloud Portal URL). IP: CloudFront IPs; open CloudFront IPs based on the regions where your organization's users need access to the service (see amazonaws ip ranges). Port: 443/HTTPS |
| Privilege Cloud for API | FQDN: https://<subdomain>.privilegecloud.cyberark.cloud (the <subdomain> appears in the first section of the Privilege Cloud Portal URL). IP: EC2 IPs; open EC2 IPs based on the regions where your organization needs access to the service (see amazonaws ip ranges). Port: 443/HTTPS |
| Identity Administration (Required for PSM for handling native RDP client authentication) | FQDN: https://<Identity-tenant-id>.id.cyberark.cloud. IP: Identity Administration. Port: 443/HTTPS (for REST/API calls) |
| (Optional) HTML5 Gateway | FQDN: https://webaccess-<subdomain>.privilegecloud.cyberark.cloud. IP: EC2 IPs; open EC2 IPs based on the regions where your organization needs access to the service (see amazonaws ip ranges). Port: 443/HTTPS |
| AWS SSL (for SSL certificates) | FQDNs: -or- IP: CloudFront IPs; open CloudFront IPs based on the regions where your organization's users need access to the service (see amazonaws ip ranges). Port: 80/HTTP |
| Connector Management agent | FQDNs: where <Region> is the AWS region where Privilege Cloud is available. |
| Secure Zones access control (optional) | In Identity Administration, configure authorized IP addresses defined in Control access using secure zones. |
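Several static rows above say to open CloudFront or EC2 IPs for the regions your users need, per the AWS ip ranges file. The following Python is an added example, not CyberArk documentation or tooling: it filters a document in the shape of AWS's published ip-ranges.json for one service and a set of regions, collapses adjacent prefixes, and reports drift against an allowlist you already have. The sample data is constructed, and treating CloudFront's GLOBAL entries as always required is an assumption.

```python
"""Derive static allowlist prefixes from an AWS ip-ranges.json document."""
import ipaddress
import json

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json
# (documentation-range addresses, not real AWS data; only the fields used here).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/25",   "region": "GLOBAL",    "service": "CLOUDFRONT"},
        {"ip_prefix": "203.0.113.128/25", "region": "GLOBAL",    "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.0/24",  "region": "eu-west-1", "service": "CLOUDFRONT"},
        {"ip_prefix": "192.0.2.0/24",     "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "192.0.2.0/26",     "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.128/25",   "region": "us-east-1", "service": "EC2"},
    ],
})


def allowlist_prefixes(ip_ranges_json, service, regions):
    """Return collapsed IPv4 CIDRs for `service` in `regions`, sorted.

    Assumption: CloudFront prefixes tagged GLOBAL are always included, since
    the edge network is not tied to a single region in the published file.
    """
    data = json.loads(ip_ranges_json)
    wanted = set(regions)
    if service == "CLOUDFRONT":
        wanted.add("GLOBAL")
    nets = [ipaddress.ip_network(p["ip_prefix"]) for p in data["prefixes"]
            if p["service"] == service and p["region"] in wanted]
    # Merge adjacent/overlapping prefixes so the firewall gets the fewest rules.
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def diff_allowlist(current, required):
    """Compare an existing allowlist with the required set: (to_add, stale)."""
    cur, req = set(current), set(required)
    return sorted(req - cur), sorted(cur - req)


if __name__ == "__main__":
    cf = allowlist_prefixes(SAMPLE_IP_RANGES, "CLOUDFRONT", ["eu-west-1"])
    ec2 = allowlist_prefixes(SAMPLE_IP_RANGES, "EC2", ["eu-west-1"])
    print("CloudFront, 443/TCP:", cf)
    print("EC2, 443/TCP:", ec2)
    # A constructed existing allowlist: one stale entry, one missing CloudFront range.
    print("to add / stale:", diff_allowlist(["203.0.113.0/24", "10.0.0.0/8"], cf))
```

Re-run the comparison whenever AWS publishes a new syncToken, since the page notes a static list must be maintained over time.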
Public-facing IP addresses
To secure the service, CyberArk permits inbound traffic only from specific IP addresses. Provide CyberArk support with the public-facing IP addresses used for all communication between the Privilege Cloud service and the Connectors, including Secrets Manager, so that they can be added to the CyberArk allowlist.
CyberArk Identity Connector configuration
All connections to the internet made by Identity Administration (including the CyberArk Identity Connector and mobile management) are outbound in nature. No internet-facing ingress ports are required. All outbound connections are made via TCP to either port 80 or 443 and should not have any restrictions.
The destination resource, IP address, and host for outbound connections may vary over time and should be updated for new or cancelled resources.
Use of deep packet inspection filtering of HTTPS or SSL traffic by web proxies or security software may cause connectivity issues with Identity Administration. In all cases, the ports and addresses discussed below should be excluded from packet inspection to allow for normal service operation.
You have the following options for allowing outbound traffic required for the CyberArk Identity Connector.
| Option | Description |
|---|---|
| Add the traffic source to an allow list | Given the variability of connection targets, the simplest allow list configuration is typically one where filters are based on the traffic source. Specifically, it relates to configurations where you allow all outbound traffic from the host machine and account running the CyberArk Identity Connector and for outbound requests made by iOS, Android, and Mac clients. This allow list may be scoped at the machine, or machine + account, or machine + account + process level depending on the feature set of the security appliance or process in place. |
| Add source ports to an allow list | You can also use an allow list configuration where all outbound traffic on ports 80 and 443 is allowed from the host machine and account running the CyberArk Identity Connector, as well as outbound requests made by iOS, Android, and Mac clients. This allow list may be scoped at the machine, or machine + account, or machine + account + process level depending on the feature set of the security appliance or process in place. |
| Add destinations to an allow list | If destination approval is required, you can add outbound ports or elastic IP addresses to an allow list. Do not delete any CyberArk-related IPs and hostnames until you have successfully deployed the connector. If adding an entire domain to an allow list is not acceptable per your organization's security policy, then you need to add the TCPRelay IPs allocated to your pod to an allow list. Contact CyberArk Support for the IP addresses. If your domain controller is on a private WAN, allow communication on the following ports (inbound to the domain controller) to facilitate communication between the domain controller and the connector host. |

The following diagram illustrates the default ports used by the CyberArk Identity Connector.