Network Communication Requirements for SecureAuth IdP

Size: px

Start display at page:

Download "Network Communication Requirements for SecureAuth IdP"

Chester Cole
5 years ago
Views:

1 Network Communication Requirements for SecureAuth IdP Introduction This document lists the firewall ports that must be opened to ensure network connectivity of the SecureAuth IdP v9.1 - v9.2 appliance. Refer to How to Configure the Windows Server 2012 R2 Firewall for instructions on how to open firewall ports on the appliance's firewall. Connectivity The following ports are required to be open for SecureAuth IdP to function Direction Port Protocol Destination Status Description Host-Based FW Rules Inbound 443 TCP All SecureAuth IdP appliances Provides access to the SecureAuth web interface World Wide Web Services (HTTPS Traffic-In) Outbound 80 & 443 TCP Refer to SecureAuth Cloud Services for the latest URLs and requirements Needed for access to SecureAuth cloud infrastructure Cloud Services SecureAuth Activation Outbound 53 TCP, UDP To the preferred IPs of your internal Domain Name System servers DNS Core Networking - DNS DNS Outbound 123 UDP The preferred Network Time Provider service (S)NTP / Windows Time NTP Outbound 80 TCP For Windows Operation System Activation Windows Activation (1) Windows Activation (2) Outbound 443 TCP For Windows Operation System Activation Windows Activation (1) Windows Activation (2) Further Connectivity

2 The following groups of ports are necessary if your deployment uses the services indicated. If your implementation does not use a service, then you are not required to open the corresponding ports. Direction Port Protocol Destination Status Description Host-Based FW Rules SecureAuth Sync Service Inbound / Outbound Inbound / Outbound Inbound / Outbound Inbound / Outbound 445 TCP The participating SecureAuth appliances 139 TCP The participating SecureAuth appliances 138 UDP The participating SecureAuth appliances 137 UDP The participating SecureAuth appliances SMB/CIFS SecureAuth Filesync Service (TCP-In) NetBIOS-Session NetBIOS-Datagram NetBIOS-Name SecureAuth Filesync Service (UDP-In) SecureAuth Filesync Service SecureAuth Filesync Service Active Directory / LDAP(S) Outbound 389 TCP, UDP The appropriate Active or LDAP server(s) LDAP

3 Outbound 636 TCP The appropriate Active or LDAP server(s) Optional LDAP - SSL/TLS Outbound 3268 TCP The appropriate Active Directory Global Catalog server(s) * LDAP Global Catalog (* if connecting to AD DC) Outbound 3269 TCP The appropriate Active Directory Global Catalog server(s) Optional* LDAP Global Catalog - SSL/TLS (* if connecting to AD DC over SSL/TLS) Outbound 88 TCP, UDP The appropriate Active Kerberos Domain Outbound 389 TCP, UDP The appropriate Active LDAP Domain Domain Outbound 636 TCP The appropriate Active Optional LDAP - SSL/TLS Domain Domain

4 Outbound 3268 TCP The appropriate Active LDAP Global Catalog Domain Domain Outbound 3269 TCP The appropriate Active Optional LDAP Global Catalog - SSL/TLS Domain Domain Outbound 88 TCP, UDP The appropriate Active Kerberos Domain Domain Outbound 445 TCP, UDP The appropriate Active SMB/CIFS, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc Domain Domain Outbound 135 TCP The appropriate Active RPC, EPM Domain Domain Outbound 137 UDP The appropriate Active NetLogon, NetBIOS Name Resolution Domain Domain

5 Outbound 138 UDP The appropriate Active DFSN, NetLogon, NetBIOS Datagram Service Domain Domain Outbound 139 TCP The appropriate Active DFSN, NetBIOS Session Service, NetLogon Domain Domain Outbound TCP Dynamic TCP The appropriate Active Optional Default Dynamic Port Range (see note below) Domain Domain Password Reset Outbound 139 TCP The appropriate Active DFSN, NetBIOS Session Service, NetLogon Active Directory Password Reset Active Directory Password Reset Outbound 445 TCP, UDP The appropriate Active SMB/CIFS, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc Outbound 464 TCP, UDP The appropriate Active Kerberos Change\Set Password Reporting / Database Outbound 1433 TCP The appropriate Database Servers Optional if using ODBC\MSSQL as a Data Store and\or reporting server SQL Outbound 514 UDP The appropriate Database Servers Optional if Syslog logging will be used Syslog

6 RADIUS Inbound 1812 UDP The appropriate Radius Servers RADIUS Authentication RADIUS Inbound 1813 UDP The appropriate Radius Servers RADIUS Accounting RADIUS SMTP Outbound 25 TCP The preferred SMTP server SMTP for One Time Password notification SMTP In a domain that consists of Windows Server 2003 based domain controllers, the default dynamic port range is 1025 through Windows Server 2008 R2 and Windows Server 2008, in compliance with Internet Assigned Numbers Authority (IANA) recommendations, increased the dynamic port range for connections. The new default start port is 49152, and the new default end port is Therefore, you must increase the remote procedure call (RPC) port range in your firewalls. If you have a mixed domain environment that includes a Windows Server 2008 R2 and Windows Server 2008 server and Windows Server 2003, allow traffic through ports 1025 through 5000 and through When you see TCP Dynamic in the Port column, it refers to ports 1025 through 5000, the default port range for Windows Server 2003, and ports through 65535, the default port range beginning with Windows Server See the Microsoft support document Active Directory and Active Services Port Requirements for more information on this topic. Basic Services

7 DNS DNS The SecureAuth IdP appliance will need to resolve DNS addresses. Ensure the appliance is configured with usable DNS IP resolvers and all firewalls are configured to allow the traffic (TCP-UDP/53).

8 SMTP SMTP If you intend for users to receive their One Time Password (OTP) code via , then you will have to allow SMTP (TCP/25) connectivity. If your internal SMTP server requires encryption see the SecureAuth document Enab ling SSL/TLS Support for SMTP. SecureAuth IdP appliances come pre-configured to use the mail relay, smtp.mercha ntsecure.com ( ). This relay is intended for testing purposes only and should not be used in your production environment. SecureAuth Corporation offers no SLA for the uptime of the mail relay. We strongly recommended that customers configure the appliance to use their internal mail relay at the earliest possible opportunity.

9 NTP NTP / Windows Time SecureAuth uses the Kerberos protocol to facilitate secure communications for many of its functions. The Kerberos protocol is sensitive to time drifts and, as such, keeping the clock disciplined on the appliance is important. The SecureAuth appliance should be within a few minutes of the LDAP/Active Directory Server. If the SecureAuth appliance is not joined to a domain and receiving accurate timing from a Domain Controller, we recommend enabling NTP to keep the time accurate. Active Directory / LDAP Active Directory / LDAP

10 If your environment uses Microsoft Active Directory or an LDAP based solution (e.g. OpenLDAP), then you will need to open the applicable ports below: Active Directory / LDAP Direction Port Protocol Outbound 389 TCP, UDP Outbound 636 TCP Outbound 3268 TCP Outbound 3269 TCP Outbound 88 TCP, UDP SSL Certificates are required for Secure LDAP (LDAPS) functionality. Revi ew the following documents for specific information. How to enable LDAP over SSL with a third-party certification authority for information regarding the SSL certificates needed for LDAPS How to add a Subject Alternative Name to a secure LDAP certificate fo r information on using a domain alias with LDAPS

11 SecureAuth-specific Services SecureAuth IdP Interface SecureAuth IdP Interface

12 All interaction with the SecureAuth IdP appliance, whether administrative or user facing, occurs over HTTPS for maximum security. HTTPS (TCP/443) access must be allowed or the appliance will be rendered inoperable. When using multiple SecureAuth IdP appliances in a load balanced configuration you need to be aware of how sessions are handled. Normally, a load balancer routes each request independently to a node with the smallest load. While this method works fine for normal (stateless) web applications, it will cause issues with SecureAuth IdP, which is a stateful application. In this case the node which first handles the request from a user must continue to answer their requests until the session concludes. To accommodate this use case most load balancers have a sticky session feature (also known as session affinity) which enables the load balancer to bind a user's session to a specific node. This ensures that all requests coming from the user during the session will be sent to the same node.

SecureAuth Cloud Services SecureAuth Cloud Services The SecureAuth cloud infrastructure handles many critical services for the SecureAuth IdP product, including but not limited to: 1. 2. 3. 4. 5.

13 SecureAuth Cloud Services SecureAuth Cloud Services The SecureAuth cloud infrastructure handles many critical services for the SecureAuth IdP product, including but not limited to: SMS One Time Password (OTP) Notifications Telephony One Time Password (OTP) Notifications Issuance of x509 v3 certificates Licensing Adaptive Authentication options To ensure proper operation of the SecureAuth IdP appliance, refer to SecureAuth Cloud Services for the URLs required to be accessible from the device.

SecureAuth Sync Service SecureAuth Sync Service The SecureAuth sync service keeps configuration information synchronized between two or more SecureAuth IdP appliances.

14 SecureAuth Sync Service SecureAuth Sync Service The SecureAuth sync service keeps configuration information synchronized between two or more SecureAuth IdP appliances. If you would like to install the service in your environment, contact SecureAuth support at (949) option 2 or submit a ticket at support.secureaut h.com to arrange for the software to be installed. As a pre-requisite to deploying the service, ensure the following ports and protocols are allowed between the SecureAuth IdP appliances: SecureAuth Sync Service Direction Port Protocol Inbound\outbound 445 TCP Inbound\outbound 139 TCP Inbound\outbound 138 UDP Inbound\outbound 137 UDP Client-based Services

15 Domain Domain If the SecureAuth IdP appliance will be joined to a domain, then you will need to ensure that the ports listed in the Domain se ction above are allowed between the SecureAuth appliance and applicable Domain Controllers. Password Reset Password Reset If the SecureAuth IdP appliance is used to reset passwords, then you need to ensure the port listed below are open between the appliance and applicable domain controllers: Password Reset Direction Port Protocol Outbound 139 TCP Outbound 445 TCP, UDP Outbound 464 TCP, UDP

16 Reporting Connectivity Reporting Connectivity If the SecureAuth IdP appliance is writing logging data to an external ODBC, Microsoft SQL or Syslog server, then you need to ensure that the ports listed below are open between the appliance and the DB/Syslog server: Reporting / Database Direction Port Protocol Description Outbound 1433 TCP MS SQL / ODBC Outbound 514 UDP Syslog

RADIUS RADIUS If SecureAuth IdP communicates with a RADIUS server, then you need to ensure the ports listed below are open: RADIUS Direction Port Protocol Outbound 1812 UDP Outbound 1813 UDP Early

17 RADIUS RADIUS If SecureAuth IdP communicates with a RADIUS server, then you need to ensure the ports listed below are open: RADIUS Direction Port Protocol Outbound 1812 UDP Outbound 1813 UDP Early deployments of RADIUS were done using UDP port number 1645, which conflicts with the data metrics service. The officially assigned port number for RADIUS is Additional Information Active Directory and Active Services Port Requirements How the Global Catalog Works RFC 2865: Remote Authentication Dial In User Service (RADIUS) How to enable LDAP over SSL with a third-party certification authority How to add a Subject Alternative Name to a secure LDAP certificate

Domain Restructuring Windows Server 2008

Domain Restructuring Windows Server 2008 Introduction: This document will describe design decision to add Additional Domain Controller in the existing Active Directory Forest. The infrastructure is assumed