Introduction

This document discusses the network connectivity required by the SecureAuth IdP 8.0.x appliance.

Required Connectivity

The following ports are required to be open for SecureAuth IdP to function:

Direction | Port | Protocol | Destination | Status | Description
Inbound | 443 | TCP | All SecureAuth IdP appliances | Required | Provides access to the SecureAuth web interface
Outbound | 80 & 443 | TCP | Refer to SecureAuth cloud services for the latest URLs and requirements | Required | Needed for access to SecureAuth cloud infrastructure
Outbound | 53 | TCP, UDP | The preferred IPs of your internal Domain Name System servers | Required | DNS
Outbound | 25 | TCP | The preferred SMTP server | Required | SMTP for One Time Password notification
Outbound | 123 | UDP | The preferred Network Time Provider service | Required | NTP / Windows Time
Outbound | 80 | TCP | www.microsoft.com | Required | For Windows Operating System Activation
Outbound | 443 | TCP | www.microsoft.com | Required | For Windows Operating System Activation

Further Connectivity

The following groups of ports are necessary if your deployment uses the services indicated. If your implementation does not use a service, then you are not required to open the corresponding ports.

SecureAuth Sync Service

Direction | Port | Protocol | Destination | Status | Description
Inbound\Outbound | 445 | TCP | The participating SecureAuth appliances | Required | SMB/CIFS
Inbound\Outbound | 139 | TCP | The participating SecureAuth appliances | Required | NetBIOS-Session
Inbound\Outbound | 138 | UDP | The participating SecureAuth appliances | Required | NetBIOS-Datagram
Inbound\Outbound | 137 | UDP | The participating SecureAuth appliances | Required | NetBIOS-Name

Active Directory \ LDAP

Direction | Port | Protocol | Destination | Status | Description
Outbound | 389 | TCP, UDP | The appropriate Active Directory Domain Controller(s) or LDAP server(s) | Required | LDAP
Outbound | 636 | TCP | The appropriate Active Directory Domain Controller(s) or LDAP server(s) | Optional | LDAP - SSL\TLS
Outbound | 3268 | TCP | The appropriate Active Directory Global Catalog server(s) | Required* | LDAP Global Catalog (*Required if connecting to AD DC)
Outbound | 3269 | TCP | The appropriate Active Directory Global Catalog server(s) | Optional* | LDAP Global Catalog - SSL\TLS (*Required if connecting to AD DC over SSL\TLS)
Outbound | 88 | TCP, UDP | The appropriate Active Directory Domain Controller(s) | Required | Kerberos

Domain Membership

Direction | Port | Protocol | Destination | Status | Description
Outbound | 389 | TCP, UDP | The appropriate Active Directory Domain Controller(s) | Required | LDAP
Outbound | 636 | TCP | The appropriate Active Directory Domain Controller(s) | Optional | LDAP - SSL\TLS
Outbound | 3268 | TCP | The appropriate Active Directory Domain Controller(s) | Required | LDAP Global Catalog
Outbound | 3269 | TCP | The appropriate Active Directory Domain Controller(s) | Optional | LDAP Global Catalog - SSL\TLS
Outbound | 88 | TCP, UDP | The appropriate Active Directory Domain Controller(s) | Required | Kerberos
Outbound | 445 | TCP, UDP | The appropriate Active Directory Domain Controller(s) | Required | SMB/CIFS, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
Outbound | 135 | TCP | The appropriate Active Directory Domain Controller(s) | Required | RPC, EPM
Outbound | 137 | UDP | The appropriate Active Directory Domain Controller(s) | Required | NetLogon, NetBIOS Name Resolution
Outbound | 138 | UDP | The appropriate Active Directory Domain Controller(s) | Required | DFSN, NetLogon, NetBIOS Datagram Service
Outbound | 139 | TCP | The appropriate Active Directory Domain Controller(s) | Required | DFSN, NetBIOS Session Service, NetLogon
Outbound | TCP Dynamic | TCP | The appropriate Active Directory Domain Controller(s) | Optional | Default Dynamic Port Range (please see note below)

Password Reset

Direction | Port | Protocol | Destination | Status | Description
Outbound | 139 | TCP | The appropriate Active Directory Domain Controller(s) | Required | DFSN, NetBIOS Session Service, NetLogon
Outbound | 445 | TCP, UDP | The appropriate Active Directory Domain Controller(s) | Required | SMB/CIFS, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
Outbound | 464 | TCP, UDP | The appropriate Active Directory Domain Controller(s) | Required | Kerberos Change\Set Password

Reporting \ Database

Direction | Port | Protocol | Destination | Status | Description
Outbound | 1433 | TCP | The appropriate Database Servers | Optional | Required if using ODBC\MSSQL as a Data Store and\or reporting server
Outbound | 514 | UDP | The appropriate Database Servers | Optional | Required if Syslog logging will be used

RADIUS

Direction | Port | Protocol | Destination | Status | Description
Inbound | 1812 | UDP | The appropriate RADIUS servers | Required | RADIUS Authentication
Inbound | 1813 | UDP | The appropriate RADIUS servers | Required | RADIUS Accounting

In a domain that consists of Windows Server® 2003–based domain controllers, the default dynamic port range is 1025 through 5000. Windows Server 2008 R2 and Windows Server 2008, in compliance with Internet Assigned Numbers Authority (IANA) recommendations, increased the dynamic port range for connections. The new default start port is 49152, and the new default end port is 65535. Therefore, you must increase the remote procedure call (RPC) port range in your firewalls. If you have a mixed domain environment that includes a Windows Server 2008 R2 and Windows Server 2008 server and Windows Server 2003, allow traffic through ports 1025 through 5000 and 49152 through 65535.

When you see TCP Dynamic in the Port column, it refers to ports 1025 through 5000, the default port range for Windows Server 2003, and ports 49152 through 65535, the default port range beginning with Windows Server 2008. 

Please see the Microsoft support document Active Directory and Active Directory Domain Services Port Requirements for more information on this topic.
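As an added example, not part of the SecureAuth documentation: a small Python pre-deployment audit that encodes the connectivity tables above as data and tests TCP reachability of every rule a given deployment needs, applying the footnotes that 3268 is only required against an AD DC and 3269 only against an AD DC reached over SSL\TLS. The target hostnames, the deployment option names and the local_listener stand-in are assumptions of this example.

```python
import socket
from collections import namedtuple

# Rule table constructed from the SecureAuth IdP 8.0.x tables above; hostnames are placeholders.
Rule = namedtuple("Rule", "port proto target when")  # when = deployment option that requires it
RULES = [
    Rule(443, "tcp", "cloud.example", "base"),          # SecureAuth cloud services
    Rule(53, "tcp", "dns.example", "base"),             # DNS (UDP/53 is also required)
    Rule(25, "tcp", "smtp.example", "base"),            # SMTP for OTP e-mail
    Rule(123, "udp", "ntp.example", "base"),            # NTP / Windows Time
    Rule(389, "tcp", "dc.example", "ad_ldap"),          # LDAP
    Rule(88, "tcp", "dc.example", "ad_ldap"),           # Kerberos
    Rule(636, "tcp", "dc.example", "ad_ldap_tls"),      # LDAP over SSL/TLS
    Rule(3268, "tcp", "gc.example", "ad_dc"),           # Global Catalog, AD DC only
    Rule(3269, "tcp", "gc.example", "ad_dc_tls"),       # GC over SSL/TLS, AD DC over TLS only
    Rule(464, "tcp", "dc.example", "password_reset"),   # Kerberos change/set password
    Rule(1433, "tcp", "sql.example", "reporting"),      # MSSQL / ODBC data store
    Rule(514, "udp", "syslog.example", "syslog"),       # Syslog
]

def required_rules(options):
    """Rules a deployment must allow. 'base' is always implied; AD DC or LDAPS
    implies plain LDAP/Kerberos, and 3269 applies only to an AD DC reached over TLS."""
    opts = set(options) | {"base"}
    if "ad_dc" in opts or "ad_ldap_tls" in opts:
        opts.add("ad_ldap")
    if "ad_dc" in opts and "ad_ldap_tls" in opts:
        opts.add("ad_dc_tls")
    return [r for r in RULES if r.when in opts]

def tcp_open(host, port, timeout=2.0):
    """True when a TCP handshake completes. UDP rules (53, 123, 514) cannot be
    verified this way; test them with the service itself (e.g. a DNS query)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(options, resolve=lambda host: host):
    """(port, target) -> True/False for TCP rules, None for UDP; `resolve` maps placeholders."""
    return {(r.port, r.target): tcp_open(resolve(r.target), r.port) if r.proto == "tcp" else None
            for r in required_rules(options)}

def local_listener():
    """Constructed stand-in for a reachable service: a loopback listener on a free port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv.getsockname()[1], srv.close
```

Run audit() from the appliance with a resolve function that maps the placeholders to your real servers; any False entry is a firewall rule to open before deployment.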

SecureAuth Specific

SecureAuth IdP Interface

All interaction with the SecureAuth appliance, whether administrative or user facing, occurs over HTTPS for maximum security. HTTPS (TCP/443) access must be allowed or the appliance will be rendered inoperable.

When using multiple SecureAuth appliances in a load balanced configuration, you need to be aware of how sessions are handled. Normally, a load balancer routes each request independently to the node with the smallest load. While this method works fine for normal (stateless) web applications, it will cause issues with SecureAuth. SecureAuth is a stateful application: the node that first handles a user's request must continue to answer that user's requests until the session concludes. To accommodate this, most load balancers have a sticky session feature (also known as session affinity) which binds a user's session to a specific node, ensuring that all requests from the user during the session are sent to the same node.

SecureAuth Cloud Services

The SecureAuth cloud infrastructure handles many critical services for the SecureAuth IdP product, including, but not limited to:

  1. SMS One Time Password (OTP) Notifications
  2. Telephony One Time Password (OTP) Notifications
  3. Issuance of X.509 v3 certificates
  4. Licensing
  5. Adaptive Authentication options

To ensure proper operation of the SecureAuth IdP appliance, refer to SecureAuth cloud services for the URLs required to be accessible from the device.

SecureAuth Sync Service

The SecureAuth sync service keeps configuration information synchronized between two or more SecureAuth IdP appliances. If you would like to install the service in your environment, please contact SecureAuth support at 949.777.6959 option 2 or submit a ticket at support.secureauth.com to arrange for the software to be installed. As a prerequisite to deploying the service, please ensure the following ports and protocols are allowed between the SecureAuth IdP appliances:

SecureAuth Sync Service

Direction | Port | Protocol
Inbound\Outbound | 445 | TCP
Inbound\Outbound | 139 | TCP
Inbound\Outbound | 138 | UDP
Inbound\Outbound | 137 | UDP

Basic Required Services

DNS

The SecureAuth IdP appliance needs to resolve host names through DNS. Please ensure the appliance is configured with usable DNS resolver IPs and that all firewalls are configured to allow the traffic (TCP and UDP port 53).

SMTP

If you intend for users to receive their One Time Password (OTP) code via email, then you will have to allow SMTP (TCP/25) connectivity. If your internal SMTP server requires encryption please see the SecureAuth document Enabling SSL\TLS Support for SMTP.

SecureAuth IdP appliances come pre-configured to use the mail relay smtp.merchantsecure.com (64.34.120.34). This relay is intended for testing purposes only and should not be used in your production environment. SecureAuth Corporation offers no SLA for the uptime of the mail relay. We strongly recommend that customers configure the appliance to use their internal mail relay at the earliest possible opportunity.

NTP \ Windows Time

SecureAuth uses the Kerberos protocol to secure communications for many of its functions. Kerberos is sensitive to clock drift, so keeping the appliance clock disciplined is important: the SecureAuth appliance should be within a few minutes of the LDAP\Active Directory server. If the SecureAuth appliance is not joined to a domain and receiving accurate time from a Domain Controller, we recommend enabling NTP to keep the time accurate.

Active Directory / LDAP

If your environment uses Microsoft Active Directory or an LDAP based solution (e.g. OpenLDAP), then you will need to open the applicable ports below:

Active Directory \ LDAP

Direction | Port | Protocol
Outbound | 389 | TCP, UDP
Outbound | 636 | TCP
Outbound | 3268 | TCP
Outbound | 3269 | TCP
Outbound | 88 | TCP, UDP

SSL certificates are required for LDAPS functionality. See How to enable LDAP over SSL with a third-party certification authority for information on the SSL certificates needed for Secure LDAP. Additionally, for information on using a domain alias with Secure LDAP, see How to add a Subject Alternative Name to a secure LDAP certificate.

Client-based Services

Domain Membership

If the SecureAuth IdP appliance will be joined to a domain, you will need to ensure that the ports listed in the Domain Membership section above are allowed between the SecureAuth appliance and applicable Domain Controllers.

Password Reset

If your SecureAuth IdP appliance is used to reset passwords, then you need to ensure the ports listed below are open between the appliance and the applicable domain controllers:

Password Reset

Direction | Port | Protocol
Outbound | 139 | TCP
Outbound | 445 | TCP, UDP
Outbound | 464 | TCP, UDP

Reporting Connectivity

If your SecureAuth IdP appliance is writing logging data to an external ODBC, Microsoft SQL or Syslog server, then you need to ensure the ports listed below are open between the appliance and the DB/Syslog server:

Reporting \ Database

Direction | Port | Protocol | Description
Outbound | 1433 | TCP | MS SQL \ ODBC
Outbound | 514 | UDP | Syslog

RADIUS

If SecureAuth IdP communicates with a RADIUS server, you need to ensure the ports listed below are open:

RADIUS

Direction | Port | Protocol
Outbound | 1812 | UDP
Outbound | 1813 | UDP

Early deployments of RADIUS were done using UDP port number 1645, which conflicts with the datametrics service. The officially assigned port number for RADIUS is 1812.

Additional Information

Active Directory and Active Directory Domain Services Port Requirements
How the Global Catalog Works
RFC 2865: Remote Authentication Dial In User Service (RADIUS)
How to enable LDAP over SSL with a third-party certification authority
How to add a Subject Alternative Name to a secure LDAP certificate