Firewall Considerations

Keyfactor Command needs to be able to communicate internally between the various Keyfactor Command components installed on different servers, if applicable, and to the SQL server, certificate authorities, centralized logging server (if applicable), and Active Directory. If there are any firewalls in the environment that control internal traffic, these may need to be updated to allow the appropriate level of communication. Table 762: Protocols Keyfactor Command Uses for Communication shows each Keyfactor Command component and the protocols it uses to communicate. In addition, all Keyfactor Command components require a healthy Active Directory environment with the ability to use Kerberos, LDAP, and DNS.

Table 762: Protocols Keyfactor Command Uses for Communication

| Keyfactor Command Component | Protocols and Ports | Target |
|---|---|---|
| Keyfactor Command Management Portal | HTTP/HTTPS (TCP 80/443) | Client browser (e.g. Microsoft Edge) |
| Keyfactor Command Management Portal | HTTP/HTTPS (TCP 80/443) | Certificate revocation list (CRL) distribution points |
| Keyfactor Command Management Portal | HTTP/HTTPS (TCP 80/443) | EJBCA Certificate Authorities |
| Keyfactor Command Management Portal | RPC/DCOM (TCP 135 plus random high ports typically in the range 49152 – 65535) | Microsoft Certificate Authorities |
| Keyfactor Command Management Portal | RPC/DCOM (TCP 135 plus random high ports typically in the range 49152 – 65535) | Keyfactor vendor gateways to cloud CAs (e.g. Entrust, Symantec) |
| Keyfactor Command Management Portal | MS SQL (default TCP 1433) | SQL Server |
| Keyfactor Command Management Portal | Varies depending on the implemented solution (TCP 514 for rsyslog and TCP 5000 for Logstash are some standard defaults) | Centralized logging solution |
| Keyfactor Command | Active Directory (TCP/UDP 389) | Microsoft Active Directory queries |
| Keyfactor Command SSH Management | Active Directory Web Services (TCP 9389) | Microsoft Active Directory for group membership enumeration |
| All Orchestrators and Agents | HTTP/HTTPS (TCP 80/443) | Keyfactor Command Orchestrator API endpoint |
| Keyfactor Windows Orchestrator (IIS Certificate Stores) | PowerShell Remoting (default TCP 5985 and 5986) | IIS Servers to which PFX files will be distributed |
| Keyfactor Universal Orchestrator (IIS Certificate Stores) | PowerShell Remoting (default TCP 5985 and 5986) | IIS Servers to which PFX files will be distributed |
| Keyfactor Windows Orchestrator (SSL Endpoint Management) | Any configured for scanning | The SSL endpoint being scanned by the SSL discovery or monitoring job |
| Keyfactor Universal Orchestrator (SSL Endpoint Management) | Any configured for scanning | The SSL endpoint being scanned by the SSL discovery or monitoring job |
| Keyfactor Windows Orchestrator (F5 and NetScaler Certificate Store Management) | HTTP/HTTPS (TCP 80/443) | F5 or NetScaler Devices |
| Keyfactor Windows Orchestrator (Remote Certificate Authority) | RPC/DCOM (TCP 135 plus random high ports typically in the range 49152 – 65535) | Microsoft Certificate Authorities |
| Keyfactor Universal Orchestrator (Remote Certificate Authority) | RPC/DCOM (TCP 135 plus random high ports typically in the range 49152 – 65535) | Microsoft Certificate Authorities |
| Keyfactor Windows Orchestrator (FTP) | FTP (TCP 21) | FTP Servers |
| Keyfactor Universal Orchestrator (FTP) | FTP (TCP 21) | FTP Servers |
| Keyfactor Bash Orchestrator | SSH (TCP 22 by default) | Remote control targets for SSH management |
| Keyfactor Gateways to Cloud CAs | HTTP/HTTPS (TCP 80/443) | Cloud providers (e.g. Entrust, Symantec) |
| Keyfactor Cloud Gateway | Active Directory Web Services (TCP 9389) | Microsoft Active Directory for group membership enumeration |
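The following PowerShell is an added example, not Keyfactor's own tooling, showing how the port requirements in the table above can be verified before installation and how the inbound side can be scoped narrowly. It assumes placeholder hostnames (sql01, ca01, ejbca01, dc01, syslog01 under example.com) and a placeholder orchestrator address (10.0.0.25); substitute your own. The connectivity check is meant to run on the Management Portal server, and the firewall rule on an IIS server that receives PFX files from an orchestrator.

```powershell
# Added example (not Keyfactor's code): pre-flight check of the outbound TCP paths a
# Keyfactor Command Management Portal server needs, taken from the table above.
# All hostnames and the orchestrator address are placeholders; substitute your own.
$requiredPaths = @(
    @{ Role = 'SQL Server (MS SQL)';                  Host = 'sql01.example.com';    Port = 1433 },
    @{ Role = 'Microsoft CA (RPC endpoint mapper)';    Host = 'ca01.example.com';     Port = 135  },
    @{ Role = 'EJBCA CA (HTTPS)';                      Host = 'ejbca01.example.com';  Port = 443  },
    @{ Role = 'Active Directory (LDAP, TCP side)';     Host = 'dc01.example.com';     Port = 389  },
    @{ Role = 'Active Directory Web Services';         Host = 'dc01.example.com';     Port = 9389 },
    @{ Role = 'Centralized logging (rsyslog default)'; Host = 'syslog01.example.com'; Port = 514  }
)

$results = foreach ($p in $requiredPaths) {
    # Test-NetConnection only exercises a single TCP port: UDP 389 and the CA's dynamic
    # RPC/DCOM range (typically 49152-65535) are not proven open by this check.
    $tnc = Test-NetConnection -ComputerName $p.Host -Port $p.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Role      = $p.Role
        Target    = '{0}:{1}' -f $p.Host, $p.Port
        Reachable = $tnc.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

# Anything unreachable is a firewall, DNS or routing gap to raise before installation.
$results | Where-Object { -not $_.Reachable } | ForEach-Object {
    Write-Warning ('Blocked or unreachable: {0} ({1})' -f $_.Target, $_.Role)
}

# On a Microsoft CA host, the dynamic port range the RPC/DCOM firewall rule must cover
# can be read with (run on the CA itself):
#   netsh int ipv4 show dynamicport tcp

# On an IIS server that receives PFX files, allow PowerShell Remoting only from the
# orchestrator's address rather than from any source, so the rule follows least privilege.
$orchestratorAddress = '10.0.0.25'   # placeholder
New-NetFirewallRule -DisplayName 'Keyfactor Orchestrator - PowerShell Remoting' `
    -Direction Inbound -Protocol TCP -LocalPort 5985, 5986 `
    -RemoteAddress $orchestratorAddress -Action Allow -Profile Domain
```

The reachability loop reports only TCP results, so the UDP half of the Active Directory requirement and the CA's dynamic RPC range still need to be confirmed against the firewall policy itself; the `netsh` command shows which high-port range that policy has to permit on a given CA host.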