Firewall Considerations

Keyfactor Command needs to communicate between the Keyfactor Command components installed on different servers (if applicable), and with the SQL server, certificate authorities, a centralized logging server (if applicable), and your identity provider. If any firewalls in the environment control internal traffic, they may need to be updated to allow this communication. Table 896: Protocols Keyfactor Command Uses for Communication shows each Keyfactor Command component and the protocols it uses to communicate. In environments using Active Directory as an identity provider, all Keyfactor Command components require a healthy Active Directory environment with the ability to use Kerberos, LDAP, and DNS.

Table 896: Protocols Keyfactor Command Uses for Communication

| Keyfactor Command Component | Protocols and Ports | Target |
|---|---|---|
| Keyfactor Command Management Portal | HTTP/HTTPS (TCP 80/443) | Client browser (e.g. Microsoft Edge) |
| Keyfactor Command Management Portal | HTTP/HTTPS (TCP 80/443) | Certificate revocation list (CRL) distribution points |
| Keyfactor Command Management Portal | HTTP/HTTPS (TCP 80/443) | EJBCA Certificate Authorities |
| Keyfactor Command Management Portal | RPC/DCOM (TCP 135 plus random high ports, typically in the range 49152–65535) | Microsoft Certificate Authorities |
| Keyfactor Command Management Portal | RPC/DCOM (TCP 135 plus random high ports, typically in the range 49152–65535) | Keyfactor vendor gateways to cloud CAs (e.g. Entrust, Symantec) |
| Keyfactor Command Management Portal | MS SQL (default TCP 1433) | SQL Server |
| Keyfactor Command Management Portal | Varies depending on the implemented solution (TCP 514 for rsyslog and TCP 5000 for Logstash are common defaults) | Centralized logging solution |
| Keyfactor Command | Active Directory (TCP/UDP 389) | Microsoft Active Directory queries |
| Keyfactor Command SSH Management | Active Directory Web Services (TCP 9389) | Microsoft Active Directory for group membership enumeration |
| All Orchestrators and Agents | HTTP/HTTPS (TCP 80/443) | Keyfactor Command Orchestrator API endpoint |
| Keyfactor Universal Orchestrator with Extension Relying on PowerShell Remoting and WinRM (IIS and Remote File Extensions) | PowerShell Remoting (default TCP 5985 and 5986) | Windows Servers to which certificate files will be distributed |
| Keyfactor Universal Orchestrator (SSL Endpoint Management) | Any port configured for scanning | The SSL endpoint being scanned by the SSL discovery or monitoring job |
| Keyfactor Universal Orchestrator with Extension Relying on HTTP/HTTPS (F5 and Citrix NetScaler Certificate Store Management) | HTTP/HTTPS (TCP 80/443) | F5 or NetScaler Devices |
| Keyfactor Universal Orchestrator (Remote Certificate Authority) | RPC/DCOM (TCP 135 plus random high ports, typically in the range 49152–65535) | Microsoft Certificate Authorities |
| Keyfactor Bash Orchestrator | SSH (TCP 22 by default) | Remote control targets for SSH management |
| Keyfactor Gateways to Cloud CAs | HTTP/HTTPS (TCP 80/443) | Cloud providers (e.g. Entrust, Symantec) |
| Keyfactor Cloud Gateway | Active Directory Web Services (TCP 9389) | Microsoft Active Directory for group membership enumeration |
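To confirm that the flows in Table 896 are actually open before a rollout, the following added Python example (written for this page, not Keyfactor's own tooling) attempts a TCP handshake to each target and reports the flows a firewall is still blocking. The host names are placeholders to replace with your own servers; the port numbers come from the table. Two caveats the check cannot cover: the UDP half of the TCP/UDP 389 row, and the RPC/DCOM rows, where a successful connect to TCP 135 only proves the endpoint mapper is reachable and the dynamic high ports (49152–65535) must be allowed as well, either as a range or by an RPC-aware firewall.

```python
"""Reachability check for the Keyfactor Command flows in Table 896.

Added example, not Keyfactor's tooling. Host names are placeholders (assumed);
the port numbers are the ones listed in the table.
"""
import socket
from dataclasses import dataclass


@dataclass
class Flow:
    """One required network flow: source component, target, host and TCP ports."""
    source: str
    target: str
    host: str           # placeholder; replace with the real server name
    ports: list[int]
    note: str = ""      # caveat that the port list alone does not capture


RPC_DYNAMIC_RANGE = (49152, 65535)   # high ports the RPC endpoint mapper hands out

# Placeholder hosts (assumed); ports as listed in the table above.
FLOWS = [
    Flow("Management Portal", "SQL Server", "sql.example.internal", [1433]),
    Flow("Management Portal", "Microsoft CA", "ca.example.internal", [135],
         note="RPC/DCOM also needs TCP %d-%d" % RPC_DYNAMIC_RANGE),
    Flow("Management Portal", "Active Directory", "dc.example.internal", [389, 9389],
         note="UDP 389 is not covered by a TCP connect test"),
    Flow("Orchestrators/Agents", "Orchestrator API endpoint",
         "keyfactor.example.internal", [443]),
    Flow("Universal Orchestrator (IIS/Remote File)", "Windows target",
         "web01.example.internal", [5985, 5986]),
    Flow("Bash Orchestrator", "SSH target", "linux01.example.internal", [22]),
]


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout.

    A completed connect shows nothing in the path drops or rejects the flow;
    it says nothing about the application listening behind the port.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:     # refused, timed out, unresolvable or unreachable
        return False


def check_flows(flows, timeout: float = 2.0):
    """Check every port of every flow; return a list of (description, port, ok)."""
    results = []
    for f in flows:
        for p in f.ports:
            ok = tcp_reachable(f.host, p, timeout)
            results.append((f"{f.source} -> {f.target} ({f.host})", p, ok))
    return results


def blocked(results):
    """Keep only the flows that did not complete a handshake."""
    return [r for r in results if not r[2]]


def needs_rpc_dynamic_range(flow: Flow) -> bool:
    """True when a flow uses the RPC endpoint mapper and therefore also
    needs the dynamic high-port range opened on the firewall."""
    return 135 in flow.ports


def demo_with_local_listener():
    """Stand-alone demonstration on loopback: a listening port is reachable,
    an unbound port on the same host is not (it is refused, not dropped)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))      # OS picks a free port
    srv.listen(1)
    open_port = srv.getsockname()[1]
    try:
        flow = Flow("demo source", "demo target", "127.0.0.1", [open_port, 1])
        return check_flows([flow], timeout=1.0)
    finally:
        srv.close()


if __name__ == "__main__":
    for desc, port, ok in check_flows(FLOWS):
        print(f"{'OK     ' if ok else 'BLOCKED'} {desc} tcp/{port}")
    for f in FLOWS:
        if f.note:
            print(f"NOTE    {f.source} -> {f.target}: {f.note}")
```

Run it from the server that hosts the source component, since that is the path the firewall evaluates; a result gathered from a jump host proves nothing about the portal-to-CA path. Timed-out connects (a silent drop) and refused connects (an explicit reject, or nothing listening yet) both show as BLOCKED, so check the target service is up before blaming the firewall.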