Keyfactor Command needs to be able to communicate internally between the various Keyfactor Command components installed on different servers (for installations on Windows under IIS), if applicable, and to the SQL server, certificate authorities, centralized logging server (if applicable), and your identity provider. If there are any firewalls in the environment that control internal traffic, these may need to be updated to allow the appropriate level of communication. Table 108: Protocols Keyfactor Command Uses for Communication shows each Keyfactor Command component and the protocols they use to communicate. In environments using Active Directory as an identity provider, all Keyfactor Command components require a healthy Active Directory environment with the ability to use Kerberos, LDAP, and DNS
The Domain Name System is a service that translates names into IP addresses..
Table 108: Protocols Keyfactor Command Uses for Communication
|
Keyfactor Command Component |
Protocols and Ports |
Target |
|---|---|---|
|
Keyfactor Command Management Portal |
HTTP/HTTPS (TCP 80/443) |
Client browser (e.g. Microsoft Edge) |
|
Keyfactor Command Management Portal |
HTTP/HTTPS (TCP 80/443) |
Certificate revocation list (CRL) distribution points |
|
Keyfactor Command Management Portal |
HTTP/HTTPS (TCP 80/443) |
EJBCA Certificate Authorities |
|
Keyfactor Command Management Portal |
RPC/DCOM (TCP 135 plus random high ports typically in the range 49152 – 65535) |
Microsoft Certificate Authorities |
|
Keyfactor CommandManagement Portal |
HTTP/HTTPS (TCP 80/443) |
Keyfactor REST CA Gateways |
|
Keyfactor Command Management Portal |
RPC/DCOM (TCP 135 plus random high ports typically in the range 49152 – 65535) |
Keyfactor DCOM CA Gateways |
|
Keyfactor Command Management Portal |
MS SQL (default TCP 1433) |
SQL Server |
|
Keyfactor Command Management Portal |
Varies depending on the implemented solution (TCP 514 for rsyslog, TCP 5000 for Logstash are some standard defaults) |
Centralized logging solution |
| Keyfactor Command | Active Directory (TCP/UDP 389) | Microsoft Active Directory queries |
| Keyfactor Command SSH Management | Active Directory Web Services (TCP 9389) | Microsoft Active Directory for group membership enumeration |
|
All Orchestrators and Agents |
HTTP/HTTPS (TCP 80/443) |
Keyfactor Command Orchestrator API endpoint |
|
Keyfactor Universal Orchestrator with Extension Relying on PowerShell Remoting and WinRM |
PowerShell Remoting (default TCP 5985 and 5986) |
Windows Servers to which certificate files will be distributed |
|
Keyfactor Universal Orchestrator
|
Any configured for scanning |
The SSL endpoint being scanned by the SSL discovery or monitoring job |
|
Keyfactor Universal Orchestrator with Extension Relying on HTTP/HTTPS |
HTTP/HTTPS (TCP 80/443) |
F5 or NetScaler Devices |
|
Keyfactor Universal Orchestrator
|
RPC/DCOM (TCP 135 plus random high ports typically in the range 49152 – 65535) |
Microsoft Certificate Authorities |
| Keyfactor Bash Orchestrator | SSH (TCP 22 by default) | Remote control targets for SSH management |
|
Keyfactor DCOM and REST CA Gateways to Cloud CAs |
HTTP/HTTPS (TCP 80/443) |
Cloud providers (e.g. Entrust, Symantec) |
| Keyfactor Cloud Gateway | Active Directory Web Services (TCP 9389) | Microsoft Active Directory for group membership enumeration |