Firewall Configuration for Key Manager Deployments
This section describes the network services that Key Manager components are expected to communicate with, and the protocols they use. When deploying Key Manager into your network environment, ensure that your network firewall settings allow appropriate access to and from Key Manager devices.
The firewall recommendations in this section should be viewed as guidelines. Some of the services listed here may not be specifically applicable in your network environment, whereas more-complex network environments may have additional restrictions that must be taken into account. Also, the port numbers specified for incoming connections are default values, and may be configured differently if desired. Please consult with your network administrators to determine the exact firewall requirements in your network environment.
Key Manager components are expected to be able to communicate as follows:
Key Manager Front Ends
- Connect to the DNS for basic networking.
- Connect to the NTP service for time synchronization.
- Connect to the Key Manager Database. Depending on your Key Manager configuration, the connection can be established with or without TLS.
- Accept HTTPS connections to port 443. This allows access to the Key Manager GUI and the Key Manager API. Note that Key Manager command-line client and User Portal instances require access to the Key Manager API.
- Accept SSH connections to port 22 to allow remote-terminal sessions, which may be required for maintenance and troubleshooting.
- (Optional): Connect to LDAP and AD servers for LDAP/AD authentication, using the LDAP or the LDAPS protocol. Required when enabling LDAP authentication to Key Manager management interfaces.
- (Optional): Connect to SYSLOG/SIEM services.
- (Optional): Connect to the network HSM.
- (Optional): Connect to the certificate server for client-certificate validation. The connection can be established using HTTP, HTTPS, LDAP, or LDAPS.
Key Manager Back Ends
- Connect to the DNS for basic networking.
- Connect to the NTP service for time synchronization.
- Connect to the Key Manager Database. Depending on your Key Manager configuration, the connection can be established with or without TLS.
- Connect to all Key Manager front ends via HTTPS.
- Accept SSH connections to port 22, to receive management connections from agent-based hosts. SSH is also recommended for allowing remote-terminal sessions, which may be required for maintenance and troubleshooting. You may want to set up a separate SSH server dedicated to maintenance purposes. The SSH server used for maintenance must run on another port (such as 222).
- (Optional): Connect to SYSLOG/SIEM services.
- (Optional): Connect to an outbound SMTP or smart-host server. Needed for sending email alerts.
- (Optional): Connect to the network HSM.
Key Manager Database
Accept database connections from Key Manager front ends and Key Manager back ends. Depending on your Key Manager configuration, database connections are established with or without TLS.
Agentless Hosts
Accept SSH connections from Key Manager back ends.
Agent-Based Hosts
Connect to Key Manager back ends via SSH, to port 22 by default.
Hosts running a stand-alone Key Manager Command-Line Client
- Connect to a Key Manager front end via HTTPS.
- (Optional): Connect to an outbound SMTP or smart-host server. The command-line client itself does not send emails. However, SMTP connectivity may be required by automated applications that are used for operating the command-line client (such as cron).
If you plan to add User Portals to your Key Manager deployment, see also the PrivX Key Manager User Portal Manual for information about User Portal firewall settings.
Network services required by Key Manager may run on non-standard ports. It might be a good idea to allow connections to any port from Key Manager devices if you are not entirely certain about the ports used by the required network services.
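The following is an added example, not PrivX product code: a small audit that compares a firewall allow-list against the back-end flows listed above, reports required and optional flows the policy would block, and flags "any port" rules of the kind the previous paragraph suggests as a fallback, so they can be tightened once the real service ports are known. Component names, the Flow and Rule types, the sample policy, and all ports other than 22 and 443 are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    direction: str        # "out" = connect to peer, "in" = accept from peer
    peer: str             # service at the other end (assumed names)
    proto: str            # "tcp" or "udp"
    port: "int | None"    # default port; None = vendor/deployment specific
    optional: bool = False

# Flows for one Key Manager back end, as listed in the text above. Only 22 and
# 443 come from the text; DNS/NTP/syslog/SMTP/PostgreSQL ports are assumed defaults.
BACKEND_FLOWS = (
    Flow("out", "dns", "udp", 53),
    Flow("out", "ntp", "udp", 123),
    Flow("out", "database", "tcp", 5432),
    Flow("out", "frontend", "tcp", 443),
    Flow("in", "agent-host", "tcp", 22),
    Flow("out", "syslog", "udp", 514, optional=True),
    Flow("out", "smtp", "tcp", 25, optional=True),
    Flow("out", "hsm", "tcp", None, optional=True),
)

@dataclass(frozen=True)
class Rule:
    direction: str
    peer: str
    proto: str
    ports: "frozenset | None" = None   # None = any port (overly broad, flagged)

def rule_covers(rule: Rule, flow: Flow) -> bool:
    # A vendor-specific flow port (None) is satisfied by any rule to that peer.
    same = (rule.direction, rule.peer, rule.proto) == (flow.direction, flow.peer, flow.proto)
    return same and (rule.ports is None or flow.port is None or flow.port in rule.ports)

def audit(policy: "list[Rule]", flows=BACKEND_FLOWS) -> dict:
    """Report blocked required/optional flows and rules that allow every port."""
    covered = {f for f in flows if any(rule_covers(r, f) for r in policy)}
    return {
        "missing_required": sorted(f.peer for f in flows if not f.optional and f not in covered),
        "missing_optional": sorted(f.peer for f in flows if f.optional and f not in covered),
        "any_port_rules": sorted(r.peer for r in policy if r.ports is None),
    }

# Constructed sample policy: NTP forgotten, database opened on every port.
SAMPLE_POLICY = [
    Rule("out", "dns", "udp", frozenset({53})),
    Rule("out", "database", "tcp"),
    Rule("out", "frontend", "tcp", frozenset({443})),
    Rule("in", "agent-host", "tcp", frozenset({22})),
]
```

Running audit(SAMPLE_POLICY) reports ntp as the missing required flow and database as the rule to tighten; extend BACKEND_FLOWS with the front-end list above to audit a front end the same way.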