Default Ports for Credential Manager

The following tables list the ports that Credential Manager and its target connectors use to communicate with each other. Ensure that networks and firewalls permit traffic between each listed source and destination on these ports.
Default Port Assignments for Credential Manager Components
You can configure the port numbers in the following file: installation_directory/cspmclient/config/cspm_client_config.xml
In the Source column, the term Appliance represents the Privileged Access Manager virtual or hardware appliance.
Default Port                | Source                     | Destination                           | Name of Config Variable                              | Description
5900, 3306, 7900, 7901, 443 | Appliance                  | Appliance                             | N/A                                                  | Communication between CA PAM appliances on the network
27077                       | Appliance                  | Windows Proxy                         | Windows Proxy configuration file: daemonserver_port  | CA PAM appliance to Windows Proxy communications
28088                       | A2A requesting application | A2A client daemon                     | A2A Client configuration file: daemonserver1_port    | A2A client stub requests; the daemon validates that the request is local
28888                       | Appliance                  | A2A Client                            | A2A Client configuration file: daemonserver2_port    | PAM appliance to A2A Client host
443                         | A2A Client                 | Appliance                             | A2A Client configuration file: cspmserver_port       | A2A Client to PAM appliance
8550                        | Appliance                  | Server with Socket Filter Agent (SFA) | Socket Filter configuration file: port#              | Leapfrog prevention and containment
443                         | Socket Filter Agent        | Appliance                             | N/A                                                  | Reporting policy violations
The appliance listens on TCP port 5900 for appliance-to-appliance communication. Vulnerability scanners commonly assume that TCP port 5900 belongs to a VNC server, so a scan may report a VNC-related vulnerability on the appliance. Before closing such a finding as a false positive, confirm from the scanner's evidence that the flagged listener is the appliance service and not an actual VNC server.
Default Ports for Target Connectors
The following tables list the default ports that the out-of-the-box target connectors use to communicate with Credential Manager. Target connectors represent supported application types.
In the Source column, the term Appliance represents the Privileged Access Manager virtual or hardware appliance.
If a target connector is not listed here, no additional firewall ports need to be opened for it.
For targets hosted in AWS or Azure, also open these ports in the cloud network configuration (security groups or network security groups) and in the OS firewall of the instance.
Where a connector supports both a cleartext and an encrypted transport (Telnet and SSH, LDAP on 389 and LDAPS on 636), prefer the encrypted one: the credentials being managed traverse these connections.
Active Directory
Default Port | Source    | Destination           | Configurable                                        | Applicability
636          | Appliance | AD Domain Controllers | In the target application                           |
27077        | Appliance | Windows Proxy         | Windows Proxy configuration file: daemonserver1_port | For a target account configured to discover services or scheduled tasks
AS/400
Default Port | Source    | Destination   | Configurable | Applicability
449          | Appliance | Target server | No           |
8475         | Appliance | Target server | No           |
8476         | Appliance | Target server | No           |
9475         | Appliance | Target server | No           | Port must be open to use SSL
The AS/400 target connector uses the IBM Toolbox for Java and JTOpen. For details, see https://www.ibm.com/support/pages/node/1119561?mhsrc=ibmsearch_a&mhq=ibm%20toolbox%20for%20java.
  • Port 8475 provides Remote Command functionality (as-rmtcmd); port 9475 is the SSL variant of the same service.
  • Ports 449 and 8476 are for non-SSL services, such as AS/400 server mapping (as-svrmap) and AS/400 user ID and password validation (as-signon).
AWS Access Credentials Accounts
Default Port | Source    | Destination       | Configurable | Applicability
443          | Appliance | iam.amazonaws.com | No           |
443          | Appliance | sts.amazonaws.com | No           | AWS Policy
Cisco
Default Port | Source    | Destination   | Configurable              | Applicability
22           | Appliance | Target server | In the target application | If SSH is used
23           | Appliance | Target server | In the target application | If Telnet is used
Juniper JUNOS
Default Port | Source    | Destination   | Configurable              | Applicability
22           | Appliance | Target server | In the target application |
LDAP
Default Port | Source    | Destination | Configurable              | Applicability
389          | Appliance | LDAP server | In the target application |
MSSQL
Default Port | Source    | Destination                        | Configurable              | Applicability
1433         | Appliance | Microsoft SQL Server database host | In the target application |
MySQL
Default Port | Source    | Destination                | Configurable              | Applicability
3306         | Appliance | MySQL server database host | In the target application |
Oracle
Default Port | Source    | Destination                 | Configurable              | Applicability
1521         | Appliance | Oracle server database host | In the target application |
SPML
Default Port | Source    | Destination   | Configurable              | Applicability
8080         | Appliance | Target server | In the target application |
UNIX
Default Port | Source    | Destination   | Configurable              | Applicability
22           | Appliance | Target server | In the target application | If SSH is used
23           | Appliance | Target server | In the target application | If Telnet is used
VMware ESX/ESXi
Default Port | Source    | Destination   | Configurable              | Applicability
443          | Appliance | Target server | In the target application |
VMware NSX Controller
Default Port | Source    | Destination   | Configurable              | Applicability
22           | Appliance | Target server | In the target application |
VMware NSX Manager
Default Port | Source    | Destination   | Configurable              | Applicability
22           | Appliance | Target server | In the target application |
WebLogic 10
Default Port | Source    | Destination   | Configurable              | Applicability
7001         | Appliance | Target server | In the target application |
Windows Proxy
Default Port  | Source               | Destination           | Configurable                                         | Applicability
389, 636, 445 | Windows Proxy Server | AD Domain Controllers | No                                                   | Domain accounts
389 and 636   | Appliance            | AD Domain Controllers | No                                                   | Domain accounts
27077         | Appliance            | Windows Proxy         | Windows Proxy configuration file: daemonserver1_port | Sybase database communications
443           | Windows Proxy Server | CA PAM appliance      | No                                                   | Proxy requests
445           | Windows Proxy Server | Target Servers        | No                                                   | SMB2 communication
Windows Remote
Default Port                                | Source    | Destination           | Configurable | Applicability
445                                         | Appliance | Windows target device | No           | SMB2 communication
135                                         | Appliance | Windows target device | No           | WMI communication
49152 through 65535 or 1024 through 4999    | Appliance | Windows target device | No           | WMI communication
Port 135 reaches the RPC endpoint mapper; the WMI (DCOM) session then continues on a dynamically assigned port, so the whole dynamic range must be open from the appliance to the target. Which range applies depends on the Windows version of the target: 49152 through 65535 on current versions, 1024 through 4999 on older ones.
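The tables above describe flows by role (Appliance, Windows Proxy, A2A Client, target server), but a firewall or security group needs concrete addresses and one rule per direction, and a change ticket usually wants proof that each flow actually connects. The script below is an added example, not the product's code or part of its documentation: it encodes the Credential Manager component flows and a subset of the connector tables as data, builds the deduplicated allow-list for the components and connectors you deploy, renders iptables rules for whichever host you are configuring, and probes TCP reachability. It drops the host-local A2A stub port (28088) from network rules, keeps the WMI dynamic range as a range, and refuses to emit a rule for a role whose address is unknown rather than widening it to any source. Role names the page does not use (the "Windows target", "AS/400 target", "UNIX target" labels) and every address in SAMPLE_HOSTS are constructed placeholders.

```python
"""Firewall allow-list builder for a CA PAM Credential Manager deployment.
Added example; not the product's code. Flows are transcribed from the port
tables on this page; role labels the page does not use and all addresses in
SAMPLE_HOSTS are constructed placeholders."""
import socket
from typing import Dict, Iterable, List, NamedTuple


class Flow(NamedTuple):
    src: str             # logical source role
    dst: str             # logical destination role
    lo: int              # first TCP port
    hi: int              # last TCP port (== lo for a single port)
    why: str
    local: bool = False  # both ends on one host: no network rule needed


APPLIANCE, WINPROXY, A2A, SFA = "Appliance", "Windows Proxy", "A2A Client", "Socket Filter Agent"
AD, WIN_TARGET, AS400 = "AD Domain Controllers", "Windows target", "AS/400 target"


def _f(src: str, dst: str, *ports, why: str = "", local: bool = False) -> List[Flow]:
    """Expand ints and (lo, hi) tuples into Flow records."""
    return [Flow(src, dst, *((p, p) if isinstance(p, int) else p), why, local) for p in ports]


FLOWS: Dict[str, List[Flow]] = {
    # Credential Manager components (first table on the page)
    "appliance-cluster": _f(APPLIANCE, APPLIANCE, 5900, 3306, 7900, 7901, 443, why="appliance to appliance"),
    "windows-proxy": (_f(APPLIANCE, WINPROXY, 27077, why="appliance to Windows Proxy")
                      + _f(WINPROXY, AD, 389, 636, 445, why="domain accounts")
                      + _f(WINPROXY, APPLIANCE, 443, why="proxy requests")
                      + _f(WINPROXY, "Target Servers", 445, why="SMB2")),
    "a2a-client": (_f("A2A requesting application", "A2A client daemon", 28088, why="stub requests", local=True)
                   + _f(APPLIANCE, A2A, 28888, why="appliance to A2A client host")
                   + _f(A2A, APPLIANCE, 443, why="A2A client to appliance")),
    "socket-filter-agent": (_f(APPLIANCE, SFA, 8550, why="leapfrog prevention")
                            + _f(SFA, APPLIANCE, 443, why="policy violation reports")),
    # Target connectors (subset of the connector tables)
    "active-directory": _f(APPLIANCE, AD, 636, why="LDAPS"),
    "as400": _f(APPLIANCE, AS400, 449, 8475, 8476, 9475, why="IBM Toolbox services"),
    "aws": _f(APPLIANCE, "iam.amazonaws.com", 443, why="IAM") + _f(APPLIANCE, "sts.amazonaws.com", 443, why="STS"),
    "unix": _f(APPLIANCE, "UNIX target", 22, 23, why="ssh / telnet"),
    "windows-remote": _f(APPLIANCE, WIN_TARGET, 445, 135, (49152, 65535), why="SMB2 / WMI"),
}

SAMPLE_HOSTS: Dict[str, List[str]] = {   # constructed placeholder addresses
    APPLIANCE: ["10.0.1.10"],
    WINPROXY: ["10.0.2.20"],
    AD: ["10.0.3.30", "10.0.3.31"],
    WIN_TARGET: ["10.0.4.0/24"],
}


def required_flows(selected: Iterable[str]) -> List[Flow]:
    """Deduplicated network flows for the chosen components and connectors.
    Host-local flows are dropped; an unknown name raises KeyError."""
    uniq: Dict[tuple, Flow] = {}
    for name in selected:
        for fl in FLOWS[name]:
            key = (fl.src, fl.dst, fl.lo, fl.hi)
            if not fl.local and key not in uniq:
                uniq[key] = fl
    return [uniq[k] for k in sorted(uniq)]


def iptables_rules(role: str, flows: Iterable[Flow], addresses: Dict[str, List[str]]) -> List[str]:
    """iptables lines for one host acting as `role`: INPUT for flows it receives,
    OUTPUT for flows it originates. A peer role with no known address yields no rule."""
    rules = []
    for fl in flows:
        dport = str(fl.lo) if fl.lo == fl.hi else f"{fl.lo}:{fl.hi}"
        tail = f'--dport {dport} -m comment --comment "{fl.why}" -j ACCEPT'
        if fl.dst == role:
            rules += [f"-A INPUT -p tcp -s {peer} {tail}" for peer in addresses.get(fl.src, [])]
        if fl.src == role:
            rules += [f"-A OUTPUT -p tcp -d {peer} {tail}" for peer in addresses.get(fl.dst, [])]
    return rules


def check_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connect to host:port completes within `timeout`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def loopback_selftest() -> bool:
    """Exercise check_tcp offline: an ephemeral loopback listener is reachable while open, refused once closed."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    up = check_tcp("127.0.0.1", port, 1.0)
    srv.close()
    return up and not check_tcp("127.0.0.1", port, 1.0)


if __name__ == "__main__":
    flows = required_flows(["windows-proxy", "active-directory", "windows-remote"])
    for rule in iptables_rules(WINPROXY, flows, SAMPLE_HOSTS):
        print(rule)
```

Run it on the Windows Proxy host with the real appliance, domain controller and target addresses substituted into SAMPLE_HOSTS; the same flow list rendered with role=APPLIANCE gives the appliance-side view. For AWS or Azure targets, the Flow records map directly onto security-group or NSG rules (protocol, port range, source), which is what the note above about opening the same ports in the cloud network settings requires.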