Network Flow Matrix
To do security monitoring, Tenable Identity Exposure must communicate with the Primary Domain Controller emulator (PDCe) of each domain. You must open network ports and transport protocols on each PDCe to ensure efficient monitoring.
In addition to these network flows, you must consider other network flows, such as:
-
Access to the end-user services.
-
The network flows between Tenable Identity Exposure services.
-
The network flows from the support services that Tenable Identity Exposure uses, such as the update management infrastructure and the network time protocol.
Required Protocols
The following table describes each required protocol and port that Tenable Identity Exposure uses.
|
Network Flows |
From | To |
Tenable Identity Exposure’s Usage |
Type of Traffic |
Protocol and Port |
|---|---|---|---|---|---|
| 1. | Tenable Identity Exposure’s Secure Relay(s) | Domain controllers |
Directory, Replication, User and Computer Authentication, Group Policy, Trusts |
LDAP/LDAPS |
TCP/389 and TCP/636 ICMP/echo-request ICMP/echo-response |
|
Replication, User and Computer Authentication, Group Policy, Trusts |
SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc |
TCP/445 |
|||
|
User and Computer Authentication, Forest Level Trusts |
Kerberos |
TCP/88, TCP/464 and UDP/464 |
|||
|
User and Computer Authentication, Name Resolution, Trusts |
DNS |
UDP/53 and TCP/53 |
|||
|
Replication, User and Computer Authentication, Group Policy, Trusts |
RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS |
TCP Dynamic (49152–65535) Note: Starting with Windows Vista and Windows Server 2008, the default dynamic port range is 49152–65535. This is a change from earlier versions that used ports 1025–5000.
|
|||
|
Directory, Replication, User and Computer Authentication, Group Policy, Trusts |
Global Catalog |
TCP/3268 and TCP/3269 |
|||
|
Replication |
RPC Endpoint Mapper |
TCP/135 |
|||
| 2. | Tenable Identity Exposure’s Secure Relay(s) |
Tenable Identity Exposure SaaS Platform |
Tenable Identity Exposure’s internal API flows |
HTTPS |
TCP/443 |
|
3. |
End users |
Tenable Identity Exposure SaaS Platform |
Tenable Identity Exposure’s end-user services (Web portal, REST API, etc.) |
HTTPS |
TCP/443 |
Additional Flows
In addition to the Active Directory protocols, certain Tenable Identity Exposure configurations require additional flows. You must open these protocols and ports between Tenable Identity Exposure and the targeted service.
|
Network flows |
From | To |
Tenable Identity Exposure’s Usage (optional) |
Type of Traffic |
Protocol and Port |
|---|---|---|---|---|---|
|
|
Tenable Identity Exposure’s Secure Relay(s) | Cybersecurity services |
Email notifications |
SMTP |
TCP/25, TCP/587, TCP/465, TCP/2525, TCP/25025
|
|
Syslog notifications |
Syslog |
TCP/601, TCP/6515, UDP/514 (depending on the event log server’s configuration) |
|||
| Domain controllers | Privileged Analysis | RPC dynamic ports | TCP/49152-65535, UDP/49152-65535 | ||
| Identity Provider | LDAP Authentication | LDAP/LDAPS | TCP/389, TCP/636 |
Support Services
Support services are often highly vendor or configuration-specific. For example, the WSUS service listens by default on port TCP/8530 for its 6.2 version and higher, but on TCP/80 for other versions. You can reconfigure this port to any another port.