SaaS Network Configuration
Early Access: Be advised that Tenable Patch Management SaaS is in its Early Access phase. Interested customers should contact their Tenable representative or Tenable Customer Support to inquire about participation.
The Tenable Patch Management (TPM) SaaS deployment model uses a modern, secure communication model for connecting clients to the TPM cloud environment, which simplifies the perimeter firewall configuration significantly. While the primary communication is outbound, peer-to-peer content sharing between clients on the same local network must also be enabled, and that requires specific internal firewall rules.
Primary Cloud Communication
To connect to the TPM Cloud environment, all managed clients require outbound access over HTTPS (TCP port 443).
Internet Destinations
SaaS clients require outbound access on TCP port 443 to the following internet destinations for core functionality. It is recommended to whitelist these destinations using their Fully Qualified Domain Names (FQDN) where possible, as the underlying IP addresses are dynamic.
| Ports | Source | Destination | Description |
|---|---|---|---|
| http/https (TCP port 443), ICMP, UDP 3478 | TPM Server and Internet-based Clients | *.Adaptiva.cloud, *.opendns.com | Adaptiva Services |
| https (TCP port 443) | TPM Server and Internet-based Clients | *.Adaptivacdn.cloud | Adaptiva CDN |
| https (TCP port 443) | TPM Server | api.sendgrid.com, api.twilio.com | Approval messaging, email and SMS messaging. |
| https (TCP port 443) | TPM Server | cloud.tenable.com | Tenable Patch Management and Vulnerability Management Integration |
| https (TCP port 443) | TPM Server | <SC IP address/FQDN> | Tenable Security Center Integration |
Note: The backend infrastructure for the SaaS service also relies on Amazon Web Services (AWS) and Bunny CDN. Depending on your firewall policies, you may need to whitelist *.amazonaws.com and *.bunnycdn.com.
Depending on your level of DNS inspection/resolution, you may also need to whitelist the following hostnames, because the CDN destinations above resolve to them:
- adaptiva-releases.b-cdn.net
- adaptiva-public-storage.b-cdn.net
- adaptiva-opr-storage.b-cdn.net
- <Customer Name from the Server Activation page>.b-cdn.net
- <Customer Name from the Server Activation page>.adaptivacdn.cloud
Firewall and Proxy Considerations
To ensure successful communication between clients and the SaaS platform, you must enable outbound traffic to the required SaaS URLs.
- HTTP Proxy Configuration: Allow outbound traffic to the SaaS URLs through any HTTPS proxies in your environment.
- Firewall Rules:
  - Perimeter/Edge Firewall (Client to Internet): This policy requires that you allow outbound traffic on TCP port 443 to the specified internet destinations.
  - Internal/Host-Based Firewall (Client to Client): The Peer-to-Peer (P2P) content sharing feature is mandatory. This policy requires inbound rules that allow UDP traffic between clients on trusted internal subnets. See the "Peer-to-Peer (P2P) Port Configuration" section below for more details.
- Handling Dynamic IP Addresses: The destination IP addresses for cloud services are dynamic, so you must use the following process to configure your firewall. Outbound restrictions are unlikely for most client environments, but may apply to devices in data centers or other restrictive environments.
  - If your firewall supports it, create the rule using your FQDN (e.g., <your-tenant-name>.console.adaptiva.cloud) instead of IP addresses.
  - If your firewall does not support rules using FQDNs, you must use the following process:
    - Identify your unique tenant hostname (e.g., <your-tenant-name>.console.adaptiva.cloud).
    - Use the nslookup command to find the current IP addresses for your hostname: nslookup <your-tenant-name>.console.adaptiva.cloud
    - In your firewall, create an outbound rule allowing TCP port 443 traffic to all IP addresses returned by the lookup.
  - Example: If you run nslookup <your-tenant-name>.console.adaptiva.cloud and get the following sample IPs:
    - 208.50.243.211
    - 107.57.7.21
    - 208.50.253.210
    In this example, your firewall must allow outbound connections to all three of the above IP addresses on TCP port 443.
    Note: These IP addresses can change. This process may need to be repeated periodically to ensure continued connectivity.
- IP Address Whitelisting (for Relay Servers): If whitelisting by FQDN or wildcard is not supported for *.adaptiva.cloud Relay Servers, the following link provides a list of IP addresses that can be whitelisted: https://adaptiva.com/hubfs/AdaptivaCloudServicesIPAddresses.txt
- SSL Inspection: Disable SSL inspection for the outbound traffic to *.adaptiva.cloud and *.adaptivacdn.cloud. If SSL inspection cannot be disabled, the TPM clients must have this registry key updated:
  HKLM\software\adaptiva\client\security.certificate_trust_store_type = WINDOWS-ROOT
- Service Notifications: Adaptiva.cloud server names for planned outages are available here: https://support.adaptiva.com/hc/en-us/articles/14971450276877-Adaptiva-Cloud-Services-Planned-Outages
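The dynamic-IP process above (look up the tenant hostname, allow every returned address on TCP port 443, repeat periodically) is easy to get wrong by hand when the answer set changes between runs. The following PowerShell script is an added example, not code from the Tenable or Adaptiva documentation: it resolves the tenant hostname, records every IPv4 address returned, and reports which addresses were added or dropped since the previous run so the perimeter allow-list can be updated. The tenant hostname is the placeholder from the text, and the snapshot path under ProgramData is an arbitrary choice for this example.

```powershell
# Added example (not part of the Tenable/Adaptiva documentation): resolve the tenant
# console hostname, capture every IPv4 address it currently returns, and report what
# changed since the previous run so the perimeter allow-list (outbound TCP/443) can be
# updated. Assumptions: the tenant hostname is the placeholder from the text, and
# $StatePath is an arbitrary location chosen here for the snapshot file.
param(
    [string]$TenantHost = '<your-tenant-name>.console.adaptiva.cloud',
    [string]$StatePath  = "$env:ProgramData\TpmFirewall\tenant-addresses.json"
)

function Get-TenantAddresses {
    param([string]$HostName)
    # Resolve-DnsName returns each A record the service answers with. -DnsOnly skips
    # the hosts file and LLMNR/NetBIOS so the answer matches what nslookup would show.
    # CNAME entries in the answer chain are filtered out so only addresses remain.
    Resolve-DnsName -Name $HostName -Type A -DnsOnly -ErrorAction Stop |
        Where-Object { $_.QueryType -eq 'A' } |
        Select-Object -ExpandProperty IPAddress |
        Sort-Object -Unique
}

$current = @(Get-TenantAddresses -HostName $TenantHost)
if ($current.Count -eq 0) { throw "No A records returned for $TenantHost" }

# Load the addresses recorded by the previous run, if there was one.
$previous = @()
if (Test-Path -Path $StatePath) {
    $previous = @(Get-Content -Path $StatePath -Raw | ConvertFrom-Json)
}

$added   = @($current  | Where-Object { $_ -notin $previous })
$removed = @($previous | Where-Object { $_ -notin $current })

Write-Output "Allow outbound TCP/443 from clients to every address below for $TenantHost"
$current | ForEach-Object { Write-Output "  $_/32" }
if ($added.Count -gt 0) {
    Write-Output 'New since the last run (add firewall rules):'
    $added | ForEach-Object { Write-Output "  $_/32" }
}
if ($removed.Count -gt 0) {
    Write-Output 'No longer returned (review before removing rules):'
    $removed | ForEach-Object { Write-Output "  $_/32" }
}

# Save the snapshot so the next scheduled run diffs against it.
New-Item -ItemType Directory -Path (Split-Path -Path $StatePath -Parent) -Force | Out-Null
ConvertTo-Json -InputObject $current | Set-Content -Path $StatePath

# A non-zero exit code lets a scheduled task or monitoring job flag that rules need attention.
if ($added.Count -gt 0 -or $removed.Count -gt 0) { exit 2 }
exit 0
```

Run it from a host that uses the same DNS resolvers as the clients behind the firewall: answers for cloud services can differ by resolver and region, and an allow-list built from a different vantage point can miss addresses. Scheduling it with Task Scheduler covers the "repeat periodically" step, and the exit code of 2 gives the scheduler something to alert on when the answer set changes.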
Peer-to-Peer (P2P) Port Configuration
The inbound and outbound ports listed below are required to enable P2P content distribution between clients on the same Local Area Network (LAN), which reduces internet bandwidth use. This function requires the clients to be able to listen for and accept inbound connections from their peers on the local network. Make sure to open the necessary UDP ports below in your internal or host-based firewalls.
| Port | Protocol | Direction | Listening Process or Destination | Description |
|---|---|---|---|---|
| 34324 | UDP | Inbound | AdaptivaClientService.exe | Replies from the server and clients. |
| 34325 | UDP | Inbound | AdaptivaClientService.exe | Messages from server to client. |
| 34329 | UDP | Inbound | AdaptivaClientService.exe | All broadcast messages from client to client. |
| 34545 | UDP | Inbound | AdaptivaServerService.exe | Content transfer control port. |
| 34546 | UDP | Inbound | AdaptivaClientService.exe and the system process | Content transfer control port. |
| 34750 | UDP | Inbound | AdaptivaClientService.exe and the system process | All WAN or Internet peer-to-peer content transfers. |
| 34760 | UDP | Inbound | AdaptivaClientService.exe and the system process | All LAN content transfers. |
| 34760 | TCP | Inbound | N/A | The port used by TenablePatchP2PClientInstaller.msi. |
| N/A | ICMP | Inbound | N/A | ICMP (ping) requests to determine latency to Adaptiva Cloud Services relays. |
| 443 | HTTP | Outbound | AdaptivaServerService.exe | Operations Manager, Cloud Relay servers and patch content locations on a content delivery network (CDN). |
| 443 | HTTPS / TCP | Outbound | cloud.tenable.com | Tenable Vulnerability Management (TVM) |
| 443 | HTTPS / TCP | Outbound | <SC IP address/FQDN> | Tenable Security Center (TSC) |
| 3478 | UDP | Outbound | AdaptivaServerService.exe | STUN requests to Cloud Relay Servers to determine the public IP address. |
| 34322 | UDP | Outbound | AdaptivaServerService.exe | Messages from client to server. |
| 34545 | UDP | Outbound | System | Content transfer control port. |