How to Configure a Firewall for Specops Password Policy
Internal Communication
Source | Destination | Protocol | Port |
---|---|---|---|
All DCs | Arbiter(s) | TCP | 4383 |
Password Policy Administration Tool | Arbiter(s) | TCP | 4383 |
Password Policy Administration Tool | PDC Emulator | TCP | 4385 |
Breached Password Protection
- Make sure that URLs are not blocked by a proxy or firewall
- Firewall SSL inspection is not supported. SSL inspection exceptions may be necessary for the URLs below, and those URLs must have outbound access through your proxy/firewalls.
- Make sure 7.3 GB of disk space is available to download the list
Please see the tables below for the URLs or IPs that must be reachable for Breached Password Protection to work correctly.
Breached Password Protection Express (Also used for Password Auditor)
Breached Password Protection Express is the on-premises subset of Breached Password Protection Complete, used to block breached passwords in real time at the computer password change prompt. Access is required from systems running Password Policy Domain Administration when downloading the Express list.
Host | IP Address | Protocol | Port |
---|---|---|---|
breach-protection.specopssoft.com | 20.49.104.8 | TCP | 443 |
blacklist.specopssoft.com* | 20.49.104.8 | TCP | 443 |
ocsp.digicert.com | | TCP | 80 |
cdp.geotrust.com | | TCP | 80 |
download.specopssoft.com** | Geo load balanced | TCP | 443 |
crl.godaddy.com | | TCP | 80 |
Breached Password Protection Complete
Breached Password Protection Complete uses the Specops Arbiter component to connect to the Breached Password Protection cloud API and check passwords against the complete list of breached passwords. The following hosts must be accessible from your Arbiter server(s):
Host | IP Address | Protocol | Port |
---|---|---|---|
breach-protection.specopssoft.com | 20.49.104.8 | TCP | 443 |
blacklist.specopssoft.com* | 20.49.104.8 | TCP | 443 |
ocsp.digicert.com | | TCP | 80 |
cdp.geotrust.com | | TCP | 80 |
*For Specops Password Policy version 7.4 and earlier only
**IP addresses are dynamic based on CDN provider. You can use https://cachecheck.opendns.com to view many of the IP addresses.
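The following script is an added example, not Specops' own tooling: it takes the source/destination/port pairs from the Internal Communication and Breached Password Protection tables above and checks TCP reachability from a given role with Test-NetConnection. The Arbiter hostname in $Arbiters is a placeholder you must replace; the PDC Emulator is resolved from the current domain.

```powershell
# Added example, not Specops' own tooling: check the TCP paths in the tables
# above from a given role using Test-NetConnection. Hostnames and ports are
# taken from this article; $Arbiters is an assumed placeholder you must set.
param(
    [Parameter(Mandatory)]
    [ValidateSet('DomainController', 'AdminTool', 'Arbiter')]
    [string]$Role,
    [string[]]$Arbiters = @('arbiter01.corp.example'),   # placeholder, replace
    [switch]$Legacy                                       # 7.4 and earlier: blacklist host
)

# PDC Emulator resolved from the current domain (no RSAT module required)
$pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name

# Endpoints shared by the Express and Complete tables
$bpp = @(
    @{ Host = 'breach-protection.specopssoft.com'; Port = 443 }
    @{ Host = 'ocsp.digicert.com';                 Port = 80 }
    @{ Host = 'cdp.geotrust.com';                  Port = 80 }
)
if ($Legacy) { $bpp += @{ Host = 'blacklist.specopssoft.com'; Port = 443 } }

$checks = switch ($Role) {
    'DomainController' {                       # All DCs -> Arbiter(s) TCP 4383
        foreach ($a in $Arbiters) { @{ Host = $a; Port = 4383 } }
    }
    'AdminTool' {                              # Admin tool -> Arbiter 4383, PDCe 4385,
        foreach ($a in $Arbiters) { @{ Host = $a; Port = 4383 } }   # plus Express download
        @{ Host = $pdc; Port = 4385 }
        $bpp
        @{ Host = 'download.specopssoft.com'; Port = 443 }
        @{ Host = 'crl.godaddy.com';          Port = 80 }
    }
    'Arbiter' { $bpp }                         # Complete: Arbiter -> cloud API
}

foreach ($c in $checks) {
    $r = Test-NetConnection -ComputerName $c.Host -Port $c.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Destination = $c.Host
        Port        = $c.Port
        RemoteIP    = $r.RemoteAddress
        TcpOpen     = $r.TcpTestSucceeded
    }
}
```

This tests TCP reachability only: a proxy performing SSL inspection will pass this check yet still break the product, so verify the certificate chain presented on port 443 separately.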