Ports Guide

Last modified on March 19, 2024

To understand how the components of StrongDM work together, first look at the How It Works pages. This page details the network ports that need to be opened in order for the various components to successfully communicate.

All ports listed are TCP unless otherwise noted.

Client

| Destination | Port | Type | Requirement | Description |
| --- | --- | --- | --- | --- |
| app.strongdm.com | 443 | Egress | Required | Allows communication with StrongDM to authenticate users and obtain information such as available resources and routing information |
| api.strongdm.com | 443 | Egress | Required | Allows CLI commands to make calls to StrongDM API endpoints |
| downloads.strongdm.com | 443 | Egress | Required | Allows updates to the software to be downloaded |
| checkip.amazonaws.com | 443 | Egress | Optional | Allows information to be derived from public IP, such as for connection troubleshooting |
| 1.1.1.1 | 53 (UDP) | Egress | Optional | Cloudflare fallback for DNS resolution of StrongDM endpoints if default DNS fails |
| Gateway | Custom | Egress | Required | Clients egress to gateways (default 5000) |
| Client (loopback) | 65220 | Ingress | Required | Required for the CLI to be able to report on state/status |
| Client (loopback) | 65230 | Ingress | Required | Required to allow proxy traffic for web resources |
| Client (loopback) | Custom | Ingress | Required | Configured inbound port override for each resource to which the client has access |
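The following is an added example, not StrongDM code: it audits an egress allow-list against the Client egress rows above, reporting required and optional flows that are blocked and rules wider than the table calls for. The rule syntax (`allow <proto> <dest> <port>`), the gateway hostname `gateway.example.internal`, and the sample rules are assumptions constructed for illustration.

```python
from typing import NamedTuple

class Flow(NamedTuple):
    dest: str
    port: int
    proto: str

# Client egress rows from the table above. The gateway hostname is a
# placeholder (assumption); 5000 is the default gateway port the page gives.
REQUIRED = [Flow("app.strongdm.com", 443, "tcp"),
            Flow("api.strongdm.com", 443, "tcp"),
            Flow("downloads.strongdm.com", 443, "tcp"),
            Flow("gateway.example.internal", 5000, "tcp")]
OPTIONAL = [Flow("checkip.amazonaws.com", 443, "tcp"),
            Flow("1.1.1.1", 53, "udp")]

# Constructed sample allow-list in a hypothetical rule syntax.
SAMPLE = """\
allow tcp app.strongdm.com 443
allow tcp api.strongdm.com 443
allow tcp gateway.example.internal 5000-5010
allow udp 1.1.1.1 53
allow tcp any 22   # not in the Client table
"""

def parse_rules(text):
    """Parse 'allow <proto> <dest> <port|lo-hi|any>' lines into tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("allow "):
            continue
        _, proto, dest, port = line.split()
        lo, _, hi = ("1-65535" if port == "any" else port).partition("-")
        rules.append((proto, dest, int(lo), int(hi or lo)))
    return rules

def permits(rule, flow):
    proto, dest, lo, hi = rule
    return proto == flow.proto and dest in ("any", flow.dest) and lo <= flow.port <= hi

def audit(text):
    rules = parse_rules(text)
    blocked = lambda flows: [f for f in flows if not any(permits(r, f) for r in rules)]
    # A rule is excess if it allows any destination or matches no row of the table.
    excess = [r for r in rules if r[1] == "any"
              or not any(permits(r, f) for f in REQUIRED + OPTIONAL)]
    return {"missing_required": blocked(REQUIRED),
            "missing_optional": blocked(OPTIONAL), "excess": excess}
```

Running `audit(SAMPLE)` reports `downloads.strongdm.com:443` as a blocked required flow, `checkip.amazonaws.com:443` as a blocked optional flow, and the `any` port 22 rule as excess.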

Relays

| Destination | Port | Type | Requirement | Description |
| --- | --- | --- | --- | --- |
| app.strongdm.com | 443 | Egress | Required | Allows communication with StrongDM to authenticate and obtain information such as routing information and credential information for resources |
| downloads.strongdm.com | 443 | Egress | Required | Allows updates to the software to be downloaded |
| checkip.amazonaws.com | 443 | Egress | Optional | Allows information to be derived from public IP, such as the Admin UI “Location” field for gateways/relays |
| 1.1.1.1 | 53 (UDP) | Egress | Optional | Cloudflare fallback for DNS resolution of StrongDM endpoints if default DNS fails |
| Gateway | Custom | Egress | Required | Egress to gateways in order to securely establish connections through which to allow traffic (default 5000) |
| Resource | Custom | Egress | Required | Egress to resources |
| Secret Stores | Custom | Egress | Required | May reach out to the configured secret store (if any) and acquire credentials to connect to the target resource |

Gateways

| Destination | Port | Type | Requirement | Description |
| --- | --- | --- | --- | --- |
| app.strongdm.com | 443 | Egress | Required | Allows communication with StrongDM to authenticate and obtain information such as routing information and credential information for resources |
| downloads.strongdm.com | 443 | Egress | Required | Allows updates to the software to be downloaded |
| checkip.amazonaws.com | 443 | Egress | Optional | Allows information to be derived from public IP, such as the Admin UI “Location” field for gateways/relays |
| 1.1.1.1 | 53 (UDP) | Egress | Optional | Cloudflare fallback for DNS resolution of StrongDM endpoints if default DNS fails |
| Gateway | Custom | Egress | Required | Egress to other gateways dependent upon your network topology (default 5000) |
| Resource | Custom | Egress | Required | Egress to resources |
| Secret Stores | Custom | Egress | Required | May reach out to the appropriate secret store (if any) and acquire credentials to connect to the target resource |
| Advertised Port | Custom | Ingress | Required | Ingress allowed from clients, gateways, and relays (default 5000) |

Scripts That Use the API

| Destination | Port | Type | Requirement | Description |
| --- | --- | --- | --- | --- |
| api.strongdm.com | 443 | Egress | Required | Required for calling API endpoints |