Ports Guide

To understand how the components of StrongDM work together, first look at the How StrongDM Works pages. This page details the network ports that need to be opened in order for the various components to successfully communicate.

All ports listed are TCP unless otherwise noted.

Client

Follow instructions in the tab for your organization's StrongDM region, not your location.

| Destination | Port | Type | Requirement | Description |
| --- | --- | --- | --- | --- |
| app.strongdm.com | 443 | Egress | Required | Allows communication with StrongDM to authenticate users and obtain information such as available resources and routing information |
| login.strongdm.com | 443 | Egress | Required | Allows the client to determine which control plane to connect to during login |
| downloads.strongdm.com | 443 | Egress | Required | Allows updates to the software to be downloaded |
| checkip.amazonaws.com | 443 | Egress | Optional | Allows information to be derived from public IP, such as for connection troubleshooting |
| 1.1.1.1 | 53 (UDP) | Egress | Optional | Cloudflare fallback for DNS resolution of StrongDM endpoints if default DNS fails |
| Gateway | Custom | Egress | Required | Clients egress to gateways (default 5000) |
| Client (loopback) | 65220 | Ingress | Required | Required for the CLI to be able to report on state/status |
| Client (loopback) | 65230 | Ingress | Required | Required to allow proxy traffic for web resources |
| Client (loopback) | Custom | Ingress | Required | Configured inbound port override for each resource to which the client has access |
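A preflight check for the client's TCP egress rows, written as an added example (it is not StrongDM code or part of the original page). It probes each destination from the host whose firewall policy is being validated and fails only when a Required row is blocked. Assumptions: the hostnames are the ones shown on this page, the gateway address `gateway.example.internal` is a placeholder, and the UDP/53 and loopback ingress rows are out of scope.

```python
import socket

# Client egress rows from the table above: (destination, port, required).
CLIENT_EGRESS = [
    ("app.strongdm.com", 443, True),
    ("login.strongdm.com", 443, True),
    ("downloads.strongdm.com", 443, True),
    ("checkip.amazonaws.com", 443, False),  # Optional on the page
]


def tcp_reachable(host, port, timeout=3.0):
    """True if DNS resolves and a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # covers DNS failure, refusal, timeout, no route
        return False


def client_rules(gateway_host, gateway_port=5000):
    """Table rows plus the gateway row; its port is Custom (default 5000)."""
    return CLIENT_EGRESS + [(gateway_host, gateway_port, True)]


def preflight(rules, probe=tcp_reachable):
    """Probe each rule. ok is False only if a Required destination fails."""
    results = [
        {"host": h, "port": p, "required": req, "reachable": probe(h, p)}
        for h, p, req in rules
    ]
    ok = all(r["reachable"] for r in results if r["required"])
    return ok, results


if __name__ == "__main__":
    # gateway.example.internal is a placeholder, not a real StrongDM host.
    ok, results = preflight(client_rules("gateway.example.internal"))
    for r in results:
        need = "required" if r["required"] else "optional"
        state = "open" if r["reachable"] else "BLOCKED"
        print(f'{r["host"]}:{r["port"]} ({need}) {state}')
    raise SystemExit(0 if ok else 1)
```

A completed handshake shows only that the firewall permits the flow; it does not confirm that the TLS peer is the expected service.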

Relays and Workers

Relays and proxy workers in a bridged proxy cluster only need to have egress traffic.

Follow instructions in the tab for your organization's StrongDM region, not your location.

| Destination | Port | Type | Requirement | Description |
| --- | --- | --- | --- | --- |
| app.strongdm.com | 443 | Egress | Required | Allows communication with StrongDM to authenticate and obtain information such as routing information and credential information for resources |
| downloads.strongdm.com | 443 | Egress | Required | Allows updates to the software to be downloaded |
| checkip.amazonaws.com | 443 | Egress | Optional | Allows information to be derived from public IP, such as the Admin UI "Location" field for gateways/relays |
| 1.1.1.1 | 53 (UDP) | Egress | Optional | Cloudflare fallback for DNS resolution of StrongDM endpoints if default DNS fails |
| Gateway | Custom | Egress | Required | Egress to gateways in order to securely establish connections through which to allow traffic (default 5000) |
| Resource | Custom | Egress | Required | Egress to resources |
| Secret Stores | Custom | Egress | Required | May reach out to the configured secret store (if any) and acquire credentials to connect to the target resource |

Gateways and Workers

Gateways, bridge workers in a bridged proxy cluster, or proxy clusters in a single-worker cluster (no bridge or load balancer) require a small amount of ingress.

Follow instructions in the tab for your organization's StrongDM region, not your location.

| Destination | Port | Type | Requirement | Description |
| --- | --- | --- | --- | --- |
| app.strongdm.com | 443 | Egress | Required | Allows communication with StrongDM to authenticate and obtain information such as routing information and credential information for resources |
| downloads.strongdm.com | 443 | Egress | Required | Allows updates to the software to be downloaded |
| checkip.amazonaws.com | 443 | Egress | Optional | Allows information to be derived from public IP, such as the Admin UI "Location" field for gateways/relays |
| 1.1.1.1 | 53 (UDP) | Egress | Optional | Cloudflare fallback for DNS resolution of StrongDM endpoints if default DNS fails |
| Gateway | Custom | Egress | Required | Egress to other gateways dependent upon your network topology (default 5000) |
| Resource | Custom | Egress | Required | Egress to resources |
| Secret Stores | Custom | Egress | Required | May reach out to the appropriate secret store (if any) and acquire credentials to connect to the target resource |
| Advertised Port | Custom | Ingress | Required | Ingress allowed from clients, gateways, and relays (default 5000) |

Scripts That Use the API

Follow instructions in the tab for your organization's StrongDM region, not your location.

| Destination | Port | Type | Requirement | Description |
| --- | --- | --- | --- | --- |
| app.strongdm.com | 443 | Egress | Required | Required for calling API endpoints |

Active Directory Domain Controllers for RDP Certificate Auth

Follow instructions in the tab for your organization's StrongDM region, not your location.

| Destination | Port | Type | Requirement | Description |
| --- | --- | --- | --- | --- |
| app.strongdm.com | 443 | Egress | Required | Allows communication with StrongDM to obtain information such as the Certificate Revocation List |
