# Ports Guide

To understand how the components of StrongDM work together, first look at the [How StrongDM Works](/concepts/how-strongdm-works.md) pages. This page details the network ports that need to be opened in order for the various components to successfully communicate.

All ports listed are TCP unless otherwise noted.

### Client

{% tabs %}
{% tab title="US" %}

| Destination            | Port     | Type    | Requirement | Description                                                                                                                         |
| ---------------------- | -------- | ------- | ----------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| app.strongdm.com       | 443      | Egress  | Required    | Allows communication with StrongDM to authenticate users and obtain information such as available resources and routing information |
| login.strongdm.com     | 443      | Egress  | Required    | Allows the client to determine which control plane to connect to during login                                                       |
| downloads.strongdm.com | 443      | Egress  | Required    | Allows updates to the software to be downloaded                                                                                     |
| checkip.amazonaws.com  | 443      | Egress  | Optional    | Allows information to be derived from public IP, such as for connection troubleshooting                                             |
| 1.1.1.1                | 53 (UDP) | Egress  | Optional    | Cloudflare fallback for DNS resolution of StrongDM endpoints if default DNS fails                                                   |
| Gateway                | Custom   | Egress  | Required    | Clients egress to gateways (default 5000)                                                                                           |
| Client (loopback)      | 65220    | Ingress | Required    | Required for the CLI to be able to report on state/status                                                                           |
| Client (loopback)      | 65230    | Ingress | Required    | Required to allow proxy traffic for web resources                                                                                   |
| Client (loopback)      | Custom   | Ingress | Required    | Configured inbound [port override](/admin/resources/port-overrides.md) for each resource to which the client has access             |

{% endtab %}

{% tab title="UK" %}
*Follow instructions in the tab for the region of your organization's StrongDM control plane, not your own location. The default control plane region is US.*

| Destination               | Port     | Type    | Requirement | Description                                                                                                                         |
| ------------------------- | -------- | ------- | ----------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| app.uk.strongdm.com       | 443      | Egress  | Required    | Allows communication with StrongDM to authenticate users and obtain information such as available resources and routing information |
| login.strongdm.com        | 443      | Egress  | Required    | Allows the client to determine which control plane to connect to during login                                                       |
| downloads.uk.strongdm.com | 443      | Egress  | Required    | Allows updates to the software to be downloaded                                                                                     |
| checkip.amazonaws.com     | 443      | Egress  | Optional    | Allows information to be derived from public IP, such as for connection troubleshooting                                             |
| 1.1.1.1                   | 53 (UDP) | Egress  | Optional    | Cloudflare fallback for DNS resolution of StrongDM endpoints if default DNS fails                                                   |
| Gateway                   | Custom   | Egress  | Required    | Clients egress to gateways (default 5000)                                                                                           |
| Client (loopback)         | 65220    | Ingress | Required    | Required for the CLI to be able to report on state/status                                                                           |
| Client (loopback)         | 65230    | Ingress | Required    | Required to allow proxy traffic for web resources                                                                                   |
| Client (loopback)         | Custom   | Ingress | Required    | Configured inbound [port override](/admin/resources/port-overrides.md) for each resource to which the client has access             |

{% endtab %}

{% tab title="EU" %}
*Follow instructions in the tab for the region of your organization's StrongDM control plane, not your own location. The default control plane region is US.*

| Destination               | Port     | Type    | Requirement | Description                                                                                                                         |
| ------------------------- | -------- | ------- | ----------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| app.eu.strongdm.com       | 443      | Egress  | Required    | Allows communication with StrongDM to authenticate users and obtain information such as available resources and routing information |
| login.strongdm.com        | 443      | Egress  | Required    | Allows the client to determine which control plane to connect to during login                                                       |
| downloads.eu.strongdm.com | 443      | Egress  | Required    | Allows updates to the software to be downloaded                                                                                     |
| checkip.amazonaws.com     | 443      | Egress  | Optional    | Allows information to be derived from public IP, such as for connection troubleshooting                                             |
| 1.1.1.1                   | 53 (UDP) | Egress  | Optional    | Cloudflare fallback for DNS resolution of StrongDM endpoints if default DNS fails                                                   |
| Gateway                   | Custom   | Egress  | Required    | Clients egress to gateways (default 5000)                                                                                           |
| Client (loopback)         | 65220    | Ingress | Required    | Required for the CLI to be able to report on state/status                                                                           |
| Client (loopback)         | 65230    | Ingress | Required    | Required to allow proxy traffic for web resources                                                                                   |
| Client (loopback)         | Custom   | Ingress | Required    | Configured inbound [port override](/admin/resources/port-overrides.md) for each resource to which the client has access             |

{% endtab %}
{% endtabs %}

### Relays and Workers

Relays and proxy workers in a bridged proxy cluster only need to have egress traffic.

{% tabs %}
{% tab title="US" %}

| Destination            | Port     | Type   | Requirement | Description                                                                                                                                    |
| ---------------------- | -------- | ------ | ----------- | ---------------------------------------------------------------------------------------------------------------------------------------------- |
| app.strongdm.com       | 443      | Egress | Required    | Allows communication with StrongDM to authenticate and obtain information such as routing information and credential information for resources |
| downloads.strongdm.com | 443      | Egress | Required    | Allows updates to the software to be downloaded                                                                                                |
| checkip.amazonaws.com  | 443      | Egress | Optional    | Allows information to be derived from public IP, such as the Admin UI "Location" field for gateways/relays                                     |
| 1.1.1.1                | 53 (UDP) | Egress | Optional    | Cloudflare fallback for DNS resolution of StrongDM endpoints if default DNS fails                                                              |
| Gateway                | Custom   | Egress | Required    | Egress to gateways in order to securely establish connections through which to allow traffic (default 5000)                                    |
| Resource               | Custom   | Egress | Required    | Egress to resources                                                                                                                            |
| Secret Stores          | Custom   | Egress | Required    | May reach out to the configured secret store (if any) and acquire credentials to connect to the target resource                                |

{% endtab %}

{% tab title="UK" %}
*Follow instructions in the tab for the region of your organization's StrongDM control plane, not your own location. The default control plane region is US.*

| Destination               | Port     | Type   | Requirement | Description                                                                                                                                    |
| ------------------------- | -------- | ------ | ----------- | ---------------------------------------------------------------------------------------------------------------------------------------------- |
| app.uk.strongdm.com       | 443      | Egress | Required    | Allows communication with StrongDM to authenticate and obtain information such as routing information and credential information for resources |
| downloads.uk.strongdm.com | 443      | Egress | Required    | Allows updates to the software to be downloaded                                                                                                |
| checkip.amazonaws.com     | 443      | Egress | Optional    | Allows information to be derived from public IP, such as the Admin UI "Location" field for gateways/relays                                     |
| 1.1.1.1                   | 53 (UDP) | Egress | Optional    | Cloudflare fallback for DNS resolution of StrongDM endpoints if default DNS fails                                                              |
| Gateway                   | Custom   | Egress | Required    | Egress to gateways in order to securely establish connections through which to allow traffic (default 5000)                                    |
| Resource                  | Custom   | Egress | Required    | Egress to resources                                                                                                                            |
| Secret Stores             | Custom   | Egress | Required    | May reach out to the configured secret store (if any) and acquire credentials to connect to the target resource                                |

{% endtab %}

{% tab title="EU" %}
*Follow instructions in the tab for the region of your organization's StrongDM control plane, not your own location. The default control plane region is US.*

| Destination               | Port     | Type   | Requirement | Description                                                                                                                                    |
| ------------------------- | -------- | ------ | ----------- | ---------------------------------------------------------------------------------------------------------------------------------------------- |
| app.eu.strongdm.com       | 443      | Egress | Required    | Allows communication with StrongDM to authenticate and obtain information such as routing information and credential information for resources |
| downloads.eu.strongdm.com | 443      | Egress | Required    | Allows updates to the software to be downloaded                                                                                                |
| checkip.amazonaws.com     | 443      | Egress | Optional    | Allows information to be derived from public IP, such as the Admin UI "Location" field for gateways/relays                                     |
| 1.1.1.1                   | 53 (UDP) | Egress | Optional    | Cloudflare fallback for DNS resolution of StrongDM endpoints if default DNS fails                                                              |
| Gateway                   | Custom   | Egress | Required    | Egress to gateways in order to securely establish connections through which to allow traffic (default 5000)                                    |
| Resource                  | Custom   | Egress | Required    | Egress to resources                                                                                                                            |
| Secret Stores             | Custom   | Egress | Required    | May reach out to the configured secret store (if any) and acquire credentials to connect to the target resource                                |

{% endtab %}
{% endtabs %}

### Gateways and Workers

Gateways, bridge workers in a bridged proxy cluster, or proxy clusters in a single-worker cluster (no bridge or load balancer) require a small amount of ingress.

{% tabs %}
{% tab title="US" %}

| Destination            | Port     | Type    | Requirement | Description                                                                                                                                    |
| ---------------------- | -------- | ------- | ----------- | ---------------------------------------------------------------------------------------------------------------------------------------------- |
| app.strongdm.com       | 443      | Egress  | Required    | Allows communication with StrongDM to authenticate and obtain information such as routing information and credential information for resources |
| downloads.strongdm.com | 443      | Egress  | Required    | Allows updates to the software to be downloaded                                                                                                |
| checkip.amazonaws.com  | 443      | Egress  | Optional    | Allows information to be derived from public IP, such as the Admin UI "Location" field for gateways/relays                                     |
| 1.1.1.1                | 53 (UDP) | Egress  | Optional    | Cloudflare fallback for DNS resolution of StrongDM endpoints if default DNS fails                                                              |
| Gateway                | Custom   | Egress  | Required    | Egress to other gateways dependent upon your network topology (default 5000)                                                                   |
| Resource               | Custom   | Egress  | Required    | Egress to resources                                                                                                                            |
| Secret Stores          | Custom   | Egress  | Required    | May reach out to the appropriate secret store (if any) and acquire credentials to connect to the target resource                               |
| Advertised Port        | Custom   | Ingress | Required    | Ingress allowed from clients, gateways, and relays (default 5000)                                                                              |

{% endtab %}

{% tab title="UK" %}
*Follow instructions in the tab for the region of your organization's StrongDM control plane, not your own location. The default control plane region is US.*

| Destination               | Port     | Type    | Requirement | Description                                                                                                                                    |
| ------------------------- | -------- | ------- | ----------- | ---------------------------------------------------------------------------------------------------------------------------------------------- |
| app.uk.strongdm.com       | 443      | Egress  | Required    | Allows communication with StrongDM to authenticate and obtain information such as routing information and credential information for resources |
| downloads.uk.strongdm.com | 443      | Egress  | Required    | Allows updates to the software to be downloaded                                                                                                |
| checkip.amazonaws.com     | 443      | Egress  | Optional    | Allows information to be derived from public IP, such as the Admin UI "Location" field for gateways/relays                                     |
| 1.1.1.1                   | 53 (UDP) | Egress  | Optional    | Cloudflare fallback for DNS resolution of StrongDM endpoints if default DNS fails                                                              |
| Gateway                   | Custom   | Egress  | Required    | Egress to other gateways dependent upon your network topology (default 5000)                                                                   |
| Resource                  | Custom   | Egress  | Required    | Egress to resources                                                                                                                            |
| Secret Stores             | Custom   | Egress  | Required    | May reach out to the appropriate secret store (if any) and acquire credentials to connect to the target resource                               |
| Advertised Port           | Custom   | Ingress | Required    | Ingress allowed from clients, gateways, and relays (default 5000)                                                                              |

{% endtab %}

{% tab title="EU" %}
*Follow instructions in the tab for the region of your organization's StrongDM control plane, not your own location. The default control plane region is US.*

| Destination               | Port     | Type    | Requirement | Description                                                                                                                                    |
| ------------------------- | -------- | ------- | ----------- | ---------------------------------------------------------------------------------------------------------------------------------------------- |
| app.eu.strongdm.com       | 443      | Egress  | Required    | Allows communication with StrongDM to authenticate and obtain information such as routing information and credential information for resources |
| downloads.eu.strongdm.com | 443      | Egress  | Required    | Allows updates to the software to be downloaded                                                                                                |
| checkip.amazonaws.com     | 443      | Egress  | Optional    | Allows information to be derived from public IP, such as the Admin UI "Location" field for gateways/relays                                     |
| 1.1.1.1                   | 53 (UDP) | Egress  | Optional    | Cloudflare fallback for DNS resolution of StrongDM endpoints if default DNS fails                                                              |
| Gateway                   | Custom   | Egress  | Required    | Egress to other gateways dependent upon your network topology (default 5000)                                                                   |
| Resource                  | Custom   | Egress  | Required    | Egress to resources                                                                                                                            |
| Secret Stores             | Custom   | Egress  | Required    | May reach out to the appropriate secret store (if any) and acquire credentials to connect to the target resource                               |
| Advertised Port           | Custom   | Ingress | Required    | Ingress allowed from clients, gateways, and relays (default 5000)                                                                              |

{% endtab %}
{% endtabs %}

### Scripts That Use the API

{% tabs %}
{% tab title="US" %}

| Destination      | Port | Type   | Requirement | Description                        |
| ---------------- | ---- | ------ | ----------- | ---------------------------------- |
| app.strongdm.com | 443  | Egress | Required    | Required for calling API endpoints |

{% endtab %}

{% tab title="UK" %}
*Follow instructions in the tab for the region of your organization's StrongDM control plane, not your own location. The default control plane region is US.*

| Destination         | Port | Type   | Requirement | Description                        |
| ------------------- | ---- | ------ | ----------- | ---------------------------------- |
| app.uk.strongdm.com | 443  | Egress | Required    | Required for calling API endpoints |

{% endtab %}

{% tab title="EU" %}
*Follow instructions in the tab for the region of your organization's StrongDM control plane, not your own location. The default control plane region is US.*

| Destination         | Port | Type   | Requirement | Description                        |
| ------------------- | ---- | ------ | ----------- | ---------------------------------- |
| app.eu.strongdm.com | 443  | Egress | Required    | Required for calling API endpoints |

{% endtab %}
{% endtabs %}

### Active Directory Domain Controllers for RDP Certificate Auth

{% tabs %}
{% tab title="US" %}

| Destination      | Port | Type   | Requirement | Description                                                                                      |
| ---------------- | ---- | ------ | ----------- | ------------------------------------------------------------------------------------------------ |
| app.strongdm.com | 443  | Egress | Required    | Allows communication with StrongDM to obtain information such as the Certificate Revocation List |

{% endtab %}

{% tab title="UK" %}
*Follow instructions in the tab for the region of your organization's StrongDM control plane, not your own location. The default control plane region is US.*

| Destination         | Port | Type   | Requirement | Description                                                                                      |
| ------------------- | ---- | ------ | ----------- | ------------------------------------------------------------------------------------------------ |
| app.uk.strongdm.com | 443  | Egress | Required    | Allows communication with StrongDM to obtain information such as the Certificate Revocation List |

{% endtab %}

{% tab title="EU" %}
*Follow instructions in the tab for the region of your organization's StrongDM control plane, not your own location. The default control plane region is US.*

| Destination         | Port | Type   | Requirement | Description                                                                                      |
| ------------------- | ---- | ------ | ----------- | ------------------------------------------------------------------------------------------------ |
| app.eu.strongdm.com | 443  | Egress | Required    | Allows communication with StrongDM to obtain information such as the Certificate Revocation List |

{% endtab %}
{% endtabs %}
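
The tables above can be turned into a check on a firewall egress allowlist. The following is an added example, not StrongDM code: it derives the fixed egress destinations for a component and control plane region and reports missing entries, including the case where an allowlist was built from the wrong region's tab. The component names, the gateway hostname `gateway.example.internal`, and the sample allowlist are assumptions made for illustration; resource and secret store destinations are site-specific and left out.

```python
# Added example: audit an egress allowlist against the Ports Guide tables.
# Hostnames and ports are taken from the tables on this page. The gateway
# hostname, component names, and sample allowlist are constructed.

REGION_PREFIX = {"US": "", "UK": "uk.", "EU": "eu."}
OPTIONAL = [("checkip.amazonaws.com", 443, "tcp"), ("1.1.1.1", 53, "udp")]


def regional_hosts(region):
    """Region-specific control plane and download hostnames."""
    p = REGION_PREFIX[region]
    return {"app": f"app.{p}strongdm.com",
            "downloads": f"downloads.{p}strongdm.com"}


def required_egress(component, region,
                    gateway=("gateway.example.internal", 5000)):
    """Map each (host, port, proto) the component needs to its requirement."""
    hosts = regional_hosts(region)
    app = (hosts["app"], 443, "tcp")
    # API scripts and AD domain controllers only talk to the control plane.
    if component in ("api_script", "domain_controller"):
        return {app: "Required"}
    if component not in ("client", "relay", "gateway"):
        raise ValueError(f"unknown component: {component}")
    rules = {
        app: "Required",
        (hosts["downloads"], 443, "tcp"): "Required",
        (gateway[0], gateway[1], "tcp"): "Required",  # default port 5000
    }
    if component == "client":
        # login.strongdm.com is the same hostname in every region.
        rules[("login.strongdm.com", 443, "tcp")] = "Required"
    rules.update({entry: "Optional" for entry in OPTIONAL})
    return rules


def audit(allowlist, component, region, **kwargs):
    """Compare an allowlist (iterable of tuples) with the page's tables."""
    needed = required_egress(component, region, **kwargs)
    allowed = set(allowlist)
    # Hostnames that belong to a different control plane region.
    other_region = set()
    for name in REGION_PREFIX:
        if name != region:
            other_region |= set(regional_hosts(name).values())

    def missing(kind):
        return sorted(k for k, v in needed.items()
                      if v == kind and k not in allowed)

    return {
        "missing_required": missing("Required"),
        "missing_optional": missing("Optional"),
        "wrong_region": sorted(e for e in allowed if e[0] in other_region),
    }


# Constructed sample: a UK-region organization whose client allowlist was
# partly copied from the US tab.
SAMPLE_ALLOWLIST = {
    ("app.strongdm.com", 443, "tcp"),
    ("login.strongdm.com", 443, "tcp"),
    ("downloads.uk.strongdm.com", 443, "tcp"),
    ("gateway.example.internal", 5000, "tcp"),
}

if __name__ == "__main__":
    report = audit(SAMPLE_ALLOWLIST, "client", "UK")
    for finding, entries in report.items():
        print(finding, entries)
```
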

