Advanced Server Access port requirements

In order to provide access to server resources, teams must allow traffic through several different network ports.

Advanced Server Access client

Port Description
22 Used for outgoing SSH connections to servers.
443 Used for outgoing connections to Okta and the Advanced Server Access platform.
4421 Used for outgoing RDP connections to servers.
7234 Used for outgoing connections to Advanced Server Access gateways.

Advanced Server Access server agent

Teams can modify the default ports through the server agent configuration file. See Configure the Advanced Server Access server agent.

Port Description
22 Used for incoming SSH connections.
443 Used for outgoing connections to Okta and the Advanced Server Access platform.
3389 Used locally on Windows servers for RDP loopbacks. Does not need to be publicly available.
4421 Used for incoming connections to help provision On Demand users. See Create a project.

On Windows servers, this port is also used to proxy RDP sessions to port 3389.

Advanced Server Access gateway

Teams can modify the default ports through the gateway configuration file. See Configure the Advanced Server Access gateway.

Port Description
443 Used for outgoing connections to Okta and the Advanced Server Access platform.

Also used for outgoing connections to AWS or GCP if session capture stores logs in a cloud bucket. See Session capture.

7234 Used for incoming connections from the Advanced Server Access client.

3389

Used for outgoing connections when using AD-Joined. It is not required when using Advanced Server Access agent.

53

Used for resolving hostnames through DNS.

389

Used in AD-Joined to query devices from the domain.

Proxy Information

Organizations that use a web proxy or perform deep packet inspection to restrict network traffic may encounter issues with Advanced Server Access. To ensure Advanced Server Access can operate correctly, teams should add exceptions for the following characteristics:

Characteristic Value
Advanced Server Access domain

Teams can allow access to the entire Advanced Server Access domain. This is the simplest option and ensures that all traffic to Advanced Server Access is allowed through a proxy.

  • *.scaleft.com
Advanced Server Access subdomains

Teams can allow access to specific Advanced Server Access subdomains.

  • app.scaleft.com
  • dist.scaleft.com
  • pkg.scaleft.com
Advanced Server Access User Agent strings

Teams can allow access based on specific user strings. Teams will need to modify the values below based on a specific version of Advanced Server Access.

  • Advanced Server Access client: scaleft.go/<version> (sft;)
  • Advanced Server Access sever agent: scaleft.go/<version> (sftd;)
  • Advanced Server Access gateway: sft-gatewayd/<version>
Minimum TLS version
  • TLS 1.2 or later
SSL inspection (MITM) Advanced Server Access leverages Certificate Pinning to allow communication between the Advanced Server Access platform, clients, and servers. To work around the restrictions of SSL inspection, teams should consider allowing traffic to the Advanced Server Access domain (*.scaleft.com)

Related topics