Okta Privileged Access port requirements
To provide access to server resources, teams must allow traffic through several different network ports.
Okta Privileged Access client
| Port | Description |
|---|---|
| 22 | Used for outgoing SSH connections to servers. |
| 443 | Used for outgoing connections to Okta and the Okta Privileged Access platform. |
| 4421 | Used for outgoing RDP connections to servers. |
| 7234 | Used for outgoing connections to Okta Privileged Access gateways. |
Okta Privileged Access server agent
Teams can modify the default ports through the server agent configuration file. See Configure the Okta Privileged Access server agent.
| Port | Description |
|---|---|
| 22 | Used for incoming SSH connections. |
| 443 | Used for outgoing connections to Okta and the Okta Privileged Access platform. |
| 3389 | Used locally on Windows servers for RDP loopbacks. Doesn't need to be publicly available. |
| 4421 | Used for incoming connections to help provision on-demand users. See Okta Privileged Access accounts. On Windows servers, this port is also used to proxy RDP sessions to port 3389. |
Okta Privileged Access gateway
Teams can modify the default ports through the gateway configuration file. See Configure the Okta Privileged Access gateway.
| Port | Description |
|---|---|
| 443 | Used for outgoing connections to Okta and the Okta Privileged Access platform.
Also used for outgoing connections to AWS or if session capture stores logs in a cloud bucket. See Session recording. |
| 7234 | Used for incoming connections from the Okta Privileged Access client. |
Proxy Information
Organizations that use a web proxy or perform deep packet inspection to restrict network traffic may encounter issues with Okta Privileged Access. To ensure Okta Privileged Access can operate correctly, teams should add exceptions for the following characteristics:
| Characteristic | Value |
|---|---|
| Okta Privileged Access domain |
Teams can allow access to the entire Okta Privileged Access domain. This is the simplest option and ensures that all traffic to Okta Privileged Access is allowed through a proxy.
|
| Okta Privileged Access subdomains |
Teams can allow access to specific Okta Privileged Access subdomains.
|
| Okta Privileged Access User Agent strings |
Teams can allow access based on specific user strings. Teams need to modify the following values based on a specific version of Okta Privileged Access.
|
| Minimum TLS version |
|
| SSL inspection (MITM) | Okta Privileged Access uses Certificate Pinning to allow communication between the Okta Privileged Access platform, clients, and servers. To work around the restrictions of SSL inspection, teams should consider allowing traffic to the Okta Privileged Access domain (pam.oktapreview.com) |