Advanced Server Access port requirements
In order to provide access to server resources, teams must allow traffic through several different network ports.
Advanced Server Access client
| Port | Description |
|---|---|
| 22 | Used for outgoing SSH connections to servers. |
| 443 | Used for outgoing connections to Okta and the Advanced Server Access platform. |
| 4421 | Used for outgoing RDP connections to servers. |
| 7234 | Used for outgoing connections to Advanced Server Access gateways. |
Advanced Server Access server agent
Teams can modify the default ports through the server agent configuration file. See Configure the Advanced Server Access Advanced Server Access server agent.
| Port | Description |
|---|---|
| 22 | Used for incoming SSH connections. |
| 443 | Used for outgoing connections to Okta and the Advanced Server Access platform. |
| 3389 | Used locally on Windows servers for RDP loopbacks. Does not need to be publicly available. |
| 4421 | Used for incoming connections to help provision On Demand users. See Create a project. On Windows servers, this port is also used to proxy RDP sessions to port 3389. |
Advanced Server Access gateway
Teams can modify the default ports through the gateway configuration file. See Configure the Advanced Server Access gateway.
| Port | Description |
|---|---|
| 443 | Used for outgoing connections to Okta and the Advanced Server Access platform.
Also used for outgoing connections to AWS or GCP if session capture stores logs in a cloud bucket. See Session capture. |
| 7234 | Used for incoming connections from the Advanced Server Access client. |
|
3389 |
Used for outgoing connections when using AD-Joined. It is not required when using Advanced Server Access agent. |
|
53 |
Used for resolving hostnames through DNS. |
|
389 |
Used in AD-Joined to query devices from the domain. |
Proxy Information
Organizations that use a web proxy or perform deep packet inspection to restrict network traffic may encounter issues with Advanced Server Access. To ensure Advanced Server Access can operate correctly, teams should add exceptions for the following characteristics:
| Characteristic | Value |
|---|---|
| Advanced Server Access domain |
Teams can allow access to the entire Advanced Server Access domain. This is the simplest option and ensures that all traffic to Advanced Server Access is allowed through a proxy.
|
| Advanced Server Access subdomains |
Teams can allow access to specific Advanced Server Access subdomains.
|
| Advanced Server Access User Agent strings |
Teams can allow access based on specific user strings. Teams will need to modify the values below based on a specific version of Advanced Server Access.
|
| Minimum TLS version |
|
| SSL inspection (MITM) | Advanced Server Access leverages Certificate Pinning to allow communication between the Advanced Server Access platform, clients, and servers. To work around the restrictions of SSL inspection, teams should consider allowing traffic to the Advanced Server Access domain (*.scaleft.com) |