Network and Firewall Requirements
Section: Getting Started | Article 03
Audience: Network Administrators, IT Administrators
Last Updated: 2026-04-06
Overview
RP-PAM uses a well-defined set of network ports for its services. This article lists every port, explains what it is used for, and provides firewall rule guidance for both single-node and high-availability (HA) deployments.
All RP-PAM services bind to configurable ports. The defaults listed here assume the standard grpcPortBase of 7001 in rppam.config. If you change the base port, all gRPC service ports shift accordingly.
Port Reference Table
Client-Facing Ports
These ports must be accessible from user workstations and administrative machines.
| Port | Protocol | Service | Direction | Description |
|---|---|---|---|---|
| 7101 | HTTPS | Web Portal / REST API | Inbound | Browser-based management portal and all REST API calls. This is the primary port users and integrations connect to. |
| 443 | HTTPS | Outbound HTTPS | Outbound | License Verification Service (LVS) check-ins, AI provider API calls (OpenAI, Anthropic, xAI), and optional webhook notifications. |
Internal gRPC Service Ports
These ports are used for internal service-to-service communication over mTLS-encrypted gRPC. In a single-node deployment, these remain on localhost and do not need firewall rules. In an HA deployment, these must be open between all cluster nodes.
| Port | Protocol | Service | Description |
|---|---|---|---|
| 7001 | gRPC (mTLS) | VaultService | Credential vault operations (store, checkout, rotate DEK) |
| 7002 | gRPC (mTLS) | AuthService | Authentication, MFA verification, session management |
| 7003 | gRPC (mTLS) | AuditService | Audit event writes and query operations |
| 7004 | gRPC (mTLS) | LicenseService | License validation and feature gating |
| 7005 | gRPC (mTLS) | ModuleManagerService | Module lifecycle (install, enable, disable, health) |
| 7006 | gRPC (mTLS) | WorkflowService | Access request submission, approval, escalation |
| 7007 | gRPC (mTLS) | AccessService | Access grant provisioning and revocation |
| 7008 | gRPC (mTLS) | SessionRecordingService | Session capture and playback (Phase 2) |
| 7009 | gRPC (mTLS) | NotificationService | Alert delivery to Slack, email, webhook (Phase 2) |
| 7010 | gRPC (mTLS) | TenantService | Multi-tenant management (MSP tier) |
| 7011 | gRPC (mTLS) | ReportingService | Compliance report generation |
| 7012 | gRPC (mTLS) | AIService | AI assistant inference and RAG queries |
Note: All gRPC ports use mutual TLS (mTLS) with certificates issued by the internal Step-CA. No plaintext gRPC traffic is permitted in production.
Infrastructure Ports
| Port | Protocol | Service | Direction | Description |
|---|---|---|---|---|
| 1433 | TCP | Microsoft SQL Server | Outbound (from RP-PAM to DB) | Database connections when using MSSQL. Only required if your database is on a separate server. |
| 5432 | TCP | PostgreSQL | Outbound (from RP-PAM to DB) | Database connections when using PostgreSQL. Only required if your database is on a separate server. |
| 636 | TCP (LDAPS) | Active Directory | Outbound (from RP-PAM to DC) | Secure LDAP connections to domain controllers. Required for the Active Directory module. |
| 3389 | TCP | RDP Session Proxy | Outbound (from RP-PAM to targets) | Remote Desktop connections to target Windows servers. Required for browser-based RDP sessions. RP-PAM proxies all RDP traffic — end users never connect directly. |
| 22 | TCP | SSH Session Proxy | Outbound (from RP-PAM to targets) | SSH connections to target Linux/Unix servers. Required for browser-based SSH sessions. |
| 443 | HTTPS | Microsoft Graph API | Outbound | Entra ID (Azure AD) module calls to graph.microsoft.com. Required for the Entra ID module. |
| 6379 | TCP | Redis | Between nodes | Distributed cache and leader election. Required only for HA (multi-node) deployments. |
| 5201 | TCP | Cluster Heartbeat | Between nodes | Inter-node health checks, leader election, and database sync coordination. Required only for HA deployments. |
Firewall Rules — Single-Node Deployment
A single-node deployment is the simplest configuration. Only two inbound rules are needed.
Inbound Rules
| Rule | Source | Destination | Port | Protocol | Action |
|---|---|---|---|---|---|
| Web Portal access | User workstations / admin network | RP-PAM server | 7101 | TCP (HTTPS) | Allow |
| (Optional) Database remote access | DBA workstations | RP-PAM server | 1433 or 5432 | TCP | Allow |
Outbound Rules
| Rule | Source | Destination | Port | Protocol | Action |
|---|---|---|---|---|---|
| LVS check-in | RP-PAM server | lvs.ravenphyre.net | 443 | TCP (HTTPS) | Allow |
| AI provider (if enabled) | RP-PAM server | AI API endpoint | 443 | TCP (HTTPS) | Allow |
| Active Directory (if used) | RP-PAM server | Domain controllers | 636 | TCP (LDAPS) | Allow |
| Entra ID (if used) | RP-PAM server | graph.microsoft.com, login.microsoftonline.com | 443 | TCP (HTTPS) | Allow |
gRPC Ports (Single-Node)
In a single-node deployment, all gRPC services communicate over localhost. No inbound firewall rules are needed for ports 7001-7012. These ports should be blocked from external access.
```powershell
# Windows Firewall — block external access to gRPC ports (recommended)
# Windows Defender Firewall evaluates Block rules before Allow rules, so the
# Allow rule below does not override the Block. Loopback traffic is not
# filtered by Windows Firewall, so localhost gRPC keeps working either way.
New-NetFirewallRule -DisplayName "RP-PAM Block External gRPC" `
    -Direction Inbound -LocalPort 7001-7012 -Protocol TCP `
    -RemoteAddress "Any" -Action Block
New-NetFirewallRule -DisplayName "RP-PAM Allow Localhost gRPC" `
    -Direction Inbound -LocalPort 7001-7012 -Protocol TCP `
    -RemoteAddress "127.0.0.1" -Action Allow
```
```bash
# Linux (firewalld) — gRPC ports are not opened, so no action needed
# Verify they are not exposed (plain ports and rich rules both open ports):
sudo firewall-cmd --list-ports
sudo firewall-cmd --list-rich-rules
```
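A firewall rule only helps if the services really are listening on loopback. The script below is an added example (not RP-PAM tooling): it reads `ss -ltn` output and flags any gRPC service port that is bound to a non-loopback address. The port range is derived from grpcPortBase exactly as the article describes (twelve services, base through base+11), so it also works when the base has been changed. The `ss` sample embedded in the script is constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not part of RP-PAM: confirm that the gRPC service ports derived
# from grpcPortBase are bound to loopback only, as a single-node deployment expects.
# Input is `ss -ltn` output (the header line, if present, is ignored).

# Print "LO HI", the inclusive gRPC port range for a grpcPortBase value.
# The article lists twelve services, so the range is base .. base+11
# (7001-7012 for the default base of 7001).
grpc_port_range() {
  printf '%s %s\n' "$1" "$(( $1 + 11 ))"
}

# Read `ss -ltn` lines on stdin and print one EXPOSED line for every listener
# on a gRPC port whose local address is not 127.0.0.1 or [::1].
# Returns 0 when every gRPC listener is loopback-only, 1 otherwise.
audit_grpc_listeners() {   # audit_grpc_listeners GRPC_PORT_BASE
  set -- $(grpc_port_range "$1")
  awk -v lo="$1" -v hi="$2" '
    $1 != "LISTEN" { next }                 # skip the header and non-listening rows
    {
      n = split($4, parts, ":")             # $4 is Local Address:Port; IPv6 is [addr]:port
      port = parts[n] + 0
      addr = substr($4, 1, length($4) - length(parts[n]) - 1)
      if (port < lo || port > hi) next      # not a gRPC service port
      if (addr == "127.0.0.1" || addr == "[::1]") next
      print "EXPOSED " addr " port " port
      bad = 1
    }
    END { if (bad) exit 1 }
  '
}

# Constructed sample: two gRPC services correctly on loopback, two bound to all
# interfaces, plus the web portal on 7101 (which is meant to be reachable).
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 4096 127.0.0.1:7001 0.0.0.0:*
LISTEN 0 4096 [::1]:7002 [::]:*
LISTEN 0 4096 0.0.0.0:7003 0.0.0.0:*
LISTEN 0 4096 [::]:7012 [::]:*
LISTEN 0 4096 *:7101 *:*'

case "${1:-}" in
  --demo) printf '%s\n' "$SAMPLE_SS" | audit_grpc_listeners 7001 ;;
  --live) ss -ltn | audit_grpc_listeners "${2:-7001}" ;;
esac
```

Run it with `--demo` to see the two findings from the sample, or `--live [base]` on the RP-PAM host. A non-zero exit means at least one gRPC service is reachable from off-host if the firewall rule above is ever removed, so the check pairs well with the firewall rule rather than replacing it.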
Firewall Rules — HA (Multi-Node) Deployment
In an HA deployment, cluster nodes must communicate with each other over gRPC, Redis, and the heartbeat channel.
Between Cluster Nodes
All traffic between nodes should be restricted to the cluster VLAN or specific node IP addresses. Never open these ports to the entire network.
| Rule | Source | Destination | Port | Protocol | Action |
|---|---|---|---|---|---|
| gRPC inter-node | All RP-PAM nodes | All RP-PAM nodes | 7001-7012 | TCP (mTLS) | Allow |
| Cluster heartbeat | All RP-PAM nodes | All RP-PAM nodes | 5201 | TCP | Allow |
| Redis | All RP-PAM nodes | Redis server | 6379 | TCP | Allow |
Inbound Rules (from Users)
| Rule | Source | Destination | Port | Protocol | Action |
|---|---|---|---|---|---|
| Web Portal / REST API | User network | Load balancer VIP | 443 or 7101 | TCP (HTTPS) | Allow |
| Load balancer to nodes | Load balancer | All RP-PAM nodes | 7101 | TCP (HTTPS) | Allow |
Outbound Rules
Same as single-node (LVS, AI, AD, Entra ID) — apply to all nodes.
Example: Windows Firewall Rules for HA Node
```powershell
# Allow gRPC between cluster nodes only
New-NetFirewallRule -DisplayName "RP-PAM Cluster gRPC" `
    -Direction Inbound -LocalPort 7001-7012 -Protocol TCP `
    -RemoteAddress "10.0.1.10,10.0.1.11,10.0.1.12" -Action Allow
# Allow heartbeat between cluster nodes
New-NetFirewallRule -DisplayName "RP-PAM Cluster Heartbeat" `
    -Direction Inbound -LocalPort 5201 -Protocol TCP `
    -RemoteAddress "10.0.1.10,10.0.1.11,10.0.1.12" -Action Allow
# Allow web portal from all users
New-NetFirewallRule -DisplayName "RP-PAM Web Portal" `
    -Direction Inbound -LocalPort 7101 -Protocol TCP `
    -RemoteAddress "Any" -Action Allow
```
Example: Linux Firewall Rules for HA Node (firewalld)
```bash
# Allow gRPC between cluster nodes only
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.1.0/24" port port="7001-7012" protocol="tcp" accept'
# Allow heartbeat between cluster nodes
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.1.0/24" port port="5201" protocol="tcp" accept'
# Allow web portal from all users
sudo firewall-cmd --permanent --add-port=7101/tcp
# Reload
sudo firewall-cmd --reload
```
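The rules above are correct as written, but a later `--add-port` for a cluster-only port, or a rich rule copied without its `source address`, silently violates the "never open these ports to the entire network" requirement. The following added example (not RP-PAM tooling) audits `firewall-cmd --list-rich-rules` and `--list-ports` output for that mistake: any accept rule on the gRPC range (derived from grpcPortBase), the heartbeat port 5201 or Redis 6379 must carry a source restriction that is one of the allowed cluster sources. The cluster subnet 10.0.1.0/24 comes from the example above; the firewalld output embedded in the script is constructed.

```bash
#!/usr/bin/env bash
# Added example, not RP-PAM's own tooling: audit firewalld for cluster-only ports
# (gRPC base..base+11, heartbeat 5201, Redis 6379) exposed beyond the cluster.
# Feed it `firewall-cmd --list-rich-rules` and `firewall-cmd --list-ports` output.

# Does the port spec "a" or "a-b" overlap the inclusive range LO..HI?
ports_overlap() {   # ports_overlap SPEC LO HI
  spec="$1"; lo="$2"; hi="$3"
  case "$spec" in
    *-*) a="${spec%-*}"; b="${spec#*-}" ;;
    *)   a="$spec"; b="$spec" ;;
  esac
  [ "$a" -le "$hi" ] && [ "$b" -ge "$lo" ]
}

# Is SPEC a cluster-only port for the given grpcPortBase?
is_cluster_port() {   # is_cluster_port SPEC BASE
  ports_overlap "$1" "$2" "$(( $2 + 11 ))" \
    || ports_overlap "$1" 5201 5201 \
    || ports_overlap "$1" 6379 6379
}

# Is SRC one of the space-separated allowed cluster sources (CIDRs or node IPs)?
src_allowed() {   # src_allowed SRC ALLOWED_LIST
  for ok in $2; do [ "$1" = "$ok" ] && return 0; done
  return 1
}

# Read rich rules on stdin; print a finding for each accept rule that opens a
# cluster-only port without a source, or to a source outside ALLOWED_LIST.
# Returns 1 if anything was flagged.
audit_rich_rules() {   # audit_rich_rules BASE ALLOWED_LIST
  base="$1"; allowed="$2"; bad=0
  while IFS= read -r rule; do
    case "$rule" in *" accept"*) ;; *) continue ;; esac     # reject/drop rules are fine
    spec=$(printf '%s\n' "$rule" | sed -n 's/.*port port="\([^"]*\)".*/\1/p')
    [ -n "$spec" ] || continue
    is_cluster_port "$spec" "$base" || continue
    src=$(printf '%s\n' "$rule" | sed -n 's/.*source address="\([^"]*\)".*/\1/p')
    if [ -z "$src" ]; then
      printf 'EXPOSED %s/tcp: accept rule has no source restriction\n' "$spec"; bad=1
    elif ! src_allowed "$src" "$allowed"; then
      printf 'EXPOSED %s/tcp: source %s is not an allowed cluster source\n' "$spec" "$src"; bad=1
    fi
  done
  [ "$bad" -eq 0 ]
}

# Read `--list-ports` output (e.g. "7101/tcp 7005/tcp") on stdin. Plain
# --add-port entries have no source restriction, so any cluster-only port here
# is open to every host the zone covers. Returns 1 if anything was flagged.
audit_plain_ports() {   # audit_plain_ports BASE
  base="$1"; bad=0
  for entry in $(cat); do
    spec="${entry%/*}"
    is_cluster_port "$spec" "$base" || continue
    printf 'EXPOSED %s: opened with --add-port, no source restriction\n' "$entry"; bad=1
  done
  [ "$bad" -eq 0 ]
}

# Constructed sample output: the two correct rules from the article, a gRPC rule
# that lost its source, a Redis rule for the wrong subnet, and a stray
# --add-port for one gRPC service.
SAMPLE_RICH_RULES='rule family="ipv4" source address="10.0.1.0/24" port port="7001-7012" protocol="tcp" accept
rule family="ipv4" source address="10.0.1.0/24" port port="5201" protocol="tcp" accept
rule family="ipv4" port port="7001-7012" protocol="tcp" accept
rule family="ipv4" source address="192.168.50.0/24" port port="6379" protocol="tcp" accept
rule family="ipv4" source address="10.0.1.0/24" port port="7101" protocol="tcp" reject'
SAMPLE_PORTS='7101/tcp 7005/tcp'

case "${1:-}" in
  --demo)
    printf '%s\n' "$SAMPLE_RICH_RULES" | audit_rich_rules 7001 "10.0.1.0/24"
    printf '%s\n' "$SAMPLE_PORTS" | audit_plain_ports 7001 ;;
  --live)   # --live [base] [allowed sources]; firewall-cmd usually needs root
    firewall-cmd --list-rich-rules | audit_rich_rules "${2:-7001}" "${3:-10.0.1.0/24}"
    firewall-cmd --list-ports | audit_plain_ports "${2:-7001}" ;;
esac
```

Pass the individual node addresses instead of a CIDR when the rules were written per node (`--live 7001 "10.0.1.10 10.0.1.11 10.0.1.12"`), which matches the Windows example above. The port 7101 reject rule and the `7101/tcp` entry are not flagged because the web portal is meant to be reachable.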
Air-Gapped / Offline Deployments
If RP-PAM is deployed in an air-gapped network with no internet access:
- LVS check-ins: Set `offlineMode: true` in rppam.config under the `lvs` section. Use offline license activation instead (see License Activation — Offline).
- AI provider: Use Ollama for self-hosted AI inference — no outbound internet required. Configure `ai.provider: "ollama"` and point `ollamaBaseUrl` to your local Ollama instance.
- Entra ID module: Cannot be used in a fully air-gapped environment (requires access to graph.microsoft.com). Use the Active Directory module with on-premises domain controllers instead.
TLS Requirements
| Connection | Minimum TLS | Certificate Source |
|---|---|---|
| Web Portal (port 7101) | TLS 1.2 (TLS 1.3 preferred) | Your organisation's CA or a public CA |
| gRPC inter-service (ports 7001-7012) | TLS 1.3 | Internal Step-CA (auto-issued) |
| Redis (port 6379) | TLS 1.2 (if redis.tlsEnabled: true) | Your organisation's CA |
| Database (port 1433/5432) | TLS 1.2 | Database server's certificate |
| LDAPS (port 636) | TLS 1.2 | Active Directory CA |
Verifying Connectivity
After configuring your firewall, verify that RP-PAM can reach all required services.
Windows PowerShell:
```powershell
# Test web portal
Test-NetConnection -ComputerName localhost -Port 7101
# Test database (MSSQL example)
Test-NetConnection -ComputerName db-server.corp.local -Port 1433
# Test Active Directory
Test-NetConnection -ComputerName dc01.corp.local -Port 636
# Test Redis (HA only)
Test-NetConnection -ComputerName redis.corp.local -Port 6379
# Test LVS (if not air-gapped)
Test-NetConnection -ComputerName lvs.ravenphyre.net -Port 443
```
Linux:
```bash
# Test web portal
curl -sk https://localhost:7101/system/health/ping
# Test database (PostgreSQL example)
nc -zv db-server.corp.local 5432
# Test Active Directory
nc -zv dc01.corp.local 636
# Test Redis (HA only)
nc -zv redis.corp.local 6379
# Test LVS (if not air-gapped)
curl -s https://lvs.ravenphyre.net/health
```
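Running those commands one at a time works for a first install, but a repeatable check should know which ones apply: Redis is HA-only, port 636 only matters with the Active Directory module, and the LVS check does not apply when offline mode is on. The script below is an added example (not RP-PAM tooling) that runs the Linux checks as a single pass, skips the scopes that are not in use, and exits with the number of required checks that failed. It tests TCP reachability only, like the `nc -zv` commands; the hostnames are the placeholders used in this article and the probe function can be swapped (via `RPPAM_PROBE`, an assumption of this script) so the logic can be exercised without network access.

```bash
#!/usr/bin/env bash
# Added example, not RP-PAM's own tooling: run the connectivity checks from this
# article in one pass, skipping the ones that do not apply to this deployment.

# Default probe: TCP connect with a timeout, via nc if present, else bash /dev/tcp.
probe_tcp() {   # probe_tcp HOST PORT TIMEOUT_SECONDS
  if command -v nc >/dev/null 2>&1; then
    nc -z -w "$3" "$1" "$2" >/dev/null 2>&1
  else
    timeout "$3" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
  fi
}

# Check list, one per line: NAME|HOST|PORT|SCOPE. Scopes: core (always),
# ha (multi-node only), ad (Active Directory module), lvs (not air-gapped).
# Hostnames are the article's placeholders; substitute your own.
CHECKS='web-portal|localhost|7101|core
database|db-server.corp.local|5432|core
active-directory|dc01.corp.local|636|ad
redis|redis.corp.local|6379|ha
lvs|lvs.ravenphyre.net|443|lvs'

# Does SCOPE apply, given the deployment flags (1 = yes, 0 = no)?
scope_enabled() {   # scope_enabled SCOPE HA AD ONLINE
  case "$1" in
    core) return 0 ;;
    ha)   [ "$2" = 1 ] ;;
    ad)   [ "$3" = 1 ] ;;
    lvs)  [ "$4" = 1 ] ;;
    *)    return 1 ;;
  esac
}

# Run the check list from stdin. RPPAM_PROBE names the probe function (default
# probe_tcp; override it to test offline). Prints one "PASS|FAIL|SKIP name host:port"
# line per check and returns the number of failures.
run_checks() {   # run_checks HA AD ONLINE
  ha="$1"; ad="$2"; online="$3"; failures=0
  probe="${RPPAM_PROBE:-probe_tcp}"
  while IFS='|' read -r name host port scope; do
    [ -n "$name" ] || continue
    if ! scope_enabled "$scope" "$ha" "$ad" "$online"; then
      printf 'SKIP %s %s:%s (%s not in use)\n' "$name" "$host" "$port" "$scope"
      continue
    fi
    if "$probe" "$host" "$port" 3; then
      printf 'PASS %s %s:%s\n' "$name" "$host" "$port"
    else
      printf 'FAIL %s %s:%s\n' "$name" "$host" "$port"
      failures=$((failures + 1))
    fi
  done
  return "$failures"
}

# Usage: HA=1 AD=1 ONLINE=0 ./check.sh --run   (flags default to HA=0 AD=0 ONLINE=1)
case "${1:-}" in
  --run) printf '%s\n' "$CHECKS" | run_checks "${HA:-0}" "${AD:-0}" "${ONLINE:-1}" ;;
esac
```

A non-zero exit code is the number of required checks that failed, which makes the script usable from a deployment pipeline or a monitoring job; the SKIP lines make it explicit which checks were deliberately not run rather than silently omitted.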
Troubleshooting
| Problem | Likely Cause | Solution |
|---|---|---|
| Web portal not reachable | Port 7101 blocked by firewall | Add inbound rule for port 7101 |
| "License check-in failed" | Port 443 outbound blocked | Allow outbound HTTPS to lvs.ravenphyre.net, or enable offline mode |
| AD module cannot connect | Port 636 blocked or DC unreachable | Allow outbound to domain controllers on port 636 |
| HA cluster nodes cannot see each other | Ports 7001-7012 or 5201 blocked between nodes | Add inter-node firewall rules |
| Redis connection refused | Port 6379 blocked or Redis not running | Check Redis service status and firewall rules |
Next Steps
- Installation on Windows Server — Install RP-PAM on your first server
- Installation on Linux — Install RP-PAM on Linux
- HA Multi-Node Setup — Configure high availability
RP-PAM v1.0.0 — Copyright 2026 Ravenphyre. All rights reserved.