Port/SNI mappings
| Service | Source | Destination | Port | Protocol | Bi-directional |
|---|---|---|---|---|---|
| Deployment | Internet WAN | GSLB - Intranet Load Balancers for WEBAPP | 443, 8544, 8944, 8945, 9987* | TCP | No |
| Deployment | GSLB | Intranet DMZ Load Balancers for WEBAPP | 443, 8544, 8944, 8945, 9987* | TCP | No |
| Deployment | Intranet DMZ Load Balancer for Webapps | WEBAPP | 443, 8544, 8944, 8945, 9987*, 9444 | TCP | No |
| Deployment | WEBAPP + PERSISTENCE | Deployment Server (ex. WebApp Node1) | 20, 21 (not necessary for rhel9 installation) | TCP | No |
| Deployment | Deployment Server (ex. WebApp Node 1) | WEBAPP + PERSISTENCE | 22 | TCP | No |
| Web Service | WEBAPP | PERSISTENCE | 2181, 9042, 9092, 9095 | TCP | No |
| Persistence Service | PERSISTENCE | PERSISTENCE | 2181, 2888, 3888, 7000, 7001, 7199, 9092, 9042, 9095 | TCP | No |
| RAEP | Windows RAEP Servers | Intranet Balancer for WEBAPPS | 443 | TCP | No |
| RAEP | Windows RAEP Servers | Load Balancer for ADCS - PKI (active-active setup) | 443, 135, 139, 49152 - 65535 | TCP | No |
| RAEP | Windows clients W11/W10 | Load Balancers for Windows RAEP Servers | 443 | TCP | No |
| RAEP | Load Balancers for Windows RAEP Servers | Windows RAEP Servers | 443 | TCP | No |
| CP | Windows clients W10/W11 Credential Provider | Intranet DMZ Load Balancers for Webapps | 443, 8533, 8944, 9987 | TCP | No |
| WEBAPP Servers | WEBAPP | ADDS - LDAP | 636 or 3269 * | TCP | No |
| DNS | All Nodes | DNS Server | 53 | UDP | Yes |
| NTP | All Nodes | NTP Server | 123 | UDP | No |
| SMTP | All Nodes | SMTP | 25 | UDP | No |
| SIEM | All Nodes | SIEM | | | |
| SMS Gateway | WEBAPP | SMS Gateway | 443 | TCP | No |
| SSO Integration | SSO | WEBAPP | 443 | TCP | No |
| CITRIX Integration | CITRIX | WEBAPP | 443 | TCP | No |
| RADIUS | Client Freeradius Server | WEBAPP | 2083 | TCP | No |
| RADIUS | Client Freeradius Server | WEBAPP | 1812, 1813 | UDP | No |
| Admin (WebAPP and Persistence Nodes) | Vendor PCs - MFA Admin PCs | WebAPP Nodes | 22, 443, 9444, 9987, 8544, 8543 | TCP | No |
| Admin (WebAPP and Persistence Nodes) | Vendor PCs - MFA Admin PCs | Persistence nodes | 22 | TCP | No |
| Admin (Windows RAEP Servers) | Vendor PCs - MFA Admin PCs | Windows RAEP Servers | 3389 | TCP | No |
| Google push - Android Verdium Application | WEBAPP | Google ASN 15169 please check the list of IPs here: | 5228, 5229, 5230, 443 | TCP | No |
| Apple push iOS Verdium Application | WEBAPP | https://support.apple.com/en-gb/HT203609 | 443, 5223 | TCP | No |
Email, SMS Messaging and Push Notification Services
For the directory services PoC, you must configure the appliance to send OTP codes to users via email (SMTP) or SMS messages during enrollment.
To use email, use the administration dashboard to enter your email server SMTP parameters into the appliance. Instructions are provided later in this guide.
Using Unique Names
To perform end-to-end testing, you will need to use a publicly trusted certificate and Public DNS records that match the name(s) on your certificate. Choose whether you use:
Port Mapping. One unique DNS record, with different port numbers for the different service endpoints. In this case you use a certificate with a single subject name for all endpoints (e.g. vid.domain.com).
SNI Mapping. Multiple unique DNS records (SNI mappings), one per service endpoint (e.g. admin-vid.domain.com). Use a multi-domain (SAN) certificate with subject alternative names for the different endpoints, or a wildcard certificate (*.domain.com).
Based on your decision, obtain a valid, globally recognized SSL certificate for your server. Using a self-signed certificate will require configuring your smartphone to trust the root CA that generated the certificate, so it is generally easier to use a public certificate. Your certificate must be in PEM format and include any Intermediate and Root certificates in the chain as well as the unencrypted private key.
Obtain licenses from your Veridium sales engineer. As licenses are based on the certificate digest, you must have the certificate before Veridium can generate the licenses.
In the table below, the first URL is used for SNI service mapping and the second URL is used for port service mapping, depending on your configuration. Typically you would choose either the SNI or the port-based approach, not both. (Examples are shown for an environment name of poc and a domain of poc.veridium.com; substitute your own values as appropriate.)
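A pre-flight check for the certificate decision above, written as an added example (not code from this guide or from Veridium): given the mapping approach chosen, the hostnames it needs and the certificate's SAN entries, it reports any uncovered name using RFC 6125 wildcard matching (a wildcard covers one label only), and lints the PEM bundle for the chain plus an unencrypted private key. The SAN list, the PEM skeleton and the hostnames are constructed inputs based on the guide's vid.domain.com / admin-vid.domain.com examples.

```python
import re

def hostname_covered(san_entries, hostname):
    """RFC 6125 matching: a wildcard covers exactly one leftmost label, so
    *.domain.com covers admin-vid.domain.com but not a.b.domain.com."""
    host = hostname.lower().rstrip(".").split(".")
    for entry in san_entries:
        pat = entry.lower().rstrip(".").split(".")
        if pat[0] == "*":
            if len(host) >= 3 and host[1:] == pat[1:]:
                return True
        elif pat == host:
            return True
    return False

def required_hostnames(mode, base_host, sni_hosts):
    """Port mapping: one DNS name, services split by port (443, 8544, ...).
    SNI mapping: one DNS name per service endpoint, e.g. admin-vid.domain.com."""
    if mode == "port":
        return {base_host}
    if mode == "sni":
        return set(sni_hosts)
    raise ValueError("mode must be 'port' or 'sni'")

def missing_san_names(mode, base_host, sni_hosts, san_entries):
    return sorted(h for h in required_hostnames(mode, base_host, sni_hosts)
                  if not hostname_covered(san_entries, h))

def pem_bundle_problems(pem_text):
    """Lint the PEM file handed to the appliance: leaf plus chain certificates
    and exactly one unencrypted private key, as the guide requires."""
    problems = []
    n_certs = pem_text.count("-----BEGIN CERTIFICATE-----")
    if n_certs < 2:
        problems.append(f"expected leaf plus chain certificates, found {n_certs}")
    keys = re.findall(r"-----BEGIN ([A-Z ]*PRIVATE KEY)-----", pem_text)
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    elif keys[0].startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in pem_text:
        problems.append("private key is encrypted; the appliance needs it unencrypted")
    return problems

# Constructed inputs: hostnames from the guide's examples, a wildcard SAN and a
# PEM skeleton whose base64 bodies are placeholders, not real key material.
SAN = ["vid.domain.com", "*.domain.com"]
PEM = ("-----BEGIN CERTIFICATE-----\nMIIB...placeholder\n-----END CERTIFICATE-----\n" * 2
       + "-----BEGIN PRIVATE KEY-----\nMIIE...placeholder\n-----END PRIVATE KEY-----\n")

print(missing_san_names("sni", "vid.domain.com", ["vid.domain.com", "admin-vid.domain.com"], SAN))
print(pem_bundle_problems(PEM))
```

An empty list from both calls means the certificate and bundle satisfy the requirements stated above; run it against the real SAN output and PEM file before requesting licenses, since the license is bound to the certificate digest.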