Default ports in Smart ID
This article is valid for Smart ID 21.04 and later.
This article describes the default ports that are used in a Smart ID deployment.
All components except Digital Access sit behind a Traefik ingress/reverse proxy by default. In the table, the External Listening Port is the port a client connects to and the one to allow in a perimeter firewall; the Internal Listening Port is the port the component itself listens on behind the proxy (or inside the cluster) and should not be reachable directly from outside.
Firewall Interface | From | To main component | To subcomponent | External Listening Port | Internal Listening Port | Protocol and Comment |
---|---|---|---|---|---|---|
External | User client | Identity Manager | Operator | TCP 443 | TCP 7071 | External TLS communication from a user client to Identity Manager Operator. |
External | User client | Identity Manager | Self-Service | TCP 443 | TCP 7072 | External TLS communication from a user client to Smart ID Self-Service. |
External | User client | Identity Manager | Admin | TCP 8443 | TCP 7073 | External TLS communication from a user client to Identity Manager Admin. |
External | User client | Identity Manager | Tenant | TCP 8443 | TCP 7074 | External TLS communication from a user client to Identity Manager Tenant. |
External | User client | Physical Access | Admin | TCP 443 | - | TLS communication with Physical Access Admin. |
External | RabbitMQ | Physical Access | - | TCP 5672 and 15672 | - | External communication between Physical Access and RabbitMQ. These port numbers can NOT be changed. |
Internal | SCIM API | Physical Access | - | - | TCP 90 | Internal communication between Physical Access and SCIM API. This port number can be changed. |
External | Physical Access | SiPass PACS server | SiPass connector | - | TCP 8745 | External communication with Physical Access connector server. |
External | Digital Access or Identity Manager Operator | Messaging | Hermod | TCP 443 | TCP 20400 | TLS communication with Smart ID Messaging (Hermod). |
External | Administrator client | Digital Access | Administration service | TCP 8443 | - | External communication from an administrator client to the Administration service for configuration work on Hybrid Access Gateway (Digital Access). The port can be published as a web resource and therefore routed through the Access point over port 443. |
External | User client, Nexus Access Client | Digital Access | Access point | TCP 443 | TCP 10443 | External communication between the user client/Nexus Access Client and the Access point over TLS. Since the Access point serves as a reverse proxy, all communication to resources is tunneled over this TLS connection. |
Internal and external | Third party service and Access point | Digital Access | Policy service | TCP 4443 | TCP 4443 | Internal and external communication to the web service (XPI) interface of Hybrid Access Gateway. This communication needs to be enabled within the Policy service (Manage Systems > Policy Service). The port can be set up as web resource and therefore routed through the Access point over port 443. The Access point talks to the Policy service over port 4443 when using, for example, /me API (loading desktop list of available resources). |
Internal and external | User client and Access point | Digital Access | Distribution service | TCP 9443 | TCP 9443 | Internal or external communication from the Access point and any user client to the Distribution service to access the Image API. This is required to receive images the user must compare during Personal Mobile and Personal Desktop authentication. This communication needs to be enabled within the Distribution service (Manage Systems > Distribution Service). The port can be set up as web resource and therefore routed through the Access point over port 443. |
Internal or external | Admin service, Policy service and Authentication service | Digital Access | (Internal) database | TCP 5432 or TCP [port for external database] | TCP 5432 or TCP [port for external database] | Internal or external communication from the Administration service, Policy service and Authentication service to the Postgres database. Port 5432 is not required if an external database is used (for example, in an HA scenario); in that case, the port of the external database must be opened instead. |
Internal and external | Policy service and RADIUS clients | Digital Access | Authentication service | UDP 18118 - 18126 | UDP 18118 - 18126 | Internal and external communication between the Policy service and any RADIUS client to the Authentication service to verify an authentication attempt over RADIUS protocol. Third party RADIUS clients can ask the Authentication service for authentication if the corresponding authentication method is based on RADIUS, such as Password, OATH, Synchronized etc. |
Internal | All services | Digital Access | Administration service | - | TCP 8300 | Internal communication between all services and the Administration service over the proprietary LCP protocol. |
Internal | Access point | Digital Access | Policy service | - | TCP 8301 | Internal communication between the Access point and the Policy service over the proprietary LCP protocol. |
Internal | Distribution service | Digital Access | Policy service | - | TCP 8301 | Internal communication between the Distribution service and the Policy service over the proprietary LCP protocol. This connection is used only for the short URL feature. |
Internal | Policy service and Distribution service | Digital Access | Authentication service | - | TCP 8302 | Internal communication from the Policy service and the Distribution service to the Authentication service over the proprietary LCP protocol. |
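The table is also a checkable policy: every port in the Internal Listening Port column that is not also an external port (the Identity Manager container ports 7071 to 7074, Hermod 20400, the Access point's 10443, the LCP ports 8300 to 8302) must not answer from outside, because reaching it directly bypasses the proxy or exposes an internal protocol. The script below is an added example, not Nexus documentation or code: it parses a constructed excerpt of the rows above (seven columns in the documented order, the misaligned rows normalised by hand), expands port cells such as `TCP 5672 and 15672` and `UDP 18118 - 18126`, derives an allow-list and an internal-only list, and diffs them against a constructed external scan result. The scan result and the short comments in the excerpt are made up for the example.

```python
"""Derive a port-exposure policy from the Smart ID default-port table and audit
an external scan against it. Added example; not Nexus documentation or code."""
import re
from dataclasses import dataclass

# Constructed excerpt of the table above: one markdown row per line, seven
# columns in the documented order. Comments are shortened for the example.
PORT_TABLE = """\
External | User client | Identity Manager | Operator | TCP 443 | TCP 7071 | TLS to IdM Operator
External | User client | Identity Manager | Admin | TCP 8443 | TCP 7073 | TLS to IdM Admin
External | RabbitMQ | Physical Access | - | TCP 5672 and 15672 | - | Fixed port numbers
Internal | SCIM API | Physical Access | - | - | TCP 90 | Internal only
External | Digital Access or Identity Manager Operator | Messaging | Hermod | TCP 443 | TCP 20400 | TLS to Hermod
External | User client, Nexus Access Client | Digital Access | Access point | TCP 443 | TCP 10443 | Reverse proxy
Internal or external | Admin service, Policy service and Authentication service | Digital Access | (Internal) database | TCP 5432 TCP [port for external database] | TCP 5432 TCP [port for external database] | Postgres
Internal and external | Policy service and RADIUS clients | Digital Access | Authentication service | UDP 18118 - 18126 | UDP 18118 - 18126 | RADIUS
Internal | All services | Digital Access | Administration service | - | TCP 8300 | LCP
Internal | Access point | Digital Access | Policy service | - | TCP 8301 | LCP
"""

Port = tuple[str, int]  # (protocol, port number)

# Tokens inside a port cell: a protocol keyword, a "lo - hi" range, or one number.
_TOKEN = re.compile(r"(?P<proto>TCP|UDP)|(?P<lo>\d+)\s*-\s*(?P<hi>\d+)|(?P<one>\d+)")


def parse_port_cell(cell: str) -> set[Port]:
    """Expand a cell such as 'TCP 5672 and 15672' or 'UDP 18118 - 18126'.
    Placeholders like '[port for external database]' carry no digits and are skipped."""
    ports: set[Port] = set()
    proto = None
    for m in _TOKEN.finditer(cell):
        if m.group("proto"):
            proto = m.group("proto")
        elif proto is None:
            continue  # number before any protocol keyword: ignore
        elif m.group("lo"):
            ports.update((proto, p) for p in range(int(m.group("lo")), int(m.group("hi")) + 1))
        else:
            ports.add((proto, int(m.group("one"))))
    return ports


@dataclass(frozen=True)
class PortRule:
    interface: str
    source: str
    component: str
    subcomponent: str
    external: frozenset[Port]
    internal: frozenset[Port]


def parse_table(text: str) -> list[PortRule]:
    """Parse markdown table rows (seven columns); blank and separator rows are skipped."""
    rules = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 7 or set(cells[0]) <= {"-"}:
            continue
        rules.append(PortRule(cells[0], cells[1], cells[2], cells[3],
                              frozenset(parse_port_cell(cells[4])),
                              frozenset(parse_port_cell(cells[5]))))
    return rules


def exposure_policy(rules: list[PortRule]) -> tuple[set[Port], set[Port]]:
    """Return (allowed, internal_only): ports listed as external, and internal
    listening ports that never appear as external and so must not be reachable."""
    allowed = set().union(*(r.external for r in rules))
    internal_only = set().union(*(r.internal for r in rules)) - allowed
    return allowed, internal_only


def audit(rules: list[PortRule], observed: set[Port]) -> dict[str, set[Port]]:
    """Diff ports seen open from outside (e.g. an nmap result) against the policy."""
    allowed, internal_only = exposure_policy(rules)
    return {
        "internal_exposed": observed & internal_only,       # proxy bypass or LCP leak: fix first
        "unexpected": observed - allowed - internal_only,   # not in the table at all
        "missing": allowed - observed,                      # filtered, or not deployed
    }


# Constructed scan of the public address: the two proxied HTTPS ports plus three
# ports that should not answer from outside.
OBSERVED_SCAN = {("TCP", 443), ("TCP", 8443), ("TCP", 7073), ("TCP", 8300), ("TCP", 22)}

if __name__ == "__main__":
    for finding, ports in audit(parse_table(PORT_TABLE), OBSERVED_SCAN).items():
        print(f"{finding}: {sorted(ports)}")
```

Run against the excerpt, the audit reports 7073 (Identity Manager Admin behind Traefik) and 8300 (LCP) as internal ports exposed, and 22 as a port the table does not account for. The allow-list is derived mechanically, so rows marked "Internal or external", such as the Postgres row, still need judgment: 5432 appears in the External Listening Port column because the database may sit on another host, not because it belongs on an internet-facing firewall.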