Skip to main content
Skip table of contents

Default ports in Smart ID

This article is valid for Smart ID 21.04 and later.

This article describes the default ports that are used in a Smart ID deployment

All components except Digital Access are behind an ingress/proxy Traefik by default.

Firewall Interface

From

To main component

To subcomponent

External Listening Port

Internal Listening Port

Protocol and Comment

External

User client

Identity Manager

Operator

TCP 443

TCP 7071

External TLS communication between a user client to Identity Manager Operator. 

External

User client

Identity Manager

Self-Service

TCP 443

TCP 7072

External TLS communication between a user client to Smart ID Self-Service. 

External

User client

Identity Manager

Admin

TCP 8443

TCP 7073

External TLS communication between a user client to the Identity Manager Admin. 

External

User client

Identity Manager

Tenant

TCP 8443

TCP 7074

External TLS communication between a user client to the Identity Manager Tenant. 

External 

User client

Physical Access

Admin

TCP 443

-

TLS communication with Physical Access Admin.

External

RabbitMQ

Physical Access


TCP 5672 and 15672

-

External communication between Physical Access and RabbitMQ.

These port numbers can NOT be changed.

Internal

SCIM API

Physical Access


-

TCP 90

Internal communication between Physical Access and SCIM API.

This port number can be changed.

External

Physical Access

SiPass PACS server

SiPass connector

-

TCP 8745

External communication with Physical Access connector server.

External

Digital Access or Identity Manager Operator

Messaging

Hermod

TCP 443

TCP 20400

TLS communication with Smart ID Messaging (Hermod).

External

Administrator client

Digital Access

Administration service

TCP 8443

-

External communication between an administrator client to Authentication service for configuration work on Hybrid Access Gateway. The port can be set up as web resource and therefore routed through the Access Point over port 443.

External

User client, Nexus Access Client

Digital Access

Access point

TCP 443

TCP 10443

External communication between the user client/Nexus Access Client and the Access point over SSL. Since the Access point serves as a reverse proxy, all communication to resources is tunneled over the SSL communication.

Internal and external

Third party service and Access point

Digital Access

Policy service

TCP 4443

TCP 4443

Internal and external communication to the web service (XPI) interface of Hybrid Access Gateway. This communication needs to be enabled within the Policy service (Manage Systems > Policy Service). The port can be set up as web resource and therefore routed through the Access point over port 443. The Access point talks to the Policy service over port 4443 when using, for example, /me API (loading desktop list of available resources).

Internal and external

User client and Access point

Digital Access

Distribution service

TCP 9443

TCP 9443

Internal or external communication from the Access point and any user client to the Distribution service to access the Image API. This is required to receive images the user must compare during Personal Mobile and Personal Desktop authentication. This communication needs to be enabled within the Distribution service (Manage Systems > Distribution Service). The port can be set up as web resource and therefore routed through the Access point over port 443.

Internal or external

Admin service, Policy service and Authentication service

Digital Access

(Internal) database

TCP 5432

TCP [port for external database]

TCP 5432

TCP [port for external database]

Internal or external communication between Administration service, Policy service and Authentication service to the internal Postgres database. These ports are not required if an external database is used (for example, in HA scenario). In this case, the port of the external database must be opened.

Internal and external

Policy service and RADIUS clients

Digital Access

Authentication service

UDP 18118 - 18126

UDP 18118 - 18126

Internal and external communication between the Policy service and any RADIUS client to the Authentication service to verify an authentication attempt over RADIUS protocol. Third party RADIUS clients can ask the Authentication service for authentication if the corresponding authentication method is based on RADIUS, such as Password, OATH, Synchronized etc.

Internal

All services

Digital Access

Administration service

-

TCP 8300

Internal communication between all services and the Administration service over proprietary LCP protocol.

Internal

Access point

Digital Access

Policy service

-

TCP 8301

Internal communication between the Access point and Policy service over proprietary LCP protocol.

Internal

Distribution service

Digital Access

Policy service

-

TCP 8301

Internal communication between the Distribution service and Policy service over proprietary LCP protocol. This connection is used only in regards of the short URL feature.

Internal

Policy service and Distribution service

Digital Access

Authentication service

-

TCP 8302

Internal communication between the Policy service and the Distribution service to the Authentication service over proprietary LCP protocol.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.