For basic PPM (Privileged Password Management) functionality when changing an OS account password, the following ports are required:
Windows Active Dir: TCP/389, TCP/445
Windows, Windows Desktop: TCP/445
If TPAM is doing any of the following:
- Managing service account passwords ("Change password for Windows Service started by this account" ticked)
- Managing scheduled task passwords ("Change password for Scheduled Tasks started by this account" ticked)
- Restarting a service ("Automatically restart such Services" ticked)
- Using Account Discovery on the target
- Using Event Capture on PSM (Privileged Session Manager) sessions
then, on any Windows machine (whether a dependent system or a normal target platform), TPAM also uses WMI (Windows Management Instrumentation), which needs the additional ports below.
WMI/DCOM from the DPA/TPAM appliance needs access to TCP/135 (the RPC endpoint mapper) on the target to initiate communication. The subsequent conversation then continues on a dynamically assigned port from the target's RPC dynamic port range.
On Windows Server 2003 and Windows XP this range is 1025-5000; on Windows 7, Windows Server 2008 and later it is 49152-65535. Unless the range is restricted, the whole range must be allowed through the firewall from the appliance.
To limit the ports that WMI/DCOM can use, refer to the Microsoft KB article "How to configure RPC dynamic port allocation to work with firewalls", or to the MSDN document "Setting Up a Fixed Port for WMI".
For Windows Active Dir, if using Account Discovery or Auto Discovery, a CLDAP ping on UDP/389 is also required.
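The following PowerShell script is an added example, not part of this KB article and not One Identity/Quest code. Run as an administrator on a Windows target managed by TPAM/DPA, it creates inbound firewall rules for the ports listed above, scoped to the appliance addresses only, and can either open the host's actual RPC dynamic port range or pin WMI to the fixed port TCP/24158 using the winmgmt -standalonehost procedure from the Microsoft "Setting Up a Fixed Port for WMI" document. The appliance addresses, the rule-name prefix and the -IsDomainController / -FixedWmiPort switches are assumptions for the example.

```powershell
<#
  Added example (not from the KB or from One Identity/Quest). Assumed values:
  the TPAM/DPA addresses, the "TPAM-" rule prefix and the two switches below.
  Requires the NetSecurity module (Windows 8 / Server 2012 and later) and admin rights.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumed appliance addresses; replace with your DPA/TPAM IPs.
    [string[]]$TpamAddresses = @('10.0.0.10', '10.0.0.11'),
    # Set on an AD domain controller: adds LDAP TCP/389 and the CLDAP ping on UDP/389.
    [switch]$IsDomainController,
    # Pin WMI to TCP/24158 instead of opening the RPC dynamic range.
    [switch]$FixedWmiPort
)

$ErrorActionPreference = 'Stop'
$prefix = 'TPAM-'   # assumed prefix so the rules are easy to audit and remove later

# Ports from the KB: SMB for the password change, RPC endpoint mapper for WMI/DCOM.
$rules = @(
    @{ Name = 'SMB';     Protocol = 'TCP'; Port = 445 },
    @{ Name = 'RPC-EPM'; Protocol = 'TCP'; Port = 135 }
)
if ($IsDomainController) {
    $rules += @{ Name = 'LDAP';  Protocol = 'TCP'; Port = 389 }
    $rules += @{ Name = 'CLDAP'; Protocol = 'UDP'; Port = 389 }   # Account/Auto Discovery ping
}

if ($FixedWmiPort) {
    # Move WMI out of the shared svchost so DCOM answers on TCP/24158 (Microsoft's
    # documented default fixed port). Revert later with: winmgmt.exe -sharedhost
    & winmgmt.exe -standalonehost
    Restart-Service winmgmt -Force
    $rules += @{ Name = 'WMI-Fixed'; Protocol = 'TCP'; Port = 24158 }
} else {
    # Otherwise the DCOM conversation lands in the OS dynamic range. Read the range
    # the host actually uses rather than hard-coding 49152-65535, in case it was
    # restricted per the Microsoft KB referenced above.
    $range = (& netsh.exe int ipv4 show dynamicport tcp) -join ' '
    if ($range -match 'Start Port\s*:\s*(\d+).*Number of Ports\s*:\s*(\d+)') {
        $start = [int]$Matches[1]
        $end   = $start + [int]$Matches[2] - 1
        $rules += @{ Name = 'RPC-Dynamic'; Protocol = 'TCP'; Port = "$start-$end" }
    } else {
        throw 'Could not determine the RPC dynamic port range; check netsh output.'
    }
}

foreach ($r in $rules) {
    $name = "$prefix$($r.Name)"
    # Remove any earlier rule of the same name so the script can be re-run safely.
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    if ($PSCmdlet.ShouldProcess($name, "allow $($r.Protocol)/$($r.Port) from $($TpamAddresses -join ',')")) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
            -Protocol $r.Protocol -LocalPort $r.Port -RemoteAddress $TpamAddresses `
            -Profile Any | Out-Null
    }
}

# Print the resulting rules for the change record.
Get-NetFirewallRule -DisplayName "$prefix*" | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{ Rule = $_.DisplayName; Protocol = $pf.Protocol; LocalPort = $pf.LocalPort }
}
```

Use -WhatIf first to see the rules that would be created. Scoping -RemoteAddress to the appliance is the point of the exercise: TCP/135 plus an open dynamic range reachable from anywhere is a much larger exposure than the KB's port list suggests, and the fixed-port option reduces it to a single extra TCP port. If the Windows Firewall on the target is managed by Group Policy, create the equivalent rules in the GPO instead, since local rules may be overridden.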