Cloud Identity Engine System Requirements
System requirements for the Cloud Identity Engine.
Cloud Identity Agent Host System Requirements
You must disable SSL Decryption on the firewall for traffic to or from the agent host.
- Windows Server 2012, 2012 R2, 2016, or 2019.
- 10 GB or more of hard drive space (or space equivalent to the amount of data fetched from the Active Directory).
- 8 GB or more of RAM.
- Administrator privileges to install the agent, configure it, and import the certificate you generate in the Cloud Identity Engine app.
- A service account with permissions to execute LDAP queries against the domains where you want to collect attributes.
- Access to OCSP on port 80 for server certificate verification.
- Network connectivity to the domain controller and the Cloud Identity Engine app.
- TLS 1.2 to allow traffic from the agent host to the Cloud Identity Engine app.
- The required cipher suites for the agent.
- Access to the following TCP ports from the agent host:
  - Port 80 (TCP): Port the agent uses for server certificate verification.
  - Port 443 (SSL): Default port the agent uses to connect to the Cloud Identity Engine.
  - Port 636 (LDAPS): Port the agent uses when you select LDAPS as the secure protocol for communication between the agent and your Active Directory.
  - Port 389 (LDAP or LDAP with STARTTLS): Port the agent uses when you select LDAP or LDAP with STARTTLS for communication between the agent and your Active Directory.
If you use LDAP without STARTTLS, communication between the agent and the Active Directory is not encrypted.
When you configure the Active Directory in the Cloud Identity agent, do not configure the agent to use the Global Catalog port (3268 for LDAP or 3269 for LDAPS).
If you are also using the Terminal Server (TS) agent, we recommend that you do not install the Cloud Identity agent on the same host as the TS agent. If you must install both agents on the same host, you must change the default listening port on the TS agent.
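The port, protocol and decryption requirements above can be checked on the agent host before the agent is installed. The following PowerShell script is an added example and is not part of the Palo Alto Networks documentation or the agent itself. The host names `$CieHost`, `$DcHost` and `$OcspHost` are placeholders: the Cloud Identity Engine endpoint for your tenant, the domain controller the agent will query, and the OCSP responder named in the server certificate's AIA extension. It tests reachability of each destination port in the table, refuses the Global Catalog ports, warns when plain LDAP is chosen, and completes a TLS 1.2 handshake to the Cloud Identity Engine with revocation checking on (which exercises the OCSP path on port 80). The issuer it prints should be the public CA that issued the service certificate; a firewall decryption CA there means SSL Decryption is still applied to this host.

```powershell
# Added example, not from the Palo Alto Networks documentation: pre-flight checks
# to run on the Cloud Identity agent host before installing the agent.
# Placeholders to replace: $CieHost (your tenant's Cloud Identity Engine endpoint),
# $DcHost (the domain controller the agent will query) and $OcspHost (the OCSP
# responder named in the AIA extension of the Cloud Identity Engine server certificate).
param(
    [string]$CieHost  = 'cie.example.invalid',        # placeholder
    [string]$DcHost   = 'dc01.corp.example.invalid',  # placeholder
    [string]$OcspHost = 'ocsp.example.invalid',       # placeholder
    [ValidateSet('LDAPS', 'STARTTLS', 'LDAP')]
    [string]$LdapMode = 'LDAPS',
    [int]$LdapPort    = 636
)

function Test-RequiredPort {
    param([string]$Target, [int]$Port, [string]$Purpose)
    $ok = (Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue).TcpTestSucceeded
    [pscustomobject]@{ Target = $Target; Port = $Port; Purpose = $Purpose; Reachable = [bool]$ok }
}

# The agent must not be pointed at the Global Catalog ports (3268/3269).
if ($LdapPort -in 3268, 3269) {
    Write-Warning "Port $LdapPort is a Global Catalog port; configure the agent with 389 or 636 instead."
}
# LDAP without STARTTLS leaves agent-to-directory traffic unencrypted.
if ($LdapMode -eq 'LDAP') {
    Write-Warning 'LDAP without STARTTLS sends directory queries in cleartext; prefer LDAPS or STARTTLS.'
}

# Reachability of every destination port in the requirements table.
$ports = @(
    Test-RequiredPort -Target $OcspHost -Port 80        -Purpose 'OCSP (server certificate verification)'
    Test-RequiredPort -Target $CieHost  -Port 443       -Purpose 'Agent to Cloud Identity Engine'
    Test-RequiredPort -Target $DcHost   -Port $LdapPort -Purpose "Agent to Active Directory ($LdapMode)"
)
$ports | Format-Table -AutoSize

# TLS 1.2 handshake to the Cloud Identity Engine with revocation checking enabled,
# which exercises the OCSP path. The certificate issuer the host sees should be the
# public CA, not a firewall decryption CA: SSL Decryption must be off for this host.
function Test-CieTls {
    param([string]$TargetHost)
    $client = New-Object System.Net.Sockets.TcpClient($TargetHost, 443)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($TargetHost, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $true)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Protocol = $ssl.SslProtocol
            Cipher   = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            Expires  = $cert.NotAfter
        }
    } finally {
        $client.Close()
    }
}

try   { Test-CieTls -TargetHost $CieHost | Format-List }
catch { Write-Warning "TLS 1.2 handshake to $CieHost failed: $($_.Exception.Message)" }
```

Run it from an elevated PowerShell session on the agent host (`.\Test-CieAgentHost.ps1 -CieHost <endpoint> -DcHost <dc> -LdapMode LDAPS -LdapPort 636`). A failed port test points at a firewall rule; a failed handshake with a revocation error points at the OCSP requirement; an unexpected issuer points at SSL Decryption.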
Smart Card Requirements
The Cloud Identity Engine, when integrated with GlobalProtect, supports certificate-based two-factor authentication using smart cards that meet the following requirements:
- Windows 10 or later versions
- macOS X or later versions
- Firefox, Chrome, or Safari
If you are not using a smart card, you must import the certificate to the system level for certificate-based authentication.
Directory System Requirements
Verify that you have enabled TLS 1.1 or TLS 1.2. Directory Sync Service requires one of these protocols, which are disabled by default on Windows Server 2012. We strongly recommend using TLS 1.3. If you are using Windows Server 2012, install the required update to enable TLS 1.1 or TLS 1.2.
An on-premises Windows server running Active Directory. Use one of the following:
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
If you select a secure LDAP protocol (LDAPS or LDAP with STARTTLS) for the communication between the agent and the Active Directory, verify that the protocol is enabled on your Active Directory. For more information, refer to Microsoft support.
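The two directory-side checks in this section (TLS 1.1 or TLS 1.2 enabled in Schannel, and the chosen secure LDAP transport actually working) can be verified on the domain controller with the following script. It is an added example, not part of the Palo Alto Networks documentation or of Windows; `$DcHost` is a placeholder for the server's own FQDN and must match the name in its certificate. The Schannel state is read from the standard `SCHANNEL\Protocols\<version>\Server` override keys (no key means the OS default applies), the optional `-EnableTls12` switch writes the usual override values (a reboot is needed afterwards), and the transport tests perform a real TLS handshake on 636 and a real STARTTLS upgrade on 389.

```powershell
# Added example, not from the Palo Alto Networks documentation: run on the
# on-premises Active Directory server to confirm the Schannel protocol state that
# Directory Sync Service depends on, and that the LDAP transport chosen for the agent
# (LDAPS on 636 or STARTTLS on 389) completes a TLS handshake.
# $DcHost is a placeholder for the server's own FQDN (must match its certificate).
param(
    [string]$DcHost = 'dc01.corp.example.invalid',  # placeholder
    [switch]$EnableTls12                            # write the TLS 1.2 Schannel override keys
)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Schannel reads Enabled/DisabledByDefault under Protocols\<version>\Server.
function Get-SchannelServerState {
    param([string]$Version)
    $key = Join-Path $base "$Version\Server"
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Protocol = $Version; State = 'OS default (no override key)' }
    }
    $p  = Get-ItemProperty -Path $key
    $on = ($p.Enabled -ne 0) -and ($p.DisabledByDefault -ne 1)
    [pscustomobject]@{ Protocol = $Version; State = $(if ($on) { 'Enabled' } else { 'Disabled' }) }
}

'TLS 1.1', 'TLS 1.2' | ForEach-Object { Get-SchannelServerState -Version $_ } | Format-Table -AutoSize

if ($EnableTls12) {
    # Standard Schannel override for both directions; takes effect after a reboot.
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $base "TLS 1.2\$side"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name Enabled           -Value 1 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -Value 0 -PropertyType DWord -Force | Out-Null
    }
    Write-Host 'TLS 1.2 override keys written; reboot the server to apply them.'
}

# LDAPS: TLS from the first byte on port 636; reports the negotiated protocol and the
# certificate the DC presents, so an expired or wrongly named certificate shows up here.
function Test-Ldaps {
    param([string]$TargetHost)
    $client = New-Object System.Net.Sockets.TcpClient($TargetHost, 636)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($TargetHost)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Transport   = 'LDAPS/636'
            Protocol    = $ssl.SslProtocol
            CertSubject = $cert.Subject
            CertExpires = $cert.NotAfter
        }
    } finally { $client.Close() }
}

# STARTTLS: plain LDAP on 389 upgraded to TLS by the StartTLS extended operation.
# StartTransportLayerSecurity throws if the DC refuses the upgrade.
function Test-LdapStartTls {
    param([string]$TargetHost)
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection("${TargetHost}:389")
    try {
        $conn.SessionOptions.ProtocolVersion = 3
        $conn.SessionOptions.StartTransportLayerSecurity($null)
        [pscustomobject]@{ Transport = 'STARTTLS/389'; Upgraded = $true }
    } finally { $conn.Dispose() }
}

foreach ($check in @({ Test-Ldaps -TargetHost $DcHost }, { Test-LdapStartTls -TargetHost $DcHost })) {
    try   { & $check | Format-List }
    catch { Write-Warning $_.Exception.Message }
}
```

Run it in an elevated session on the domain controller; the registry read and the two handshake tests are non-destructive, and only `-EnableTls12` changes anything. A DC that answers on 636 but fails the STARTTLS upgrade (or the reverse) tells you which transport option to select in the agent.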
Azure Active Directory System Requirements
Administrator privileges to the Azure Active Directory to grant the following permissions for the Cloud Identity Engine:
- Read your organization’s directory data.
- Maintain access to the directory data.
- View user email addresses.
- Sign users in to see basic user profile information.
Okta Directory System Requirements
Read Only Administrator privileges to the Okta Directory to grant the following permissions for the Cloud Identity Engine:
- Allow the app to manage authorization servers.
- Allow the app to read information about groups and their members in your Okta organization.
- Allow the app to read information about System Log entries in your Okta organization.
- Allow the app to read any user's profile and credential information.
- Allow the app to read the currently signed-in user's profile and credential information.
Google Cloud Identity System Requirements
Administrator privileges to Google Cloud Identity to grant the following permissions for the Cloud Identity Engine:
- Admin console privileges
  - Organizational Units > Read
  - Users > Read
  - Services > Mobile Device Management > Manage Devices and Settings
  - Services > Chrome Management > Settings > Manage Chrome OS > Devices > Manage Chrome OS Devices (read only)
  - Domain Settings
- Admin API privileges
  - Organization Units > Read
  - Users > Read
  - Groups > Create
  - Groups > Read
  - Groups > Update
  - Groups > Delete
  - Billing Management > Billing Read
  - Domain Management
Regional Data Storage Requirements
The Cloud Identity Engine stores your directory data in a secure cloud-based infrastructure. The Cloud Identity Engine is hosted on Google Cloud Platform and data is stored in Mongo DB Atlas in the region you select. You can select one of the following regions for each Cloud Identity Engine instance:
- United States (US)
- European Union (EU)
- United Kingdom (UK)
- Singapore (SG)
- Canada (CA)
- Japan (JP)
- Australia (AU)
- Germany (DE)
- United States - Government
- India (IN)
If you authorize an application in a region other than the region of your Cloud Identity Engine instance, the Cloud Identity Engine transfers the directory data that the application needs to that region. For example, if you authorize an application running outside the EU, that application can access Cloud Identity Engine data stored in the EU. You can associate some applications, such as Cortex XDR, only with a Cloud Identity Engine instance in the same region as the application. To check the status of the Cloud Identity Engine, refer to https://status.paloaltonetworks.com.