Cloud Identity Engine System Requirements

System requirements for the Cloud Identity Engine.

Cloud Identity Agent Host System Requirements

You must disable SSL Decryption on the firewall for traffic to or from the agent host.
  • Windows Server 2012, 2012 R2, 2016, or 2019.
  • 10 GB or more of hard drive space (or space equivalent to the amount of data fetched from the Active Directory).
  • 8 GB or more of RAM.
  • Administrator privileges to install the agent, configure it, and import the certificate you generate in the Cloud Identity Engine app.
  • A service account with permissions to execute LDAP queries against the domains where you want to collect attributes.
  • Access to OCSP on port 80 for server certificate verification.
  • Network connectivity to the domain controller and the Cloud Identity Engine app.
  • TLS 1.2 to allow traffic from the agent host to the Cloud Identity Engine app.
  • The required cipher suites for the agent.
  • Access to the following TCP ports from the agent host:

    Destination Port  Protocol                    Description
    443               SSL                         Default port the agent uses to connect to the Cloud Identity Engine.
    636               LDAPS                       Port the agent uses when you select LDAPS as the secure protocol for communication between the agent and your Active Directory.
    389               LDAP or LDAP with STARTTLS  Port the agent uses when you select LDAP or LDAP with STARTTLS for communication between the agent and your Active Directory. If you use LDAP without STARTTLS, communication between the agent and the Active Directory is not encrypted.

    When you configure the Active Directory in the Cloud Identity agent, do not configure the agent to use the Global Catalog port (3268 for LDAP or 3269 for LDAPS).
    If you are also using the Terminal Server (TS) agent, we recommend that you do not install the Cloud Identity agent on the same host as the TS agent. If you must install both agents on the same host, you must change the default listening port on the TS agent.
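A prerequisite check for the agent host, added here as an example (it is not Palo Alto Networks' code): it verifies the supported Windows Server version, the 8 GB RAM and 10 GB disk minimums, that TLS 1.2 is not disabled for the SCHANNEL client, and outbound TCP reachability of the ports in the table above. The three host names are placeholders you replace with your domain controller, your Cloud Identity Engine endpoint and the OCSP responder named in the server certificate.

```powershell
# Added prerequisite check for a Cloud Identity agent host; not Palo Alto Networks' code.
# Host names below are placeholders (assumption): replace them with your DC, CIE endpoint and OCSP responder.
param(
    [string]$DomainController = 'dc01.example.invalid',
    [string]$CieHost          = 'cie.example.invalid',
    [string]$OcspHost         = 'ocsp.example.invalid'
)
$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# OS and hardware minimums from the requirements list: Server 2012/2012 R2/2016/2019, 8 GB RAM, 10 GB disk
$os = Get-CimInstance Win32_OperatingSystem
Add-Check 'Supported Windows Server' ($os.Caption -match 'Windows Server (2012|2016|2019)') $os.Caption
$ramGb = [math]::Round($os.TotalVisibleMemorySize / 1MB, 1)   # TotalVisibleMemorySize is reported in KB
Add-Check 'RAM >= 8 GB' ($ramGb -ge 8) "$ramGb GB"
$freeGb = [math]::Round((Get-PSDrive -Name $env:SystemDrive.Substring(0, 1)).Free / 1GB, 1)
Add-Check 'Free disk >= 10 GB on system drive' ($freeGb -ge 10) "$freeGb GB free"

# TLS 1.2 must not be disabled for the SCHANNEL client on the agent host.
# An absent key means the OS default applies; an explicit Enabled=0 or DisabledByDefault=1 breaks the agent connection.
$tlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$tls = Get-ItemProperty -Path $tlsKey -ErrorAction SilentlyContinue
$tlsOk = (-not $tls) -or (($tls.Enabled -ne 0) -and ($tls.DisabledByDefault -ne 1))
$tlsDetail = if ($tls) { "Enabled=$($tls.Enabled) DisabledByDefault=$($tls.DisabledByDefault)" } else { 'key absent (OS default)' }
Add-Check 'TLS 1.2 client not disabled' $tlsOk $tlsDetail

# Outbound TCP reachability for the ports in the table above (636 or 389 depending on the protocol you choose)
$ports = @(
    @{ Host = $CieHost;          Port = 443; Why = 'agent to Cloud Identity Engine' },
    @{ Host = $DomainController; Port = 636; Why = 'LDAPS to Active Directory' },
    @{ Host = $DomainController; Port = 389; Why = 'LDAP or LDAP with STARTTLS to Active Directory' },
    @{ Host = $OcspHost;         Port = 80;  Why = 'OCSP for server certificate verification' }
)
foreach ($p in $ports) {
    $t = Test-NetConnection -ComputerName $p.Host -Port $p.Port -WarningAction SilentlyContinue
    Add-Check "TCP $($p.Host):$($p.Port)" $t.TcpTestSucceeded $p.Why
}

# The Global Catalog ports must not be configured in the agent; report them so nobody picks them by mistake.
foreach ($gc in 3268, 3269) {
    $t = Test-NetConnection -ComputerName $DomainController -Port $gc -WarningAction SilentlyContinue
    if ($t.TcpTestSucceeded) { Add-Check "GC port $gc" $true 'reachable, but do not configure the agent to use it' }
}

$results | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the intended agent host; any row with Pass = False points at a requirement from the list above that still needs attention.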

Supported Directories

The Cloud Identity Engine supports the following directory types:

Active Directory System Requirements

Verify that TLS 1.1 or TLS 1.2 is enabled. The Directory Sync Service requires one of these protocols, and both are disabled by default on Windows Server 2012. We strongly recommend using TLS 1.3. If you are using Windows Server 2012, install the required update to enable TLS 1.1 or TLS 1.2.
  • An on-premises Windows server running Active Directory. Use one of the following:
    • Windows Server 2012
    • Windows Server 2012 R2
    • Windows Server 2016
    • Windows Server 2019
If you select a secure LDAP protocol for the communication between the agent and the Active Directory, verify that protocol is enabled on your Active Directory. For more information, refer to Microsoft support.

Azure Active Directory System Requirements

  • Administrator privileges to the Azure Active Directory to grant the following permissions for the Cloud Identity Engine:
    • Read your organization’s directory data.
    • Maintain access to the directory data.
    • View user email addresses.
    • Sign users in to see basic user profile information.

Okta Directory System Requirements

  • Read Only Administrator privileges to the Okta Directory to grant the following permissions for the Cloud Identity Engine:
    • Allow the app to manage authorization servers.
    • Allow the app to read information about groups and their members in your Okta organization.
    • Allow the app to read information about System Log entries in your Okta organization.
    • Allow the app to read any user's profile and credential information.
    • Allow the app to read the currently signed-in user's profile and credential information.

Cloud Identity Engine App System Requirements

Access to the Cloud Identity Engine app requires the following:

Regional Data Storage Requirements

The Cloud Identity Engine stores your directory data in a secure cloud-based infrastructure. The Cloud Identity Engine is hosted on Google Cloud Platform, and data is stored in MongoDB Atlas in the region you select. You can select one of the following regions for each Cloud Identity Engine instance:
  • United States (US)
  • European Union (EU)
  • United Kingdom (UK)
  • Singapore (SG)
  • Canada (CA)
  • Japan (JP)
  • Australia (AU)
  • Germany (DE)
  • United States - Government
  • India (IN)
If you authorize an application in a region other than the region of your Cloud Identity Engine instance, the Cloud Identity Engine transfers the directory data that the application needs to that region. For example, if you authorize an application running outside the EU, that application can access Cloud Identity Engine data stored in the EU. You can associate some applications, such as Cortex XDR, only with a Cloud Identity Engine instance in the same region as the application. To check the status of the Cloud Identity Engine, refer to https://status.paloaltonetworks.com.