Cloud Identity Engine System Requirements
System requirements for the Cloud Identity Engine.
Cloud Identity Agent Host System Requirements
You must disable SSL decryption on the firewall for traffic to or from the agent host. Decrypting that session replaces the Cloud Identity Engine's certificate with one issued by the firewall, so certificate verification on the agent fails and the agent cannot connect.
- Windows Server 2016, 2019, or 2022. Windows Server 2012 and 2012 R2 are no longer supported for Cloud Identity agent versions 1.8.2 or later.
- 10 GB or more of hard drive space (or space equivalent to the
amount of data fetched from the Active Directory).
- 8 GB or more of RAM.
- Administrator privileges to install and configure the agent and to import the certificate you generate in the Cloud Identity Engine app.
- A service account with permissions to execute LDAP queries against the domains where you want to collect attributes.
- Outbound access to the OCSP responder on TCP port 80 for server certificate verification.
- Network connectivity to the domain controller and to the Cloud Identity Engine app.
- TLS 1.2 enabled on the agent host for traffic from the agent host to the Cloud Identity Engine app.
- The cipher suites the agent requires.
- Access to the following TCP ports from the agent host:

| Destination Port | Protocol | Description |
|---|---|---|
| 80 | HTTP (OCSP) | Port the agent uses for server certificate verification. |
| 443 | TLS | Default port the agent uses to connect to the Cloud Identity Engine. |
| 636 | LDAPS | Port the agent uses when you select LDAPS as the secure protocol for communication between the agent and your directory. |
| 389 | LDAP or LDAP with STARTTLS | Port the agent uses when you select LDAP or LDAP with STARTTLS for communication between the agent and your directory. If you use LDAP without STARTTLS, communication between the agent and the directory isn't encrypted. |
When you configure the Active Directory in the Cloud Identity agent, don't configure the agent to use the Global Catalog port (3268 for LDAP or 3269 for LDAPS).
If you're also using the Terminal Server (TS) agent, we recommend that you don't install the Cloud Identity agent on the same host as the TS agent. If you must install both agents on the same host, you must change the default listening port on the TS agent.
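The following PowerShell script is an added example, not Palo Alto Networks code or part of the agent, that runs the host requirements above as pre-flight checks on a prospective agent host: TCP reachability for each destination port in the table, the cipher suites the host offers (to compare against the agent's required list), and a direct TLS 1.2-only handshake to the Cloud Identity Engine endpoint that reports the negotiated protocol and the certificate issuer, which is how you confirm the firewall is not decrypting the agent's traffic. The hostnames `dc01.corp.example`, `cie.example.com` and `ocsp.example.com` are placeholders; substitute your domain controller, the Cloud Identity Engine endpoint for your tenant, and the OCSP responder named in that endpoint's certificate.

```powershell
# Added example (not Palo Alto Networks code): pre-flight checks for a
# Cloud Identity agent host. All three hostnames are assumptions.
$DomainController = 'dc01.corp.example'   # assumption: your domain controller (not a Global Catalog port)
$CieEndpoint      = 'cie.example.com'     # assumption: Cloud Identity Engine endpoint for your tenant
$OcspResponder    = 'ocsp.example.com'    # assumption: OCSP responder from the endpoint's certificate

# 1. TCP reachability for every destination port in the requirements table.
$Targets = @(
    @{ Host = $CieEndpoint;      Port = 443; Purpose = 'agent -> Cloud Identity Engine (TLS)' }
    @{ Host = $OcspResponder;    Port = 80;  Purpose = 'OCSP server certificate verification' }
    @{ Host = $DomainController; Port = 636; Purpose = 'LDAPS to the directory' }
    @{ Host = $DomainController; Port = 389; Purpose = 'LDAP or LDAP with STARTTLS to the directory' }
)
foreach ($t in $Targets) {
    $result = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
    $state  = if ($result.TcpTestSucceeded) { 'OPEN' } else { 'BLOCKED' }
    '{0,-7} {1}:{2,-4} {3}' -f $state, $t.Host, $t.Port, $t.Purpose
}

# 2. Cipher suites this host offers. Compare the output with the suites the
#    agent requires; Get-TlsCipherSuite exists on Windows Server 2016 and later.
'--- TLS cipher suites offered by this host ---'
(Get-TlsCipherSuite | Where-Object { $_.Name -like 'TLS_*' }).Name

# 3. Handshake to the Cloud Identity Engine endpoint with TLS 1.2 only.
#    The issuer tells you whether the session is being decrypted: a certificate
#    issued by your firewall's forward-trust CA instead of a public CA means
#    SSL decryption is still applied to this traffic.
function Get-RemoteTlsInfo {
    param([string]$HostName, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept any chain here: the goal is to inspect the presented
        # certificate, not to validate it, so a decrypting firewall is visible.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $sslPolicyErrors) $true
        }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        [pscustomobject]@{
            Protocol = $ssl.SslProtocol      # must report Tls12
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer          # public CA expected; firewall CA = decryption in the path
            Expires  = $cert.NotAfter
        }
    } finally {
        $tcp.Dispose()
    }
}
Get-RemoteTlsInfo -HostName $CieEndpoint
```

If the handshake fails with TLS 1.2 as the only enabled protocol, or the issuer is your firewall's forward-trust CA rather than a public CA, fix that before installing the agent; a BLOCKED line for port 80 means OCSP verification of the server certificate will fail even though the 443 connection itself succeeds.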
Smart Card Requirements
- Windows 10 or later versions
- Mac OS X or later versions
- Firefox, Chrome, or Safari
If you aren't using a smart card, you must import the certificate into the system-level (machine) certificate store for certificate-based authentication.
Supported Directories
The Cloud Identity Engine supports the following directory types:
On-Premises Directory System Requirements
An on-premises Windows server running Active Directory or OpenLDAP. Use one of the following:
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
Windows Server 2012 and 2012 R2 are no longer supported for Cloud Identity agent versions 1.8.2 or later.
Verify that TLS 1.2 (or, at minimum, TLS 1.1) is enabled on the directory server. The Directory Sync Service requires one of these protocols, and both are disabled by default on Windows Server 2012; if you are still running Windows Server 2012, install the required update to enable them. We strongly recommend TLS 1.2 or later, because TLS 1.1 is deprecated.
If you select a secure LDAP protocol (LDAPS or LDAP with STARTTLS) for communication between the agent and the directory, verify that the protocol is enabled on your directory. For more information, refer to Microsoft support.
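As an added example (not Palo Alto Networks code), the script below verifies from the agent host that the directory actually accepts the secure protocol you intend to select and that the service account can run an LDAP query over it; run on the directory server itself, the last function reads the SCHANNEL registry values that a hardening policy uses to disable TLS 1.1 and TLS 1.2 on the server side. It uses the .NET System.DirectoryServices.Protocols API rather than the agent's own code path. The server name `dc01.corp.example` and base DN `DC=corp,DC=example` are placeholders; the service account is prompted for.

```powershell
# Added example (not Palo Alto Networks code): check LDAPS and STARTTLS
# against the directory with the agent's service account.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$Server = 'dc01.corp.example'      # assumption: a domain controller; 389/636, never 3268/3269
$BaseDn = 'DC=corp,DC=example'     # assumption: the domain you will collect attributes from
$Cred   = (Get-Credential -Message 'Cloud Identity agent service account').GetNetworkCredential()

function Test-LdapQuery {
    param(
        [string]$Server, [int]$Port, [System.Net.NetworkCredential]$Credential, [string]$BaseDn,
        [ValidateSet('LDAPS', 'STARTTLS', 'PLAIN')][string]$Mode
    )
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $Port)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id, $Credential,
                [System.DirectoryServices.Protocols.AuthType]::Basic)
    $conn.SessionOptions.ProtocolVersion = 3
    # Server certificate validation is left at its default. A failure here is a
    # real finding (DC certificate not trusted by the host); do not override it.
    try {
        switch ($Mode) {
            'LDAPS'    { $conn.SessionOptions.SecureSocketLayer = $true }            # TLS from the first byte on 636
            'STARTTLS' { $conn.SessionOptions.StartTransportLayerSecurity($null) }  # upgrade 389 before the bind
            'PLAIN'    {
                # A simple bind over plain LDAP sends the service account password in cleartext.
                throw 'Refusing to bind with a password over unencrypted LDAP; select LDAPS or STARTTLS.'
            }
        }
        $conn.Bind()   # throws if the protocol is disabled on the directory or the account is invalid

        # Prove the account may query: look up its own object. The username is
        # the operator's own input here, so it is not LDAP-filter escaped.
        $u      = $Credential.UserName
        $filter = "(|(sAMAccountName=$u)(userPrincipalName=$u))"
        $req    = [System.DirectoryServices.Protocols.SearchRequest]::new(
                      $BaseDn, $filter,
                      [System.DirectoryServices.Protocols.SearchScope]::Subtree, 'distinguishedName')
        $resp   = $conn.SendRequest($req)
        [pscustomobject]@{ Mode = $Mode; Port = $Port; Result = 'OK'; Entries = $resp.Entries.Count; Error = '' }
    } catch {
        [pscustomobject]@{ Mode = $Mode; Port = $Port; Result = 'FAIL'; Entries = 0; Error = $_.Exception.Message }
    } finally {
        $conn.Dispose()
    }
}

Test-LdapQuery -Server $Server -Port 636 -Credential $Cred -BaseDn $BaseDn -Mode LDAPS
Test-LdapQuery -Server $Server -Port 389 -Credential $Cred -BaseDn $BaseDn -Mode STARTTLS
Test-LdapQuery -Server $Server -Port 389 -Credential $Cred -BaseDn $BaseDn -Mode PLAIN   # always refused

# Run on the directory server: SCHANNEL server-side protocol state. An absent
# key means the operating system default applies; Enabled=0 or
# DisabledByDefault=1 means a policy has turned the protocol off.
function Get-SchannelServerProtocolState {
    foreach ($proto in 'TLS 1.1', 'TLS 1.2') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$proto\Server"
        if (-not (Test-Path $key)) { "$proto server: no registry override (OS default)"; continue }
        $v = Get-ItemProperty -Path $key
        $disabled = ($v.Enabled -eq 0) -or ($v.DisabledByDefault -eq 1)
        "$proto server: " + $(if ($disabled) { 'DISABLED by policy' } else { 'enabled' })
    }
}
Get-SchannelServerProtocolState
```

A FAIL for LDAPS or STARTTLS with an OK bind on the other means the directory has only one secure protocol enabled; select that one in the agent or enable the other on the directory. An Entries count of 0 with Result OK means the bind succeeded but the account cannot read its own object under the base DN, so it will not be able to collect attributes either.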
Azure Active Directory System Requirements
Administrator privileges to the Azure Active Directory to grant the following permissions for the Cloud Identity Engine:
- Read your organization's directory data.
- Maintain access to the directory data.
- View user email addresses.
- Sign users in to see basic user profile information.
Okta Directory System Requirements
Read-Only Administrator privileges to the Okta Directory to grant the following permissions for the Cloud Identity Engine:
- Allow the app to manage authorization servers.
- Allow the app to read information about groups and their members in your Okta organization.
- Allow the app to read information about System Log entries in your Okta organization.
- Allow the app to read any user's profile and credential information.
- Allow the app to read the currently signed-in user's profile and credential information.
Google Cloud Identity
Administrator privileges to Google Cloud Identity to grant the following permissions for the Cloud Identity Engine:
- Admin console privileges
  - Organizational Units > Read
  - Users > Read
  - Groups
  - Services > Mobile Device Management > Manage Devices and Settings
  - Services > Chrome Management > Settings > Manage Chrome OS > Devices > Manage Chrome OS Devices (read only)
  - Domain Settings
- Admin API privileges
  - Organization Units > Read
  - Users > Read
  - Groups
    - Groups > Create
    - Groups > Read
    - Groups > Update
    - Groups > Delete
  - Billing Management > Billing Read
  - Domain Management
Cloud Identity Engine App System Requirements
Access to the Cloud Identity Engine app requires the following:
Regional Data Storage Requirements
The Cloud Identity Engine stores your directory data in a secure cloud-based infrastructure. The Cloud Identity Engine is hosted on Google Cloud Platform, and data is stored in MongoDB Atlas in the region you select. You can select one of the following regions for each Cloud Identity Engine instance:
If you authorize an application in a region other than the region of your Cloud Identity Engine instance, the Cloud Identity Engine transfers the directory data that the application needs to that region. For example, if you authorize an application running outside the EU, that application can access Cloud Identity Engine data stored in the EU. You can associate some applications, such as Cortex XDR, only with a Cloud Identity Engine instance in the same region as the application. To check the status of the Cloud Identity Engine, refer to https://status.paloaltonetworks.com.