Encryption and Ports in Bomgar Privileged Access (Cloud)
Bomgar can be configured to enforce SSL/TLS for every connection made to the site, and it requires that the certificate used to protect the transport is valid; a connection whose certificate does not validate is not accepted.
Bomgar can generate certificate signing requests (CSRs) natively. TLSv1 and TLSv1.1 can each be disabled through configuration; TLSv1.2 is always enabled because the software requires it to operate. The available cipher suites can be enabled, disabled, and reordered to match your organization's policy.
The Bomgar software itself is built uniquely for each customer. As part of that build, an encrypted license file is generated that contains the site's Domain Name System (DNS) name and its SSL certificate. The Bomgar client uses that certificate to validate the connection it makes to the Cloud site, so the expected certificate travels with the client rather than being learned at connection time.
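After changing the TLS version or cipher settings described above, a practitioner wants to confirm from the outside that the site really refuses TLSv1 and TLSv1.1, still accepts TLSv1.2, presents a certificate that validates, and (optionally) presents the leaf certificate the client is expected to trust. The script below is an added example written for this page; it is not Bomgar's code and does not use any Bomgar API. The hostname, port, CA file and pin value are all supplied by the caller and are placeholders, and the fingerprint check stands in for the certificate validation the text attributes to the client.

```python
"""Audit a TLS endpoint against the policy described in the text: legacy TLS
refused, TLS 1.2 accepted, certificate valid, optional SHA-256 leaf-cert pin.
Added example; host, port, CA file and pin are caller-supplied placeholders."""
import hashlib
import hmac
import socket
import ssl
from typing import Dict, List, Optional

LEGACY_VERSIONS = ("TLSv1", "TLSv1_1")   # optional to disable, per the text
REQUIRED_VERSION = "TLSv1_2"             # always enabled, per the text


def make_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context enforcing the policy: TLS 1.2 minimum, chain and
    hostname verification required (cafile=None uses the system trust store)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def cert_fingerprint_sha256(der_cert: bytes) -> str:
    """SHA-256 of a DER certificate, colon-separated as openssl prints it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pin_matches(der_cert: bytes, expected_fingerprint: str) -> bool:
    """Constant-time comparison of a leaf certificate against an expected
    SHA-256 pin (hex, with or without colons, any case)."""
    got = hashlib.sha256(der_cert).hexdigest()
    want = expected_fingerprint.replace(":", "").lower()
    return hmac.compare_digest(got, want)


def probe_version(host: str, port: int, version_name: str,
                  timeout: float = 5.0) -> bool:
    """True if the server completes a handshake restricted to one protocol
    version.  Certificate checks are off for this probe only: the question is
    whether the version is offered, not whether the chain is valid."""
    try:
        version = ssl.TLSVersion[version_name]
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False      # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = version   # ValueError if local OpenSSL lacks it
        ctx.maximum_version = version
        if version < ssl.TLSVersion.TLSv1_2:
            # Modern OpenSSL refuses TLS 1.0/1.1 at its default security
            # level; lower it so "refused" reflects the server, not this host.
            # A local build without TLS 1.0/1.1 still yields False here, so
            # confirm with a second tool when that distinction matters.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (OSError, ValueError):       # ssl.SSLError is a subclass of OSError
        return False


def audit(host: str, port: int = 443, expected_pin: Optional[str] = None,
          cafile: Optional[str] = None) -> Dict[str, object]:
    """Collect from a live endpoint the facts the policy check needs."""
    result: Dict[str, object] = {}
    for name in LEGACY_VERSIONS + (REQUIRED_VERSION,):
        result[name + "_accepted"] = probe_version(host, port, name)
    try:
        ctx = make_client_context(cafile)
        with socket.create_connection((host, port), timeout=5.0) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                result["certificate_valid"] = True
                result["negotiated"] = (tls.version(), tls.cipher()[0])
                result["fingerprint_sha256"] = cert_fingerprint_sha256(der)
                if expected_pin is not None:
                    result["pin_matches"] = pin_matches(der, expected_pin)
    except OSError as exc:              # includes ssl.SSLCertVerificationError
        result["certificate_valid"] = False
        result["certificate_error"] = str(exc)
    return result


def policy_violations(result: Dict[str, object]) -> List[str]:
    """Compare an audit result with the policy the text describes."""
    problems: List[str] = []
    for name in LEGACY_VERSIONS:
        if result.get(name + "_accepted"):
            problems.append(f"{name} still accepted; disable it in the TLS settings")
    if not result.get(REQUIRED_VERSION + "_accepted"):
        problems.append(f"{REQUIRED_VERSION} not accepted; clients cannot connect")
    if not result.get("certificate_valid"):
        problems.append("certificate failed validation: %s"
                        % result.get("certificate_error", "unknown"))
    if result.get("pin_matches") is False:
        problems.append("leaf certificate does not match the expected fingerprint")
    return problems


if __name__ == "__main__":
    import json
    import sys
    if len(sys.argv) < 2:
        sys.exit("usage: tls_audit.py <host> [port] [expected-sha256-pin]")
    r = audit(sys.argv[1],
              int(sys.argv[2]) if len(sys.argv) > 2 else 443,
              sys.argv[3] if len(sys.argv) > 3 else None)
    print(json.dumps(r, indent=2))
    print("violations:", policy_violations(r) or "none")
```

The legacy-version probes deliberately disable certificate verification, because their only purpose is to learn whether the server still offers the protocol; the separate `make_client_context` connection is the one that exercises chain and hostname validation, and it is the one whose failure means clients built with the policy above cannot connect.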
The table below lists the required and optional ports. The Bomgar Cloud infrastructure exposes very few ports, which keeps the site's potential attack surface small.
Below are example firewall rules for use with Bomgar Cloud, including direction, port numbers, and descriptions.

| Direction | Port | Description |
|---|---|---|
| Internal network to the Bomgar Cloud instance | TCP 443 (required)* | Used for all session traffic. |
| Bomgar Cloud instance to the internal network | TCP 25, 465, or 587 (optional) | Allows the appliance to send admin mail alerts. The port is set in the SMTP configuration. |
| Bomgar Cloud instance to the internal network | TCP 443 (optional) | Appliance to web services for outbound events. |