Network and Port Requirements
Access Analyzer requires outbound internet access during installation and operation, and specific internal ports for service communication.
Outbound Endpoints (Internet)
All outbound traffic uses HTTPS (port 443). The Access Analyzer server must be able to reach the following endpoints:
| Endpoint | Category | Purpose | When Required |
|---|---|---|---|
api.keygen.sh | Keygen / Licensing | License validation API | Installation and updates |
oci.pkg.keygen.sh | Keygen / Licensing | Netwrix OCI registry — Helm charts and application images | Installation and updates |
raw.pkg.keygen.sh | Keygen / Licensing | Installer binary download | Installation and updates |
keygen-dist.c3c9112df8df715f42d1162cdce5dba1.r2.cloudflarestorage.com | Keygen / Licensing CDN | Keygen artifact storage | Installation and updates |
api.github.com | GitHub | GitHub API | Installation only |
github.com | GitHub | Repository and release access | Installation only |
raw.githubusercontent.com | GitHub | ArgoCD bootstrap manifests | Installation only |
release-assets.githubusercontent.com | GitHub | Release asset downloads | Installation only |
pkg-containers.githubusercontent.com | GitHub Container Registry | GitHub Packages CDN | Installation and updates |
ghcr.io | GitHub Container Registry | Container images | Installation and updates |
get.k3s.io | K3s / Rancher | K3s installer download | Installation only |
rpm.rancher.io | K3s / Rancher | K3s package repository | Installation only |
storage.googleapis.com | K3s / Rancher | K3s artifact storage | Installation only |
Internal Ports
Access Analyzer uses these ports within the VM for service-to-service communication:
| Port | Protocol | Service | Description |
|---|---|---|---|
| 443 | TCP | Traefik | HTTPS ingress for web UI and API |
| 6443 | TCP | K3s API | Kubernetes API server |
| 8090 | TCP | ArgoCD | ArgoCD UI (via port-forward) |
| 5432 | TCP | PostgreSQL | Database connections |
| 8123 | TCP | ClickHouse | HTTP interface |
| 9000 | TCP | ClickHouse | Native protocol |
| 6379 | TCP | Redis | Cache and queue connections |
All internal ports are bound to the local cluster network. Only port 443 (Traefik) is exposed externally for the web interface.
Connector Network Requirements
Depending on the connectors you configure, the Access Analyzer VM must also have outbound access to your data sources:
| Connector | Port | Protocol | Notes |
|---|---|---|---|
| CIFS / SMB | 445 | TCP | SMB file sharing |
| Active Directory | 389 | TCP | LDAP |
| Active Directory | 636 | TCP | LDAPS (encrypted) |
| Active Directory | 135–139 | TCP | RPC |
| Active Directory | 49152–65535 | TCP | RPC dynamic ports |
| SharePoint Online | 443 | TCP | Microsoft Graph API |
| Entra ID | 443 | TCP | Microsoft identity platform |
| Local Groups | 5985 | TCP | WinRM (HTTP) |
| Local Groups | 5986 | TCP | WinRM (HTTPS) |
Proxy Configuration
If a proxy routes outbound traffic, set the following environment variables before running the installer:
export HTTP_PROXY="http://<PROXY_HOST>:<PROXY_PORT>"
export HTTPS_PROXY="http://<PROXY_HOST>:<PROXY_PORT>"
export NO_PROXY="localhost,127.0.0.1,.svc,.cluster.local,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
Antivirus Exclusions
If an endpoint detection or antivirus product is running on the Access Analyzer host, configure exclusions for the following paths before installation. The installer's preflight checks detect common products (CrowdStrike Falcon, SentinelOne, Sophos, and others) and will prompt you to confirm exclusions are in place.
| Path | Reason |
|---|---|
/var/lib/rancher/ | K3s runtime data |
/var/lib/containerd/ | Container image layers |
/run/k3s/ | K3s socket and runtime files |
/usr/local/bin/k3s | K3s binary |
Configure exclusions manually before running the installer. The installer's preflight check detects common antivirus products and will prompt you to confirm exclusions are in place before proceeding.
Firewall Configuration
Allow outbound HTTPS (port 443) to all endpoints in the Outbound Endpoints table. The following examples show how to configure this on common platforms.
Azure (NSG Rule)
az network nsg rule create \
--resource-group <RESOURCE_GROUP> \
--nsg-name <NSG_NAME> \
--name AllowOutboundHTTPS \
--priority 100 \
--direction Outbound \
--access Allow \
--protocol Tcp \
--destination-port-ranges 443
AWS (EC2 Security Group)
aws ec2 authorize-security-group-egress \
--group-id <SECURITY_GROUP_ID> \
--protocol tcp \
--port 443 \
--cidr 0.0.0.0/0
On-Premises (ufw)
sudo ufw allow out 443/tcp
sudo ufw reload
Verify Connectivity
After configuring firewall rules, verify that the Access Analyzer server can reach the required endpoints:
curl -I https://oci.pkg.keygen.sh
curl -I https://ghcr.io
curl -I https://get.k3s.io
All commands should return an HTTP response (2xx or 3xx). A connection timeout or refusal indicates a firewall rule is blocking the endpoint.