Thycotic PAM (Privileged Access Management) Distributed Engine performs SSH and RDP discovery on the systems we have access to. It enables password changes on systems. During discovery, it queues all operations through RabbitMQ and processes them in order. It makes Active Directory connections and provides load balancing.

Machine requirements for Distributed Engine
Below are the machine requirements for Distributed Engine.
Server OS: Windows Server 2016-2022
CPU: 8 CPU Cores
You can find the required ports below.
1- Ports that need to be opened from DE Server to targets whose passwords will be changed
Type of Traffic                                           Port Number
RPC Dynamic Port Range                                    TCP/49152-65535, UDP/49152-65535
Telnet                                                    TCP/23
Microsoft SQL                                             TCP/1433, UDP/1434
SMB/Microsoft-DS                                          TCP/445, UDP/445
LDAP                                                      TCP/389, UDP/389
LDAPS                                                     TCP/636, UDP/636
Sybase                                                    TCP/2638, TCP/5000
Oracle Listener                                           TCP/1521
Kerberos Password Change                                  TCP/464, UDP/464
Windows Privileged Account (WinNT ADSI Service Provider)  TCP/139
2- Ports that need to be opened from DE Server to targets for Discovery
Type of Traffic         Port Number
RPC Dynamic Port Range  TCP/49152-65535, UDP/49152-65535
SMB/Microsoft-DS        TCP/445, UDP/445
RPC Endpoint Mapper     TCP/135
3- Active Directory Sync ports from DE Server
Type of Traffic         Port Number
Kerberos                TCP/88, UDP/88
LDAP                    TCP/389, UDP/389
LDAPS                   TCP/636, UDP/636
SMB/Microsoft-DS        TCP/445, UDP/445
4- Ports that need to be opened from DE Server to the Secret Server web servers
Type of Traffic         Port Number
5- Default ports for sending Syslog from DE Server
Type of Traffic         Port Number
Syslog                  TCP/514, UDP/514
6- Access ports to RabbitMQ from DE Server
Type of Traffic         Port Number
RabbitMQ                TCP/5672 (non-SSL), TCP/5671 (SSL)
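
A way to confirm the firewall rules before installing the engine, written as an added example (not Thycotic's tooling): a PowerShell check run on the DE Server that tests the fixed TCP ports from the tables above. Every host name is a placeholder assumption, and the RPC dynamic range and the UDP ports are not tested, since a TCP connect cannot confirm them.

```powershell
# Added example: run on the DE Server. Port numbers are the fixed TCP ports from
# the tables above; every host name below is a placeholder (assumption).
# Trim each port list to what the target type actually uses (e.g. drop 1521 if
# the target is not an Oracle host) so the firewall request stays least-privilege.
$Matrix = @(
    [pscustomobject]@{ Role = 'Password change'; Target = 'target01.example.internal'
                       Ports = 23,139,389,445,464,636,1433,1521,2638,5000 }
    [pscustomobject]@{ Role = 'Discovery'; Target = 'target01.example.internal'; Ports = 135,445 }
    [pscustomobject]@{ Role = 'AD sync';   Target = 'dc01.example.internal';     Ports = 88,389,445,636 }
    [pscustomobject]@{ Role = 'Syslog';    Target = 'syslog.example.internal';   Ports = 514 }
    [pscustomobject]@{ Role = 'RabbitMQ';  Target = 'rabbitmq.example.internal'; Ports = 5671,5672 }
)

function Test-TcpPort {
    # Returns $true only if a TCP connection completes within the timeout.
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($HostName, $Port)
        return ($task.Wait($TimeoutMs) -and $client.Connected)
    } catch {
        # Refused connections and DNS failures surface as exceptions: treat as blocked.
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($entry in $Matrix) {
    foreach ($port in $entry.Ports) {
        [pscustomobject]@{
            Role      = $entry.Role
            Target    = $entry.Target
            Port      = $port
            Reachable = Test-TcpPort -HostName $entry.Target -Port $port
        }
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code when any required port is blocked, so the check can gate
# the installation step.
if ($results.Reachable -contains $false) { exit 1 }
```

A port reported as unreachable can mean either a firewall block or that no service is listening on the target, so check the target service before requesting a rule change.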