Securing Passport services


If you’re installing Passport on your own server, use the following guide as a baseline for securing the services. Please contact if you have additional questions.

Required ports

See the Configuration Reference for more information on default port configuration. The documentation below assumes the default port configuration.

Passport Backend

To access Passport Backend you’ll need to open port 9011. If you have more than one instance of Passport Backend installed you will need to ensure that each instance of Passport Backend can communicate on port 9011.

Passport Search Engine

If Passport Search Engine is running on the same system as the Passport Backend service and you’re only running a single instance of Passport Backend then no external ports should be allowed for Passport Search Engine. In this scenario, Passport Backend will access the Elastic Search service on port 9021 on the localhost address. The default configuration should cause Passport Search Engine to only bind to or other localhost addresses.

If Passport Backed is installed on multiple servers and those servers can communicate across a private network using a site local address then the default Passport Search Engine Configuration will not bind to any public IP addresses. In this scenario you will need to allow access to ports 9020 and 9021 on the site local IP address.

It is not recommended to expose the Passport Search Engine service to any public network. If this is a requirement, then a firewall should be used to limit traffic based upon the source and destination IP address to the service.

The 9020 port is utilized by Elastic Search for internal communication including clustering. The 9021 port is the HTTP port utilized by Passport Backend to make API requests to the search index.