Delegate Connection Requirements

Updated 8 months ago by Michael Cretzman

This article lists the permissions and ports required by the Harness Delegate to access your artifact servers, cloud providers, verification, and security providers.

How does Harness Connect to Providers?

The Harness Manager connects to the artifact servers, cloud providers, verification, and security providers using the Harness Delegate. You download the Harness Delegate from the Harness Manager and install it in your network or VPC.

For information on Harness architecture, see Harness Architecture.

The Delegate only connects to the Harness Manager via an outbound HTTPS connection over port 443. There is no inbound connection from the Harness Manager to the Delegate.

In the Harness Manager, you configure artifact servers, cloud providers, verification, and security providers using your account credentials with those providers. The Delegate uses those credentials when it uses your providers in the Harness deployment, verification, and security processes.

Harness Delegate Connection to Harness Manager

The Delegate runs from within your enterprise network or VPC and only connects to the Harness Manager with a secure outbound HTTPS connection over port 443.

  • HTTPS port 443 outbound from locally-installed delegate to the Harness Manager.
  • HTTPS port 443 from your browser to the Harness Manager.
The Harness Delegate does NOT require root account access.

Permissions and Ports for Harness Connections

The following table lists the permissions and ports needed for the Harness Delegate to access artifact servers, cloud providers, verification, and security providers. You configure these settings in the Harness Manager.

  • Artifact servers: The Delegate pulls artifacts and metadata from artifact servers using the account and ports required by the artifact server.
  • Deployments: Most Harness deployments to Virtual Machines (for example, AWS, GCP, Azure, Datacenter) are performed using SSH over port 22. The VPC firewall setting might also require additional open ports for administration, such as HTTP 443.
  • Verifications: The Delegate makes API calls to verification providers using the access keys required by the providers.
  • Security: For security, such as SAML and LDAP, the Delegate uses the account and ports required by the provider, such as a Active Directory domain controller running in a Azure or AWS VPC.
In general, if you are already connecting to your artifact servers, cloud, verification, and security providers from within your network or VPC, and you install the Harness Delegate inside that network or VPC, there is little network or VPC configuration needed. You simply need to specify accounts and ports when configuring Harness to use the providers.


Permissions and Harness Docs

Ports for Delegate Connections to Services

Provider References

Active Directory LDAP

User account in the Active Directory.

Ports and Permissions

HTTPS: 443.

LDAP without SSL: 389.

Secure LDAP (LDAPS): 636.

By default, LDAP traffic is transmitted unsecured. For Windows Active Directory, you can make LDAP traffic confidential and secure by using SSL/TLS. You can enable LDAP over SSL by installing a certificate from a Microsoft certification authority (CA) or a non-Microsoft CA.

Users and Groups


General permission: View, Edit and Delete permissions for new applications can be set as part of the default permissions for a custom role.

Add AppDynamics to Verification Providers

HTTP: 80

HTTPS: 443

General Permissions

AWS Cloud

IAM user to be able to make API requests to AWS.

AWS Permissions

Depends on the firewall settings of your VPC, but typically, HTTP: 443.

Creating an IAM User in Your AWS Account

Configure Ports and Endpoints

AWS CodeDeploy


HTTPS: 443.

AWS Managed (Predefined) Policies for AWS CodeDeploy


Policy: AmazonEC2FullAccess

AWS EC2 Provisioned and Static Hosts

HTTP: 80.

HTTP: 443.

TCP: 9090.

Controlling Access to Amazon EC2 Resources


Policy for Elastic Load Balancer, Application Load Balancer, and Elastic Container Service:



Well-known ports: 25, 80, 443, 465, and 587.

Ephemeral ports (1024-65535).

Amazon ECS Service Scheduler IAM Role

Listeners for Your Classic Load Balancer


Policy: AmazonS3ReadOnlyAccess

Amazon S3

HTTP: 443.

Creating an IAM User in Your AWS Account


Client (Application) and Tenant (Directory) IDs, and Key.

Azure Cloud Provider

Windows VMs (WinRM ports): HTTP: 5985, HTTPS: 5986.

Linux VMs: SSH: 22.

Get application ID and authentication key

How to set up endpoints on a classic Windows virtual machine in Azure


Username and password for account.

Build permissions: View Plan, Build Plan

Bamboo Permissions

HTTP: 443.

TCP: 8085.

Bamboo permissions


Data Access API Auth Token.

Bugsnag Verification

The Bugsnag Data Access API is exposed on the same TCP port as the dashboard, 49080.

Data Access API Authentication


API Key.

Application Key.

Datadog Verification

HTTPS: 443.

Open Ports


Docker Registry

User permission level.

TCP: 8083.

Permission levels


Access token.

Dynatrace Verification

HTTPS: 443.

Access tokens

How do I fetch the list of monitored processes?

ELK Elasticsearch

User (Read permission) or Token Header and Token Value.

ELK Elasticsearch Verification

TCP: 9200.

User authentication

Talking to Elasticsearch

Github Repo

User account: repository owner.

Organization account: read and write.

Sync Your Code with Harness

HTTP: 443.

Permission levels for a user account repository

Repository permission levels for an organization

Google Cloud Platform (GCP)


SSH: 22.

TCP: 9090.

Understanding Roles

Using Firewall Rules

JFrog Artifactory

Privileged User: Read permission.

Artifactory Permissions

HTTP: 443.

Managing Permissions


Matrix-based: Read permission.

Execute Permission, if jobs are triggered from Workflow.

Jenkins Permissions

HTTPS: 443.

Matrix-based security

Kubernetes Cluster

One of the following:

  • Same cluster as kubernetes delegate. Use this option if you installed the Harness delegate in your cluster.
  • Username and password.
  • CA certificate, client certificate, and client key. Key passphrase and key algorithm are optional.
  • For OpenShift: Kubernetes service account token.

Kubernetes Cluster

Depends where the cluster is hosted, such as GCP or AWS.

HTTPS: 443.

SSH: 22.




HTTPS: 443.

TCP: 4209.

Announcing the Search API


Kubernetes service account token.

OpenShift Support

HTTPS: 443.

SSH: 22.

Enabling Service Account Authentication

New Relic

API key.

Connect to New Relic

HTTPS: 443.

Access to REST API keys



User account with Repository View Privilege or read for repository.

Nexus Permissions

TCP: 8081.

HTTPS: 443.

Nexus Managing Security

Pivotal Cloud Foundry

User account with Admin, Org Manager, or Space Manager role. The user account must be able to update spaces, orgs, and applications.

PCF Permissions

HTTP: 80 or 443.

Orgs, Spaces, Roles, and Permissions



Connect to Prometheus

Depends on where the Prometheus server is hosted. For example, on AWS, port 9090 might be required.

HTTP: 80.




TCP: 25.


User account with Read permissions on eventtypes objects.


TCP: 8089 for API.

Set permissions for objects in a Splunk app

Configure deployment clients

Sumo Logic

User account with access ID and key and query permissions.

Connect to Sumo Logic

HTTPS: 443.

API Authentication

Sumo Logic Endpoints and Firewall Security


User account in the same Active Directory domain as the Windows instances the connection uses.

Set Up WinRM on Instances and Network

HTTP: 5985.

HTTPS: 5986 and 443.

SSH: 22.

Installation and Configuration for Windows Remote Management

How did we do?