On Demand is included in the scope of the Platform Management ISO/IEC 27001, 27017 and 27018 certifications:
- ISO/IEC 27001 Information technology — Security techniques — Information security management systems — Requirements: Certificate Number: 1156977-3, valid until 2025-07-28.
- ISO/IEC 27017 Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services: Certificate Number: 1156977-3, valid until 2025-07-28.
- ISO/IEC 27018 Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors: Certificate Number: 1156977-3, valid until 2025-07-28.
Source control and build systems can only be accessed by Quest employees on Quest’s corporate network (domain security). If a developer (or any other employee with access to Disaster Recovery for Identity for Active Directory) leaves the company, the individual immediately loses access to the systems.
All code is versioned in source control.
Access to Disaster Recovery for Identity for Active Directory data is restricted to:
- Quest Operations team members.
- Particular Quest Support team members working closely with Disaster Recovery for Identity for Active Directory product issues.
- The product development team to provide support for the product.
Access to Disaster Recovery for Identity for Active Directory data is restricted through the dedicated Quest Azure Active Directory security groups. For different types of data (e.g., product logs, customer data, and sensitive data) different access levels and lists of allowed people are assigned. Quest employees do not have access to backups.
Quest Operations team members have access to Quest's production Azure Subscription and monitor it as part of normal day-to-day operations. Disaster Recovery for Identity for Active Directory developers have no access to Quest's production Azure Subscription.
To access Disaster Recovery for Identity for Active Directory, a customer representative opens the On Demand website and signs up for an On Demand account. The account is verified via email; thus, a valid email address must be provided during registration.
An organization is automatically created once the new account is created.
Permissions and Requirements for Hybrid Agent
A service account used to run the hybrid agent service must be a local administrator account on the computer where the hybrid agent is installed.
Hybrid agent endpoint requirements
The hybrid agent must be able to access the following endpoints associated with the region where your On Demand organization resides.
| Port | Direction | Destination | Purpose |
|---|---|---|---|
| 389 | Outbound | Domain controllers | LDAP port to domain controllers to discover the environment. |
| 445 | Outbound | Domain controllers | SMB port to domain controllers to install domain controller agents. |
| 443 | Outbound | AU: odjrs-auprod-au-iothub.azure-devices.net, https://odjrsauprodaugrssto.blob.core.windows.net, https://odrjsauprodausto.blob.core.windows.net | Agent connection to Disaster Recovery for Identity for Active Directory backend services (see the On Demand Global Settings User Guide for more). |
| 443 | Outbound | CA: odjrs-caprod-ca-iothub.azure-devices.net, https://odjrscaprodcagrssto.blob.core.windows.net, https://odrjscaprodcasto.blob.core.windows.net | Agent connection to Disaster Recovery for Identity for Active Directory backend services (see the On Demand Global Settings User Guide for more). |
| 443 | Outbound | EU: odjrs-euprod-eu-iothub.azure-devices.net, https://odjrseuprodeugrssto.blob.core.windows.net, https://odjrseuprodeusto.blob.core.windows.net | Agent connection to Disaster Recovery for Identity for Active Directory backend services (see the On Demand Global Settings User Guide for more). |
| 443 | Outbound | UK: odjrs-ukprod-uk-iothub.azure-devices.net, https://odjrsukprodukgrssto.blob.core.windows.net, https://odjrsukproduksto.blob.core.windows.net | Agent connection to Disaster Recovery for Identity for Active Directory backend services (see the On Demand Global Settings User Guide for more). |
| 443 | Outbound | US: odjrs-usprod-us-iothub.azure-devices.net, https://odjrsusprodusgrssto.blob.core.windows.net, https://odjrsusprodussto.blob.core.windows.net | Agent connection to Disaster Recovery for Identity for Active Directory backend services (see the On Demand Global Settings User Guide for more). |
| 80 | Outbound | AU: odjrsauprodauiotinst-odjrsauprodauiotacct.b.nlu.dl.adu.microsoft.com | Agent connection to Disaster Recovery for Identity for Active Directory backend services (see the On Demand Global Settings User Guide for more). |
| 80 | Outbound | CA: odjrscaprodcaiotinst-odjrscaprodcaiotacct.b.nlu.dl.adu.microsoft.com | Agent connection to Disaster Recovery for Identity for Active Directory backend services (see the On Demand Global Settings User Guide for more). |
| 80 | Outbound | EU: odjrseuprodeuiotinst--odjrseuprodeuiotacct.b.nlu.dl.adu.microsoft.com | Agent connection to Disaster Recovery for Identity for Active Directory backend services (see the On Demand Global Settings User Guide for more). |
| 80 | Outbound | UK: odjrsukprodukiotinst--odjrsukprodukiotacct.b.nlu.dl.adu.microsoft.com | Agent connection to Disaster Recovery for Identity for Active Directory backend services (see the On Demand Global Settings User Guide for more). |
| 80 | Outbound | US: odjrsusprodusiotinst--odjrsusprodusiotacct.b.nlu.dl.adu.microsoft.com | Agent connection to Disaster Recovery for Identity for Active Directory backend services (see the On Demand Global Settings User Guide for more). |
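The following PowerShell script is an added pre-flight check for the hybrid agent host; it is not Quest's code and not part of the original page. It tests TCP reachability to the regional endpoints listed in the table above (port 443 and port 80), and to every domain controller in the current domain on 389 and 445, which is what the agent needs before it can discover the environment and push domain controller agents. The `-Region`, `-ProxyHost` and `-ProxyPort` parameters are this script's own assumptions (the product documentation does not define them); when a proxy is given, the 80/443 checks target the proxy instead of the cloud host, since that is the path the agent host actually needs.

```powershell
# Added example (not Quest's code): hybrid agent host connectivity pre-check.
# Endpoints are copied verbatim from the regional endpoint table above.
# Assumed parameters: -Region, -ProxyHost, -ProxyPort. Needs Test-NetConnection
# (Windows 8 / Server 2012 or later) and a domain-joined host for DC discovery.
param(
    [Parameter(Mandatory)][ValidateSet('AU','CA','EU','UK','US')][string]$Region,
    [string]$ProxyHost,
    [int]$ProxyPort = 8080
)

# Port 443 targets: regional IoT hub plus the two blob storage accounts.
# The "odrjs" spelling of the third AU/CA host is kept exactly as documented.
$https = @{
    AU = 'odjrs-auprod-au-iothub.azure-devices.net','odjrsauprodaugrssto.blob.core.windows.net','odrjsauprodausto.blob.core.windows.net'
    CA = 'odjrs-caprod-ca-iothub.azure-devices.net','odjrscaprodcagrssto.blob.core.windows.net','odrjscaprodcasto.blob.core.windows.net'
    EU = 'odjrs-euprod-eu-iothub.azure-devices.net','odjrseuprodeugrssto.blob.core.windows.net','odjrseuprodeusto.blob.core.windows.net'
    UK = 'odjrs-ukprod-uk-iothub.azure-devices.net','odjrsukprodukgrssto.blob.core.windows.net','odjrsukproduksto.blob.core.windows.net'
    US = 'odjrs-usprod-us-iothub.azure-devices.net','odjrsusprodusgrssto.blob.core.windows.net','odjrsusprodussto.blob.core.windows.net'
}
# Port 80 target: one Azure Device Update host per region.
$http = @{
    AU = 'odjrsauprodauiotinst-odjrsauprodauiotacct.b.nlu.dl.adu.microsoft.com'
    CA = 'odjrscaprodcaiotinst-odjrscaprodcaiotacct.b.nlu.dl.adu.microsoft.com'
    EU = 'odjrseuprodeuiotinst--odjrseuprodeuiotacct.b.nlu.dl.adu.microsoft.com'
    UK = 'odjrsukprodukiotinst--odjrsukprodukiotacct.b.nlu.dl.adu.microsoft.com'
    US = 'odjrsusprodusiotinst--odjrsusprodusiotacct.b.nlu.dl.adu.microsoft.com'
}

$checks = @()
foreach ($h in $https[$Region]) {
    $checks += [pscustomobject]@{ Host = $h; Port = 443; Purpose = 'Backend services' }
}
$checks += [pscustomobject]@{ Host = $http[$Region]; Port = 80; Purpose = 'Backend services' }

# Domain controllers are discovered through .NET so RSAT is not required.
$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers
foreach ($dc in $dcs) {
    $checks += [pscustomobject]@{ Host = $dc.Name; Port = 389; Purpose = 'LDAP discovery' }
    $checks += [pscustomobject]@{ Host = $dc.Name; Port = 445; Purpose = 'SMB agent install' }
}

$results = foreach ($c in $checks) {
    # With a proxy configured, the agent host only needs a TCP path to the
    # proxy for the 80/443 endpoints; the proxy reaches the cloud host.
    $target = $c.Host; $port = $c.Port
    if ($ProxyHost -and ($c.Port -in 80, 443)) { $target = $ProxyHost; $port = $ProxyPort }
    $ok = (Test-NetConnection -ComputerName $target -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    [pscustomobject]@{
        Endpoint  = $c.Host
        Port      = $c.Port
        Via       = "${target}:${port}"
        Reachable = $ok
        Purpose   = $c.Purpose
    }
}

$results | Format-Table -AutoSize
# Non-zero exit lets a deployment pipeline stop before installing the agent.
if ($results.Reachable -contains $false) { exit 1 }
```

Run it as `.\Test-HybridAgentEndpoints.ps1 -Region EU` on the machine that will host the hybrid agent; a `Reachable = False` row names the exact host and port that the perimeter or proxy allow-list still needs.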
Permissions and Requirements for Domain Controller Agent
The domain controller agent service always runs under the Local System account.
An account used to install the domain controller agent remotely should be a member of the Domain Administrators group on the target domain controller, or a member of the Local Administrators group if the target computer is a Clean OS computer.
Domain controller agent endpoint requirements
The domain controller agent must be able to access the following endpoints associated with the region where your On Demand organization resides.
| Port | Direction | Destination | Purpose |
|---|---|---|---|
| 445 | Inbound | | SMB port to allow automatic agent installation. |
| 135 | Inbound | | RPC Endpoint Mapper port used by the RPC runtime. |
| 49152-65535 | Inbound | | RPC dynamic port range to accept RPC connections from the hybrid agent. |
| 443 or proxy server port | Outbound | AU: https://odradprodausa.blob.core.windows.net | Download and upload backups from Azure Blob Storage accounts. |
| 443 or proxy server port | Outbound | CA: https://odradprodcasa.blob.core.windows.net | Download and upload backups from Azure Blob Storage accounts. |
| 443 or proxy server port | Outbound | EU: https://odradprodeusa.blob.core.windows.net | Download and upload backups from Azure Blob Storage accounts. |
| 443 or proxy server port | Outbound | UK: https://odradproduksa.blob.core.windows.net | Download and upload backups from Azure Blob Storage accounts. |
| 443 or proxy server port | Outbound | US: https://odradprodussa.blob.core.windows.net | Download and upload backups from Azure Blob Storage accounts. |
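The inbound rows above are where remote installation usually fails on a hardened domain controller: a narrowed RPC dynamic port range or a missing firewall allow rule leaves 135 and 445 open but the follow-up RPC connection blocked. The script below is an added example, not Quest's code and not from the original page, to run on the domain controller itself. It reads the effective dynamic port range, checks that enabled inbound allow rules cover TCP 445, 135 and that range (Windows expresses the latter two with the `RPC-EPMap` and `RPC` port keywords on its built-in rules), and tests outbound 443 to the region's blob storage account or to a proxy. The `-Region`, `-ProxyHost` and `-ProxyPort` parameters are this script's own assumptions.

```powershell
# Added example (not Quest's code): domain controller readiness check for the
# domain controller agent. Blob hosts are copied from the endpoint table above.
# Assumed parameters: -Region, -ProxyHost, -ProxyPort. Requires the NetSecurity
# and NetTCPIP modules (Windows Server 2012 or later) and an elevated session.
param(
    [Parameter(Mandatory)][ValidateSet('AU','CA','EU','UK','US')][string]$Region,
    [string]$ProxyHost,
    [int]$ProxyPort = 8080
)

$blob = @{
    AU = 'odradprodausa.blob.core.windows.net'
    CA = 'odradprodcasa.blob.core.windows.net'
    EU = 'odradprodeusa.blob.core.windows.net'
    UK = 'odradproduksa.blob.core.windows.net'
    US = 'odradprodussa.blob.core.windows.net'
}

# 1. Effective RPC dynamic port range. 49152-65535 is the Windows default the
#    documentation assumes; a hardened DC may have narrowed or moved it, and
#    then the hybrid agent's firewall path must cover the real range instead.
$tcp   = Get-NetTCPSetting -SettingName Internet
$start = $tcp.DynamicPortRangeStartPort
$end   = $start + $tcp.DynamicPortRangeNumberOfPorts - 1
$rangeWithinDocumented = ($start -ge 49152) -and ($end -le 65535)

# 2. Local ports opened by enabled inbound TCP allow rules. LocalPort may be
#    'Any', a single port, a range 'a-b', or a keyword such as 'RPC' / 'RPC-EPMap'.
#    Rule scope (remote address, profile) is not evaluated here; review it by hand.
$ports = @(
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' } |
        ForEach-Object { $_.LocalPort }
) -split ','

function Test-PortAllowed([int]$Port, [string[]]$Keywords) {
    foreach ($p in $ports) {
        if ($p -eq 'Any' -or $p -in $Keywords) { return $true }
        if ($p -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$matches[1] -and $Port -le [int]$matches[2]) { return $true }
        } elseif ($p -match '^\d+$' -and [int]$p -eq $Port) {
            return $true
        }
    }
    return $false
}

$checks = [ordered]@{
    'TCP 445 inbound (SMB automatic install)'  = Test-PortAllowed 445 @()
    'TCP 135 inbound (RPC endpoint mapper)'    = Test-PortAllowed 135 @('RPC-EPMap')
    "TCP $start-$end inbound (RPC dynamic)"    = (Test-PortAllowed $start @('RPC')) -and (Test-PortAllowed $end @('RPC'))
    'Dynamic range within documented 49152-65535' = $rangeWithinDocumented
}

# 3. Outbound path for backup upload/download: the blob host on 443, or the
#    proxy when backups are routed through one ("443 or proxy server port").
$target = $blob[$Region]; $port = 443
if ($ProxyHost) { $target = $ProxyHost; $port = $ProxyPort }
$checks["TCP ${target}:${port} outbound (backup storage)"] =
    (Test-NetConnection -ComputerName $target -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded

$checks.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Check = $_.Key; Pass = $_.Value } } |
    Format-Table -AutoSize
if ($checks.Values -contains $false) { exit 1 }
```

A `Pass = False` on the dynamic-range row means either the range was moved (the hybrid agent's path must then allow the reported range) or no rule covers it; a pass on 445 and 135 alone is not enough, because the installation handshake continues on a dynamic port.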