Overview
Active Directory runs on a single domain controller reachable by the ZTNA Connector deployed on a secure host within your network.
Imper.ai requires secure, encrypted connectivity to the domain controller in order to perform directory verification and identity validation operations.
This document describes the secure connectivity model used to establish that integration while maintaining strict network boundaries and minimizing exposure.
The design is based on the following principles:
Connectivity is restricted to a single, defined directory endpoint
Communication is limited to encrypted LDAP transport only
No general network access into the VPC is introduced
No access is provided to other systems or connected networks
All directory activity remains auditable within the domain controller
The integration leverages a ZTNA Connector deployed inside your VPC to initiate secure, outbound communication with Imper.ai, ensuring that no inbound access to your network is required.
This approach ensures that the integration is secure, narrowly scoped, and aligned with enterprise network security best practices.
What This Integration Does
The ZTNA Connector enables secure communication between Imper.ai and your Active Directory domain controller:
Connects to a single domain controller
Uses a single IP address within your network
Supports one directory transport: LDAPS (TCP 636) or LDAP with StartTLS (TCP 389)
It does not provide:
General access into your VPC
Access to other internal systems
Access to additional networks connected to your VPC
Architecture
The ZTNA Connector is deployed on a secure host within your network.
Key aspects of the design:
The connector initiates outbound TLS connectivity to Imper.ai on TCP 443
The connector communicates locally with the domain controller over exactly one directory transport (TCP 636 or TCP 389)
No inbound connectivity is established from Imper.ai into your network
All traffic remains encrypted and scoped to the required endpoints.
Network Restrictions
The permitted connectivity flows for the connector are:
Connector → Domain controller on the selected LDAP port (TCP 636 or TCP 389)
Connector → Imper.ai service endpoints on TCP 443
No other internal IP addresses or ports are reachable from the connector. The domain controller is not directly reachable from Imper.ai networks.
Access Control
Imper.ai authenticates and authorizes all requests before they reach the connector
The connector accepts requests only over a mutually authenticated TLS channel
Each request is validated against an explicit authorization decision before initiating a connection to the domain controller
The connector does not provide general TCP proxying, port forwarding, or arbitrary destination access
Firewall Configuration
Your firewall policy should allow:
Connector → Domain controller on the selected LDAP port (TCP 636 or TCP 389)
Connector → Imper.ai service endpoints on TCP 443
All other traffic to and from the connector is denied, including any other inbound or outbound traffic between the connector and internal systems.
DNS and Addressing
The connector resolves Imper.ai service endpoints for outbound TCP 443
If the domain controller is addressed by hostname, internal DNS must resolve that name within your network.
No additional DNS configuration is required for direct IP connections to the domain controller.
Encryption and Certificate Validation
All directory communication is encrypted:
LDAPS (TCP 636): The domain controller presents a valid TLS certificate, and the connector validates the certificate chain
LDAP with StartTLS (TCP 389): TLS is negotiated on TCP 389, and the same certificate validity and chain validation requirements apply
Certificate validation protects the directory connection against man-in-the-middle attacks.
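As an added illustration of the transport and validation rules above (not Imper.ai's connector code), the following Python script opens exactly one of the two permitted directory transports with mandatory chain and hostname validation; the `dc_host`, port and CA bundle arguments are placeholders you supply, and the BER helpers encode the RFC 4511 StartTLS extended operation by hand so they can be checked offline.

```python
"""Open the connector-to-domain-controller link over one permitted transport:
LDAPS on TCP 636, or LDAP with StartTLS on TCP 389. Added example, not vendor code."""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation

def _ber(tag: int, content: bytes) -> bytes:
    # Short-form BER length only: every message built here is well under 128 bytes.
    assert len(content) < 128
    return bytes([tag, len(content)]) + content

def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = _ber(0x77, _ber(0x80, STARTTLS_OID))
    return _ber(0x30, _ber(0x02, bytes([message_id])) + ext_req)

def starttls_result_code(response: bytes) -> int:
    """Return the LDAPResult resultCode from an ExtendedResponse [APPLICATION 24].
    Assumes short-form lengths, which holds for a StartTLS reply."""
    if response[:1] != b"\x30" or response[2:3] != b"\x02":
        raise ValueError("not an LDAPMessage")
    ext_resp = response[4 + response[3]:]                # skip messageID INTEGER
    if ext_resp[:1] != b"\x78" or ext_resp[2:3] != b"\x0a":
        raise ValueError("not an ExtendedResponse")
    return ext_resp[4]                                   # ENUMERATED resultCode value

def directory_tls_context(cafile=None) -> ssl.SSLContext:
    """TLS policy for the DC link: chain validation plus hostname check, no fallback.
    cafile is the bundle holding your domain CA; None uses the system trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def open_directory_tls(dc_host: str, port: int, cafile=None) -> ssl.SSLSocket:
    """Connect over the single selected transport; any validation failure raises."""
    if port not in (636, 389):
        raise ValueError("only LDAPS (636) or LDAP StartTLS (389) is permitted")
    ctx = directory_tls_context(cafile)
    raw = socket.create_connection((dc_host, port), timeout=10)
    if port == 389:                                      # StartTLS before any LDAP op
        raw.sendall(starttls_request())
        if starttls_result_code(raw.recv(4096)) != 0:    # 0 = success
            raw.close()
            raise ssl.SSLError("domain controller refused StartTLS")
    return ctx.wrap_socket(raw, server_hostname=dc_host)  # verifies chain and name
```

A failed chain or hostname check raises from `wrap_socket` before any bind or search is sent, which is the behaviour the connector policy above requires.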
Security and Audit
Each request produces an auditable record tied to the connector identity, target domain controller, selected transport, timestamp, and outcome
Domain controller security logs remain the authoritative record of any directory changes
No standing administrative access is granted to Imper.ai
This design ensures all activity is auditable and confined to the intended scope.
Why This Design Is Secure
This architecture provides:
Single-system exposure — only the domain controller is reachable
Single-port exposure — only the selected LDAP transport is allowed
Encrypted communication only
No lateral network access — Imper.ai cannot reach other VPC systems
No public internet exposure — all internal access is outbound via the connector
Full auditability