diff --git a/docs/images/on-premises/on-prem-architecture-diagram.drawio.svg b/docs/images/on-premises/on-prem-architecture-diagram.drawio.svg new file mode 100644 index 00000000..1a02a3be --- /dev/null +++ b/docs/images/on-premises/on-prem-architecture-diagram.drawio.svg @@ -0,0 +1,4 @@ + + + +

SharpHound Enterprise
Windows service

LDAP(S) 389/636SMB/RPC 445/135

Active Directory
& AD CS (on-premises DCs)

GitHub, Jamf, Okta
Cloud platforms

HTTPS 443

Microsoft Entra ID
Cloud, read-only

AzureHound Enterprise
Windows or container

OpenHound
Container

IDENTITY & SOURCE SYSTEMSCOLLECTOR HOSTS
HTTPS 443
LEGENDHTTPS 443
HTTPS 443
HTTPS 443
Collector initiated; 
read-only data pull
Collector initiated;
data push to 
BloodHound Enterprise
Collector initiated;
data flow to collector
Embedded Cluster
BloodHound Enterprise REST API
Ingress Controller
PostgreSQL 18 Database
Installation Wizard
BloodHound Enterprise UI
SPECTEROPS - BLOODHOUND ENTERPRISE PORTAL

Security Center
CVE and compliance reports

Install
Download and install instructions

Release History
Version-specific release notes

Support & licensing
Support resources and license details

BLOODHOUND ENTERPRISE HOST
All collected data is stored on the on-premises host

Entra ID and Okta are external directories; read-only queries

No agents on domain controllers or endpointsAir-gapped or internet-connected deployment supported


HTTPS 443NOTES
\ No newline at end of file diff --git a/docs/on-premises/architecture.mdx b/docs/on-premises/architecture.mdx index 1a54bf64..ef10ae8b 100644 --- a/docs/on-premises/architecture.mdx +++ b/docs/on-premises/architecture.mdx @@ -9,10 +9,29 @@ On-premises deployments of BloodHound Enterprise give you full control over your ## Deployment architecture -On-premises deployments of BloodHound Enterprise consist of two primary parts: +An on-premises deployment of BloodHound Enterprise centers on a dedicated host that runs the application stack and one or more separate collector hosts that gather identity data from your environment. -- **BloodHound Enterprise host** - Runs the BloodHound application, database, and supporting infrastructure -- **Collector hosts** - Run lightweight collector services (SharpHound, AzureHound, or OpenHound) to gather data from your identity infrastructure + + The following diagram shows where the components run and how collected data moves toward BloodHound Enterprise. The sections that follow the diagram describe the components and data flow in more detail. + + +A diagram showing the architecture of an on-premises deployment of BloodHound Enterprise + + + + + + Data flows toward BloodHound Enterprise, but the collector initiates every session. The collector pulls data from your environment and then sends the results to BloodHound Enterprise. + + + No. The inbound rules in an on-premises deployment apply to the BloodHound Enterprise host, not to your domain controllers. + + Communication with domain controllers is outbound from a collector that you own, using services and ports that your domain controllers already expose. From a firewall perspective, this typically looks like read-only collector traffic to domain services plus a single HTTPS (`443`) egress path to BloodHound Enterprise. + + ### Core components @@ -20,7 +39,7 @@ All on-premises deployments include the following core application components: | Component | Purpose | |-----------|---------| -| **BloodHound Enterprise API** | Application server, UI, graph analysis, and collector ingestion | +| **BloodHound Enterprise** | Application server, REST API, user interface (UI), graph analysis, and collector ingestion | | **PostgreSQL 18.x** | Database server for application data and graph storage | ### Deployment-specific components