This article covers steps on how to get started with Data Control Tower as a SaaS Application. Begin with the Prerequisites and complete those steps before proceeding to the Onboarding process.


This section provides prerequisites for Data Control Tower

  • Delphix Engines: Delphix Engines must be running on version 5.3.5 or greater. Since Data Control Tower is a cloud-based service, new features typically can be delivered without upgrading Delphix Engines. However, there may be some features that may require a future upgrade of the engines. 
  • Internet Access: To connect a Delphix Engine to Delphix Data Control Tower, the network must be configured to permit outbound connections to the following:

    • - The Delphix Engine makes outbound API calls to The following ports need outbound connections through firewalls:

      • TCP: 443
      • TCP: 443
    •  (strongly recommended) - Delphix Appliances deployed on Customer Networks validate the authenticity and integrity of software update bundles before they are installed. This provides the benefit of additional protection against cyber threats. Delphix uses industry-grade cryptography to secure its software update process. Software update packages are signed with certificates issued by DigiCert, which is a trusted provider of this service. When the software bundle is installed, Delphix Appliance analyzes the certificate with which the software is signed to make sure it has not been compromised, invalidated by DigiCert, etc. In order to do this, the Appliance needs to reach on port 80. This DNS resolves to a range of IP addresses that DigiCert updates on a regular basis.

      If unable to open network connections to on port 80, the Delphix Appliance installing the software update will automatically fallback to using on port 443, which will marshal certificate validation requests to on port 80 on your behalf using Delphix network connections. This capability is available from version 6.0.4 onwards. While functionally feasible, this is a less preferred method, as Delphix infrastructure will be vouching for the integrity and validity of certificates it signs its own software with. Procedurally, Delphix recommends connecting directly to DigiCert, which will provide the highest assurance levels and protections against cyber threats associated with exploiting automated software update capabilities.

      On versions 5.3.5 to 6.0.3, the above fallback capability does not exist. Instead, any of the following IP addresses are acceptable if static routing is required, and networks must be configured allowing outbound connections to:

      • TCP: 80
      • TCP: 80
      • TCP: 80
      • TCP: 80
      • TCP: 80

DigiCert reserves the right to change any of these IP addresses. These must be monitored for changes.

If the Engine connecting to Data Control Tower is of version 6.0.4 or newer, a web proxy between the Delphix Engine and Data Control Tower servers can be configured. If a web proxy is configured, the above Internet access requirements apply to the web proxy instead of the Delphix Engine. Please refer to instructions on how to configure a web proxy for Data Control Tower connectivity.


Once the prerequisites are complete, please file a support ticket to proceed with the next two steps.

  1. Tenant Provisioning
    Delphix provisions a separate tenant for all organizations that wish to use Data Control Tower. All users from a single email domain must belong to the same tenant and if needed, more than one email domain may belong to a tenant. These are provisioned as demanded.
  2. Identity Provider (IDP) Integration
    Data Control Tower uses SAML2-based Identity Provider (For example Okta, Ping, or OneLogin) authentication. Once Delphix has provisioned a tenant for the organization, the next step will be to work with Delphix to integrate with your Identity Provider. Once integrated, users will be able to automatically access Data Control Tower.