
Connector vs. Distributed Engine: Understanding the Platform Engine Server Components

  • April 23, 2026

The Connector and the Distributed Engine are two of the most commonly confused components of the Delinea Platform. They often live on the same server, they're both deployed on domain-joined Windows boxes, and they're both required in many deployments — but they do completely different things. This guide explains what each one does, when you need them, and why customers frequently mix them up.
 


What Can Live on the Engine Server?

The Engine Server is a domain-joined Windows member server that hosts one or more Delinea Platform components. Not every component is required in every deployment — what you install depends on how your environment is configured.

The components that can run on an Engine Server include:

Connector. AD authentication proxy, user and group lookups, and MFA proxy.

Distributed Engine. Discovery, heartbeat, password changing, and session proxy.

Audit Collector. Routes recorded SSH and RDP sessions back to the Platform.

Command Relay. Creates, edits, and deletes Privileged Control for Servers (PCS) policies.

AD Rapid Discovery. Monitors Active Directory changes for PCS servers in near real-time.

Identity Threat Protection. Discovers AD objects for ITP and reporting.

This article focuses on the first two — the Connector and the Distributed Engine — because they account for the bulk of the confusion.
 


Connector vs. Distributed Engine: Side-by-Side

The clearest way to understand the difference is to look at the two components across the dimensions that matter: what they do, when you need them, what ports they use, and how they scale.

| | Connector | Distributed Engine |
| --- | --- | --- |
| Primary role | Identity and authentication bridge between on-prem AD and the Platform | Operational workhorse for Secret Server vault functions |
| Key functions | AD authentication proxy; AD user/group lookups; MFA proxy for target servers; RADIUS client for third-party MFA | Account discovery; heartbeat checks; remote password changing; SSH/RDP session proxying |
| Required when | On-premises AD is used for Platform authentication | Secret Server Cloud (required for most features); Secret Server On-Prem (optional but recommended) |
| Ports | 8443 TCP (HTTPS MFA); 8080 TCP (HTTPS proxy); 9521 TCP (internal NetTCP) | 135, 445 TCP (Windows targets); 22 TCP (Linux targets); 3390 TCP (RDP proxy inbound) |
| Scaling | 2 per separate network | 2+ per network, scale as needed |
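A port check built from the Ports row of the table above, added here as an example (it is not Delinea code). It assumes the Connector ports and 3390 are local listeners on the Engine Server and that 135/445/22 are outbound connections to targets; the target host names are placeholders you supply.

```powershell
# Added example (not Delinea code): checks the ports from the table above on an Engine Server.
# Assumption: Connector ports and 3390 are local listeners; 135/445/22 are outbound to targets.
param(
    [ValidateSet('Connector', 'DistributedEngine')]
    [string[]]$Component = @('Connector', 'DistributedEngine'),
    [string[]]$WindowsTarget = @(),   # placeholder names you supply, e.g. win01.example.internal
    [string[]]$LinuxTarget   = @()    # placeholder names you supply, e.g. lnx01.example.internal
)

# Ports expected to be listening locally, per component (labels copied from the table).
$listenPorts = @{
    Connector         = @{ 8443 = 'HTTPS MFA'; 8080 = 'HTTPS proxy'; 9521 = 'internal NetTCP' }
    DistributedEngine = @{ 3390 = 'RDP proxy inbound' }
}

$results = @(
    foreach ($c in $Component) {
        foreach ($port in $listenPorts[$c].Keys) {
            # No listener produces a non-terminating error, silenced here and reported as Ok = False.
            $listener = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Component = $c
                Check     = "listen $port ($($listenPorts[$c][$port]))"
                Target    = $env:COMPUTERNAME
                Ok        = [bool]$listener
            }
        }
    }

    if ($Component -contains 'DistributedEngine') {
        # Engine-to-target ports: 135 and 445 for Windows targets, 22 for Linux targets.
        $outbound = @(
            foreach ($t in $WindowsTarget) { foreach ($p in 135, 445) { [pscustomobject]@{ Name = $t; Port = $p } } }
            foreach ($t in $LinuxTarget)   { [pscustomobject]@{ Name = $t; Port = 22 } }
        )
        foreach ($o in $outbound) {
            $r = Test-NetConnection -ComputerName $o.Name -Port $o.Port -WarningAction SilentlyContinue
            [pscustomobject]@{
                Component = 'DistributedEngine'
                Check     = "connect $($o.Port)"
                Target    = $o.Name
                Ok        = $r.TcpTestSucceeded
            }
        }
    }
)

$results | Sort-Object Component, Check | Format-Table -AutoSize
if ($results.Ok -contains $false) { exit 1 }
```

Run it on the Engine Server itself and pass `-Component` for only the components installed there, since a listen check for an absent component will report False.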


When Do You Need Each Component?

Whether you need a Connector, an Engine, both, or neither depends entirely on how authentication and your vault are configured. The four scenarios below cover the most common setups.

Secret Server Cloud + On-Prem AD Authentication

Connector: Required. Engine: Required.

The Connector handles AD authentication proxy. The Engine handles discovery, heartbeat, remote password changing, and session proxy. This is the most common "everything on" deployment.

Secret Server Cloud + Federated/SAML Authentication Only

Connector: Not needed. Engine: Required.

If you're authenticating through a federated or SAML identity provider, there is no on-prem AD authentication for the Connector to proxy. The Engine is still required for vault operations.

Secret Server On-Prem (single site, no remote networks)

Connector: Not needed. Engine: Optional.

The IIS web server handles all operations locally. An Engine is optional but recommended for performance.

Platform + PCS Agent MFA

Connector: Required. Engine: Optional.

Agents query AD for Connectors and authenticate via the Connector for MFA flows. The Engine isn't needed unless you also have vault operations to handle.
 


Common Confusion

A few misconceptions come up repeatedly in support tickets. Worth addressing them head-on.

"The Connector does everything the old Site Connector did"

The Platform Connector is not the same as the Secret Server Site Connector. The Secret Server Site Connector (RabbitMQ, MemoryMQ, or Azure Service Bus) routes work items to engines. The Platform Connector handles AD authentication proxy only. They share a name fragment and nothing else.

"I need a Connector to run Discovery"

Discovery, heartbeat, and password changing are Distributed Engine functions, not Connector functions. The Connector is only for AD authentication and MFA proxy. If your discovery isn't working, the Connector is almost never the culprit.

"They both live on the same server, so they do the same thing"

They coexist on the Engine Server, but they serve completely different roles. The Connector talks to AD and the Platform for identity. The Engine talks to target systems for vault operations. Sharing a host doesn't mean sharing a function.
 


Quick Reference: Key Takeaways

Connector. Identity bridge. Handles AD authentication, user and group lookups, and MFA proxy between on-prem AD and the Delinea Platform.

Distributed Engine. Vault workhorse. Handles discovery, heartbeat, remote password changing, and session proxying for Secret Server.

Both deploy on the Engine Server. A domain-joined Windows member server. Recommended deployment: two per separate network segment for redundancy.

The key difference, in one sentence: the Connector talks to AD for who you are. The Engine talks to target systems for what you can do.