Port numbers, URLs, and IP addresses

Deep Security as a Service listen ports):

• 443/HTTPS (heartbeat and activation)

Deep Security Manager (on-premise) listen ports:

• 4119/HTTPS (Deep Security Manager GUI and API listen port. Also used for shared and global Application Control rulesets, unless your rulesets are downloaded from a relay.)
• 4120/HTTPS (Deep Security Manager heartbeat and activation port)

Deep Security AMI for AWS Marketplace ports:

• 443/HTTPS
• 4120/HTTPS (Deep Security Manager heartbeat and activation port)
• 8080/HTTP (AWS web installer port)

Deep Security VM for Azure Marketplace listen ports:

• 443/HTTPS
• 4120/HTTPS (Deep Security Manager heartbeat and activation port)
• 8443/HTTPS (Azure web installer port)

Deep Security as a Service destination ports:

• 80/HTTP, 443/HTTPS*
• 514/Syslog* (SIEM or syslog server port)
• 4118/HTTPS* (Deep Security Agent port)
• 4122/HTTPS* (Deep Security Relay port)

Deep Security Manager (on-premise), Deep Security AMI for AWS Marketplace, and Deep Security VM for Azure Marketplace destination ports:

• 25/SMTP* (email server port)
• 53/DNS (DNS server port)
• 80/HTTP, 443/HTTPS*
• 123/NTP* (NTP server port; the NTP server can be Trend Micro Control Manager)
• 162/SNMP* (SNMP manager port)
• 389/LDAP, 636/LDAPS* (Active Directory)
• 514/Syslog* (SIEM or syslog server port)
• 1433/SQL (Microsoft SQL database port; click here or here for details)
• 1521/SQL (Oracle database port; click here or here for details)
• 4118/HTTPS* (Deep Security Agent port)
• 4122/HTTPS* (Deep Security Relay port)
• 11000-11999/SQL, 14000-14999/SQL* (Azure SQL Database port)

* Notes:

• Open 25 if you want email notifications. 25 is configurable in the manager or Deep Security as a Service.
• 80 and 443 are used by various Deep Security cloud services, Smart Protection Network services, AWS API, Azure API, Control Manager, Deep Discovery Analyzer, VMware components (vCenter, ESXi, NSX), and Whois servers. 80 and 443 are configurable depending on the service being accessed. To configure the Control Manager and Deep Discovery Analyzer ports, click here. For the NSX and vCenter ports, click here. To configure the Whois port, click here. Note: Control Manager, Deep Discovery Analyzer, and VMware are only supported with Deep Security on-premise, and a Whois server is not necessary if you're using Deep Security as a Service.
• Open 123 if you want to synchronize the manager with an NTP server.
• Open 162 if you want to SNMP settings.
• Open 389 and 636 if you want to add computers from Active Directory to the manager. 389 and 636 are configurable in the manager if your Active Directory server uses a different port.
• Open 514 if you want to forward Deep Security events to an external SIEM or syslog server. 514 is configurable in the manager or Deep Security as a Service.
• Open 4118 if you are using bidirectional or manager-initiated communication. By default, agent-initiated communication is used with Deep Security as a Service, so 4118 can be closed. For all other deployment types (on-premise, and so on) the default is bidirectional communication, so 4118 must be opened. See Agent-Manager communication for details.
• Open 4122 if you are hosting relays in your local network. Local relays are mandatory in all environments except Deep Security as a Service, where they are optional. For details, see Configure relays.
• Open 11000-11999, 14000-14999 if you are using Azure SQL Database with the manager deployed on Azure, for example, the Deep Security Manager VM for Azure Marketplace. If the manager runs inside the Azure cloud boundary, it uses a direct route to interact with the Azure SQL Database server. For more information, see this Azure document.

• 4118/HTTPS (Agent/appliance listen port for heartbeats and activations)

4118 can be closed if you are using agent-initiated communication. By default, agent-initiated communication is used with Deep Security as a Service, so 4118 can be closed. For all other deployment types (on-premise, and so on) bidirectional communication is used by default, so 4118 must be opened. See Agent-Manager communication for details.

• 53/DNS (DNS server port)
• 80/HTTP, 443/HTTPS (Smart Protection Network port, Deep Security as a Service port, Deep Security AMI for AWS Marketplace port, Deep Security VM for Azure Marketplace port)
• 123/NTP* (NTP server port)
• 514/syslog* (SIEM or syslog server port)
• 4119/HTTPS* (Deep Security Manager GUI and API port)
• 4120/HTTPS* (Deep Security Manager heartbeat and activation port)
• 4122/HTTPS* (Deep Security Relay port)
• 5274/HTTP, 5275/HTTPS* (Smart Protection Server ports)

* Notes:

• Open 123 if you want to synchronize the agent with an NTP server.
• Open 514 if you want the agent to send its security events directly to your SIEM or syslog server. 514 is configurable in the manager or Deep Security as a Service.
• Open 4119 if you are using Deep Security Manager on-premise. For all other deployment types (Deep Security as a Service and so on), this port can be closed.
• Open 4120 if you are using agent-initiated or bidirectional communication. By default, agent-initiated communication is used with Deep Security as a Service, and bidirectional communication is used with all other deployment types (on-premise and so on), so 4120 must be opened. See Agent-Manager communication for details.
• Open 4122 if you are hosting relays in your local network. Local relays are mandatory in all environments except Deep Security as a Service, where they are optional. For details, see Configure relays.
• Open 5274 and 5275 if you are hosting a Smart Protection Server in your local network or Virtual Private Network (VPC), instead of having your agents/appliance connect to the cloud-based Smart Protection Network over 80/HTTP and 443/HTTPS. For details, see the Smart Protection Server documentation, or Deploy a Smart Protection Server in AWS.

Relays are mandatory, unless you're using Deep Security as a Service, where they are optional. For details on relays, click here.

• Open all the agent listen ports, since they apply to the relay as well
• 4122/HTTPS (relay port)
• 4123 (port for communication between the agent and its own internal relay)

4123 should not be listening to connections from other computers, and you don't need to configure it in network firewall policies. But if you have firewall software (such as Windows Firewall or iptables) on the manager's server itself, verify that it does not block this connection to itself. Also verify that other applications do not use the same port (a port conflict).

Relays are mandatory, unless you're using Deep Security as a Service, where they are optional. For details on relays, click here.

• Allow all the agent destination ports, since they apply to the relay too
• 80/HTTP, 443/HTTPS (Trend Micro Update Server/Active Update and Download Center ports)
• 4122 (port of other relays)

• app.deepsecurity.trendmicro.com
• agents.deepsecurity.trendmicro.com
• dsmim.deepsecurity.trendmicro.com
• relay.deepsecurity.trendmicro.com

In the list above, app.deepsecurity[...] is the Deep Security as a Service URL, agents.deepsecurity[...] and dsmim.deepsecurity[...] are the Deep Security as a Service heartbeat and activation server URLs, and relay.deepsecurity[...] is the URL of the relays hosted by Deep Security as a Service. For details on the heartbeat and activation servers, see Can you describe your SSL implementation and the credential provisioning system between the Agent and Manager?.

Deep Security as a Service URLs:

• app.deepsecurity.trendmicro.com/webservice/Manager?WSDL
• app.deepsecurity.trendmicro.com/api
• app.deepsecurity.trendmicro.com/rest

Deep Security Manager (on-premise) URLs:

• <manager FQDN or IP>:4119/webservice/Manager?WSDL
• <manager FQDN or IP>:4119/api
• <manager FQDN or IP>:4119/rest

Deep Security AMI for AWS Marketplace, and Deep Security VM for Azure Marketplace URLs:

• <manager FQDN or IP>:443/webservice/Manager?WSDL
• <manager FQDN or IP>:443/api
• <manager FQDN or IP>:443/rest

Deep Security Manager (on-premise) URL:

• <manager FQDN or IP>:4119/rest/status/manager/ping

Deep Security AMI for AWS Marketplace, and Deep Security VM for Azure Marketplace URL:

• <manager FQDN or IP>:443/rest/status/manager/ping

Deep Security as a Service does not support Status Monitoring.

Download Center or web server

Hosts software.

• files.trendmicro.com

Smart Protection Network -
Certified Safe Software Service (CSSS)

Used for event tagging with Integrity Monitoring.

• gacl.trendmicro.com
• grid-global.trendmicro.com
• grid.trendmicro.com

Smart Protection Network -
Global Census Service

Used for behavior monitoring.

• ds1000-en.census.trendmicro.com
• ds1000-jp.census.trendmicro.com
• ds1000-sc.census.trendmicro.com
• ds1000-tc.census.trendmicro.com

Smart Protection Network -
Good File Reputation Service

Used for behavior monitoring and process memory scans.

• deepsec10-en.grid-gfr.trendmicro.com
• deepsec10-jp.grid-gfr.trendmicro.com
• deepsec10-cn.grid-gfr.trendmicro.com

The agent/appliance

• deepsecurity1000-en.fbs20.trendmicro.com 
• deepsecurity1000-jp.fbs20.trendmicro.com
• deepsecurity1000-sc.fbs20.trendmicro.com

10.0 agents/appliances connect to:

• ds10.icrc.trendmicro.com
• ds10.icrc.trendmicro.com/tmcss/
• ds10-jp.icrc.trendmicro.com/tmcss/
• ds10-sc.icrc.trendmicro.com.cn/tmcss/

9.6 and 9.5 agents/appliances connect to:

• iaufdbk.trendmicro.com
• ds96.icrc.trendmicro.com
• ds96-jp.icrc.trendmicro.com
• ds96-sc.icrc.trendmicro.com.cn
• ds95.icrc.trendmicro.com
• ds95-jp.icrc.trendmicro.com
• ds95-sc.icrc.trendmicro.com.cn

10.0 agents/appliances connect to:

• ds100-en.url.trendmicro.com
• ds100-sc.url.trendmicro.com
• ds100-jp.url.trendmicro.com

9.6 and 9.5 agents/appliances connect to:

• ds96-en.url.trendmicro.com
• ds96-jp.url.trendmicro.com
• ds95-en.url.trendmicro.com
• ds95-jp.url.trendmicro.com

Deep Security as a Service, Deep Security Manager

• help.deepsecurity.trendmicro.com
• success.trendmicro.com/product-support/deep-security

Deep Security as a Service, Deep Security Manager

• licenseupdate.trendmicro.com
• clp.trendmicro.com
• olr.trendmicro.com

Optional. There are links to the URLs below within the manager and Deep Security as a Service UI, and on the agent's 'Your administrator has blocked access to this page for your safety' page.

• sitesafety.trendmicro.com
• jp.sitesafety.trendmicro.com

Update Server (also called Active Update)

Hosts security updates.

• iaus.activeupdate.trendmicro.com
• iaus.trendmicro.com
• ipv6-iaus.trendmicro.com
• ipv6-iaus.activeupdate.trendmicro.com

Deep Security as a Service, Deep Security Manager

AWS and Azure URLs

Used for
adding AWS accounts and Azure accounts to Deep Security Manager or Deep Security as a Service.

AWS URLs

• URLs of AWS endpoints listed on this AWS page, under these headings:
  • Amazon Elastic Compute Cloud (Amazon EC2)
  • AWS Security Token Service (AWS STS)
  • AWS Identity and Access Management (IAM)
  • Amazon WorkSpaces

Azure URLs

• login.windows.net (authentication)
• management.azure.com (Azure API)
• management.core.windows.net (Azure API)
• azureconnector.deepsecurity.trendmicro.com (Azure connector 'Quick' option)

The management.core.windows.net URL is only required if you used the v1 Azure connector available in Deep Security Manager 9.6 to add an Azure account to the manager. With Deep Security Manager 10.0 and later, a v2 connector is used, and does not require access to this URL.