Port numbers, URLs, and IP addresses

Deep Security default port numbers, URLs, IP addresses, and protocols are listed in the sections below. If a port, URL or IP address is configurable, a link is provided to the relevant configuration page.

If your network uses a proxy or load balancer, you can configure Deep Security to use it instead of the default ports and URLs listed on this page. For details, see Proxy settings and Load Balancers.

Deep Security port numbers

Port type | Default port number
Deep Security as a Service and Deep Security Manager listen ports

Deep Security as a Service listen ports:

  • 443/HTTPS (heartbeat)

Deep Security Manager (on-premise) listen ports:

  • 4119/HTTPS (Deep Security Manager GUI and API listen port)
  • 4120/HTTPS (Deep Security Manager heartbeat port)

Deep Security AMI for AWS Marketplace ports:

  • 443/HTTPS
  • 4120/HTTPS (Deep Security Manager heartbeat port)
  • 8080/HTTP (AWS web installer port)

Deep Security VM for Azure Marketplace listen ports:

  • 443/HTTPS
  • 4120/HTTPS (Deep Security Manager heartbeat port)
  • 8443/HTTPS (Azure web installer port)

Deep Security as a Service and Deep Security Manager destination ports

Deep Security as a Service destination ports:

  • 80/HTTP, 443/HTTPS*
  • 514/Syslog* (SIEM or syslog server port)
  • 4118/HTTPS* (Deep Security Agent port)
  • 4122/HTTPS* (Deep Security Relay port)

Deep Security Manager (on-premise), Deep Security AMI for AWS Marketplace, and Deep Security VM for Azure Marketplace destination ports:

  • 25/SMTP* (email server port)
  • 53/DNS (DNS server port)
  • 80/HTTP, 443/HTTPS*
  • 123/NTP* (NTP server port; the NTP server can be Trend Micro Control Manager)
  • 162/SNMP* (SNMP manager port)
  • 389/LDAP, 636/LDAPS* (Active Directory)
  • 514/Syslog* (SIEM or syslog server port)
  • 1433/SQL (Microsoft SQL database port; click here or here for details)
  • 1521/SQL (Oracle database port; click here or here for details)
  • 4118/HTTPS* (Deep Security Agent port)
  • 4122/HTTPS* (Deep Security Relay port)
  • 11000-11999/SQL, 14000-14999/SQL* (Azure SQL Database port)

* Notes:

  • Open 25 if you want email notifications. 25 is configurable in the manager or Deep Security as a Service.
  • 80 and 443 are used by various Deep Security cloud services, Smart Protection Network services, AWS API, Azure API, Control Manager, Deep Discovery Analyzer, VMware components (vCenter, ESXi, NSX), and Whois servers. 80 and 443 are configurable depending on the service being accessed. To configure the Control Manager and Deep Discovery Analyzer ports, click here. For the NSX and vCenter ports, click here. To configure the Whois port, click here. Note: Control Manager, Deep Discovery Analyzer, and VMware are only supported with Deep Security on-premise, and a Whois server is not necessary if you're using Deep Security as a Service.
  • Open 123 if you want to synchronize the manager with an NTP server.
  • Open 162 if you want to use SNMP.
  • Open 389 and 636 if you want to add computers from Active Directory to the manager. 389 and 636 are configurable in the manager if your Active Directory server uses a different port.
  • Open 514 if you want to forward Deep Security events to an external SIEM or syslog server. 514 is configurable in the manager or Deep Security as a Service.
  • Open 4118 if you are using bidirectional or manager-initiated communication. By default, agent-initiated communication is used with Deep Security as a Service, so 4118 can be closed. For all other deployment types (on-premise, and so on) the default is bidirectional communication, so 4118 must be opened. See Agent-Manager communication for details.
  • Open 4122 if you are hosting relays in your local network. Local relays are mandatory in all environments except Deep Security as a Service, where they are optional. For details, see Configure relays.
  • Open 11000-11999, 14000-14999 if you are using Azure SQL Database with the manager deployed on Azure, for example, the Deep Security Manager VM for Azure Marketplace. If the manager runs inside the Azure cloud boundary, it uses a direct route to interact with the Azure SQL Database server. For more information, see this Azure document.

Deep Security Agent/appliance listen port
  • 4118/HTTPS (Agent/appliance listen port for heartbeats)

4118 can be closed if you are using agent-initiated communication. By default, agent-initiated communication is used with Deep Security as a Service, so 4118 can be closed. For all other deployment types (on-premise, and so on) bidirectional communication is used by default, so 4118 must be opened. See Agent-Manager communication for details.

Deep Security Agent/appliance destination ports
  • 53/DNS (DNS server port)
  • 80/HTTP, 443/HTTPS (Smart Protection Network port, Deep Security as a Service port, Deep Security AMI for AWS Marketplace port, Deep Security VM for Azure Marketplace port)
  • 123/NTP* (NTP server port)
  • 514/syslog* (SIEM or syslog server port)
  • 4119/HTTPS* (Deep Security Manager GUI and API port)
  • 4120/HTTPS* (Deep Security Manager heartbeat port)
  • 4122/HTTPS* (Deep Security Relay port)
  • 5274/HTTP, 5275/HTTPS* (Smart Protection Server ports)

* Notes:

  • Open 123 if you want to synchronize the agent with an NTP server.
  • Open 514 if you want the agent to send its security events directly to your SIEM or syslog server. 514 is configurable in the manager or Deep Security as a Service.
  • Open 4119 if you are using Deep Security Manager on-premise. For all other deployment types (Deep Security as a Service and so on), this port can be closed.
  • Open 4120 if you are using agent-initiated or bidirectional communication. By default, agent-initiated communication is used with Deep Security as a Service, and bidirectional communication is used with all other deployment types (on-premise and so on), so 4120 must be opened. See Agent-Manager communication for details.
  • Open 4122 if you are hosting relays in your local network. Local relays are mandatory in all environments except Deep Security as a Service, where they are optional. For details, see Configure relays.
  • Open 5274 and 5275 if you are hosting a Smart Protection Server in your local network or Virtual Private Cloud (VPC), instead of having your agents/appliance connect to the cloud-based Smart Protection Network over 80/HTTP and 443/HTTPS. For details, see the Smart Protection Server documentation, or Deploy a Smart Protection Server in AWS.

Deep Security Relay listen ports

Relays are mandatory, unless you're using Deep Security as a Service, where they are optional. For details on relays, click here.

  • Open all the agent listen ports, since they apply to the relay as well
  • 4122/HTTPS (relay port)
  • 4123 (port for communication between the agent and its own internal relay)

4123 should not be listening to connections from other computers, and you don't need to configure it in network firewall policies. But if you have firewall software (such as Windows Firewall or iptables) on the manager's server itself, verify that it does not block this connection to itself. Also verify that other applications do not use the same port (a port conflict).

Deep Security Relay destination ports

Relays are mandatory, unless you're using Deep Security as a Service, where they are optional. For details on relays, click here.

  • 80/HTTP, 443/HTTPS (Trend Micro Update Server/Active Update and Download Center ports)
  • 4122 (port of other relays)
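
The agent/appliance port notes above can be turned into a firewall audit. The following Python sketch is an added example, not Trend Micro code: the AgentHost model and the function names are hypothetical, and it takes the heartbeat destination from the listen-port lists (443 for Deep Security as a Service, 4120 for a manager you host), which is an interpretation of the 4120 note.

```python
from dataclasses import dataclass

MODES = ("agent-initiated", "manager-initiated", "bidirectional")

@dataclass(frozen=True)
class AgentHost:                 # hypothetical model of one agent host
    deployment: str              # "dsaas" or "on-premise"
    comm: str = "default"        # "default" or one of MODES
    local_relay: bool = False    # relay hosted in the local network
    local_sps: bool = False      # local Smart Protection Server
    syslog_direct: bool = False  # agent sends events straight to SIEM/syslog
    ntp: bool = False            # agent synchronizes with an NTP server

def required_ports(h):
    """Return the (direction, port) pairs the page's notes call for on h."""
    if h.deployment not in ("dsaas", "on-premise"):
        raise ValueError(f"unknown deployment {h.deployment!r}")
    comm = h.comm
    if comm == "default":        # defaults stated in the 4118 note
        comm = "agent-initiated" if h.deployment == "dsaas" else "bidirectional"
    if comm not in MODES:
        raise ValueError(f"unknown communication mode {comm!r}")
    need = {("out", 53), ("out", 80), ("out", 443)}   # unstarred destinations
    if comm != "agent-initiated":
        need.add(("in", 4118))                        # agent listen port
    if comm != "manager-initiated" and h.deployment != "dsaas":
        need.add(("out", 4120))                       # hosted manager heartbeat
    if h.deployment == "on-premise":
        need.add(("out", 4119))                       # manager GUI and API
    if h.local_relay or h.deployment != "dsaas":      # relays mandatory off DSaaS
        need.add(("out", 4122))
    if h.local_sps:
        need |= {("out", 5274), ("out", 5275)}
    if h.syslog_direct:
        need.add(("out", 514))
    if h.ntp:
        need.add(("out", 123))
    return need

def audit(h, allowed):
    """Return (missing, surplus) rule lists for a host's allowed pairs."""
    need = required_ports(h)
    return sorted(need - allowed), sorted(allowed - need)

if __name__ == "__main__":
    # Constructed sample: a DSaaS agent still carrying on-premise rules.
    allowed = {("out", 53), ("out", 443), ("in", 4118), ("out", 4119)}
    print(audit(AgentHost("dsaas"), allowed))
```

A surplus entry such as inbound 4118 on an agent-initiated host is a listener the notes say can be closed.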

Deep Security URLs

If you need to restrict the URLs that are allowed in your environment, read this section.

You'll need to make sure your firewall allows traffic to the following: Trend Micro, Deep Security, AWS, and Azure server URLs on port 443 (HTTPS) and port 80 (HTTP).

Source | Destination server or service name | Destination URL
Deep Security as a Service, agents, relays

Deep Security as a Service

  • app.deepsecurity.trendmicro.com
  • agents.deepsecurity.trendmicro.com
  • dsmim.deepsecurity.trendmicro.com
  • relay.deepsecurity.trendmicro.com

In the list above, app.deepsecurity[...] is the Deep Security as a Service URL, agents.deepsecurity[...] and dsmim.deepsecurity[...] are the Deep Security as a Service heartbeat server URLs, and relay.deepsecurity[...] is the URL of the relays hosted by Deep Security as a Service.

SOAP and REST API clients

Deep Security SOAP and REST APIs

Deep Security as a Service URLs:

  • app.deepsecurity.trendmicro.com/webservice/Manager?WSDL
  • app.deepsecurity.trendmicro.com/api
  • app.deepsecurity.trendmicro.com/rest

Deep Security Manager (on-premise) URLs:

  • <manager FQDN or IP>:4119/webservice/Manager?WSDL
  • <manager FQDN or IP>:4119/api
  • <manager FQDN or IP>:4119/rest

Deep Security AMI for AWS Marketplace, and Deep Security VM for Azure Marketplace URLs:

  • <manager FQDN or IP>:443/webservice/Manager?WSDL
  • <manager FQDN or IP>:443/api
  • <manager FQDN or IP>:443/rest

REST API clients

Deep Security Status Monitoring API

Deep Security Manager (on-premise) URL:

  • <manager FQDN or IP>:4119/rest/status/manager/ping

Deep Security AMI for AWS Marketplace, and Deep Security VM for Azure Marketplace URL:

  • <manager FQDN or IP>:443/rest/status/manager/ping

Deep Security as a Service does not support Status Monitoring.

Deep Security as a Service, Deep Security Manager, agent/appliance, relay

Download Center or web server

Hosts software.

  • files.trendmicro.com

Deep Security as a Service, Deep Security Manager

Smart Protection Network -
Certified Safe Software Service (CSSS)

Used for event tagging with Integrity Monitoring.

  • gacl.trendmicro.com
  • grid-global.trendmicro.com
  • grid.trendmicro.com

The agent/appliance

Smart Protection Network -
Global Census Service

Used for behavior monitoring.

  • ds1000-en.census.trendmicro.com
  • ds1000-jp.census.trendmicro.com
  • ds1000-sc.census.trendmicro.com
  • ds1000-tc.census.trendmicro.com

The agent/appliance

Smart Protection Network -
Good File Reputation Service

Used for behavior monitoring and process memory scans.

  • deepsec10-en.grid-gfr.trendmicro.com
  • deepsec10-jp.grid-gfr.trendmicro.com
  • deepsec10-cn.grid-gfr.trendmicro.com

Deep Security as a Service, Deep Security Manager

Smart Protection Network -
Smart Feedback
  • deepsecurity1000-en.fbs20.trendmicro.com 
  • deepsecurity1000-jp.fbs20.trendmicro.com
  • deepsecurity1000-sc.fbs20.trendmicro.com

The agent/appliance

Smart Protection Network -
Smart Scan Service

10.0

  • ds10.icrc.trendmicro.com
  • ds10.icrc.trendmicro.com/tmcss/
  • ds10-jp.icrc.trendmicro.com/tmcss/
  • ds10-sc.icrc.trendmicro.com.cn/tmcss/

9.6 and 9.5

  • iaufdbk.trendmicro.com
  • ds96.icrc.trendmicro.com
  • ds96-jp.icrc.trendmicro.com
  • ds96-sc.icrc.trendmicro.com.cn
  • ds95.icrc.trendmicro.com
  • ds95-jp.icrc.trendmicro.com
  • ds95-sc.icrc.trendmicro.com.cn

The agent/appliance

Smart Protection Network -
Web Reputation Service

10.0

  • ds100-en.url.trendmicro.com
  • ds100-sc.url.trendmicro.com
  • ds100-jp.url.trendmicro.com

9.6 and 9.5

  • ds96-en.url.trendmicro.com
  • ds96-jp.url.trendmicro.com
  • ds95-en.url.trendmicro.com
  • ds95-jp.url.trendmicro.com

Deep Security as a Service, Deep Security Manager

Help and support
  • help.deepsecurity.trendmicro.com
  • success.trendmicro.com/product-support/deep-security

Deep Security as a Service, Deep Security Manager

Licensing and registration servers
  • licenseupdate.trendmicro.com
  • clp.trendmicro.com
  • olr.trendmicro.com

Browser on agent computers and the computer used to log in to the manager or Deep Security as a Service

Site Safety

Optional. There are links to the URLs below within the manager and Deep Security as a Service UI, and on the agent's 'Your administrator has blocked access to this page for your safety' page.

  • sitesafety.trendmicro.com
  • jp.sitesafety.trendmicro.com

The relay, agent/appliance, and Deep Security as a Service

Update Server (also called Active Update)

Hosts security updates.

  • iaus.activeupdate.trendmicro.com
  • iaus.trendmicro.com
  • ipv6-iaus.trendmicro.com
  • ipv6-iaus.activeupdate.trendmicro.com

Deep Security as a Service, Deep Security Manager

AWS and Azure URLs

Used for adding AWS accounts and Azure accounts to Deep Security Manager or Deep Security as a Service.

AWS URLs

  • URLs of AWS endpoints listed on this AWS page, under these headings:
    • Amazon Elastic Compute Cloud (Amazon EC2)
    • AWS Security Token Service (AWS STS)
    • AWS Identity and Access Management (IAM)
    • Amazon WorkSpaces

Azure URLs

  • login.windows.net (authentication)
  • management.azure.com (Azure API)
  • management.core.windows.net (Azure API)
  • azureconnector.deepsecurity.trendmicro.com (Azure connector 'Quick' option)

The management.core.windows.net URL is only required if you used the v1 Azure connector available in Deep Security Manager 9.6 to add an Azure account to the manager. With Deep Security Manager 10.0 and later, a v2 connector is used, and does not require access to this URL.

Deep Security as a Service IP addresses

If you are using Deep Security as a Service, and you need to restrict the IP addresses that are allowed in your environment, read this section.

If a firewall or AWS security group restricts outbound traffic from your network, you must configure the firewall to allow traffic outbound on port 443 to these Deep Security as a Service IPv4 addresses.

Deep Security as a Service sends data from its job nodes on subnet 34.205.5.0/27. If you configured a SIEM or syslog server, make sure it is able to receive inbound traffic from that subnet on your syslog port (by default, 514). Also, if you configured your agents to use bidirectional or manager-initiated communication, then make sure your agents are also able to receive traffic from 34.205.5.0/27 on the agent listen port (by default, 4118). (By default, agents use agent-initiated communication.)

By default, Deep Security as a Service uses Trend Micro's cloud-based Smart Protection Network which does not have static IP addresses. If you want to use the Smart Protection Network but need to restrict your outbound communication, we suggest you deploy a Smart Protection Server in your environment. For information on how to do this, see Deploy a Smart Protection Server in AWS.

Source | Purpose | Destination IP addresses
Administrator's computer and agents

GUI for Deep Security as a Service

34.198.27.224

34.205.210.199

34.205.239.162

50.17.162.194

52.0.124.201

52.0.33.128

52.72.111.249

52.72.211.36

52.87.46.150

52.207.138.122

54.80.120.113

54.175.211.84

Agents and relays

Security package updates

34.194.74.60

34.196.197.189

34.204.219.38

34.205.83.195

52.2.63.133

52.21.149.243

52.44.144.238

52.55.188.35

52.201.199.128

52.206.54.30

54.86.152.157

54.87.173.241

Agents

Heartbeat

34.192.67.219

34.196.25.105

34.199.44.254

34.204.244.61

34.206.23.113

34.206.95.140

34.206.146.6

34.206.215.233

52.23.102.52

52.54.141.100

52.54.240.176

54.86.2.200

Agents

Fast heartbeat

34.192.145.157

34.199.111.255

34.204.221.63

34.206.179.241

52.44.129.132

52.45.95.227

52.55.183.116

52.73.88.81

52.202.143.169

52.206.208.21

54.208.106.230

54.152.108.196