Deep Security 10.1 has reached end of support. Use the version selector (above) to see more recent versions of the Help Center.
Port numbers
If connecting Deep Security Manager, Relay, or Agents through a:
- firewall or AWS Security Group
- router
- proxy
- other network address translation (NAT) device
you'll need to know the required domain names or IP addresses, ports, and protocols.
Firewall policies, proxies, and port forwarding often require this information. This is especially true for connections to services on the Internet, such as DNS, time servers, the Trend Micro Active Update servers, Trend Micro Smart Protection Network, and Deep Security as a Service. If a computer has other installed software that listens on the same ports, you must resolve the port conflict.
Default port numbers are in these tables. If the default port numbers don't work with your network or installation, you have a proxy, or if you require SSL or TLS secured versions of the traffic, the tables indicate if you can configure it.
Deep Security Manager ports
Incoming (listening ports)
Transport Protocol | Destination Port Number | Service | Source | Purpose | Configurable? | Proxy configurable? |
---|---|---|---|---|---|---|
TCP | ||||||
443 | HTTPS | |||||
Trend Micro Control Manager, SOAP API client, or other REST API client |
|
No | No | |||
Web browser |
Administrative connections to the Deep Security GUI or API. |
No | No | |||
Agent/Appliance |
Deep Security Agent/Appliance installer downloads. |
No | No | |||
4119 | HTTPS | |||||
Agent/Appliance | Deep Security Agent/Appliance installer downloads. | No | ||||
NSX Manager | Communication from VMware NSX Manager. | Yes | No | |||
vCenter server | Communication from VMware vCenter server. |
Yes |
No | |||
ESXi server | Communication from VMware ESXi server | Yes | No | |||
4120 | HTTPS | Agent/Appliance |
|
Yes | Yes | |
8443 | HTTPS | Web installer |
Software installation via the web installer. Once Deep Security Manager installation is complete, or if you use the Quick Start instead, you can block this port. |
Outgoing
Transport Protocol | Destination Port Number | Service | Destination | Purpose | Configurable? | Proxy configurable? |
---|---|---|---|---|---|---|
TCP | 25 | SMTP | E-mail server |
Alerts for events. AWS throttles (rate limits) e-mail on SMTP's IANA standard port number, port 25. If you use AWS Marketplace, you may have faster alerts if you use SMTP over STARTTLS (secure SMTP) instead. For more information, see:
http://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-connect.html http://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-issues.html |
Yes | No |
UDP | 53 | DNS | DNS server | Domain name resolution of Trend Micro services, e-mail server, NTP server, and others. |
Yes (configure in the operating system) |
Yes (configure in the operating system) |
TCP | 80 | HTTP |
Trend Micro Smart Feedback www.smartprotectionnetwork.com (in English) cn.trendmicro.com (in Chinese) www.trendmicro.co.jp (in Japanese) |
Smart Protection feedback. | No | No |
Control Manager |
Get suspicious objects list for connected threat defense. Source port is 4119. |
Yes | Yes | |||
Whois server (could be http://reports.internic.net/cgi/whois?whois_nic=[IP]&type=nameserver) |
Reverse name resolution of IP addresses into hostnames for event logs and computer discovery. | Yes | No | |||
80 or 443 | HTTP or HTTPS |
Trend Micro licensing and registration server licenseupdate.trendmicro.com |
Licensing and product registration. | No | Yes | |
HTTP or HTTPS |
iaus.trendmicro.com/iau_server.dll |
Security package updates. Alternatively, use a relay. |
Yes | |||
HTTP or HTTPS |
Trend Micro Download Center or web server files.trendmicro.com |
Deep Security Agent/Appliance installer downloads. |
No |
No | ||
HTTP or HTTPS |
Trend Micro Certified Safe Software Service (CSSS) Deep Security 9.6 — gacl.trendmicro.com:443 (HTTPS) Deep Security 10.0 — grid-global.trendmicro.com:443 (HTTPS) |
Automatic event tagging for integrity monitoring | No | Yes | ||
UDP | 123 | NTP |
NTP server (can be Trend Micro Control Manager server) |
Accurate time for SSL or TLS connections, schedules, and event logs. |
Yes (configure in the operating system) |
No |
162 |
SNMP | SNMP manager | Traps for events. | Yes | No | |
TCP | 389 | LDAP | Microsoft Active Directory server |
|
Yes | No |
HTTPS | AWS Marketplace, Microsoft Azure Marketplace, and other clouds |
Communication with cloud accounts to retrieve a list of computers. |
No | Yes | ||
TCP | 443 | HTTPS | NSX Manager | Communication to VMware NSX Manager. | Yes | No |
vCenter server | Communication to VMware vCenter server. |
Yes |
No | |||
ESXi server | Communication to VMware ESXi server. |
No |
||||
Deep Discovery Analyzer | File submission for sandboxing with connected threat defense. | Yes | Yes | |||
UDP | 514 | Syslog | SIEM or log server | External logging and reporting. | Yes | No |
TCP | 636 | LDAPS | Microsoft Active Directory server |
|
Yes | No |
1433 | SQL | Microsoft SQL database |
Deep Security Manager application to its storage. Although it is not visible from the GUI, you can configure an encrypted database connection. |
Yes | No |
|
1521 | SQL | Oracle database |
Deep Security Manager application to its storage. Although it is not visible from the GUI, you can configure an encrypted database connection. |
Yes | No | |
5432 | SQL | PostgreSQL database | Deep Security Manager application to its storage. Although it is not visible from the GUI, you can configure an encrypted database connection. |
Yes | No | |
11000-11999, 14000-14999 |
SQL | Azure SQL Database |
If your Deep Security Manager runs inside the Azure cloud boundary, it uses a direct route to interact with the Azure SQL Database server. For more information, see https://docs.microsoft.com/en-us/azure/sql-database/sql-database-develop-direct-route-ports-adonet-v12. This is only required when using Azure SQL Database with Deep Security Manager deployed on Azure, for example, the Deep Security Manager VM for Azure Marketplace. |
No | No | |
4118 | HTTPS | Agent/Appliance |
Manager to Agent/Appliance heartbeat. Send events and get configuration updates from the Manager. See also Agent-Manager communication . Depending on your deployment type, you may be able to close port 4118, and only use agent-initiated heartbeats. |
No | ||
4122 | HTTPS | Relay |
Security package updates such as anti-malware engine and signatures via a Deep Security Relay. Alternatively, the Deep Security Manager can connect directly to the Trend Micro Active Update servers. See also Agent-Manager communication . |
Yes | Yes | |
TCP UDP |
All | All | Agent/Appliance | Port scan to detect open (listening) ports on computers. | Yes | No |
Deep Security Relay ports
Relays require all of the ports for an agent and these port numbers.
Incoming (listening)
Transport Protocol | Destination Port Number | Service | Source | Purpose | Configurable? | Proxy configurable? |
---|---|---|---|---|---|---|
TCP | 4122 | HTTPS | Manager, Agent, Appliance, or Relay |
See also Agent-Manager communication . |
Yes | Yes*
In Deep Security Agent 10.0 GA and earlier, agents didn't have support for connections through a proxy to relays.You must either:
|
4123 | Localhost Relay |
Communication of Agent to its own integrated Relay. This port should not be listening to connections from other computers, and you don't need to configure it in network firewall policies. But if you have a host firewall on the Deep Security Manager server itself, verify that it does not block this connection to itself. Also verify that other applications do not use the same port (a port conflict). |
No | No |
Outgoing
Transport Protocol | Destination Port Number | Service | Destination | Purpose | Configurable? | Proxy configurable? |
---|---|---|---|---|---|---|
TCP | 80 or 443 | HTTP or HTTPS |
Trend MicroActive Update iaus.trendmicro.com/iau_server.dll |
Security package updates such as anti-malware engine and signatures. Alternatively, use another relay. |
Yes | |
4122 | HTTPS | Relay |
Relay-to-Relay communication for synchronizing Deep Security Agent software installers and security components such as anti-malware engine and signatures. See also Agent-Manager communication . |
Yes | Yes*
In Deep Security Agent 10.0 GA and earlier, agents didn't have support for connections through a proxy to relays.You must either:
|
Deep Security Agent ports
Incoming (listening ports)
Transport Protocol | Destination Port Number | Service | Source | Purpose | Configurable? | Proxy configurable? |
---|---|---|---|---|---|---|
TCP | ||||||
4118 | HTTPS | Manager |
Manager to agent or appliance heartbeat. Send events and get configuration updates from the Manager. See also Agent-Manager communication . |
No | ||
5985 | WinRM HTTP | deployment tools such as RightScale, Chef, Puppet, and Ansible | Remote installation of the agent (Windows only). | Yes (configure in the operating system) |
Yes (configure in the operating system) |
Outgoing
Transport Protocol | Destination Port Number | Service | Destination | Purpose | Configurable? | Proxy configurable? |
---|---|---|---|---|---|---|
UDP | 53 | DNS | DNS server | Domain name resolution of the Deep Security Manager, Trend Micro Smart Protection servers, and others. |
Yes (configure in the operating system) |
Yes (configure in the operating system) |
TCP | 80 | HTTP |
Good File Reputation Service deepsec10-en.grid-gfr.trendmicro.com deepsec10-jp.grid-gfr.trendmicro.com deepsec10-cn.grid-gfr.trendmicro.com |
Communicates with the Good File Reputation Service during file scans started by Behavior Monitoring. |
No | |
File Census ds1000-en.census.trendmicro.com ds1000-jp.census.trendmicro.com ds1000-sc.census.trendmicro.com ds1000-tc.census.trendmicro.com |
Communicates with the Global Census Server during file scans started by Behavior Monitoring. | No | ||||
80 or 443 | HTTP or HTTPS |
Trend Micro Download Center or web server files.trendmicro.com |
Deep Security Agent/Appliance installer downloads. |
(append port number to URL) |
No | |
Trend Micro Active Update iaus.trendmicro.com/iau_server.dll |
Security package updates such as anti-malware engine and ignatures. Alternatively, use a relay. |
Yes | ||||
Web server | Connectivity test to determine context (whether the computer is on the private network or not) for policies | Yes | No | |||
Trend MicroSmart Protection Network
|
File reputation service and Smart Protection feedback. Alternatively, connect to a Smart Protection server on your local network, or a Smart Protection server on AWS. |
Yes | Yes | |||
Smart Protection server |
You can connect to a Smart Protection server on your local network, or a Smart Protection server on AWS. |
Yes | Yes | |||
UDP | 123 | NTP |
NTP server (can be Trend Micro Control Manager server) |
Accurate time for SSL or TLS connections, schedules, and event logs. |
Yes (configure in the operating system) |
No |
TCP | ||||||
HTTPS | ||||||
443 | ||||||
UDP | 514 | Syslog | SIEM or log server |
External logging and reporting. This is only used if you want the agents to send directly to an external SIEM, instead of uploading event logs to the Deep Security Manager. |
Yes | No |
TCP | ||||||
4119 | HTTPS | Manager |
Deep Security Agent installer downloads. |
No | ||
4120 | HTTPS | Manager |
|
Yes |
Yes* In Deep Security Agent 10.0 GA and earlier, agents didn't have support for connections through a proxy to relays.You must either:
|
|
4122 | HTTPS | Relay |
Agent-to-relay communication for Deep Security Agent software installers and security package updates such as anti-malware engine and signatures. See also Agent-Manager communication . |
Yes | Yes*
In Deep Security Agent 10.0 GA and earlier, agents didn't have support for connections through a proxy to relays.You must either:
|
|
5274 | HTTPS |
Trend MicroSmart Protection Network
|
Web reputation service. Alternatively, connect to a Smart Protection server on your local network, or a Smart Protection server on AWS. |
Yes | Yes | |
Smart Protection server |
Web reputation service. You can connect to a Smart Protection server on your local network, or a Smart Protection server on AWS. |
Yes | No |