Port numbers, URLs, and IP addresses

• 4119/HTTPS (Deep Security Manager GUI and API listen port. Also used for shared and global Application Control rulesets, unless your rulesets are downloaded from a relay.)
• 4120/HTTPS (Deep Security Manager heartbeat and activation port)

• 25/SMTP* (email server port)
• 53/DNS (DNS server port)
• 80/HTTP, 443/HTTPS* (these ports are used by various Deep Security cloud services, Smart Protection Network services, Control Manager, Deep Discovery Analyzer, VMware components (vCenter, ESXi, NSX), Whois server, AWS API, and Azure API)
• 123/NTP* (NTP server port; the NTP server can be Trend Micro Control Manager)
• 162/SNMP* (SNMP manager port)
• 389/LDAP, 636/LDAPS* (Active Directory)
• 514/Syslog* (SIEM or syslog server port)
• 1433/SQL (Microsoft SQL database, Azure SQL Database port)
• 1521/SQL (Oracle database port)
• 5432/SQL (PostgreSQL database port)
• 4118/HTTPS* (Deep Security Agent port)
• 4122/HTTPS (Deep Security Relay port)
• 11000-11999/SQL and 14000-14999/SQL* (additional Azure SQL Database ports)

* Notes:

• Allow port 25 if you want email notifications. 25 is configurable in the manager.
• 80 and 443 are configurable depending on the service being accessed. To configure the Control Manager and Deep Discovery Analyzer ports, click here. For the NSX and vCenter ports, click here. To configure the Whois port, click here.
• Allow port 123 if you want to synchronize the manager with an NTP server.
• Allow port 162 if you want to Forward system events to a remote computer via SNMP.
• Allow port 389 and 636 if you want to add computers from Active Directory to the manager. 389 and 636 are configurable in the manager if your Active Directory server uses a different port.
• Allow port 514 if you want to forward Deep Security events to an external SIEM or syslog server. This is configurable in the manager.
• Allow port 4118 if you are using bidirectional or manager-initiated communication. By default, bidirectional communication is used, so 4118 must be opened. See Agent-manager communication for details.
• Allow port 4119 if you are using Deep Security Virtual Appliance. This port is used to obtain the OVF during Deep Security Appliance deployment.
• Allow ports 11000-11999 and 14000-14999—in addition to 1433—if you are using Azure SQL Database and your manager runs within the Azure cloud boundary (which will be the case if you are using Deep Security Manager VM for Azure Marketplace). If your manager runs outside the Azure cloud boundary, you only need to allow port 1433 to Azure SQL Database. For more information on Azure SQL Database ports, see this Azure document.

• 4118/HTTPS (Agent/appliance listen port for heartbeats and activations)

4118 can be closed if you are using agent-initiated communication. By default, bidirectional communication is used, so 4118 should be opened. See Agent-manager communication for details.

• 53/DNS (DNS server port)
• 80/HTTP, 443/HTTPS (Smart Protection Network port)
• 123/NTP* (NTP server port)
• 514/syslog* (SIEM or syslog server port)
• 4119/HTTPS (Deep Security Manager GUI and API port) (Also used to download agent software when using deployment scripts)
• 4120/HTTPS* (Deep Security Manager heartbeat and activation port)
• 4122/HTTPS (Deep Security Relay port)
• 5274/HTTP, 5275/HTTPS* (Smart Protection Server ports)

* Notes:

• Allow port 123 if you want to synchronize the agent with an NTP server.
• Allow port 514 if you want the agent to send its security events directly to your SIEM or syslog server. This is configurable in the manager.
• Allow port 4120 if you are using bidirectional or agent-initiated communication. By default, bidirectional communication is used, so 4120 must be opened. See Agent-manager communication for details.
• Allow ports 5274 and 5275 if you are hosting a Smart Protection Server in your local network or Virtual Private Network (VPC), instead of having your agents/appliance connect to the cloud-based Smart Protection Network over 80/HTTP and 443/HTTPS. For details, see the Smart Protection Server documentation, or Deploy a Smart Protection Server in AWS.

• Allow all the agent listening ports, since they apply to the relay as well
• 4122/HTTPS (relay port)
• 4123 (port for communication between the agent and its own internal relay)

Port 4123 should not be listening to connections from other computers, and you don't need to configure it in network firewall policies. But if you have firewall software (such as Windows Firewall or iptables) on the manager's server itself, verify that it does not block this connection to itself. Also verify that other applications do not use the same port (a port conflict).

• Allow all the agent destination ports, since they apply to the relay too
• 80/HTTP, 443/HTTPS (Trend Micro Update Server/Active Update and Download Center ports)
• 4119/HTTPS — Deep Security Manager GUI and API port
• 4122 (port of other relays)

• <manager FQDN or IP>:4119/webservice/Manager?WSDL
• <manager FQDN or IP>:4119/api
• <manager FQDN or IP>:4119/rest

• <manager FQDN or IP>:4119/rest/status/manager/ping

Download Center or web server

Hosts software.

• files.trendmicro.com

Smart Protection Network -
Certified Safe Software Service (CSSS)

Used for event tagging with Integrity Monitoring.

• gacl.trendmicro.com
• grid-global.trendmicro.com
• grid.trendmicro.com

Smart Protection Network -
Global Census Service

Used for behavior monitoring, and predictive machine learning.

11.0 agents/appliances connect to:

• ds1100-en-census.trendmicro.com
• ds1100-jp-census.trendmicro.com

10.2 and 10.3 agents/appliances connect to:

• ds1020-en-census.trendmicro.com
• ds1020-jp-census.trendmicro.com
• ds1020-sc-census.trendmicro.com

10.1 and 10.0 agents/appliances connect to:

• ds1000-en.census.trendmicro.com
• ds1000-jp.census.trendmicro.com
• ds1000-sc.census.trendmicro.com
• ds1000-tc.census.trendmicro.com

Smart Protection Network -
Good File Reputation Service

Used for behavior monitoring, predictive machine learning, and process memory scans.

11.0 agents/appliances connect to:

• deepsec11-en.gfrbridge.trendmicro.com
• deepsec11-jp.gfrbridge.trendmicro.com

10.2 and 10.3 agents/appliances connect to:

• deepsec102-en.gfrbridge.trendmicro.com
• deepsec102-jp.gfrbridge.trendmicro.com

10.1 and 10.0 agents/appliances connect to:

• deepsec10-en.grid-gfr.trendmicro.com
• deepsec10-jp.grid-gfr.trendmicro.com
• deepsec10-cn.grid-gfr.trendmicro.com

11.0 agents/appliances connect to:

• deepsecurity1100-en.fbs25.trendmicro.com
• deepsecurity1100-jp.fbs25.trendmicro.com

10.0 agents/appliances connect to:

• deepsecurity1000-en.fbs20.trendmicro.com 
• deepsecurity1000-jp.fbs20.trendmicro.com
• deepsecurity1000-sc.fbs20.trendmicro.com

11.0 agents/appliances connect to:

• ds110.icrc.trendmicro.com
• ds110-jp.icrc.trendmicro.com

10.2 and 10.3 agents/appliances connect to:

• ds102.icrc.trendmicro.com
• ds102-jp.icrc.trendmicro.com
• ds102-sc.icrc.trendmicro.com.cn

10.1 and 10.0 agents/appliances connect to:

• ds10.icrc.trendmicro.com
• ds10.icrc.trendmicro.com/tmcss/
• ds10-jp.icrc.trendmicro.com/tmcss/
• ds10-sc.icrc.trendmicro.com.cn/tmcss/

9.6 and 9.5 agents/appliances connect to:

• iaufdbk.trendmicro.com
• ds96.icrc.trendmicro.com
• ds96-jp.icrc.trendmicro.com
• ds96-sc.icrc.trendmicro.com.cn
• ds95.icrc.trendmicro.com
• ds95-jp.icrc.trendmicro.com
• ds95-sc.icrc.trendmicro.com.cn

Smart Protection Network -
predictive machine learning

Used for predictive machine learning.

11.0 agents/appliances connect to:

• ds110-en-b.trx.trendmicro.com
• ds110-jp-b.trx.trendmicro.com
• ds110-en-f.trx.trendmicro.com
• ds110-jp-f.trx.trendmicro.com

10.2 and 10.3 agents/appliances connect to:

• ds102-en-f.trx.trendmicro.com
• ds102-jp-f.trx.trendmicro.com
• ds102-sc-f.trx.trendmicro.com

11.0 agents/appliances connect to:

• ds11-0-en.url.trendmicro.com
• ds11-0-jp.url.trendmicro.com

10.2 and 10.3 agents/appliances connect to:

• ds10-2-en.url.trendmicro.com
• ds10-2-sc.url.trendmicro.com.cn
• ds10-2-jp.url.trendmicro.com

10.1 and 10.0 agents/appliances connect to:

• ds100-en.url.trendmicro.com
• ds100-sc.url.trendmicro.com
• ds100-jp.url.trendmicro.com

9.6 and 9.5 agents/appliances connect to:

• ds96-en.url.trendmicro.com
• ds96-jp.url.trendmicro.com
• ds95-en.url.trendmicro.com
• ds95-jp.url.trendmicro.com

• help.deepsecurity.trendmicro.com
• success.trendmicro.com/product-support/deep-security

• licenseupdate.trendmicro.com
• clp.trendmicro.com
• olr.trendmicro.com

• news.deepsecurity.trendmicro.com
• news.deepsecurity.trendmicro.com/news.atom
• news.deepsecurity.trendmicro.com/news_ja.atom

Optional. There are links to the URLs below within the manager UI and on the agent's 'Your administrator has blocked access to this page for your safety' page.

• sitesafety.trendmicro.com
• jp.sitesafety.trendmicro.com

Update Server (also called Active Update)

Hosts security updates.

• iaus.activeupdate.trendmicro.com
• iaus.trendmicro.com
• ipv6-iaus.trendmicro.com
• ipv6-iaus.activeupdate.trendmicro.com

AWS and Azure URLs

Used for
adding AWS accounts and Azure accounts to Deep Security Manager.

AWS URLs

• URLs of AWS endpoints listed on this AWS page, under these headings:
  • Amazon Elastic Compute Cloud (Amazon EC2)
  • AWS Security Token Service (AWS STS)
  • AWS Identity and Access Management (IAM)
  • Amazon WorkSpaces

Azure URLs

• login.windows.net (authentication)
• management.azure.com (Azure API)
• management.core.windows.net (Azure API)
• azureconnector.deepsecurity.trendmicro.com (Azure connector 'Quick' option)

The management.core.windows.net URL is only required if you used the v1 Azure connector available in Deep Security Manager 9.6 to add an Azure account to the manager. With Deep Security Manager 10.0 and later, a v2 connector is used, and does not require access to this URL.