Port numbers

If connecting Deep Security Manager, Deep Security Relay, or Deep Security Agents through a:

  • firewall or AWS/Azure/NSX Security Group
  • router
  • proxy
  • other network address translation (NAT) device

you'll need to know the required domain names or IP addresses, ports, and protocols.

In addition to the ports on this page, Deep Security uses ephemeral ports when opening a socket (source port). If a firewall rule is restricting the source port of the TCP packet, connectivity issues will occur. This problem is not common when working with firewall rules or cloud security groups, however, it can occur if you place network restrictions on ephemeral ports. For details, see Activation Failed - Blocked port

Firewall policies, proxies, and port forwarding often require this information. This is especially true for connections to services on the Internet, such as DNS, time servers, the Trend Micro Active Update servers, Trend Micro Smart Protection Network, and Deep Security as a Service. If a computer has other installed software that listens on the same ports, you must resolve the port conflict.

Default port numbers are in these tables. If the default port numbers don't work with your network or installation, you have a proxy, or if you require SSL or TLS secured versions of the traffic, the tables indicate if you can configure it.

Deep Security Manager ports

Incoming (listening ports)

Transport Protocol Destination Port Number Service Source Purpose Configurable? Proxy configurable?
TCP 443 HTTPS Trend Micro Control Manager, SOAP API client, or other REST API client
  • WSDL access at:
    https://<manager FQDN or IP>:443/webservice/Manager?WSDL
  • Status monitoring at:
    https://<manager FQDN or IP>:443/rest/status/manager/ping
  • Control Manager uploads sandboxing results from Deep Discovery Analyzer with connected threat defense.
No No
TCP 443 HTTPS Web browser

Administrative connections to the Deep Security GUI or API.

No No
TCP 443 HTTPS Agent/appliance

Agent/appliance installer downloads.

No No
TCP 4120 HTTPS Agent/appliance
  • Discovery and agent/appliance activation.
  • Agent/appliance to manager heartbeat. Receives events and provides configuration updates to them. See also Agent-manager communication.
Yes Yes
TCP 8080 HTTP Web installer

Software installation via the web installer. Once the manager installation is complete, or if you use the Quick Start instead, you can block this port.

No No

Outgoing

Transport Protocol Destination Port Number Service Destination Purpose Configurable? Proxy configurable?
TCP 25 SMTP E-mail server

Alerts for events.

AWS throttles (rate limits) e-mail on SMTP's IANA standard port number, port 25. If you use AWS Marketplace, you may have faster alerts if you use SMTP over STARTTLS (secure SMTP) instead. For more information, see:
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-connect.html
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-issues.html
Yes No
UDP 53 DNS DNS server Domain name resolution of Trend Micro services, e-mail server, NTP server, and others.

Yes

(configure in the operating system)

Yes

(configure in the operating system)

TCP 80 HTTP

Trend Micro Smart Feedback

  • deepsecurity1100-en.fbs25.trendmicro.com
  • deepsecurity1100-jp.fbs25.trendmicro.com
Smart Protection feedback. No No
TCP 80 HTTP

Whois server

(could be http://reports.internic.net/cgi/whois?whois_nic=[IP]&type=nameserver)

Reverse name resolution of IP addresses into hostnames for event logs and computer discovery. Yes No
TCP 443 HTTPS

Trend Micro licensing and registration server

licenseupdate.trendmicro.com

Licensing and product registration. No Yes
TCP 443 HTTPS news.deepsecurity.trendmicro.com Deep Security news feed No Yes
TCP 80 or 443 HTTP or HTTPS

Trend Micro Active Update

  • https://iaus.activeupdate.trendmicro.com/
  • https://ipv6-iaus.trendmicro.com

 

Security package updates.

Alternatively, use a relay.

Yes

Yes

SOCKS support

TCP 80 or 443 HTTP or HTTPS

Trend Micro Download Center or web server

files.trendmicro.com

Agent/appliance installer downloads.

Yes

(append port number to URL)

No
TCP 80 or 443 HTTP or HTTPS

Trend Micro Certified Safe Software Service (CSSS)

  • https://grid-global.trendmicro.com:443
Automatic event tagging for Integrity Monitoring. No Yes
UDP 123 NTP

NTP server

(can be Trend Micro Control Manager server)

Accurate time for SSL or TLS connections, schedules, and event logs.

Yes

(configure in the operating system)

No
UDP

162

SNMP SNMP manager Traps for events. Yes No
TCP 389 LDAP Microsoft Active Directory server

Discovery of and (optionally) synchronization of computer groups in the directory.

LDAPS can also be used. See below for details.

Yes No
TCP 389 HTTPS AWS Marketplace, Microsoft Azure Marketplace, and other clouds

Communication with cloud accounts to retrieve a list of computers.

No Yes
TCP 443 HTTPS NSX Manager Communication to VMware NSX Manager. Yes No
TCP 443 HTTPS vCenter server Communication to VMware vCenter server.

Yes

No
TCP 443 HTTPS ESXi server Communication to VMware ESXi server.

No

 
UDP 514 Syslog SIEM or log server External logging and reporting. Yes No
TCP 636 LDAPS Microsoft Active Directory server
  • Discovery and (optionally) synchronization of computer groups in the directory.
  • Import and (optionally) synchronization of user groups, including contacts and passwords.

LDAP can also be used. See above for details.

Yes No
TCP 1433 SQL Microsoft SQL database

The manager application to its storage.

Although it is not visible from the GUI, you can configure an encrypted database connection.

Yes No
TCP 1521 SQL Oracle database

The manager application to its storage.

Although it is not visible from the GUI, you can configure an encrypted database connection.

Yes No
TCP 5432 SQL PostgreSQL database The manager application to its storage.

Although it is not visible from the GUI, you can configure an encrypted database connection.

Yes No
TCP 11000-11999,
14000-14999
SQL Azure SQL Database

If the manager runs inside the Azure cloud boundary, it uses a direct route to interact with the Azure SQL Database server. For more information, see https://docs.microsoft.com/en-us/azure/sql-database/sql-database-develop-direct-route-ports-adonet-v12.

This is only required when using Azure SQL Database with the manager deployed on Azure, for example, the Deep Security Manager VM for Azure Marketplace.

No No
TCP 4118 HTTPS Agent/appliance

Manager to agent/appliance heartbeat. Send events and get configuration updates from the manager. See also Agent-manager communication.

Depending on your deployment type, you may be able to close port 4118, and only use agent-initiated heartbeats.

Yes

No
TCP 4122 HTTPS Relay

Security package updates such as Anti-Malware engine and signatures via the relay. Alternatively, the manager can connect directly to the Trend Micro Active Update servers.

See also Agent-manager communication.

Yes Yes

TCP

UDP

All All Agent/appliance Port scan to detect open (listening) ports on computers. Yes No

Deep Security Relay ports

Relays require all of the ports for an agent and these port numbers. (See Deep Security Agent ports.)

Incoming (listening)

Transport Protocol Destination Port Number Service Source Purpose Configurable? Proxy configurable?
TCP 4122 HTTPS Manager, agent, appliance, or relay
  • Relay-to-relay communication and agent-to-relay communication for synchronizing agent software installers and security package updates such as Anti-Malware engine and signatures.
  • Manager, agent, or appliance downloading security package updates such as Anti-Malware engine and signatures from the relay.

See also Agent-manager communication.

Yes Yes*

See Note.

TCP 4123   Localhost relay

Communication of agent to its own integrated relay.

This port should not be listening to connections from other computers, and you don't need to configure it in network firewall policies. But if you have firewall software (such as Windows Firewall or iptables) on the manager's server itself, verify that it does not block this connection to itself. Also verify that other applications do not use the same port (a port conflict).

No No

Outgoing

Transport Protocol Destination Port Number Service Destination Purpose Configurable? Proxy configurable?
TCP 80 or 443 HTTP or HTTPS

Trend Micro Active Update

  • https://iaus.activeupdate.trendmicro.com/
  • https://ipv6-iaus.trendmicro.com

Security package updates such as Anti-Malware engine and signatures.

Alternatively, use another relay.

Yes

Yes

SOCKS support

TCP 4122 HTTPS Relay

Relay-to-relay communication for synchronizing agent software installers and security components such as Anti-Malware engine and signatures.

See also Agent-manager communication.

Yes Yes*

See Note.


Deep Security Agent ports

Incoming (listening ports)

Transport Protocol Destination Port Number Service Source Purpose Configurable? Proxy configurable?
TCP 22 SSH Manager, deployment tools such as RightScale, Chef, Puppet, Ansible and SSH

Remote installation of the agent (Linux only).

No No
TCP 4118 HTTPS Manager

Manager to agent/appliance heartbeat. Send events and get configuration updates from the manager. See also Agent-manager communication.

Yes

No
TCP 3389 RDP Manager

Remote installation of the agent (Windows only).

No No
TCP 5985 WinRM HTTP deployment tools such as RightScale, Chef, Puppet, and Ansible Remote installation of the agent (Windows only).

Yes

(configure in the operating system)

Yes

(configure in the operating system)

Outgoing

Transport Protocol Destination Port Number Service Destination Purpose Configurable? Proxy configurable?
UDP 53 DNS DNS server Domain name resolution of the manager, Trend Micro Smart Protection Servers, and others.

Yes

(configure in the operating system)

Yes

(configure in the operating system)

TCP 80 HTTP

Good File Reputation Service

11.0 and higher

  • deepsec11-en.gfrbridge.trendmicro.com
  • deepsec11-jp.gfrbridge.trendmicro.com

10.2 and 10.3

  • deepsec102-en.gfrbridge.trendmicro.com
  • deepsec102-jp.gfrbridge.trendmicro.com
  • deepsec102-cn.gfrbridge.trendmicro.com

10.1 and 10.0

  • deepsec10-en.grid-gfr.trendmicro.com
  • deepsec10-jp.grid-gfr.trendmicro.com
  • deepsec10-cn.grid-gfr.trendmicro.com

Communicates with the Good File Reputation Service during file scans started by Behavior Monitoring.

No

Yes

SOCKS support

TCP 80 HTTP

File Census

11.0 and higher

  • ds1100-en-census.trendmicro.com
  • ds1100-jp-census.trendmicro.com

10.2 and 10.3

  • ds1020-en-census.trendmicro.com
  • ds1020-sc-census.trendmicro.com
  • ds1020-jp-census.trendmicro.com

10.1 and 10.0

  • ds1000-en.census.trendmicro.com
  • ds1000-jp.census.trendmicro.com
  • ds1000-sc.census.trendmicro.com
  • ds1000-tc.census.trendmicro.com
Communicates with the Global Census Server during file scans started by Behavior Monitoring. No

Yes

SOCKS support

TCP 80 or 443 HTTP or HTTPS

Trend Micro Download Center or web server

files.trendmicro.com

Agent/appliance installer downloads.

Yes

(append port number to URL)

No
TCP 80 or 443 HTTP or HTTPS

Trend Micro Active Update

  • https://iaus.activeupdate.trendmicro.com/
  • https://ipv6-iaus.trendmicro.com

Security package updates such as Anti-Malware engine and signatures.

Alternatively, use a relay.

Yes

Yes

SOCKS support

TCP 80 or 443 HTTP or HTTPS Web server Connectivity test to determine context (whether the computer is on the private network or not) for policies Yes No
TCP 80 or 443 HTTP or HTTPS

Predictive machine learning

11.0 and higher

  • ds110-en-f.trx.trendmicro.com
  • ds110-jp-f.trx.trendmicro.com
  • ds110-sc-f.trx.trendmicro.com

10.2 and 10.3

  • ds102-en-f.trx.trendmicro.com
  • ds102-jp-f.trx.trendmicro.com
  • ds102-sc-f.trx.trendmicro.com
Communicates with the Global Machine Learning Server during real-time file scans No

Yes

SOCKS support

TCP 80 or 443 HTTP or HTTPS

Trend Micro Smart Protection Network

11.0 and higher

  • ds110.icrc.trendmicro.com
  • ds110-jp.icrc.trendmicro.com

10.2 and 10.3

  • ds102.icrc.trendmicro.com
  • ds102-jp.icrc.trendmicro.com
  • ds102-sc.icrc.trendmicro.com.cn

10.1 and 10.0

  • ds10.icrc.trendmicro.com
  • ds10.icrc.trendmicro.com/tmcss/
  • ds10-jp.icrc.trendmicro.com/tmcss/
  • ds10-sc.icrc.trendmicro.com/tmcss/

File reputation service and Smart Protection feedback.

Alternatively, you can connect to a Smart Protection Server on your local network, or a Smart Protection Server on AWS.

Yes Yes
TCP 80 or 443 HTTP or HTTPS Smart Protection Server

File reputation service.

You can connect to a Smart Protection Server on your local network, or a Smart Protection Server on AWS.

Yes Yes
UDP 123 NTP

NTP server

(can be Trend Micro Control Manager server)

Accurate time for SSL or TLS connections, schedules, and event logs.

Yes

(configure in the operating system)

No
TCP 443 HTTPS Manager
  • Discovery and agent/appliance activation.
  • Agent/appliance to manager heartbeat. Receives events and provides configuration updates to them. See also Agent-manager communication.
  • Agent-to-relay communication for agent software installers and security package updates such as Anti-Malware engine and signatures.
Yes

Yes*

See Note.

UDP 514 Syslog SIEM or log server

External logging and reporting.

This is only used if you want the agents to send directly to an external SIEM, instead of uploading event logs to the manager.

Yes No
TCP 5274 HTTPS

Trend Micro Smart Protection Network

11.0 and higher

  • ds11-0-en.url.trendmicro.com
  • ds11-0-jp.url.trendmicro.com

10.2 and 10.3

  • ds10-2-en.url.trendmicro.com
  • ds10-2-sc.url.trendmicro.com.cn
  • ds10-2-jp.url.trendmicro.com

10.1 and 10.0

  • ds100-en.url.trendmicro.com
  • ds100-sc.url.trendmicro.com
  • ds100-jp.url.trendmicro.com

Web Reputation service.

Alternatively, you can connect to a Smart Protection Server on your local network, or a Smart Protection Server on AWS.

Yes Yes
TCP 5274 HTTPS Smart Protection Server

Web Reputation service.

You can connect to a Smart Protection Server on your local network, or a Smart Protection Server on AWS..

Yes No

Note: In Deep Security Agent 10.0 GM and earlier, agents didn't have support for connections through a proxy to relays. You must either: