Port numbers, URLs, and IP addresses

You can watch Deep Security 12 - Scoping Environment Pt2 - Network Communication on YouTube to review the network communication related to the different Deep Security components.

Deep Security default port numbers, URLs, IP addresses, and protocols are listed in the sections below. If a port, URL or IP address is configurable, a link is provided to the relevant configuration page.

If your network uses a proxy or load balancer, you can configure Deep Security to use it instead of the default ports and URLs listed on this page. For details, see Proxy settings and Load Balancers.

In addition to the ports on this page, Deep Security uses ephemeral ports when opening a socket (source port). Under rare circumstances these may be blocked, causing connectivity issues. For details, see Blocked port.

Deep Security port numbers

The following diagram shows the default ports in a Deep Security system. For details, see the table below the diagram.

Port type Default port number
Manager listen ports
  • 4119/HTTPS (Deep Security Manager GUI and API listen port. Also used for shared and global Application Control rulesets, unless your rulesets are downloaded from a relay.)
  • 4120/HTTPS (Deep Security Manager heartbeat and activation)
Manager destination ports
  • 25/SMTP* (email server port)
  • 53/DNS (DNS server port)
  • 443/HTTPS* (these ports are used by various Deep Security cloud services, Smart Protection Network services, Trend Micro Apex Central, Deep Discovery Analyzer, VMware components (vCenter, ESXi, NSX), AWS API, and Azure API)
  • 123/NTP* (NTP server port; the NTP server can be Trend Micro Apex Central)
  • 162/SNMP* (SNMP manager port)
  • 389/LDAP, 636/LDAPS* (Active Directory)
  • 514/Syslog* (SIEM or syslog server port)
  • 1433/SQL (Microsoft SQL database, Azure SQL Database port)
  • 1521/SQL (Oracle Database port)
  • 5432/SQL (PostgreSQL database port)
  • 4118/HTTPS* (Deep Security Agent port)
  • 4119/HTTPS (used to obtain the OVF during Deep Security Virtual Appliance deployment)
  • 4122/HTTPS (Deep Security Relay port)
  • 11000-11999/SQL, 14000-14999/SQL* (Azure SQL Database ports)
  • 80/HTTP, 443/HTTPS (Whois server)

* Notes:

Deep Security Agent/appliance listen port
  • 4118/HTTPS (Agent/appliance listen port for heartbeats and activations)

4118 can be closed if you are using agent-initiated communication. By default, bidirectional communication is used, so 4118 must be opened. See Agent-manager communication for details.

Deep Security Agent/appliance destination ports
  • 53/DNS (DNS server port)
  • 443/HTTPS (Smart Protection Network port, Smart Protection Server for File Reputation, Deep Security Manager port)
  • 123/NTP* (NTP server port)
  • 514/syslog* (SIEM or syslog server port)
  • 4119/HTTPS (Deep Security Manager GUI and API port) (This port is also used to download agent software when using deployment scripts)
  • 4120/HTTPS* (Deep Security Manager heartbeat and activation port)
  • 4122/HTTPS(Deep Security Relay port)
  • 5274/HTTP, 5275/HTTPS* (Smart Protection Server ports for Web Reputation)

When using the AWS AMI and Azure VM versions of the manager, open port 443 instead of port 4119.

* Notes:

Deep Security Relay listen ports
  • Allow all the agent listening ports, since they apply to the relay too
  • 4122/HTTPS (relay port)
  • 4123 (port for communication between the agent and its own internal relay)

Port 4123 should not be listening to connections from other computers, and you don't need to configure it in network firewall policies. But if you have firewall software (such as Windows Firewall or iptables) on the manager's server itself, verify that it does not block this connection to itself. Also verify that other applications do not use the same port (a port conflict).

Deep Security Relay destination ports
  • Allow all the agent destination ports, since they apply to the relay too
  • 443/HTTPS (Trend Micro Update Server/Active Update and Download Center ports)
  • 4119/HTTPS — Deep Security Manager GUI and API port
  • 4122 (port of other relays)

When using the AWS AMI and Azure VM versions of the manager, open port 443 instead of port 4119.

Deep Security URLs

If you need to restrict the URLs that are allowed in your environment, read this section.

You'll need to make sure your firewall allows traffic to the following: Trend Micro, Deep Security, AWS, and Azure server URLs on port 443 (HTTPS).

Source Destination server or service name Destination URL
API clients Deep Security APIs
  • <manager FQDN or IP>:4119/webservice/Manager?WSDL
  • <manager FQDN or IP>:4119/api
  • <manager FQDN or IP>:4119/rest
Legacy REST API clients Deep Security legacy REST API's Status Monitoring API
  • <manager FQDN or IP>:4119/rest/status/manager/ping
The manager, agent/appliance, and relay

Download Center or web server

Hosts software.

  • files.trendmicro.com
The manager

Smart Protection Network -
Certified Safe Software Service (CSSS)

Used for event tagging with Integrity Monitoring.

  • gacl.trendmicro.com
  • grid-global.trendmicro.com
  • grid.trendmicro.com
The agent/appliance

Smart Protection Network -
Global Census Service

Used for behavior monitoring, and predictive machine learning.

12.0 and later agents/appliances connect to:

  • ds1200-en-census.trendmicro.com
  • ds1200-jp-census.trendmicro.com

11.0 and later agents/appliances connect to:

  • ds1100-en-census.trendmicro.com
  • ds1100-jp-census.trendmicro.com

10.2 and 10.3 agents/appliances connects to:

  • ds1020-en-census.trendmicro.com
  • ds1020-jp-census.trendmicro.com
  • ds1020-sc-census.trendmicro.com

10.1 and 10.0 agents/appliances connect to:

  • ds1000-en.census.trendmicro.com
  • ds1000-jp.census.trendmicro.com
  • ds1000-sc.census.trendmicro.com
  • ds1000-tc.census.trendmicro.com
The agent/appliance

Smart Protection Network -
Good File Reputation Service

Used for behavior monitoring, predictive machine learning, and process memory scans.

12.0 and later agents/appliances connect to:

  • deepsec12-en.gfrbridge.trendmicro.com
  • deepsec12-jp.gfrbridge.trendmicro.com

11.0 and later agents/appliances connect to:

  • deepsec11-en.gfrbridge.trendmicro.com
  • deepsec11-jp.gfrbridge.trendmicro.com

10.2 and 10.3 agents/appliances connect to:

  • deepsec102-en.gfrbridge.trendmicro.com
  • deepsec102-jp.gfrbridge.trendmicro.com

10.1 and 10.0 agents/appliances connect to:

  • deepsec10-en.grid-gfr.trendmicro.com
  • deepsec10-jp.grid-gfr.trendmicro.com
  • deepsec10-cn.grid-gfr.trendmicro.com

The agent/appliance

Smart Protection Network -
Smart Feedback

12.0 and later agents/appliances connect to:

  • ds120-en.fbs25.trendmicro.com
  • ds120-jp.fbs25.trendmicro.com

11.0 and later agents/appliances connect to:

  • deepsecurity1100-en.fbs25.trendmicro.com
  • deepsecurity1100-jp.fbs25.trendmicro.com

10.0 agents/appliances connect to:

  • deepsecurity1000-en.fbs20.trendmicro.com 
  • deepsecurity1000-jp.fbs20.trendmicro.com
  • deepsecurity1000-sc.fbs20.trendmicro.com
The agent/appliance Smart Protection Network -
Smart Scan Service

12.0 and later agents/appliances connect to:

  • ds120.icrc.trendmicro.com
  • ds120-jp.icrc.trendmicro.com

11.0 and later agents/appliances connect to:

  • ds110.icrc.trendmicro.com
  • ds110-jp.icrc.trendmicro.com

10.2 and 10.3 agents/appliances connect to:

  • ds102.icrc.trendmicro.com
  • ds102-jp.icrc.trendmicro.com
  • ds102-sc.icrc.trendmicro.com.cn

10.1 and 10.0 agents/appliances connect to:

  • ds10.icrc.trendmicro.com
  • ds10.icrc.trendmicro.com/tmcss/
  • ds10-jp.icrc.trendmicro.com/tmcss/
  • ds10-sc.icrc.trendmicro.com.cn/tmcss/

9.6 and 9.5 agents/appliances connect to:

  • iaufdbk.trendmicro.com
  • ds96.icrc.trendmicro.com
  • ds96-jp.icrc.trendmicro.com
  • ds96-sc.icrc.trendmicro.com.cn
  • ds95.icrc.trendmicro.com
  • ds95-jp.icrc.trendmicro.com
  • ds95-sc.icrc.trendmicro.com.cn
The agent/appliance

Smart Protection Network -
predictive machine learning

12.0 and later agents/appliances connect to:

  • ds120-en-b.trx.trendmicro.com
  • ds120-jp-b.trx.trendmicro.com
  • ds120-en-f.trx.trendmicro.com
  • ds120-jp-f.trx.trendmicro.com

11.0 and later agents/appliances connect to:

  • ds110-en-b.trx.trendmicro.com
  • ds110-jp-b.trx.trendmicro.com
  • ds110-en-f.trx.trendmicro.com
  • ds110-jp-f.trx.trendmicro.com

10.2 and 10.3 agents/appliances connect to:

  • ds102-en-f.trx.trendmicro.com
  • ds102-jp-f.trx.trendmicro.com
  • ds102-sc-f.trx.trendmicro.com
The agent/appliance Smart Protection Network -
Web Reputation Service

12.0 and later agents/appliances connect to:

  • ds12-0-en.url.trendmicro.com
  • ds12-0-jp.url.trendmicro.com

11.0 and later agents/appliances connect to:

  • ds11-0-en.url.trendmicro.com
  • ds11-0-jp.url.trendmicro.com

10.2 and 10.3 agents/appliances connect to:

  • ds10-2-en.url.trendmicro.com
  • ds10-2-sc.url.trendmicro.com.cn
  • ds10-2-jp.url.trendmicro.com

10.1 and 10.0 agents/appliances connect to:

  • ds100-en.url.trendmicro.com
  • ds100-sc.url.trendmicro.com
  • ds100-jp.url.trendmicro.com

9.6 and 9.5 agents/appliances connect to:

  • ds96-en.url.trendmicro.com
  • ds96-jp.url.trendmicro.com
  • ds95-en.url.trendmicro.com
  • ds95-jp.url.trendmicro.com
The manager Help and support
  • help.deepsecurity.trendmicro.com
  • success.trendmicro.com/product-support/deep-security
The manager Licensing and registration servers
  • licenseupdate.trendmicro.com
  • clp.trendmicro.com
  • olr.trendmicro.com
The manager News feed
  • news.deepsecurity.trendmicro.com
  • news.deepsecurity.trendmicro.com/news.atom
  • news.deepsecurity.trendmicro.com/news_ja.atom
Browser on agent computers and the computer used to log in to the manager Site Safety

Optional. There are links to the URLs below within the manager UI and on the agent's 'Your administrator has blocked access to this page for your safety' page.

  • sitesafety.trendmicro.com
  • jp.sitesafety.trendmicro.com
The relay, and agent/appliance

Update Server (also called Active Update)

Hosts security updates.

  • iaus.activeupdate.trendmicro.com
  • iaus.trendmicro.com
  • ipv6-iaus.trendmicro.com
  • ipv6-iaus.activeupdate.trendmicro.com
The manager

AWS and Azure URLs

Used for
adding AWS accounts and Azure accounts to Deep Security Manager.

 

AWS URLs

  • URLs of AWS endpoints listed on this AWS page, under these headings:
    • Amazon Elastic Compute Cloud (Amazon EC2)
    • AWS Security Token Service (AWS STS)
    • AWS Identity and Access Management (IAM)
    • Amazon WorkSpaces

Azure URLs

  • login.windows.net (authentication)
  • management.azure.com (Azure API)
  • management.core.windows.net (Azure API)

The management.core.windows.net URL is only required if you used the v1 Azure connector available in Deep Security Manager 9.6 to add an Azure account to the manager. With Deep Security Manager 10.0 and later, a v2 connector is used, and does not require access to this URL.

The manager

Telemetry service

Used for anonymous Deep Security Product Usage Data Collection.

  • telemetry.deepsecurity.trendmicro.com