Port numbers

If you connect Deep Security Manager, Deep Security Relay, or Deep Security Agents through a:

  • firewall or AWS/Azure/NSX Security Group
  • router
  • proxy
  • other network address translation (NAT) device

you'll need to know the required domain names or IP addresses, ports, and protocols.

In addition to the ports on this page, Deep Security uses ephemeral ports as the source port whenever it opens a socket. If a firewall rule restricts the source port of the TCP packet, connectivity will fail. This is uncommon with ordinary firewall rules or cloud security groups, which normally match only on the destination port, but it can occur if you place network restrictions on ephemeral ports. For details, see Activation Failed - Blocked port.

Firewall policies, proxies, and port forwarding often require this information. This is especially true for connections to services on the Internet, such as DNS, time servers, the Trend Micro Active Update servers, Trend Micro Smart Protection Network, and Deep Security as a Service. If a computer has other installed software that listens on the same ports, you must resolve the port conflict.

Default port numbers are in these tables. If a default port number does not work with your network or installation, if you use a proxy, or if you require SSL or TLS secured versions of the traffic, the Configurable and Proxy configurable entries indicate whether you can change it.
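The ephemeral-port warning and the port-conflict point above can both be checked before you change a firewall policy or security group. The script below is an added example written for this page, not Trend Micro's own tooling: it completes a TCP handshake to each outgoing destination, probes each listening port for a conflict with software already on the host, reports the source port the operating system actually picks for an outgoing connection, and shows why a rule that pins that source port drops legitimate traffic. The flow list is built from the tables on this page; relay.example.internal is an assumed placeholder for your own relay, the procfs path is a Linux-only way to read the ephemeral range (the IANA dynamic range is assumed elsewhere), and the loopback listener is a constructed stand-in used only for the self-test.

```python
"""Pre-flight checks for the Deep Security flows listed on this page.

Added example for this page, not Trend Micro's own tooling. The flow list is
built from the tables here; relay.example.internal is an assumed placeholder
for your own relay, and the loopback listener exists only for the self-test.
"""
import socket

# Flows from this page's tables. "out" rows are tested by completing a TCP
# handshake; "in" rows are tested for a local port conflict.
REQUIRED_FLOWS = [
    {"dir": "out", "host": "iaus.activeupdate.trendmicro.com", "port": 443,
     "purpose": "relay -> Trend Micro Active Update"},
    {"dir": "out", "host": "relay.example.internal", "port": 4122,  # assumed name
     "purpose": "agent -> relay (security package updates)"},
    {"dir": "in", "port": 4118, "purpose": "manager -> agent heartbeat"},
    {"dir": "in", "port": 4122, "purpose": "relay listener"},
    {"dir": "in", "port": 4123, "purpose": "agent -> own integrated relay"},
]


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout.
    DNS failures and refused or filtered connections all count as False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def port_in_use(port):
    """True if something on this host already owns TCP port `port`, which is
    the port conflict the page tells you to resolve before installing.
    Ports below 1024 need root for the bind probe and report as in use
    when this runs unprivileged."""
    if tcp_reachable("127.0.0.1", port, timeout=1.0):
        return True
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
            probe.bind(("0.0.0.0", port))
    except OSError:
        return True
    return False


def ephemeral_source_port(host, port, timeout=3.0):
    """Connect without binding a source port and return the one the OS chose.
    This high, effectively random port is what an over-tight firewall rule
    would wrongly try to pin."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.getsockname()[1]


def ephemeral_range():
    """The OS ephemeral port range: read from procfs on Linux, otherwise the
    IANA dynamic range 49152-65535 is assumed."""
    try:
        with open("/proc/sys/net/ipv4/ip_local_port_range") as f:
            lo, hi = f.read().split()
            return int(lo), int(hi)
    except OSError:
        return 49152, 65535


def rule_allows(rule, sport, dport):
    """Evaluate a simplified stateless allow rule: every key present in the
    rule must match the packet. Pinning "sport" breaks real traffic because
    the source port is ephemeral; match on "dport" only."""
    if "dport" in rule and rule["dport"] != dport:
        return False
    if "sport" in rule and rule["sport"] != sport:
        return False
    return True


def preflight(flows, timeout=3.0):
    """Check every flow; returns a list of (flow, ok, detail)."""
    results = []
    for flow in flows:
        if flow["dir"] == "out":
            ok = tcp_reachable(flow["host"], flow["port"], timeout)
            detail = "reachable" if ok else "blocked, filtered, or unresolved"
        else:
            conflict = port_in_use(flow["port"])
            ok = not conflict
            detail = "port conflict: another process listens" if conflict else "free"
        results.append((flow, ok, detail))
    return results


def loopback_listener():
    """Constructed stand-in for a listening service (self-test only).
    Returns (socket, port) with an OS-assigned port on 127.0.0.1."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    for flow, ok, detail in preflight(REQUIRED_FLOWS):
        target = f"{flow.get('host', 'local')}:{flow['port']}"
        print(f"{'OK  ' if ok else 'FAIL'} {flow['dir']:<3} {target:<45} {detail} ({flow['purpose']})")
    srv, port = loopback_listener()
    sport = ephemeral_source_port("127.0.0.1", port)
    print(f"source port chosen by the OS: {sport}, ephemeral range {ephemeral_range()}")
    print("rule pinned to sport:", rule_allows({"dport": port, "sport": port}, sport, port))
    print("rule on dport only:  ", rule_allows({"dport": port}, sport, port))
    srv.close()
```

Run it on the computer that will host the agent or relay, from the network segment it will actually use. A FAIL on an "out" row means the path is blocked, filtered, or unresolvable, not which device is responsible; an "in" row only detects a local port conflict and says nothing about whether the firewall or security group admits inbound traffic from 54.221.196.0/24, which you still verify on the firewall itself.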

Deep Security Relay ports

Relays require all of the agent ports listed below, plus these port numbers.

Deep Security as a Service provides relays. Adding your own local relays is not required unless agents must connect through a proxy or you need to reduce agents' WAN bandwidth usage.

Incoming (listening)

TCP 4122 (HTTPS)
  Source: manager, agent, appliance, or relay
  Purpose:
    • Relay-to-relay and agent-to-relay communication for synchronizing agent software installers and security package updates such as the Anti-Malware engine and signatures.
    • Manager, agent, or appliance downloading security package updates such as the Anti-Malware engine and signatures from the relay.
  Configurable: Yes
  Proxy configurable: Yes* (see Note)

TCP 4123
  Source: localhost (the agent's own integrated relay)
  Purpose: communication between an agent and its own integrated relay.

  This port should not accept connections from other computers, and you don't need to configure it in network firewall policies. But if you have firewall software (such as Windows Firewall or iptables) on that computer itself, verify that it does not block this connection to itself. Also verify that other applications do not use the same port (a port conflict).
  Configurable: No
  Proxy configurable: No

Outgoing

TCP 80 or 443 (HTTP or HTTPS)
  Destination: Trend Micro Active Update
    • https://iaus.activeupdate.trendmicro.com/
    • https://ipv6-iaus.trendmicro.com
  Purpose: security package updates such as the Anti-Malware engine and signatures. Alternatively, use another relay.
  Configurable: Yes
  Proxy configurable: Yes (SOCKS supported)

TCP 4122 (HTTPS)
  Destination: relay
  Purpose: relay-to-relay communication for synchronizing agent software installers and security components such as the Anti-Malware engine and signatures.
  Configurable: Yes
  Proxy configurable: Yes* (see Note)


Deep Security Agent ports

If you use an external SIEM or syslog server to indirectly receive agents' logs via Deep Security as a Service, your SIEM or syslog server must be able to receive UDP 514 from 54.221.196.0/24.
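The SIEM requirement above (accept UDP 514 from 54.221.196.0/24) and the agent-to-SIEM row in the outgoing table below are usually enforced at the network firewall or security group, but the listener itself can also reject datagrams from senders outside the expected range and log them, which catches an over-wide firewall rule. The code below is an added example for this page, not Trend Micro's or any SIEM vendor's code. The only network it takes from the page is 54.221.196.0/24; the loopback network and the syslog-style message are constructed so that the self-test runs offline.

```python
"""Source-network allowlist for a SIEM or syslog listener that receives
Deep Security events over UDP 514.

Added example for this page, not Trend Micro's or any SIEM vendor's code.
54.221.196.0/24 is the Deep Security as a Service range given on this page;
the loopback network exists only so the self-test can run offline.
"""
import ipaddress
import socket

DSAAS_SYSLOG_SOURCES = [ipaddress.ip_network("54.221.196.0/24")]
LOCAL_TEST_NETWORK = ipaddress.ip_network("127.0.0.0/8")  # self-test only


def source_allowed(src_ip, allowed_networks):
    """True if src_ip falls inside one of the allowed networks."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in allowed_networks)


def open_syslog_listener(bind_addr="0.0.0.0", port=514):
    """Bind the UDP listener. Port 514 needs privileges; pass port=0 to
    let the OS choose (the self-test does this)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    return sock


def receive_event(sock, allowed_networks, timeout=2.0):
    """Receive one datagram and return (accepted, source_ip, text).
    Datagrams from outside the allowlist are consumed and reported with
    accepted=False; log those, because they mean the network firewall or
    security group in front of the SIEM is wider than this page requires."""
    sock.settimeout(timeout)
    data, (src_ip, _src_port) = sock.recvfrom(65535)
    text = data.decode("utf-8", errors="replace")
    return source_allowed(src_ip, allowed_networks), src_ip, text


def send_test_event(dst_ip, dst_port, message):
    """Send one constructed syslog-style datagram (self-test helper)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message.encode("utf-8"), (dst_ip, dst_port))


if __name__ == "__main__":
    sock = open_syslog_listener("127.0.0.1", 0)
    port = sock.getsockname()[1]
    msg = "<134>constructed test event"  # constructed, not an agent's real format
    send_test_event("127.0.0.1", port, msg)
    print(receive_event(sock, DSAAS_SYSLOG_SOURCES))                        # rejected: loopback sender
    send_test_event("127.0.0.1", port, msg)
    print(receive_event(sock, DSAAS_SYSLOG_SOURCES + [LOCAL_TEST_NETWORK]))  # accepted
    sock.close()
```

UDP source addresses can be spoofed, so this host-level allowlist complements the firewall or security group rule rather than replacing it. If your agents send to the SIEM directly instead of through Deep Security as a Service, add the agents' own networks to the allowlist; only the relayed traffic arrives from 54.221.196.0/24.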

Incoming (listening ports)

TCP 22 (SSH)
  Source: deployment tools such as RightScale, Chef, Puppet, Ansible, and SSH
  Purpose: remote installation of the agent (Linux only).
  Configurable: Yes (configure in the operating system)
  Proxy configurable: Yes (configure in the operating system)

TCP 4118 (HTTPS)
  Source: Deep Security as a Service (54.221.196.0/24)
  Purpose: manager to agent/appliance heartbeat. Send events and get configuration updates from the manager.

  Not required unless you use bi-directional heartbeats.
  Configurable: No (contact your support provider if this port assignment is problematic)
  Proxy configurable: Yes*

TCP 3389 (RDP)
  Source: deployment tools
  Purpose: remote installation of the agent (Windows only).
  Configurable: Yes (configure in the operating system)
  Proxy configurable: Yes (configure in the operating system)

TCP 5985 (WinRM over HTTP)
  Source: deployment tools such as RightScale, Chef, Puppet, and Ansible
  Purpose: remote installation of the agent (Windows only).
  Configurable: Yes (configure in the operating system)
  Proxy configurable: Yes (configure in the operating system)

Outgoing

UDP 53 (DNS)
  Destination: DNS server
  Purpose: domain name resolution of Deep Security as a Service, NTP servers, and others.
  Configurable: Yes (configure in the operating system)
  Proxy configurable: Yes (configure in the operating system)

UDP 123 (NTP)
  Destination: NTP server
  Purpose: accurate time for SSL or TLS connections, schedules, and event logs.
  Configurable: Yes (configure in the operating system)
  Proxy configurable: No

TCP 80 or 443 (HTTP or HTTPS)
  Destination: web server
  Purpose: connectivity test to determine context (whether the computer is on the private network or not) for policies.
  Configurable: Yes
  Proxy configurable: No

TCP 80 or 443 (HTTP or HTTPS)
  Destination: Trend Micro Download Center or web server
  Purpose: agent installer downloads.
  Configurable: Yes (append the port number to the URL)
  Proxy configurable: No

TCP 80 or 443 (HTTP or HTTPS)
  Destination: Deep Security as a Service (for the IP addresses associated with each feature, see Deep Security as a Service IP addresses)
  Purpose:
    • Administrative connections to the Deep Security as a Service GUI.
    • Discovery and agent/appliance activation.
    • Agent/appliance communications with its manager (Deep Security as a Service), including discovery, heartbeat, and configuration updates.
    • Agent software installer downloads.
    • Security package updates such as the Anti-Malware engine and signatures. Alternatively, use a relay.
    • Web Reputation service, file reputation service, and Smart Protection feedback.
  If you use bi-directional connections, your firewalls or routers must allow both incoming and outgoing traffic between your agents and Deep Security as a Service.
  Configurable: No (contact your support provider if this port assignment is problematic)
  Proxy configurable: Yes* (see Note)

UDP 514 (Syslog)
  Destination: SIEM or log server
  Purpose: external logging and reporting. Used only if you want the agents to send events directly to an external SIEM instead of uploading event logs through Deep Security as a Service.
  Configurable: Yes
  Proxy configurable: No

TCP 4122 (HTTPS)
  Destination: relay
  Purpose: agent-to-relay communication for agent software installers and security package updates such as the Anti-Malware engine and signatures. Not used by default, and not necessary unless you want to use your own relay group. See also Use the API to create shared and global rulesets.
  Configurable: Yes
  Proxy configurable: Yes* (see Note)

Note: In Deep Security Agent 10.0 GM and earlier, agents didn't have support for connections through a proxy to relays. You must either: