Port numbers

If connecting Deep Security Manager / Relay / Agents through a:

  • firewall or AWS Security Group
  • router
  • proxy
  • other network address translation (NAT) device

you'll need to know the required domain names / IP addresses, ports, and protocols.

Firewall policies, proxies, and port forwarding often require this information. This is especially true for connections to services on the Internet, such as DNS, time servers, the Trend Micro Active Update servers, Trend Micro Smart Protection Network, and Deep Security as a Service. If a computer has other installed software that listens on the same ports, you must resolve the port conflict.

Default port numbers are listed in these tables. If the default port numbers don't work with your network or installation, if you have a proxy, or if you require SSL / TLS secured versions of the traffic, the tables indicate whether you can configure each port.

Deep Security Manager ports

Does not apply to Deep Security as a Service

 If ports vary by platform (Azure Marketplace vs. on-premise, for example), the difference is indicated.

Incoming (listening ports)

Transport Protocol Destination Port Number Service Source Purpose Configurable? Proxy configurable?
TCP 443 HTTPS Trend Micro Control Manager / SOAP API client / other REST API client
  • WSDL access at:
    https://<manager FQDN or IP>:443/webservice/Manager?WSDL
  • Status monitoring at:
    https://<manager FQDN or IP>:443/rest/status/manager/ping

Applies to Deep Security AMI from AWS Marketplace and Azure Marketplace only

No No
Web browser

Administrative connections to the Deep Security GUI or API.

Applies to Deep Security AMI from AWS Marketplace and Azure Marketplace only

No No
Agent/Appliance

Deep Security Agent/Appliance installer downloads.

Applies to Deep Security AMI from AWS Marketplace and Azure Marketplace only

No No
4119 HTTPS Web browser

Administrative connections to the Deep Security GUI or API.

Applies to on-premise Deep Security software installations only

Yes No
Trend Micro Control Manager / SOAP API client / other REST API client
  • WSDL access at:
    https://<manager FQDN or IP>:4119/webservice/Manager?WSDL
  • Status monitoring at:
    https://<manager FQDN or IP>:4119/rest/status/manager/ping

Applies to on-premise Deep Security software installations only

Yes No
Agent/Appliance Deep Security Agent/Appliance installer downloads.

Yes

No
VMware ESXi server

Requests for the Deep Security filter driver while preparing an ESXi server for IPS, firewall, or web reputation.

Applies to VMware vCNS deployments only

Yes No
4120 HTTPS Agent/Appliance
  • Discovery and Agent/Appliance activation.
  • Agent/Appliance to Manager heartbeat. Receives events and provides configuration updates to them. See also Agent-Manager communication.
Yes No
8080 HTTP Web installer

Software installation via the web installer. Once Deep Security Manager installation is complete, or if you use the Quick Start instead, you can block this port.

Applies to Deep Security AMI from AWS Marketplace only

No No
8443 HTTPS Web installer

Software installation via the web installer. Once Deep Security Manager installation is complete, or if you use the Quick Start instead, you can block this port.

Applies to Deep Security Manager VM for Azure Marketplace only

   

Outgoing

Transport Protocol Destination Port Number Service Destination Purpose Configurable? Proxy configurable?
TCP 25 SMTP E-mail server

Alerts for events.

AWS throttles (rate limits) e-mail on SMTP's IANA standard port number, port 25. If you use AWS Marketplace, you may have faster alerts if you use SMTP over STARTTLS (secure SMTP) instead. For more information, see:
http://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-connect.html
http://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-issues.html
Yes No
UDP 53 DNS DNS server Domain name resolution of Trend Micro services, e-mail server, NTP server, and others.

Yes

(configure in the operating system)

Yes

(configure in the operating system)

  TCP 80 HTTP

Trend Micro Smart Feedback

www.smartprotectionnetwork.com (in English)

cn.trendmicro.com (in Chinese)

www.trendmicro.co.jp (in Japanese)

Smart Protection feedback. No No

Whois server

(could be http://reports.internic.net/cgi/whois?whois_nic=[IP]&type=nameserver)

Reverse name resolution of IP addresses into hostnames for event logs and computer discovery. Yes No
80 / 443 HTTP / HTTPS

Trend Micro licensing and registration server

licenseupdate.trendmicro.com

Licensing and product registration. No Yes

HTTP / HTTPS

Trend Micro Active Update

iaus.trendmicro.com/iau_server.dll

Security package updates.

Alternatively, use a relay.

Yes

Yes

SOCKS support

HTTP / HTTPS

Trend Micro Download Center / web server

files.trendmicro.com

Deep Security Agent/Appliance installer downloads.

Yes

(append port number to URL)

No
HTTP / HTTPS

Trend Micro Certified Safe Software Service (CSSS)

grid.trendmicro.com (HTTP)

gacl.trendmicro.com (HTTPS)

Automatic event tagging for integrity monitoring No Yes
UDP 123 NTP

NTP server

(can be Trend Micro Control Manager server)

Accurate time for SSL / TLS connections, schedules, and event logs.

Yes

(configure in the operating system)

No

162

SNMP SNMP manager Traps for events. Yes No
TCP 389 LDAP Microsoft Active Directory server
  • Discovery of and (optionally) synchronization of computer groups in the directory.
Yes No
  HTTPS AWS Marketplace, Microsoft Azure Marketplace, and other clouds

Communication with cloud accounts to retrieve a list of computers.

Applies to Deep Security AMI from AWS Marketplace and Azure Marketplace only

No Yes
UDP 514 Syslog SIEM / log server External logging and reporting. Yes No
TCP 636 LDAPS Microsoft Active Directory server
  • Discovery and (optionally) synchronization of computer groups in the directory.
  • Import and (optionally) synchronization of user groups, including contacts and passwords.
Yes No
1433 SQL Microsoft SQL database

Deep Security Manager application to its storage.

Although it is not visible from the GUI, you can configure an encrypted database connection.

Yes No
1521 SQL Oracle database

Deep Security Manager application to its storage.

Although it is not visible from the GUI, you can configure an encrypted database connection.

Yes No
4118 HTTPS Agent/Appliance

Manager to Agent/Appliance heartbeat. Send events and get configuration updates from the Manager. See also Agent-Manager communication.

Depending on your deployment type, you may be able to close port 4118, and only use agent-initiated heartbeats.

Yes

No
4122 HTTPS Relay

Security package updates such as anti-malware engine and signatures via a Deep Security Relay. Alternatively, the Deep Security Manager can connect directly to the Trend Micro Active Update servers.

See also Agent-Manager communication.

Yes Yes

TCP

UDP

All All Agent/Appliance Port scan to detect open (listening) ports on computers. Yes No

Deep Security Relay ports

Relays require all of the ports for an agent and these port numbers.

Incoming (listening)

Transport Protocol Destination Port Number Service Source Purpose Configurable? Proxy configurable?
TCP 4122 HTTPS Manager / Agent / Appliance / Relay
  • Relay-to-Relay communication for synchronizing Deep Security Agent software installers and security package updates such as anti-malware engine and signatures.
  • Manager / Agent / Appliance downloading security package updates such as anti-malware engine and signatures from Relay.

See also Agent-Manager communication.

Yes Yes
4123   Localhost Relay

Communication of Agent to its own integrated Relay.

This port should not be listening to connections from other computers, and you don't need to configure it in network firewall policies. But if you have a host firewall on the Deep Security Manager server itself, verify that it does not block this connection to itself. Also verify that other applications do not use the same port (a port conflict).

No No
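
A check for the relay listening ports described above, added here as an example and not part of the original documentation: it parses `ss -H -ltn` output from a relay-enabled agent host, confirms the default ports 4118 and 4122 are listening, and flags port 4123 if it is bound to anything other than loopback. The sample output is constructed and the function names are hypothetical; pass your own port numbers if you changed the defaults or closed 4118.

```python
import ipaddress

# Constructed sample of `ss -H -ltn` output from a relay-enabled agent host.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:4118 0.0.0.0:*
LISTEN 0 128 0.0.0.0:4122 0.0.0.0:*
LISTEN 0 128 0.0.0.0:4123 0.0.0.0:*
LISTEN 0 128 [::1]:4123 [::]:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
"""

def parse_listeners(ss_output):
    """Return a list of (ip_address, port) for every LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
        if host == "*":                         # ss prints * for a dual-stack wildcard
            host = "::"
        listeners.append((ipaddress.ip_address(host), int(port)))
    return listeners

def audit_relay_host(ss_output, exposed_ports=(4118, 4122), local_only_port=4123):
    """Compare a relay host's listening sockets with the default ports in the tables."""
    listeners = parse_listeners(ss_output)
    findings = []
    # Ports that the Manager, agents and other relays connect to must be listening.
    for port in exposed_ports:
        if not any(p == port for _, p in listeners):
            findings.append(f"port {port} is not listening")
    # The agent-to-integrated-relay port must only accept local connections.
    for addr, port in listeners:
        if port == local_only_port and not addr.is_loopback:
            findings.append(f"port {port} is reachable on {addr}, expected loopback only")
    return findings

if __name__ == "__main__":
    for finding in audit_relay_host(SAMPLE_SS):
        print(finding)
```
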

Outgoing

Transport Protocol Destination Port Number Service Destination Purpose Configurable? Proxy configurable?
  TCP 80 / 443 HTTP / HTTPS

Trend Micro Active Update

iaus.trendmicro.com/iau_server.dll

Security package updates such as anti-malware engine and signatures.

Alternatively, use another relay.

Yes

Yes

SOCKS support

4122 HTTPS Relay

Relay-to-Relay communication for synchronizing Deep Security Agent software installers and security components such as anti-malware engine and signatures.

See also Agent-Manager communication.

Yes Yes

Deep Security Agent ports

Does not apply to Deep Security as a Service

Compared to on-premise installations with these default settings, Deep Security as a Service requires fewer port numbers. See Deep Security Agent ports (with Deep Security as a Service).

Incoming (listening ports)

Transport Protocol Destination Port Number Service Source Purpose Configurable? Proxy configurable?
TCP 22 SSH Manager

Remote installation of the agent (Linux only).

Applies to Deep Security AMI from AWS Marketplace only

No No
4118 HTTPS Manager

Manager to Agent / Appliance heartbeat. Send events and get configuration updates from the Manager. See also Agent-Manager communication.

Yes

No
3389 RDP Manager

Remote installation of the agent (Windows only).

Applies to Deep Security AMI from AWS Marketplace only

No No

Outgoing

Transport Protocol Destination Port Number Service Destination Purpose Configurable? Proxy configurable?
UDP 53 DNS DNS server Domain name resolution of the Deep Security Manager, Trend Micro Smart Protection servers, and others.

Yes

(configure in the operating system)

Yes

(configure in the operating system)

  TCP 80 HTTP

Trend Micro Smart Protection Network

  • ds96-en.url.trendmicro.com
  • ds96-jp.url.trendmicro.com (in Japanese)
Web reputation service.

Alternatively, connect to a Smart Protection server on your local network, or a Smart Protection server on AWS.

Yes Yes
  80 / 443 HTTP / HTTPS

Trend Micro Download Center / web server

files.trendmicro.com

Deep Security Agent/Appliance installer downloads.

Yes

(append port number to URL)

No

Trend Micro Active Update

iaus.trendmicro.com/iau_server.dll

Security package updates such as anti-malware engine and signatures.

Alternatively, use a relay.

Yes

Yes

SOCKS support

Web server Connectivity test to determine context (whether the computer is on the private network or not) for policies Yes No
UDP 123 NTP

NTP server

(can be Trend Micro Control Manager server)

Accurate time for SSL / TLS connections, schedules, and event logs.

Yes

(configure in the operating system)

No
TCP 443 HTTPS Manager
  • Discovery and Agent/Appliance activation.
  • Agent/Appliance to Manager heartbeat. Receives events and provides configuration updates to them. See also Agent-Manager communication.
  • Agent-to-relay communication for Deep Security Agent software installers and security package updates such as anti-malware engine and signatures.

Applies to Deep Security as a Service and Deep Security AMI from AWS Marketplace only

Yes No
 

Trend Micro Smart Protection Network

  • ds96.icrc.trendmicro.com (in English)
  • ds96-sc.icrc.trendmicro.com.cn (in Chinese)
  • ds96-jp.icrc.trendmicro.com (in Japanese)

File reputation service and Smart Protection feedback.

Alternatively, connect to a Smart Protection server on your local network, or a Smart Protection server on AWS.

Yes Yes
Smart Protection server

File reputation service.

You can connect to a Smart Protection server on your local network, or a Smart Protection server on AWS.

Yes Yes
UDP 514 Syslog SIEM / log server

External logging and reporting.

This is only used if you want the agents to send directly to an external SIEM, instead of uploading event logs to the Deep Security Manager.

Yes No
TCP 4119 HTTPS Manager

Deep Security Agent installer downloads.

Applies to on-premise software installations and Deep Security Manager VM for Azure Marketplace only

Yes

No
4120 HTTPS Manager
  • Discovery and Agent/Appliance activation.
  • Agent/Appliance to Manager heartbeat. Receives events and provides configuration updates to them. See also Agent-Manager communication.

Applies to on-premise software installations and Deep Security Manager VM for Azure Marketplace only

Yes No
4122 HTTPS Relay

Agent-to-relay communication for Deep Security Agent software installers and security package updates such as anti-malware engine and signatures.

See also Agent-Manager communication.

Applies to on-premise software installations and Deep Security Manager VM for Azure Marketplace only

Yes Yes
5274   Smart Protection server

Web reputation service.

You can connect to a Smart Protection server on your local network, or a Smart Protection server on AWS.

Yes No

Deep Security Agent ports (with Deep Security as a Service)

Applies to Deep Security as a Service only

If you use an external SIEM or syslog server to indirectly receive agents' logs via Deep Security as a Service, your SIEM / syslog server must be able to receive UDP 514 from 54.221.196.0/24.

Incoming (listening ports)

Transport Protocol Destination Port Number Service Source Purpose Configurable? Proxy configurable?
TCP 22 SSH deployment tools such as RightScale, Chef, Puppet, and SSH

Remote installation of the agent (Linux only)

Yes

(configure in the operating system)

Yes

(configure in the operating system)

4118 HTTPS Deep Security as a Service

54.221.196.0/24

Manager to Agent/Appliance heartbeat. Send events and get configuration updates from the Manager. See also Agent-Manager communication.

Not required unless you use bi-directional heartbeats. See Agent-Manager communication.

No

Contact your support provider if this port assignment is problematic.

No
3389 RDP deployment tools

Remote installation of the agent (Windows only)

Yes

(configure in the operating system)

Yes

(configure in the operating system)
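
A review of agent-side ingress rules against the incoming table above, added here as an example and not part of the original documentation: it flags TCP 4118 rules whose source is wider than 54.221.196.0/24 (or that are unnecessary without bi-directional heartbeats) and SSH / RDP rules open to networks other than your deployment tools. The rule format, the sample rules, the function names and the `10.20.0.0/16` deployment range are constructed assumptions.

```python
import ipaddress

DSAAS_RANGE = ipaddress.ip_network("54.221.196.0/24")  # source range given on this page
REMOTE_INSTALL_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed ingress rules in a simplified form (not a cloud provider's API shape).
SAMPLE_RULES = [
    {"proto": "tcp", "port": 4118, "source": "54.221.196.0/24"},
    {"proto": "tcp", "port": 4118, "source": "0.0.0.0/0"},
    {"proto": "tcp", "port": 22, "source": "10.20.0.0/16"},
    {"proto": "tcp", "port": 3389, "source": "0.0.0.0/0"},
]

def within(source, allowed):
    """True if the source CIDR sits entirely inside one of the allowed networks."""
    net = ipaddress.ip_network(source)
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)

def audit_agent_ingress(rules, deploy_ranges, bidirectional=True):
    """Return findings for TCP ingress rules that are wider than the table calls for."""
    deploy_nets = [ipaddress.ip_network(r) for r in deploy_ranges]
    findings = []
    for rule in rules:
        if rule["proto"] != "tcp":
            continue
        port, source = rule["port"], rule["source"]
        if port == 4118:
            if not bidirectional:
                # The table marks 4118 as needed only for bi-directional heartbeats.
                findings.append(f"4118 from {source}: not required without bi-directional heartbeats")
            elif not within(source, [DSAAS_RANGE]):
                findings.append(f"4118 from {source}: outside {DSAAS_RANGE}")
        elif port in REMOTE_INSTALL_PORTS and not within(source, deploy_nets):
            name = REMOTE_INSTALL_PORTS[port]
            findings.append(f"{port} ({name}) from {source}: not a deployment-tool range")
    return findings

if __name__ == "__main__":
    for finding in audit_agent_ingress(SAMPLE_RULES, ["10.20.0.0/16"]):
        print(finding)
```
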

Outgoing

Transport Protocol Destination Port Number Service Destination Purpose Configurable? Proxy configurable?
UDP 53 DNS DNS server Domain name resolution of Deep Security as a Service, NTP servers, and others.

Yes

(configure in the operating system)

Yes

(configure in the operating system)

123 NTP

NTP server

Accurate time for SSL / TLS connections, schedules, and event logs.

Yes

(configure in the operating system)

No

TCP 80 / 443 HTTP / HTTPS Web server Connectivity test to determine context (whether the computer is on the private network or not) for policies Yes No
Trend Micro Download Center / web server

Deep Security Agent installer downloads.

Yes

(append port number to URL)

No
443 HTTPS Deep Security as a Service

For IP addresses associated with each feature, see Deep Security as a Service IP addresses.

  • Administrative connections to the Deep Security as a Service GUI.
  • Discovery and Agent/Appliance activation.
  • Agent/Appliance communications with its manager (Deep Security as a Service), including the discovery, heartbeat, and configuration updates.
  • Deep Security Agent software installer downloads.
  • Security package updates such as anti-malware engine and signatures. Alternatively, use a relay.
  • Web reputation service, file reputation service and Smart Protection feedback.
If you use bi-directional connections, your firewalls / routers must allow both incoming and outgoing traffic between your agents and Deep Security as a Service.

No

Contact your support provider if this port assignment is problematic.

No
UDP 514 Syslog SIEM / log server

External logging and reporting.

This is only used if you want the agents to send directly to an external SIEM, instead of uploading event logs through Deep Security as a Service.

Yes No
TCP 4122 HTTPS Relay

Agent-to-relay communication for Deep Security Agent software installers and security package updates such as anti-malware engine and signatures.

This is not used by default, and not necessary unless you want to use your own relay group. See also Agent-Manager communication.
Yes Yes