Network ports serve as communication channels that allow information to flow from one system to another. This section provides a list of ports that must be configured in your environment to access the features and services on Protegrity appliances.
For more information about Protegrity products and their components, refer to the Glossary.
The following is the list of ports that must be configured for system users to access the ESA.
Port Number | Protocol | Source | Destination | NIC | Description |
---|---|---|---|---|---|
22 | TCP | System User | ESA | Management NIC (ethMNG) | Access to CLI Manager |
443 | TCP | System User | ESA | Management NIC (ethMNG) | Access to Web UI for Security Officer or ESA administrator |
The following is the list of ports that must be configured between the ESA and non-appliance-based protectors such as Big Data Protector (BDP), Application Protector (AP), and so on.
Port Number | Protocol | Source | Destination | NIC | Description | Notes (If any) |
---|---|---|---|---|---|---|
8443 | TCP | Non-appliance-based protectors such as Big Data Protector (BDP), Application Protector (AP), z/OS, and so on | Service Dispatcher in ESA | Management NIC (ethMNG) | | |
25400 | TCP | Non-appliance-based protectors such as Big Data Protector (BDP), Application Protector (AP), z/OS, and so on | Resilient Package Proxy (RPP) in the ESA | Management NIC (ethMNG) | | The protectors need to access this port. Ensure that the customer firewall is not blocking this port. |
9200 | TCP | Log Forwarder service on the machine | Insight in ESA | Management NIC (ethMNG) of ESA | To send audit logs received from the Log Server and forward them to Insight in the ESA. | |
9300 | TCP | Log Forwarder service on the machine | Insight in ESA | Management NIC (ethMNG) of ESA | To send audit logs received from the Log Server and forward them to Insight in the ESA. | |
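Before a protector is deployed, it is worth confirming from the protector host that the firewall actually lets it reach the ESA ports listed above. The following script is an added example, not Protegrity code: it encodes the TCP rows of the protector-to-ESA table and reports which ones are blocked. The ESA hostname `esa.example.internal`, the 3-second timeout, and the row list itself are assumptions; the row list can be swapped for any other table on this page (UDP rows are reported as needing a manual check, because a TCP connect cannot verify UDP delivery).

```python
"""Reachability check from a protector host to the ESA management NIC.

Added example (not Protegrity code). Encodes the protector -> ESA TCP ports
from the port table and reports which of them cannot be reached from this
host. ESA address and timeout are assumptions; adjust to your environment.
"""
import socket
from typing import Callable, Dict, List, Tuple

# (port, protocol, purpose) rows copied from the protector -> ESA table.
PROTECTOR_TO_ESA: List[Tuple[int, str, str]] = [
    (8443, "TCP", "Service Dispatcher in ESA"),
    (25400, "TCP", "Resilient Package Proxy (RPP) in the ESA"),
    (9200, "TCP", "Insight in ESA (audit logs via Log Forwarder)"),
    (9300, "TCP", "Insight in ESA (audit logs via Log Forwarder)"),
]


def tcp_connect_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # refused, timed out, unroutable, or name resolution failed
        return False


def check_ports(
    host: str,
    rows: List[Tuple[int, str, str]],
    probe: Callable[[str, int], bool] = tcp_connect_probe,
) -> Dict[int, str]:
    """Probe every row that includes TCP; UDP-only rows get 'manual' because a
    connect() probe says nothing about UDP. Returns port -> open/blocked/manual."""
    results: Dict[int, str] = {}
    for port, proto, _purpose in rows:
        if "TCP" not in proto.upper():
            results[port] = "manual"
        elif probe(host, port):
            results[port] = "open"
        else:
            results[port] = "blocked"
    return results


def blocked_ports(results: Dict[int, str]) -> List[int]:
    """Sorted list of ports that were probed and found unreachable."""
    return sorted(p for p, state in results.items() if state == "blocked")


if __name__ == "__main__":
    ESA_HOST = "esa.example.internal"  # assumption: replace with your ESA address
    res = check_ports(ESA_HOST, PROTECTOR_TO_ESA)
    for port, proto, purpose in PROTECTOR_TO_ESA:
        print(f"{port:>6}/{proto:<4} {res[port]:<8} {purpose}")
    # Non-zero exit makes the check usable from a deployment pipeline.
    raise SystemExit(1 if blocked_ports(res) else 0)
```

Run it on the protector host; a non-zero exit status means at least one required TCP port is blocked and the firewall rule for that row needs attention before the protector can register with the ESA.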
The following is the list of ports that must be configured for communication between the appliances in a TAC.
Port Number | Protocol | Source | Destination | NIC | Description | Notes (If any) |
---|---|---|---|---|---|---|
22 | TCP | Primary ESA | Secondary ESA | Management NIC (ethMNG) | Communication in TAC | |
22 | TCP | Secondary ESA | Primary ESA | Management NIC (ethMNG) | Communication in TAC | |
443 | TCP | Primary ESA | Secondary ESA | Management NIC (ethMNG) | Communication in TAC | |
443 | TCP | Secondary ESA | Primary ESA | Management NIC (ethMNG) | Communication in TAC | |
10100 | UDP | Primary ESA | Secondary ESA | Management NIC (ethMNG) | Communication in TAC | This port is optional. If the appliance heartbeat services are stopped, this port can be disabled. |
10100 | UDP | Secondary ESA | Primary ESA | Management NIC (ethMNG) | Communication in TAC | This port is optional. If the appliance heartbeat services are stopped, this port can be disabled. |
8300 | TCP | Primary ESA | Secondary ESA | Management NIC (ethMNG) | Used by servers to handle incoming requests. | This port allows internal communication between Consul server nodes. |
8300 | TCP | Secondary ESA | Primary ESA | Management NIC (ethMNG) | Used by servers to handle incoming requests. | This is used by servers to handle incoming requests from other agents. |
8301 | TCP and UDP | Primary ESA | Secondary ESA | Management NIC (ethMNG) | Gossip on LAN. | This is used to handle gossip in the LAN. Required by all agents. |
8301 | TCP and UDP | Secondary ESA | Primary ESA | Management NIC (ethMNG) | Gossip on LAN. | This is used to handle gossip in the LAN. Required by all agents. |
8302 | TCP and UDP | Primary ESA | Secondary ESA | Management NIC (ethMNG) | Gossip on WAN. | This is used by servers to gossip over the WAN to other servers. As of Consul 0.8, the WAN join flooding feature requires the Serf WAN port (TCP/UDP) to be listening on both WAN and LAN interfaces. |
8302 | TCP and UDP | Secondary ESA | Primary ESA | Management NIC (ethMNG) | Gossip on WAN. | This is used by servers to gossip over the WAN to other servers. As of Consul 0.8, the WAN join flooding feature requires the Serf WAN port (TCP/UDP) to be listening on both WAN and LAN interfaces. |
8600 | TCP and UDP | ESA | DSG | Management NIC (ethMNG) | Listens on the DNS server port. | Used to resolve DNS queries. |
8600 | TCP and UDP | DSG | ESA | Management NIC (ethMNG) | Listens on the DNS server port. | Used to resolve DNS queries. |
9000 | TCP and UDP | | | Management NIC (ethMNG) | Checks the Consul cluster's internal shared storage and configurations. | If the TAC uses Consul services, you must enable this port. |
Based on the firewall rules and network infrastructure of your organization, you must open ports for the services listed in the following table.
Port Number | Protocol | Source | Destination | NIC | Description | Notes (If any) |
---|---|---|---|---|---|---|
25 | TCP | ESA | SMTP Server | Management NIC (ethMNG) of ESA | To configure the email server. | Default port for the SMTP server. |
123 | UDP | ESA | Time servers | Management NIC (ethMNG) of ESA | NTP time sync port | This port can be configured based on the enterprise network policies or according to your use case. |
389 | TCP | ESA | Active Directory server | Management NIC (ethMNG) of ESA | | This port can be configured based on the enterprise network policies or according to your use case. |
636 | TCP | ESA | Active Directory server | Management NIC (ethMNG) of ESA | | This port is for LDAPS. It can be configured based on the enterprise network policies or according to your use case. |
1812 | TCP | ESA | RADIUS server | Management NIC (ethMNG) of ESA | Authentication with the RADIUS server. | This port can be configured based on the enterprise network policies or according to your use case. |
514 | UDP | ESA | Syslog servers | Management NIC (ethMNG) of ESA | Storing logs | This port can be configured based on the enterprise network policies or according to your use case. |
FutureX (9111) | TCP | ESA | HSM server | Management NIC (ethMNG) of ESA | HSM communication | This port can be configured based on the enterprise network policies or according to your use case. |
Safenet (1792) | TCP | ESA | HSM server | Management NIC (ethMNG) of ESA | HSM communication | This port must be opened and configured based on the enterprise network policies or according to your use case. |
nCipher non-privileged port (8000) | TCP | ESA | HSM server | Management NIC (ethMNG) of ESA | HSM communication | This port must be opened and configured based on the enterprise network policies or according to your use case. |
nCipher privileged port (8001) | TCP | ESA | HSM server | Management NIC (ethMNG) of ESA | HSM communication | This port must be opened and configured based on the enterprise network policies or according to your use case. |
Utimaco (288) | TCP | ESA | HSM server | Management NIC (ethMNG) of ESA | HSM communication | This port must be opened and configured based on the enterprise network policies or according to your use case. |
If you are utilizing the DSG appliance, the following ports must be configured in your environment.
Port Number | Protocol | Source | Destination | NIC | Description |
---|---|---|---|---|---|
22 | TCP | System User | DSG | Management NIC (ethMNG) | Access to CLI Manager. |
443 | TCP | System User | DSG | Management NIC (ethMNG) | Access to Web UI. |
The following is the list of ports that must be configured for communication between the DSG and the ESA.
Port Number | Protocol | Source | Destination | NIC | Description | Notes (If any) |
---|---|---|---|---|---|---|
22 | TCP | ESA | DSG | Management NIC (ethMNG) | | |
443 | TCP | ESA | DSG | Management NIC (ethMNG) | Communication in TAC | |
443 | TCP | ESA | DSG | Management NIC (ethMNG) | Downloading certificates from ESA | |
8443 | TCP | DSG | ESA | Management NIC (ethMNG) | | |
9200 | TCP | DSG | ESA | Management NIC (ethMNG) | To send audit logs received from the Log Server and forward them to Insight in the ESA. | |
389 | TCP | DSG | ESA | Management NIC (ethMNG) | Authentication and authorization by ESA | |
5671 | TCP | DSG | ESA | Management NIC (ethMNG) | Notifications sent from DSG to ESA | Notifications related to OS backup. Notifications from cron jobs are sent to the ESA dashboard. |
10100 | UDP | DSG | ESA | Management NIC (ethMNG) | | This port is optional. If the appliance heartbeat services are stopped, this port can be disabled. |
The following is the list of ports that must also be configured when the DSG is part of a TAC.
Port Number | Protocol | Source | Destination | NIC | Description | Notes (If any) |
---|---|---|---|---|---|---|
22 | TCP | DSG | ESA | Management NIC (ethMNG) | Communication in TAC | |
8585 | TCP | ESA | DSG | Management NIC (ethMNG) | Retrieving Cloud Gateway cluster information | |
443 | TCP | ESA | DSG | Management NIC (ethMNG) | Communication in TAC | |
10100 | UDP | ESA | DSG | Management NIC (ethMNG) | Communication in TAC | This port is optional. If the Appliance Heartbeat services are stopped, this port can be disabled. |
10100 | UDP | DSG | ESA | Management NIC (ethMNG) | | This port is optional. If the Appliance Heartbeat services are stopped, this port can be disabled. |
10100 | UDP | DSG | DSG | Management NIC (ethMNG) | Communication in TAC | This port is optional. |
In DSG, service NICs are not assigned a specific port number. You can configure a port number as per your requirements.
Based on the firewall rules and network infrastructure of your organization, you must open ports for the services listed in the following table.
Port Number | Protocol | Source | Destination | NIC | Description | Notes (If any) |
---|---|---|---|---|---|---|
123 | UDP | DSG | Time servers | Management NIC (ethMNG) of ESA | NTP time sync port | This port can be configured based on the enterprise network policies or according to your use case. |
514 | UDP | DSG | Syslog servers | Management NIC (ethMNG) of ESA | Storing logs | This port can be configured based on the enterprise network policies or according to your use case. |
514 | TCP | DSG | Syslog servers | Management NIC (ethMNG) of ESA | Storing logs | This port can be configured based on the enterprise network policies or according to your use case. |
Application/System Ports | TCP | DSG | Applications/Systems | Service NIC (ethSRV) of DSG | Enabling communication between the DSG and different applications in the organization. | This port can be configured based on the enterprise network policies or according to your use case. |
Tunnel Ports | TCP | Applications/Systems | DSG | Service NIC (ethSRV) of DSG | Enabling communication between the DSG and different applications in the organization. | This port can be configured based on the enterprise network policies or according to your use case. |
The following ports must be configured on ESA for communication with the Internet.
If FIPS mode is enabled, Antivirus is disabled on the appliance, and this port can be disabled. For more information about Antivirus, refer to Working with Antivirus.
Port Number | Protocol | Source | Destination | NIC | Description |
---|---|---|---|---|---|
80 | TCP | ESA | ClamAV Database | Management NIC (ethMNG) of ESA | Updating the Antivirus database on the ESA. |
The following ports are recommended for strengthening the firewall configurations.
Port Number | Protocol | Source | Destination | NIC | Description |
---|---|---|---|---|---|
67 | UDP | Appliance/System | DHCP server | Management NIC (ethMNG) | Allows server requests from the DHCP server. |
68 | UDP | Appliance/System | DHCP server | Management NIC (ethMNG) | Allows client requests on the DHCP server. |
161 | UDP | ESA/DSG | SNMP | Management NIC (ethMNG) | Allows SNMP requests. |
162 | UDP | ESA/DSG | SNMP Trap | Management NIC (ethMNG) | Allows SNMP Trap requests. |
10161 | TCP and UDP | ESA/DSG | SNMP | Management NIC (ethMNG) | Allows SNMP requests over DTLS. |
The following ports must be configured for communication with Insight in the ESA.
Port Number | Protocol | Source | Destination | NIC | Description | Notes (If any) |
---|---|---|---|---|---|---|
9200 | TCP | ESA node in Audit Store cluster | ESA node in the same Audit Store cluster | Management NIC (ethMNG) of Insight in ESA | Audit Store REST communication. | This port can be configured based on the enterprise network policies or according to your use case. |
9300 | TCP | ESA node in Audit Store cluster | ESA node in the same Audit Store cluster | Management NIC (ethMNG) of Insight in ESA | Internode communication between the Audit Store nodes. | This port can be configured based on the enterprise network policies or according to your use case. |
24224 | UDP | Protector | ESA | Management NIC (ethMNG) of Insight in ESA | Communication between a protector and the td-agent. | This port can be configured according to your use case when forwarding logs to an external Security Information and Event Management (SIEM) system. |
24284 | TCP | Protector | ESA | Management NIC (ethMNG) of Insight in ESA | Communication between a protector and the td-agent. | This port can be configured according to your use case when forwarding logs to an external Security Information and Event Management (SIEM) system over TLS. |
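The tables on this page together define which ports an ESA is expected to accept on its management NIC; anything else listening on a non-loopback address is exposure that the firewall rules were not planned for. The following script is an added example, not Protegrity code: it parses `ss -Hltnu` output (a constructed sample is embedded so it runs offline) and compares the sockets actually listening against the inbound ESA ports collected from the tables above, reporting unexpected listeners and expected ports that are not listening. The allowlist is assembled from this page; the sample socket lines are constructed, and 10100/udp is treated as optional because the tables mark it so when the heartbeat service is stopped.

```python
"""Listening-port audit for an ESA management NIC.

Added example (not Protegrity code). Compares `ss -Hltnu` output with the
inbound ESA ports gathered from the port tables on this page. The sample
`ss` output below is constructed; run with the argument `live` to audit
the host the script runs on instead.
"""
import subprocess
import sys
from typing import List, Set, Tuple

# Inbound (destination = ESA) ports collected from the tables: (port, proto).
EXPECTED_ESA_LISTENERS: Set[Tuple[int, str]] = {
    (22, "tcp"), (443, "tcp"),                       # system user access
    (8443, "tcp"), (25400, "tcp"),                   # protectors -> ESA
    (9200, "tcp"), (9300, "tcp"),                    # Insight / Audit Store
    (8300, "tcp"), (8301, "tcp"), (8301, "udp"),     # Consul in TAC
    (8302, "tcp"), (8302, "udp"),
    (8600, "tcp"), (8600, "udp"), (9000, "tcp"), (9000, "udp"),
    (10100, "udp"),                                  # appliance heartbeat
    (389, "tcp"), (5671, "tcp"),                     # DSG -> ESA
    (24224, "udp"), (24284, "tcp"),                  # protector -> td-agent
}
# Optional per the tables: may be disabled when the heartbeat service is stopped.
OPTIONAL_LISTENERS: Set[Tuple[int, str]] = {(10100, "udp")}

# Constructed `ss -Hltnu` output (Netid State Recv-Q Send-Q Local:Port Peer:Port).
# 5432 on loopback is fine; 8080 on 0.0.0.0 is the kind of listener to flag.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:8443      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:25400     0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:9200      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:9300      0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:5432    0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:8080      0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:10100     0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:24224     0.0.0.0:*
"""


def parse_ss(output: str) -> Set[Tuple[int, str, str]]:
    """Return (port, proto, bind_address) for every listening socket line."""
    sockets: Set[Tuple[int, str, str]] = set()
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, local = parts[0], parts[4]
        addr, _, port = local.rpartition(":")  # handles "[::]:22" and "*:22"
        if port.isdigit():
            sockets.add((int(port), proto, addr))
    return sockets


def is_loopback(addr: str) -> bool:
    return addr.startswith("127.") or addr in ("[::1]", "::1")


def audit(
    sockets: Set[Tuple[int, str, str]],
    expected: Set[Tuple[int, str]] = EXPECTED_ESA_LISTENERS,
    optional: Set[Tuple[int, str]] = OPTIONAL_LISTENERS,
) -> Tuple[List[Tuple[int, str]], List[Tuple[int, str]]]:
    """Return (unexpected, missing): listeners reachable from the network that
    the tables do not list, and listed ports that are not listening."""
    exposed = {(p, proto) for p, proto, addr in sockets if not is_loopback(addr)}
    unexpected = sorted(exposed - expected)
    missing = sorted(expected - exposed - optional)
    return unexpected, missing


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "live":
        output = subprocess.run(["ss", "-Hltnu"], check=True,
                                capture_output=True, text=True).stdout
    else:
        output = SAMPLE_SS_OUTPUT
    unexpected, missing = audit(parse_ss(output))
    for port, proto in unexpected:
        print(f"UNEXPECTED listener {port}/{proto}: not in the ESA port tables")
    for port, proto in missing:
        print(f"MISSING listener {port}/{proto}: expected by the tables")
    raise SystemExit(1 if unexpected else 0)
```

Missing listeners are informational (a standalone ESA with no TAC will not run the Consul ports), while an unexpected listener is the finding worth acting on: either the table, or the service, needs to change before the firewall rules are considered complete.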