Open listening ports

The ports in a network are communication channels through which information flows from one system to another. This section lists the ports that must be configured in your environment to access the features and services on the Protegrity appliances.

Ports for accessing ESA

The following table lists the ports that must be configured for system users to access ESA.

| Port Number | Protocol | Source | Destination | NIC | Description |
|---|---|---|---|---|---|
| 22 | TCP | System User | ESA | Management NIC (ethMNG) | Access to CLI Manager |
| 443 | TCP | System User | ESA | Management NIC (ethMNG) | Access to Web UI for Security Officer or ESA administrator |

Ports for accessing Insight

The following table lists the ports that must be configured for system users to access Insight.

| Port Number | Protocol | Source | Destination | NIC | Description |
|---|---|---|---|---|---|
| 22 | TCP | System User | Insight | Management NIC (ethMNG) | Access to CLI Manager |
| 443 | TCP | System User | Insight | Management NIC (ethMNG) | Access to Web UI for Security Officer or Insight administrator |

Ports for accessing Protectors

The following table lists the ports that must be configured between the ESA and non-appliance-based protectors such as Big Data Protector (BDP), Application Protector (AP), and so on.

| Port Number | Protocol | Source | Destination | NIC | Description | Notes (If any) |
|---|---|---|---|---|---|---|
| 8443 | TCP | Non-appliance-based protectors such as Big Data Protector (BDP), Application Protector (AP), z/OS, and so on | ESA | Management NIC (ethMNG) | Downloading certificates and policies from ESA; sending audit logs from the protectors to ESA | |
| 25400 | TCP | Non-appliance-based protectors such as Big Data Protector (BDP), Application Protector (AP), z/OS, and so on | Resilient Package Proxy (RPP) in the ESA | Management NIC (ethMNG) | Downloading certificates and policies from the ESA via the RPP service in the ESA; sending audit logs from the protectors to the ESA via the RPP service in the ESA | The protectors need to access this port. Ensure that the customer's firewall is not blocking this port. |
| 6379 | TCP | ESA | BDP Lead Node | Management NIC (ethMNG) | Communication between ESA and BDP lead node | If HDFSFP is used, this port must be opened. Starting from the Big Data Protector 7.2.0 release, the HDFS File Protector (HDFSFP) is deprecated; the HDFSFP-related sections are retained to cover the use of an older version of Big Data Protector with ESA 7.2.0. If a port other than 6379 is configured while installing BDP, ensure that the configured port is open. |
| 9200 | TCP | Log Forwarder | Audit Store | Management NIC (ethMNG) of ESA | Sends the audit logs received from the Log Server and forwards them to the ESA/Audit Store | |

Ports for ESA on TAC

The following table lists the ports that must be configured for the ESA appliances in a Trusted Appliances Cluster (TAC).

| Port Number | Protocol | Source | Destination | NIC | Description | Notes (If any) |
|---|---|---|---|---|---|---|
| 22 | TCP | Primary ESA | Secondary ESA | Management NIC (ethMNG) | Communication in TAC | |
| 22 | TCP | Secondary ESA | Primary ESA | Management NIC (ethMNG) | Communication in TAC | |
| 443 | TCP | Primary ESA | Secondary ESA | Management NIC (ethMNG) | Communication in TAC | Used for joining a cluster. |
| 443 | TCP | Secondary ESA | Primary ESA | Management NIC (ethMNG) | Communication in TAC | Used for joining a cluster. |
| 10100 | UDP | Primary ESA | Secondary ESA | Management NIC (ethMNG) | Communication in TAC | This port is optional. If the appliance heartbeat services are stopped, this port can be disabled. |
| 10100 | UDP | Secondary ESA | Primary ESA | Management NIC (ethMNG) | Communication in TAC | This port is optional. If the appliance heartbeat services are stopped, this port can be disabled. |
| 8300 | TCP | Primary ESA | Secondary ESA | Management NIC (ethMNG) | Handles incoming requests | This is used by servers to handle incoming requests from other agents. |
| 8300 | TCP | Secondary ESA | Primary ESA | Management NIC (ethMNG) | Handles incoming requests | This is used by servers to handle incoming requests from other agents. |
| 8301 | TCP and UDP | Primary ESA | Secondary ESA | Management NIC (ethMNG) | Gossip on LAN | This is used to handle gossip in the LAN. Required by all agents. |
| 8301 | TCP and UDP | Secondary ESA | Primary ESA | Management NIC (ethMNG) | Gossip on LAN | This is used to handle gossip in the LAN. Required by all agents. |
| 8302 | TCP and UDP | Primary ESA | Secondary ESA | Management NIC (ethMNG) | Gossip on WAN | This is used by servers to gossip over the WAN to other servers. As of Consul 0.8, the WAN join flooding feature requires the Serf WAN port (TCP/UDP) to be listening on both WAN and LAN interfaces. |
| 8302 | TCP and UDP | Secondary ESA | Primary ESA | Management NIC (ethMNG) | Gossip on WAN | This is used by servers to gossip over the WAN to other servers. As of Consul 0.8, the WAN join flooding feature requires the Serf WAN port (TCP/UDP) to be listening on both WAN and LAN interfaces. |
| 8600 | TCP and UDP | ESA | DSG | Management NIC (ethMNG) | Listens on the DNS server port | Used to resolve DNS queries. |
| 8600 | TCP and UDP | DSG | ESA | Management NIC (ethMNG) | Listens on the DNS server port | Used to resolve DNS queries. |
| 9000 | TCP and UDP | ESA | DSG | Management NIC (ethMNG) | Checks local certificates | If your TAC utilizes Consul services, you must enable this port. |
| 9000 | TCP and UDP | DSG | ESA | Management NIC (ethMNG) | Checks local certificates | If your TAC utilizes Consul services, you must enable this port. |

Additional Ports

Based on the firewall rules and network infrastructure of your organization, you must open ports for the services listed in the following table.

| Port Number | Protocol | Source | Destination | NIC | Description | Notes (If any) |
|---|---|---|---|---|---|---|
| 123 | UDP | ESA | Time servers | Management NIC (ethMNG) of ESA | NTP time sync port | This port can be configured based on the enterprise network policies or according to your use case. |
| 389 | TCP | ESA | Active Directory server | Management NIC (ethMNG) of ESA | Authentication for External AD and synchronization with External Groups | This port can be configured based on the enterprise network policies or according to your use case. |
| 389 | TCP | ESA | Active Directory server | Management NIC (ethMNG) of ESA | Synchronization with External AD Groups for policy users | This port can be configured based on the enterprise network policies or according to your use case. |
| 636 | TCP | ESA | Active Directory server | Management NIC (ethMNG) of ESA | Authentication for External AD and synchronization with External Groups | This port is for LDAPS. It can be configured based on the enterprise network policies or according to your use case. |
| 636 | TCP | ESA | Active Directory server | Management NIC (ethMNG) of ESA | Synchronization with External AD Groups for policy users | This port is for LDAPS. It can be configured based on the enterprise network policies or according to your use case. |
| 1812 | TCP | ESA | RADIUS server | Management NIC (ethMNG) of ESA | Authentication with RADIUS server | This port can be configured based on the enterprise network policies or according to your use case. |
| 514 | UDP | ESA | Syslog servers | Management NIC (ethMNG) of ESA | Storing logs | This port can be configured based on the enterprise network policies or according to your use case. |
| 9111 (FutureX) | TCP | ESA | HSM server | Management NIC (ethMNG) of ESA | HSM communication | This port can be configured based on the enterprise network policies or according to your use case. |
| 1792 (Safenet) | TCP | ESA | HSM server | Management NIC (ethMNG) of ESA | HSM communication | This port must be opened and configured based on the enterprise network policies or according to your use case. |
| 8000 (nCipher non-privileged port) | TCP | ESA | HSM server | Management NIC (ethMNG) of ESA | HSM communication | This port must be opened and configured based on the enterprise network policies or according to your use case. |
| 8001 (nCipher privileged port) | TCP | ESA | HSM server | Management NIC (ethMNG) of ESA | HSM communication | This port must be opened and configured based on the enterprise network policies or according to your use case. |
| 288 (Utimaco) | TCP | ESA | HSM server | Management NIC (ethMNG) of ESA | HSM communication | This port must be opened and configured based on the enterprise network policies or according to your use case. |

Ports for Users

If you are utilizing the DSG appliance, the following ports must be configured in your environment.

| Port Number | Protocol | Source | Destination | NIC | Description |
|---|---|---|---|---|---|
| 22 | TCP | System User | DSG | Management NIC (ethMNG) | Access to CLI Manager |
| 443 | TCP | System User | DSG | Management NIC (ethMNG) | Access to Web UI |

Ports for Communication with ESA

The following table lists the ports that must be configured for communication between DSG and ESA.

| Port Number | Protocol | Source | Destination | NIC | Description | Notes (If any) |
|---|---|---|---|---|---|---|
| 22 | TCP | ESA | DSG | Management NIC (ethMNG) | Replication of Rulesets from DSG to ESA; DSG patching from ESA | |
| 443 | TCP | ESA | DSG | Management NIC (ethMNG) | Communication in TAC | |
| 443 | TCP | DSG | ESA and Virtual IP address of ESA | Management NIC (ethMNG) | Downloading certificates from ESA | |
| 8443 | TCP | DSG | ESA and Virtual IP address of ESA | Management NIC (ethMNG) | Establishing communication with ESA; retrieving policy from ESA; sending audit logs to ESA | |
| 389 | TCP | DSG | Virtual IP address of ESA | Management NIC (ethMNG) | Authentication and authorization by ESA | |
| 5671 | TCP | DSG | ESA | Management NIC (ethMNG) | Messages sent from DSG to ESA | This port is required for backward compatibility, where ESA v7.2.1 communicates with earlier versions of appliances other than ESA. For example, port 5671 is required for user notifications from a DSG system to appear on the ESA v7.2.1 Dashboard. |
| 10100 | UDP | DSG | ESA | Management NIC (ethMNG) | Establishing communication with ESA; communication in TAC | This port is optional. If the appliance heartbeat services are stopped, this port can be disabled. |

DSG Ports for Communication in TAC

The following table lists the ports that must also be configured when DSG is part of a TAC.

| Port Number | Protocol | Source | Destination | NIC | Description | Notes (If any) |
|---|---|---|---|---|---|---|
| 22 | TCP | DSG | ESA | Management NIC (ethMNG) | Communication in TAC | |
| 8585 | TCP | ESA | DSG | Management NIC (ethMNG) | Cloud Gateway cluster | |
| 443 | TCP | ESA | DSG | Management NIC (ethMNG) | Communication in TAC | |
| 10100 | UDP | ESA | DSG | Management NIC (ethMNG) | Communication in TAC | This port is optional. If the Appliance Heartbeat services are stopped, this port can be disabled. |
| 10100 | UDP | DSG | ESA | Management NIC (ethMNG) | Establishing communication with ESA; communication in TAC | This port is optional. If the Appliance Heartbeat services are stopped, this port can be disabled. |
| 10100 | UDP | DSG | DSG | Management NIC (ethMNG) | Communication in TAC | This port is optional. |
| 8300 | TCP | ESA | DSG | Management NIC (ethMNG) | Handles incoming requests | This is used by servers to handle incoming requests from other agents. |
| 8300 | TCP | DSG | ESA | Management NIC (ethMNG) | Handles incoming requests | This is used by servers to handle incoming requests from other agents. |
| 8300 | TCP | DSG | DSG | Management NIC (ethMNG) | Handles incoming requests | This is used by servers to handle incoming requests from other agents. |
| 8301 | TCP and UDP | ESA | DSG | Management NIC (ethMNG) | Gossip on LAN | This is used to handle gossip in the LAN. Required by all agents. |
| 8301 | TCP and UDP | DSG | ESA | Management NIC (ethMNG) | Gossip on LAN | This is used to handle gossip in the LAN. Required by all agents. |
| 8301 | TCP and UDP | DSG | DSG | Management NIC (ethMNG) | Gossip on LAN | This is used to handle gossip in the LAN. Required by all agents. |
| 8302 | TCP and UDP | ESA | DSG | Management NIC (ethMNG) | Gossip on WAN | This is used by servers to gossip over the WAN to other servers. As of Consul 0.8, the WAN join flooding feature requires the Serf WAN port (TCP/UDP) to be listening on both WAN and LAN interfaces. |
| 8302 | TCP and UDP | DSG | ESA | Management NIC (ethMNG) | Gossip on WAN | This is used by servers to gossip over the WAN to other servers. As of Consul 0.8, the WAN join flooding feature requires the Serf WAN port (TCP/UDP) to be listening on both WAN and LAN interfaces. |
| 8302 | TCP and UDP | DSG | DSG | Management NIC (ethMNG) | Gossip on WAN | This is used by servers to gossip over the WAN to other servers. As of Consul 0.8, the WAN join flooding feature requires the Serf WAN port (TCP/UDP) to be listening on both WAN and LAN interfaces. |

Additional Ports for DSG

In DSG, service NICs are not assigned a specific port number. You can configure a port number according to your requirements.

Based on the firewall rules and network infrastructure of your organization, you must open ports for the services listed in the following table.

| Port Number | Protocol | Source | Destination | NIC | Description | Notes (If any) |
|---|---|---|---|---|---|---|
| 123 | UDP | DSG | Time servers | Management NIC (ethMNG) of ESA | NTP time sync port | This port can be configured based on the enterprise network policies or according to your use case. |
| 514 | UDP | DSG | Syslog servers | Management NIC (ethMNG) of ESA | Storing logs | This port can be configured based on the enterprise network policies or according to your use case. |
| N/A* | N/A* | DSG | Applications/Systems | Service NIC (ethSRV) of DSG | Enabling communication for DSG with different applications in the organization | This port can be configured based on the enterprise network policies or according to your use case. |
| N/A* | N/A* | Applications/Systems | DSG | Service NIC (ethSRV) of DSG | Enabling communication for DSG with different applications in the organization | This port can be configured based on the enterprise network policies or according to your use case. |

Ports for the Internet

The following ports must be configured on ESA for communication with the Internet.

| Port Number | Protocol | Source | Destination | NIC | Description |
|---|---|---|---|---|---|
| 80 | TCP | ESA | ClamAV Database | Management NIC (ethMNG) of ESA | Updating the Antivirus database on ESA |

The following ports are recommended for strengthening the firewall configurations.

| Port Number | Protocol | Source | Destination | NIC | Description |
|---|---|---|---|---|---|
| 67 | UDP | Appliance/System | DHCP server | Management NIC (ethMNG) | Allows server requests from the DHCP server |
| 68 | UDP | Appliance/System | DHCP server | Management NIC (ethMNG) | Allows client requests on the DHCP server |
| 161 | UDP | ESA/DSG | SNMP | Management NIC (ethMNG) | Allows SNMP requests |
| 10161 | TCP and UDP | ESA/DSG | SNMP | Management NIC (ethMNG) | Allows SNMP requests over DTLS |

Audit Store Ports

The following ports must be configured for communication between the ESA and the Audit Store.

| Port Number | Protocol | Source | Destination | NIC | Description | Notes (If any) |
|---|---|---|---|---|---|---|
| 9200 | TCP | ESA | ESA | Management NIC (ethMNG) of ESA / Audit Store | Audit Store REST communication | This port can be configured based on the enterprise network policies or according to your use case. |
| 9300 | TCP | ESA | ESA | Management NIC (ethMNG) of ESA / Audit Store | Internode communication between the Audit Store nodes | This port can be configured based on the enterprise network policies or according to your use case. |
| 24224 | UDP | ESA | ESA | Management NIC (ethMNG) of ESA / Audit Store | Communication between td-agent and the Audit Store | This port can be configured according to your use case when forwarding logs to an external Security Information and Event Management (SIEM) system. |
| 24284 | TCP | Protector | ESA | Management NIC (ethMNG) of ESA / Audit Store | Communication between protector and td-agent | This port can be configured according to your use case when forwarding logs to an external Security Information and Event Management (SIEM) system over TLS. |
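As an added example, not part of the Protegrity documentation or tooling, the following script collects every port whose destination in the tables above is the ESA and compares that set with what an ESA is actually listening on, so that a listener the tables do not explain, or a required one that is missing, stands out. It assumes the listener snapshot comes from `ss -tulnH`; the `ss` output embedded here is constructed for the demonstration.

```python
"""Added check (not Protegrity's): compare an ESA's live listeners with the ESA-inbound ports above."""
# (protocol, port) -> purpose, for every row above whose Destination is the ESA.
DOCUMENTED = {
    ("tcp", 22): "CLI Manager, TAC", ("tcp", 443): "Web UI, TAC, DSG certificates",
    ("tcp", 8443): "protector/DSG policy, certificates, audit logs",
    ("tcp", 25400): "Resilient Package Proxy", ("tcp", 389): "DSG authentication",
    ("tcp", 5671): "DSG messages (backward compatibility)", ("tcp", 8300): "Consul RPC",
    ("tcp", 8301): "Consul LAN gossip", ("udp", 8301): "Consul LAN gossip",
    ("tcp", 8302): "Consul WAN gossip", ("udp", 8302): "Consul WAN gossip",
    ("tcp", 8600): "DNS", ("udp", 8600): "DNS",
    ("tcp", 9000): "certificate checks", ("udp", 9000): "certificate checks",
    ("tcp", 9200): "Audit Store REST", ("tcp", 9300): "Audit Store internode",
    ("udp", 24224): "td-agent to Audit Store", ("tcp", 24284): "protector to td-agent",
    ("udp", 10100): "appliance heartbeat (optional)",
}
# Required on every ESA; the rest depend on protectors, DSG, TAC or SIEM forwarding.
BASELINE = {("tcp", 22), ("tcp", 443), ("tcp", 8443)}

def parse_ss(output: str) -> set:
    """Turn `ss -tulnH` lines (Netid State Recv-Q Send-Q Local Peer) into (proto, port)."""
    listeners = set()
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        # Local address is 0.0.0.0:22, [::]:22 or *:22; the port follows the last colon.
        port = fields[4].rsplit(":", 1)[-1]
        if port.isdigit():
            listeners.add((fields[0], int(port)))
    return listeners

def audit(listeners: set) -> tuple:
    """Return (baseline ports not listening, listeners this page does not document)."""
    return sorted(BASELINE - listeners), sorted(listeners - set(DOCUMENTED))

# Constructed sample: 8443 is not listening and 8080 is an unexplained extra listener.
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511                *:443              *:*
tcp   LISTEN 0      128        127.0.0.1:8300         0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:8301         0.0.0.0:*
tcp   LISTEN 0      128             [::]:8080            [::]:*
"""
if __name__ == "__main__":
    missing, undocumented = audit(parse_ss(SAMPLE_SS))
    for proto, port in missing:
        print(f"MISSING      {proto}/{port}: {DOCUMENTED[(proto, port)]}")
    for proto, port in undocumented:
        print(f"UNDOCUMENTED {proto}/{port}: not in this page's tables, justify or close it")
```

On a real appliance, feed the output of `ss -tulnH` to `parse_ss` instead of `SAMPLE_SS`; an undocumented listener on the management NIC is worth a firewall rule or a service review, and 6379 appears only as an outbound ESA port here, so it is deliberately absent from `DOCUMENTED`.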