ArcSight Ports and Protocols June 6, 2018
Contents
Overview
ESM (v7.0)
ESM & ESM Express (v6.11)
ESM & Express (v6.X/v4.X)
Event Broker (v2.20) and Investigate (v2.10)
User Behavior Analytics (v5.0)
Logger (v6.X)
Management Center (v2.X)
SmartConnectors
Model Import Connectors
SmartConnector Load Balancer
Integrated Lights-Out (iLO)
Connector Appliance (v6.X)
DNS Malware Analytics (SaaS/Cloud)
Network Synergy Platform (v5.X)
Micro Focus Trademark Information
Company Details
Overview
This document describes the ports and protocols most commonly used by ESM, ESM Express, Express, Investigate, User Behavior Analytics, Logger, Event Broker, Management Center, SmartConnectors, Model Import Connectors, SmartConnector Load Balancer, Connector Appliance, DNS Malware Analytics, Network Synergy Platform, and Integrated Lights-Out (iLO).
ESM (v7.0)
Source Device Destination Device Destination Port Notes
1976, 28001, 2812, 3306, 5555, 6005, 6009, 7777, 7778, 7779, 7780, 8005, 8009, 8080, 8088, 8089, 8666, 8766, 8808, 8880, 8888, 8889, 9000, 9095, 9090, 9123, 9124, 9999, 45450 Ports used internally for inter-component communication
3179, 3180, 3181 Ports used by the information repository
10000-10100 Default range of ports for your cluster. This range of ports is made available for dynamic assignment to services (aggregator and correlator, message bus data and message bus control, and distributed cache) as they are added to a cluster. The lowest value can be 1024 and the highest value 32767. The difference between the lowest value and the highest value specified must be at least 100.
694/udp, 7789/tcp Ports for external incoming connections for HA
8443/tcp Inbound SmartConnectors and Consoles
9000/tcp Peering requires this port
22/tcp Inbound SSH log in
53/udp Inbound/Outbound DNS requests and responses
25/tcp Outbound SMTP to mail server
110/tcp Outbound POP3 to mail server, if applicable
143/tcp Outbound IMAP to mail server, if applicable
1645/udp Inbound/Outbound RADIUS, if applicable
1812/udp Inbound/Outbound RADIUS, if applicable
389/tcp Outbound LDAP to LDAP server, if applicable
636/tcp Outbound LDAP over SSL to LDAP server, if applicable
ESM & ESM Express (v6.11)
Source Device Destination Device Destination Port Notes
ESM Manager TCP 1976, 28001, 2812, 3306, 5555, 6005, 6009, 7777, 7778, 7779, 7780, 8005, 8009, 8080, 8088, 8089, 8666, 8766, 8808, 8880, 8888, 8889, 9095, 9090, 9123, 9124, 9999, 45450 TCP ports used internally for inter-component communication and data exchange between the threads comprising the ESM Manager. They do not require external access, won't be used for any cross-device communication, and can be blocked by an external firewall.
ESM Manager TCP 9000 Peering requires this port
ESM Manager 22/TCP Inbound SSH log in (Unix only)
ESM Manager ESM Manager 53/UDP Inbound/Outbound DNS requests and responses
ESM Manager 8443/TCP Inbound SmartConnectors and Consoles
ESM Manager 25/TCP Outbound SMTP to mail server
ESM Manager 110/TCP Outbound POP3 to mail server, if applicable
ESM Manager 143/TCP Outbound IMAP to mail server, if applicable
ESM Manager ESM Manager 1645/UDP Inbound/Outbound RADIUS, if applicable
ESM Manager ESM Manager 1812/UDP Inbound/Outbound RADIUS, if applicable
ESM Manager 389/TCP Outbound LDAP to LDAP server, if applicable
ESM Manager 636/TCP Outbound LDAP over SSL to LDAP server, if applicable
ESM Manager ESM Manager TCP/7789, UDP/694 The HA Module uses ports 694 and 7789 on each IP address in the cluster environment.
ESM Manager
• The primary IP address.
• The secondary IP address.
ESM Manager
• The primary IP address
• The secondary IP address
• The Service IP address
• To the Connected Host
ICMP The HA Module
• A Connected Host is any other machine on the network that you have indicated can be pinged by the HA Module to verify that it is still on the network.
ESM & Express (v6.X/v4.X)
Source Device Destination Device Destination Port Notes
Workstation ESM/ESM Express Manager TCP 8443 Console to ESM/ESM Express Manager communication.
Workstation Express/ESM Manager TCP 22 SSH access for troubleshooting and diagnostics.
Workstation DNS Server(s) UDP/TCP 53 Console to DNS server communication (nslookup tool). Host resolution of ESM/ESM Express Manager during Console login.
Workstation Whois Server(s) UDP/TCP 43 Console to Whois server communication (whois tool).
Workstation Selected Destination/Target in Console ICMP Console to target communication (ping tool).
Workstation ArcSight Web TCP 9443 Web browser to ArcSight Web communication.
ESM/ESM Express Manager NTP Server(s) UDP 123 ESM/ESM Express Manager to NTP server (for time synchronization).
ESM/ESM Express Manager DNS Server(s) UDP/TCP 53 ESM/ESM Express Manager to DNS server communication (nslookup tool).
ESM/ESM Express Manager SMTP Server(s) TCP 25 ESM/ESM Express Manager to SMTP server (for notifications).
ESM/ESM Express Manager POP3 Server(s) TCP 110 ESM/ESM Express Manager to POP3 server (for notifications, if applicable).
ESM/ESM Express Manager IMAP Server(s) TCP 143 ESM/ESM Express Manager to IMAP server (for notifications, if applicable).
ESM/ESM Express Manager SNPP Server(s) TCP 444 ESM/ESM Express Manager to SNPP server (for notifications, if applicable).
ESM/ESM Express Manager LDAP Server(s) TCP 389 or 636 ESM/ESM Express Manager to LDAP server (if applicable). TCP 389 without SSL; TCP 636 with SSL.
ESM/ESM Express Manager RADIUS Server(s) UDP 1645 or 1812 ESM/ESM Express Manager to RADIUS server (if applicable).
Connector Appliance SmartConnectors, Logger SmartConnectors, and SmartConnectors ESM/ESM Express Manager TCP 8443 SmartConnector to ESM/ESM Express Manager secure and encrypted event channel.
ESM/ESM Express Manager Logger TCP 443 Allows you to receive events from a source ESM/ESM Express Manager installation and send them to a secondary destination (Forwarding Connector).
ESM/ESM Express Manager ESM/ESM Express Manager TCP 8443 Allows you to receive events from a source ESM/ESM Express Manager installation and send them to a secondary destination (Forwarding Connector).
ESM/ESM Express Manager Syslog Server(s) UDP/TCP 514 Allows you to receive events from a source ESM/ESM Express Manager installation and send them to a secondary destination (Forwarding Connector).
ESM/ESM Express Manager McAfee ePolicy Orchestrator TCP 1433 Allows you to receive events from a source ESM/ESM Express Manager installation and send them to a secondary destination (Forwarding Connector).
Web Service Client ESM/ESM Express Manager TCP 9090 The ESM/ESM Express Service Layer is available and exposes functionalities as Web Services. By consuming the exposed Web Services, you can integrate ESM/ESM Express functionality in your own applications.
Express Manager TCP 9001 Remote Connector Management listening port.
Express Manager TCP 9002 Remote Connector Management listening port.
Express Manager TCP 6443 Connector Management.
ESM 6.8c Manager TCP 8443, 9443, 9000 These TCP ports are used for external incoming connections.
ESM 6.8c Manager TCP 1976, 28001, 2812, 3306, 5555, 6005, 6009, 6443, 7777, 7778, 7779, 7780, 8005, 8009, 8080, 8088, 8089, 8666, 8766, 8808, 8880, 8888, 8889, 9000, 9001, 9002, 9003, 9004, 9005, 9006, 9007, 9008, 9095, 9090, 9123, 9124, 9999, 45450 These TCP ports are used internally for inter-component communication by ESM 6.8c.
ESM 6.8c Manager TCP 6060, 9005, 9009, 1099 Risk Insight
ESM 6.8c Manager TCP 8081, 6005, 8444, 6410, 6400 Risk Insight (BusinessObjects)
ESM 6.8c Manager TCP 7789, UDP 694 Each of the High Availability servers uses these ports in addition to those used by ESM.
Event Broker (v2.20) and Investigate (v2.10)
Source Device Destination Device Destination Port Notes
Workstation Event Broker Master Node(s) 5443/tcp Web interface to the ArcSight Installer
Workstation Event Broker Master Node(s) 443/tcp Web interface to ArcSight Investigate
All Event Broker nodes All Event Broker nodes 22/tcp SSH is needed for installation of Event Broker to all Event Broker nodes
All Vertica nodes All Vertica nodes 22/tcp SSH is needed for installation of Vertica to all Vertica nodes
All Event Broker consumers and producers All Event Broker Worker nodes 9092/tcp, 9093/tcp Port 9092 must be reachable by all Event Broker nodes, consumers, and producers. If you are using TLS, port 9093 must also be reachable.
ArcMC All Event Broker nodes 38080/tcp, 5443/tcp ArcMC Management of Event Broker
All Event Broker nodes ArcMC 443/tcp ArcMC Management of Event Broker (when ArcMC is installed as root)
All Event Broker nodes ArcMC 9000/tcp ArcMC Management of Event Broker (when ArcMC is installed as a non-root user)
Investigate node All Vertica nodes 5433/tcp Investigate to Vertica communication
2379, 2380, 3000, 4001, 4194, 5000, 8080, 8088, 8200, 8285, 8443, 10248-10252, 10255 Kubernetes
111, 2049, 20048, 37189 NFS (the NFS ports are used only in clusters that are configured to use an internal NFS server)
2181, 9092, 9093, 38080, 39000, 39093, 32181 Event Broker
39001-39010 CEB (Connectors in Event Broker)
4194 CAdvisor
User Behavior Analytics (v5.0)
Source Device Destination Device Destination Port Notes
UBA Server UBA Server TCP 3306 Port for MySQL
Workstation UBA Server TCP 8080 (http), TCP 8443 (https) Tomcat Application Server Port
UBA Server TCP 22 SSH
UBA Server TCP 20 & 21 FTP
UBA Server MSFT SMTP Gateway TCP 25 & 465 SMTP notifications (email alerts from the application)
UBA Server TCP/UDP 53 DNS host name lookup – DNS is used for name lookup and event enrichment
UDP 67 DHCP/bootstrap protocol server is not needed when static IP addressing is used
UBA Server UDP 514 A syslog server set up; alternate ports can be configured, for example if forwarding events from Logger
UBA Server ICMP Type 8 Server monitoring
UBA Server Identity Store TCP 389, TCP 636 Connectivity varies by identity store, for example, for Active Directory
UBA Master/Child UBA Master/Child TCP 3306 & 8443 Master/Child communication uses ports 3306/8443 (HTTPS)
Logger (v6.X)
Source Device Destination Device Destination Port Notes
Logger TCP 1976, 2812, 3306, 5555, 7777, 7778, 7779, 7780, 8005, 8009, 8080, 8088, 8089, 8666, 8808, 8880, 8888, 8889, 9123, 9124, 9999, 45450 TCP ports used internally for inter-component communication and data exchange between the threads comprising Logger. They do not require external access, won't be used for any cross-device communication, and can be blocked by an external firewall.
Workstation Logger TCP 443 or 9000 Web browser to Logger communication.
For root installs, allow access to port 443/tcp as well as the ports for any protocol that the Logger receivers need, such as port 514/udp for the UDP receiver and port 515/tcp for the TCP receiver.
For non-root installs, allow access to port 9000/tcp as well as the ports for any protocol that the Logger receivers need, such as port 8514/udp for the UDP receiver and port 8515/tcp for the TCP receiver.
Workstation Logger TCP 22 SSH access for troubleshooting and diagnostics.
Logger NTP Server(s) UDP 123 Logger to NTP server (for time synchronization).
Logger DNS Server(s) UDP/TCP 53 Logger to DNS server communication.
Logger SMTP Server(s) TCP 25 Logger to SMTP server (for notifications).
Logger Syslog Server(s) UDP/TCP 514 Logger to syslog server (for notifications).
Logger SNMP Server(s) UDP 162 Logger to SNMP server (for notifications).
Logger RADIUS Server(s) UDP 1645 or 1812 Logger to RADIUS server (when Logger is configured to use RADIUS password authentication).
Logger NFS Server(s) TCP 111, UDP 111, TCP 2049, UDP 2049, TCP 2219, UDP 2219 Allows Logger to connect to servers via NFS for event archiving and search export.
Logger CIFS Server(s) TCP 445 Allows Logger to connect to servers via CIFS for event archiving and search export.
Logger NFS Server(s) TCP 111, UDP 111, TCP 2049, UDP 2049, TCP 2219, UDP 2219 Allows Logger File Receivers to read log files from NFS servers. Allows Logger SmartConnectors (L3500) to read logs from NFS servers.
Logger CIFS Server(s) TCP 445 Allows Logger File Receivers to read log files from CIFS servers. Allows Logger SmartConnectors (L3500) to read logs from CIFS servers.
Logger SCP, SFTP, FTP Server(s) TCP 22 (SCP, SFTP), TCP 20 & 21 (FTP) Allows Logger File Transfer Receiver to read remote log files using SCP, SFTP or FTP protocols.
Syslog Event Sources Logger UDP 514 or 8514 The UDP receiver is on port 514/udp for Logger Appliances. If you are installing Software Logger as root, the UDP receiver is on port 514/udp. For non-root installs, it is on port 8514/udp. If this port is already occupied, the initialization process selects the next higher unoccupied port.
Syslog Event Sources Logger TCP 515 or 8515 The TCP receiver is on port 515/tcp for Logger Appliances. If you are installing Software Logger as root, the TCP receiver is on port 515/tcp. For non-root installs, it is on port 8515/tcp. If this port is already occupied, the initialization process selects the next higher unoccupied port.
SmartConnectors Logger TCP 443 or 9000 The SmartMessage receiver listens on the same port as the User Interface, 443/tcp on Logger appliances, and typically 443/tcp on Software Logger installed as root, and 9000/tcp on Software Logger installed as non-root. The Software Logger ports may vary.
Logger ESM/ESM Express Manager TCP 8443 Used to forward audit events from Logger to the ESM/ESM Express Manager.
Logger ESM/ESM Express Manager and/or Syslog Server(s) TCP 8443 (ESM/ESM Express Manager), UDP/TCP 514 Used to send all events, or events which match a particular filter, on to a particular host.
Logger SCP Server TCP 22 (SCP) Allows backup of Logger configuration to remote host.
ArcMC Agent Logger TCP 7913 ArcMC Agent
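An added example, not part of the original document or of any ArcSight tooling: a Python check that compares a host's listening sockets (a constructed `ss -tuln` sample) with the Logger (v6.X) table above and flags internal inter-component ports bound to a non-loopback address as candidates for firewall blocking. The verdict names, the function names and the treatment of TCP 7913 as an inbound listener on Logger are assumptions of this example.

```python
"""Audit a Logger host's listeners against the Logger (v6.X) port table."""
import ipaddress

# Internal inter-component TCP ports, copied from the Logger (v6.X) table.
INTERNAL_TCP = {1976, 2812, 3306, 5555, 7777, 7778, 7779, 7780, 8005, 8009,
                8080, 8088, 8089, 8666, 8808, 8880, 8888, 8889, 9123, 9124,
                9999, 45450}

# Listeners the table expects other hosts to reach, per install mode:
# UI/SmartMessage, UDP receiver, TCP receiver, SSH, ArcMC Agent (assumed inbound).
EXPECTED = {
    "root": {("tcp", 443), ("udp", 514), ("tcp", 515), ("tcp", 22), ("tcp", 7913)},
    "non-root": {("tcp", 9000), ("udp", 8514), ("tcp", 8515), ("tcp", 22),
                 ("tcp", 7913)},
}

# Constructed sample of `ss -tuln` output for a non-root Software Logger.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:8514       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    [::]:9000          [::]:*
tcp   LISTEN 0      128    0.0.0.0:8515       0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*
tcp   LISTEN 0      50     *:8080             *:*
tcp   LISTEN 0      50     0.0.0.0:9999       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:8516       0.0.0.0:*
"""


def is_loopback(addr):
    """True when the bind address is reachable only from the host itself."""
    addr = addr.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and %iface
    if addr == "*":                           # wildcard bind: all interfaces
        return False
    return ipaddress.ip_address(addr).is_loopback


def audit(ss_output, install_mode):
    """Return (proto, address, port, verdict) for every listening socket."""
    expected = EXPECTED[install_mode]
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header line or unrelated output
        proto = fields[0]
        addr, _, port_text = fields[4].rpartition(":")
        port = int(port_text)
        if is_loopback(addr):
            verdict = "loopback-only"      # not reachable from other hosts
        elif (proto, port) in expected:
            verdict = "expected"           # documented external listener
        elif proto == "tcp" and port in INTERNAL_TCP:
            verdict = "internal-exposed"   # internal port on a routable bind
        else:
            # Includes receivers that moved to the next higher free port.
            verdict = "undocumented"
        findings.append((proto, addr, port, verdict))
    return findings


def block_candidates(findings):
    """Internal ports reachable off-host: block these at the firewall."""
    return sorted({port for _, _, port, v in findings if v == "internal-exposed"})


if __name__ == "__main__":
    results = audit(SAMPLE_SS, "non-root")
    for proto, addr, port, verdict in results:
        print(f"{proto:<4}{addr:>12}:{port:<6} {verdict}")
    print("block at firewall:", block_candidates(results))
```

A listener reported as `undocumented` is not necessarily wrong: the table notes that a receiver moves to the next higher unoccupied port when its default is taken, so such entries need a manual review.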
Management Center (v2.X)
Source Device Destination Device Destination Port Notes
ArcMC Appliance TCP 21, TCP 22, TCP 443, TCP 7913, TCP 9001, TCP 9002, TCP 9003, TCP 9004, TCP 9005, TCP 9006, TCP 9007, TCP 9008, UDP 123 The ArcSight Management Center Appliance (v2.5+) includes a script that you can use to configure the firewall. This script looks at your current ArcSight Management Center configuration and decides what ports to keep open. Alternatively, you can configure the firewall on your appliance as you would on any server, by editing iptables-config and white-listing the appropriate ports.
Workstation ArcMC TCP 443 (when installed as root), TCP 9000 (when installed as non-root user) Web browser to ArcMC communication.
Workstation ArcMC TCP 22 SSH access for troubleshooting and diagnostics.
ArcMC ArcMC/Logger/Connector Appliance TCP 443 (when installed as root), TCP 9000 (when installed as non-root user) Managing ArcMC/Logger/Connector Appliance
ArcMC NTP Server(s) UDP 123 ArcMC to NTP server (for time synchronization).
ArcMC DNS Server(s) UDP/TCP 53 ArcMC to DNS server communication (for IP/hostname resolution)
ArcMC SMTP Server(s) TCP 25 ArcMC to SMTP server (for notifications).
ArcMC RADIUS Server(s) UDP 1645 or 1812 ArcMC to RADIUS server (for external authentication).
ArcMC LDAP Server(s) TCP 389 or 636 ArcMC to LDAP server (for external authentication). TCP 389 without SSL; TCP 636 with SSL.
ArcMC SCP Server TCP 22 Allows backup of ArcMC configuration to a remote host.
ArcMC ArcMC local syslog SmartConnector UDP/TCP 514 Used for audit forwarding from ArcMC to the ArcMC local syslog SmartConnector.
ArcMC SmartConnectors ESM/ESM Express Manager TCP 8443 ArcMC SmartConnectors to ESM/ESM Express Manager secure and encrypted event channel.
ArcMC SmartConnectors Logger TCP 443 ArcMC SmartConnectors to Logger SmartMessage secure and encrypted event channel.
ArcMC local syslog SmartConnector ESM/ESM Express Manager TCP 8443 Used for audit forwarding from the ArcMC local syslog SmartConnector to ESM/ESM Express Manager secure and encrypted event channel.
ArcMC local syslog SmartConnector Logger TCP 443 Used for audit forwarding from ArcMC local syslog SmartConnector to Logger SmartMessage secure and encrypted event channel.
ArcMC SmartConnectors TCP 9001-9008 Allows ArcMC to manage remote SmartConnectors (appliance and/or software).
ArcMC NFS Server(s) UDP/TCP 111, TCP 2049, UDP 2049, TCP 2219, UDP 2219 Allows SmartConnectors to read logs from NFS servers.
ArcMC CIFS Server(s) TCP 445 Allows SmartConnectors to read logs from CIFS servers.
ArcMC marketplace.saas.hpe.com TCP 443 Connection to the ArcSight Marketplace for retrieving parser upgrade versions.
SmartConnectors
Source Device Destination Device Destination Port Notes
SmartConnector DNS Server(s) UDP/TCP 53 SmartConnector to DNS server communication.
Connector Appliance SmartConnectors or SmartConnectors ESM/ESM Express Manager TCP 8443 SmartConnector to ESM/ESM Express Manager secure and encrypted event channel.
Connector Appliance SmartConnectors or SmartConnectors Logger TCP 443 SmartConnector to Logger SmartMessage secure and encrypted event channel.
Connector Appliance SmartConnectors TCP 9001 Allows Connector Appliance to manage remote SmartConnectors (appliance and/or software).
Forwarding Connector ESM/ESM Express Manager TCP 8443 Allows you to receive events from a source ESM/ESM Express Manager installation and send them to a secondary destination.
Forwarding Connector Logger TCP 443 Allows you to receive events from a source ESM/ESM Express Manager installation and send them to a secondary destination.
Forwarding Connector Syslog Server(s) UDP/TCP 514 Allows you to receive events from a source ESM/ESM Express Manager installation and send them to a secondary destination.
Forwarding Connector McAfee ePolicy Orchestrator TCP 1433 Allows you to receive events from a source ESM/ESM Express Manager installation and send them to a secondary destination.
Syslog Event Sources SmartConnector UDP/TCP 514 All products that send events via syslog.
SNMP Event Sources SmartConnector UDP 162 All products that send events via SNMP.
Microsoft Windows Event Log – Unified Windows Servers and Workstations TCP 445 This SmartConnector can connect to local or remote machines, inside a single domain or from multiple domains, to retrieve events from all types of event logs.
Windows Domain (Legacy) Windows Servers TCP 135, 139, 445; UDP 137, 138 The Windows Domain SmartConnector will use RPC and Remote Registry to connect to the server and poll the Windows Event Log. This SmartConnector requires domain privileges and domain membership.
Check Point Check Point Provider-1 (configure for each CMA) TCP 18184 The Check Point SmartConnector will connect to Provider-1 using Log Export API (LEA) using SSLCA and OPSEC will need to be configured per CMA.
Check Point Check Point Provider-1 or Smart Center TCP 18210 Allows SmartConnector to pull OPSEC SSL certificate.
Oracle Oracle Server TCP 1521 The SmartConnector establishes connectivity to the database.
Microsoft SQL Server Microsoft SQL Server TCP 1433; TCP 139, 445; UDP 135, 139, 445 The SmartConnector establishes connectivity to the database and reads audit trace logs simultaneously. Trace files are not a requirement with some products reporting to Microsoft SQL Server.
MySQL MySQL Server TCP 3306 The SmartConnector establishes connectivity to the database.
Blue Coat Server hosting Blue Coat SmartConnector and FTP server TCP 20, TCP 21 Allows Blue Coat to send logs to server hosting Blue Coat SmartConnector over FTP and FTP-Data.
Sourcefire Sourcefire Defense Center Server TCP 8302 SSL connection for the Defense Center eStreamer protocol.
WinC host / winc-agent.exe WinC host / Java.exe TCP/61616 SmartConnector for Microsoft Windows Event Log – Native. Port 61616 is used for Message Queue service to communicate between the standard connector code of WinC and its agent code in C#, winc-agent. The port can be configured if needed; for example, when more than one WinC is installed on the same server, the port number should be modified by adding mq.server.listener.port to agent.properties. By default, this is set to 61616 in agent.default.properties. Copy the value to agent.properties and change the port number.
WinC host / winc-agent.exe Server to collect events from TCP/135 SmartConnector for Microsoft Windows Event Log – Native
Server to collect events from WinC host / winc-agent.exe Vary. Default TCP/49153 SmartConnector for Microsoft Windows Event Log – Native. WinC and the server to collect events from negotiate the port to use. Ephemeral TCP port range:
• 49152-65535
• 1025-5000
The third-party SmartConnector types listed above are some of the most common SmartConnectors deployed. For any third-party SmartConnector not listed, please refer to the “SmartConnector Configuration Guide” for information on the ports and protocols used.
Model Import Connectors
Source Device Destination Device Destination Port Notes
Model Import Connector for Reputation Security Monitor Plus 1.6 ns.glbs.zvelo.com TCP 443 A component of Reputation Security Monitor Plus which retrieves reputation data from the threat intelligence service, processes this data, and forwards it to ESM/ESM Express.
Model Import Connector for Reputation Security Monitor 1.5 tmc.tippingpoint.com, d.tippingpoint.com, *.akamai.net, *.akamai.com TCP 443 A component of Reputation Security Monitor which retrieves reputation data from the threat intelligence service (powered by DVLabs), processes this data, and forwards it to ESM/ESM Express.
tmc.tippingpoint.com is the application server that provides the Web Service. The Web Service gives the client a URL on d.tippingpoint.com, from which the actual data is downloaded as files. Since d.tippingpoint.com is a cloud service (Akamai based), the underlying IP addresses are subject to change at any time; therefore only domain-based filtering, not IP-based filtering, can be used between the Model Import Connector and the Internet.
Model Import Connector for IdentityView Active Directory TCP 389 or 636 The Model Import Connector for Microsoft Active Directory extracts the user identity information (or Actor data) from the Active Directory LDAP, and then uses that data to populate ESM/ESM Express Manager with resources.
Model Import Connector ESM/ESM Express Manager TCP 8443 Model Import Connector to ESM/ESM Express Manager secure and encrypted channel.
SmartConnector Load Balancer
Source Device Destination Device Destination Port Notes
Primary Node Secondary Node TCP 9090 'vipPingPort' is internally used to check if VIP address is still bound to one of the member hosts for continuous event collection.
Primary Node Secondary Node TCP 6702 Port is internally used to communicate with another Load Balancer to detect the health for HA support.
Primary/Secondary Node SmartConnector TCP 9001 remote.management.listener.port from agent.properties
TCP 8443 Web Service Listener.
Syslog Devices Primary/Secondary Node Virtual IP Address UDP 514 'vipAddress' is the virtual IP address that will be shared between two member hosts to handle seamless failover of member host.
Syslog Devices Primary/Secondary Node Virtual IP Address TCP 514 'vipAddress' is the virtual IP address that will be shared between two member hosts to handle seamless failover of member host.
Integrated Lights-Out (iLO)
Source Device Destination Device Destination Port Notes
Integrated Lights-Out (iLO) TCP 22, 80, 443, 623, 17990, 17988 iLO Management technologies are embedded management technologies that support the complete lifecycle of all ProLiant servers, from initial deployment to ongoing management and service alerting.
Connector Appliance (v6.X)
Source Device Destination Device Destination Port Notes
Workstation Connector Appliance TCP 443 Web browser to Connector Appliance communication.
Workstation Connector Appliance TCP 22 SSH access for troubleshooting and diagnostics.
Connector Appliance NTP Server(s) UDP 123 Connector Appliance to NTP server (for time synchronization).
Connector Appliance DNS Server(s) UDP/TCP 53 Connector Appliance to DNS server communication.
Connector Appliance SMTP Server(s) TCP 25 Connector Appliance to SMTP server (for notifications).
Connector Appliance RADIUS Server(s) UDP 1645 or 1812 Connector Appliance to RADIUS server (when Connector Appliance is configured to use RADIUS password authentication).
Connector Appliance SmartConnectors or SmartConnectors ESM/ESM Express Manager TCP 8443 SmartConnector to ESM/ESM Express Manager secure and encrypted event channel.
Connector Appliance SmartConnectors or SmartConnectors Logger TCP 443 SmartConnector to Logger SmartMessage secure and encrypted event channel.
Connector Appliance NFS Server(s) TCP 111, UDP 111, TCP 2049, UDP 2049, TCP 2219, UDP 2219 Allows SmartConnectors to read logs from NFS servers.
Connector Appliance CIFS Server(s) TCP 445 Allows SmartConnectors to read logs from CIFS servers.
Connector Appliance Connector Appliance SmartConnectors and SmartConnectors TCP 9001 (SmartConnector), TCP 9001-9004 (C3500), TCP 9001-9008 (C5500) Allows Connector Appliance to manage remote SmartConnectors (appliance and/or software).
Connector Appliance Syslog Server(s) UDP/TCP 514 Used to forward audit events from Connector Appliance to syslog server(s).
Connector Appliance SCP Server TCP 22 (SCP) Allows backup of Connector Appliance configuration to remote host.
DNS Malware Analytics (SaaS/Cloud)
Source Device Destination Device Destination Port Notes
DNS capture module SAAS analytic engine – portal.dnsmalwareanalytics.com Web Sockets – RFC 6455; Encryption WSS – TLS 1.2 minimum; WAMP – Web Application Messaging Protocol 2.0 DNS Malware Analytics is a scalable, cloud-based threat detector that monitors DNS traffic and rapidly identifies an infected system, enabling immediate remediation in real time.
Workstation portal.dnsmalwareanalytics.com TCP 443 Web browser to SAAS analytic engine interface
Network Synergy Platform (v5.X)
Source Device Destination Device Destination Port Notes
Workstation NSP TCP 443 Web browser to NSP communication.
NSP Managed devices TCP 20 & 21 (FTP) Configuration file transfer.
NSP Managed devices TCP 22 (SSH, SCP, SFTP) Securely copy or transfer files.
NSP Managed devices TCP 23 (telnet) Managed device access through the appliance only as needed.
NSP Managed devices UDP 69 (TFTP) Configuration file transfer.
NSP Managed devices ICMP Device discovery.
NSP Managed devices Multiple ports Device discovery, if OS fingerprinting is selected.
Managed devices NSP TCP 20 & 21 (FTP) Configuration file transfer.
Managed devices NSP TCP 22 (SSH, SCP) Securely copy or transfer files (SSH proxy; SCP on demand only).
Managed devices NSP UDP 69 (TFTP) Configuration file transfer (TFTP on demand only).
NSP SMTP Server(s) TCP 25 (SMTP) E-mail notifications (if enabled on your appliance).
NSP SNMP Server(s) UDP 161 & 162 (SNMP) SNMP notifications (if your appliance is configured to send them).
NSP Syslog Server(s) UDP 514 (syslog) Syslog messages (if your appliance is configured to send them).
NSP WINS Server(s) UDP/TCP 1512 NSP to WINS server communication to resolve Windows NETBIOS names.
NSP NTP Server(s) UDP 123 NSP to NTP server (for time synchronization).
NSP DNS Server(s) UDP/TCP 53 NSP to DNS server communication.
NSP ESM/ESM Express Manager TCP 8443 TRM Connector configured to integrate NSP with ESM/ESM Express and take TRM actions on managed devices through the NSP appliance.
NSP Syslog SmartConnector (running on Connector Appliance or as a SmartConnector) UDP 514 (syslog) The NSP appliance forwards the notification messages it generates to a Common Event Format (CEF) Syslog SmartConnector that sends the events on to the ESM/ESM Express Manager.
The information that resides on your NSP appliance is well protected. Any port, except 443, is opened only for the length of time it takes to perform the action related to that port. After the action has been performed, the port is closed. The appliance opens no unnecessary ports or third-party software vulnerabilities that might compromise the security of the information.
Micro Focus Trademark Information
MICRO FOCUS and the Micro Focus logo, among others, are trademarks or registered trademarks of Micro Focus (IP) Limited or its subsidiaries in the United Kingdom, United States and other countries. All other marks are the property of their respective owners.
Company Details
Company name: Micro Focus International plc
Place of registration: England and Wales
Registered number: 5134647
Registered address: The Lawn, 22-30 Old Bath Road, Berkshire, RG14 1Q