Required ports, protocols, and services for the Edge SWG (ProxySG) appliance
search cancel

Required ports, protocols, and services for the Edge SWG (ProxySG) appliance

book

Article ID: 150987

calendar_today

Updated On:

Products

ProxySG Software - SGOS ISG Proxy Advanced Secure Gateway Software - ASG

Issue/Introduction

You want to know the required ports, protocols, and services for the Advanced Secure Gateway (ASG) and Edge Secure Web Gateway (Edge SWG) — formerly ProxySG — appliances.

Resolution

Depending on your Edge SWG appliance configuration, you must open certain ports and protocols on your firewalls for the appliance to function as intended, to use enabled features, or to allow connectivity to various components and data centers. This document presents basic configurations and some commonly used options. 

Note: This document also applies to the supported proxy components of the Advanced Secure Gateway appliance. For supported components related to Content Analysis, refer to the appropriate version of Content Analysis documentation.

Inbound-Only Connection

Component Default Port Protocol Configurable Source Description
Client Manager 8084 TCP Yes Symantec Unified Agent, ProxyClient Unified Agent/ProxyClient configuration check
HTTPS Management Console 8082 TCP Yes Client browser Secured Edge SWG web interface (Proxy tab in Advanced Secure Gateway) 
HTTP Management Console 8081 TCP Yes Client browser Non-secured Edge SWG web interface (Proxy tab in Advanced Secure Gateway)
RIP 520 UDP No local server hosting RIP file RIP configuration file download
SSH 22 TCP No SSH client SSH management of the appliance
SNMP 161 UDP Yes SNMP client SNMP monitoring

Outbound-Only Connections 

Component Default Port Protocol Configurable Source Description
Appliance certificate 443 TCP No Symantec server Certificate updates
BCAAA authentication with COREid, IWA, SSO, SitemInder, and XML realms 16101 TCP Yes Authentication Server

Authentication-and authorization-related queries to the configured server

See What ports does BCAAA use for details.

DNS 53 TCP/UDP No DNS server Port used by your DNS servers
Diagnostics 443 TCP No Symantec server Heartbeats, SysInfo uploads
Email notifications 25 TCP No SMTP server Email notifications
HTTP/HTTPS 80/443 TCP No Internet Regular HTTP/HTTPS access to internet
ICAP (plain) 1344 TCP Yes Symantec Content Analysis or other ICAP service

Forwarding requests for content scanning

(Not applicable to Advanced Secure Gateway)

ICAP (secure) 11344 TCP Yes Content Analysis or other ICAP service

Forwarding requests for content scanning

(Not applicable to Advanced Secure Gateway)

IWA-Kerberos authentication 88 TCP/UDP Yes DC/KDC Kerberos for IWA Direct authentication
LDAP 389 TCP/UDP Yes DC/KDC/LDAP Server LDAP for IWA Direct authentication
Log client (custom) 69 TCP Yes Custom log server Sending access logs to configured server
Log client (FTP, plain and secure) 21  TCP Yes FTP/S log server Sending access logs to configured server
Log client (HTTP, plain and secure) 80 TCP Yes HTTP/S log server Sending access logs to configured server
Log client (Kafka) 9092 TCP Yes Kafka broker Sending access logs to configured Kafka broker cluster
Log client (Symantec Reporter client) 9081 TCP Yes Reporter Deprecated log streaming to Reporter version 9
Log client (SCP) 22 TCP Yes SCP log server Sending access logs to configured server
Symantec Management Center, Symantec Director  22 TCP No Management Center, Director

Management Center and Director registration

(Not applicable to Advanced Secure Gateway)

Monitoring statistics to Management Center (plain) 9009 TCP No Management Center Export of monitoring  statistics to Management Center
Monitoring statistics to Management Center (secure) 9010 TCP No Management Center

Export of monitoring statistics to Management Center

Novell SSO 389 TCP Yes Novell server Novell authentication
NTP 123 UDP Yes NTP server

Periodic time update from default or configured NTP servers

RADIUS  1812 TCP Yes RADIUS server RADIUS authentication

SafeNet Java HSM

8443

TCP

Yes

SafeNet Java HSM

Communication with SafeNet Java HSM 

SMB 139, 445 TCP Yes  DC/KDC CIFS services in transparent deployments
SOCKS 1080 TCP/UDP No SOCKS server Forwarding traffic to SOCKS proxy 
Syslog 514 UDP No Syslog server Syslog uploads to remote server
WCCP 2048

UDP

 

No WCCP-compliant router or switch Traffic redirection from router to the appliance in out-of-path deployments

URLs and IP Addresses for Symantec Services 

Component Ports Protocols URLs IP Addresses Description
Symantec Content Analysis 443 HTTPS 

subscription.es.bluecoat.com

 

168.149.132.6
168.149.132.38
168.149.132.102

Antivirus pattern updates from Content Analysis 

(Not applicable to Advanced Secure Gateway)

Content Analysis 443 HTTPS  contentanalysis-ma.es.bluecoat.com 168.149.132.18
168.149.132.50

Malware reporting from Content Analysis 

(Not applicable to Advanced Secure Gateway)

Cloud Isolation 443 HTTPS

isolation-jump.prod.fire.glass 35.201.102.245

Web Isolation

Licensing 443 HTTPS  device-services.es.bluecoat.com 192.19.237.100 Appliance license management
Appliance License Management 443 HTTPS  bto-services.es.bluecoat.com 192.19.237.99 Validates the license and performs updates to the appliance
Subscription Services 443 HTTPS subscription.es.bluecoat.com

168.149.132.6
168.149.132.38
168.149.132.102

Subscription-based services management and downloads
Licensing 443 HTTPS  services.bluecoat.com 192.19.237.103 License administration
Licensing 443

HTTPS 

download.bluecoat.com 192.19.237.102 License administration
PKI - Appliance validation

80 444

HTTPS  abrca.bluecoat.com 192.19.237.69 Symantec appliance Certificate Authority
PKI - CA certificates 443 HTTPS  appliance.bluecoat.com 34.117.186.24 Trust package downloads

NTP

123

UDP

ntp.bluecoat.com 

ntp2.bluecoat.com

216.239.35.0
216.239.35.4
216.239.35.8
216.239.35.12

Synchronize the appliance clock with a verified time reference server.

Diagnostics 443 HTTPS hb.bluecoat.com  192.19.145.20 Appliance heartbeat information to Symantec
Diagnostics 443 HTTPS

upload.bluecoat.com

supportftp.broadcom.com

192.19.232.162
141.202.253.43

Diagnostic report uploads to Symantec support
Content filtering 443 HTTPS list.bluecoat.com

34.87.94.80
168.149.132.5
168.149.132.37
168.149.132.101

Legacy Blue Coat WebFilter, IWF, Optenet, and Proventia database downloads
Symantec Cloud Secure Web Gateway (SWG, formerly known as WSS) 443 HTTPS portal.threatpulse.com 35.245.151.224 Cloud SWG registration

Policy Updates

443

HTTPS

bto.bluecoat.com

192.19.237.112

Provides updates to the security and threat protection policies

Threat protection 443 HTTPS securitylabs.es.bluecoat.com 168.149.132.20 Security intelligence
Threat protection 443 HTTPS

webpulse.es.bluecoat.com

sp.cwfservice.net
(version 6.5.x)

 

 

168.149.132.1
168.149.132.2
168.149.132.32
168.149.132.33
168.149.132.64
168.149.132.65
168.149.132.80
168.149.132.81
168.149.132.96
168.149.132.97
168.149.132.112
168.149.132.113
168.149.132.128
168.149.132.129
168.149.132.144
168.149.132.145
168.149.132.160
168.149.132.161
168.149.132.176
168.149.132.177

 

Symantec Global Intelligence Network updates

Timezone Updates

443

HTTPS

download.bluecoat.com

192.19.237.102

Time zone database downloads

Virtual Appliance Validation 443 HTTPS

validation.es.bluecoat.com

192.19.237.101

Only required for validating virtual appliances

Additional Information

For an index of ports and protocols articles, refer to the following article: Required ports, protocols, and services for Broadcom appliances.

For details about earlier versions and legacy products, see the PDF document Required Ports, Protocols, and Services for Symantec Enterprise Security Products.