You want to know the required ports, protocols, and services for the Advanced Secure Gateway (ASG) and Edge Secure Web Gateway (Edge SWG) — formerly ProxySG — appliances.
Depending on your Edge SWG appliance configuration, you must open certain ports and protocols on your firewalls for the appliance to function as intended, to use enabled features, or to allow connectivity to various components and data centers. This document presents basic configurations and some commonly used options.
Note: This document also applies to the supported proxy components of the Advanced Secure Gateway appliance. For supported components related to Content Analysis, refer to the appropriate version of Content Analysis documentation.
| Component | Default Port | Protocol | Configurable | Source | Description |
|---|---|---|---|---|---|
| HTTPS Management Console | 8082 | TCP | Yes | Client browser | Provides the secured Edge SWG web interface. |
| HTTP Management Console | 8081 | TCP | Yes | Client browser | Provides the non-secured Edge SWG web interface. It is recommended that it not be enabled, as administrative credentials and configuration data would be sent in plaintext. |
| RIP | 520 | UDP | No | local server hosting RIP file | Receives the RIP configuration file download from a local server. |
| SSH | 22 | TCP | No | SSH client | Allows for SSH management of the appliance. |
| SNMP | 161 | UDP | Yes | SNMP client | Enables SNMP monitoring by an SNMP client. |
| Component | Default Port | Protocol | Configurable | Source | Description |
|---|---|---|---|---|---|
| Appliance certificate | 443 | TCP | No | Symantec server | Sends mutually authenticated requests to Symantec servers. |
| BCAAA authentication with COREid, IWA, SSO, SiteMinder, and XML realms | 16101 | TCP | Yes | Authentication Server | Submits authentication- and authorization-related queries to the configured Authentication Server. For details, see What ports does BCAAA use. |
| DNS | 53 | TCP/UDP | No | DNS server | Uses this port for DNS queries to your DNS servers. |
| Diagnostics | 443 | TCP | No | Symantec server | Transmits heartbeats and SysInfo uploads to the Symantec server. |
| Email notifications | 25, 465 | TCP | No | SMTP server | Sends email notifications. This port is configurable. When TLS is not configured, the default is 25. When it is configured, the default is 465. |
| HTTP/HTTPS | 80/443 | TCP | No | Internet | Enables regular HTTP/HTTPS access to the internet. |
| ICAP (plain) | 1344 | TCP | Yes | Symantec Content Analysis or other ICAP service | Forwards requests for content scanning to Symantec Content Analysis or other ICAP services. (Not applicable to Advanced Secure Gateway) |
| ICAP (secure) | 11344 | TCP | Yes | Content Analysis or other ICAP service | Forwards requests for content scanning securely to Content Analysis or other ICAP services. (Not applicable to Advanced Secure Gateway) |
| IWA-Kerberos authentication | 88 | TCP/UDP | Yes | DC/KDC | Performs Kerberos for IWA Direct authentication with the DC/KDC. |
| LDAP | 389 | TCP/UDP | Yes | DC/KDC/LDAP Server | Performs LDAP for IWA Direct authentication with the DC/KDC/LDAP Server. |
| Log client (custom) | 69 | TCP | Yes | Custom log server | Sends access logs to the configured custom log server. |
| Log client (FTP, plain and secure) | 21 | TCP | Yes | FTP/S log server | Sends access logs to the configured FTP/S log server. |
| Log client (HTTP, plain and secure) | 80 | TCP | Yes | HTTP/S log server | Sends access logs to the configured HTTP/S log server. The default is port 80, but you can change the default when configuring the primary and alternate hosts for the log server. When setting up secure (HTTPS) log uploads, explicitly set the port to the secure port of the log server, which is generally 443. |
| Log client (Kafka) | 9092 | TCP | Yes | Kafka broker | Sends access logs to the configured Kafka broker cluster. |
| Log client (Symantec Reporter client) | 9081 | TCP | Yes | Reporter | Performs deprecated log streaming to Reporter version 9. |
| Log client (SCP) | 22 | TCP | Yes | SCP log server | Sends access logs to the configured SCP log server. |
| Symantec Management Center, Symantec Director | 22 | TCP | No | Management Center, Director | Facilitates Management Center registration. (Not applicable to Advanced Secure Gateway) |
| Monitoring statistics to Management Center (plain) | 9009 | TCP | No | Management Center | Exports monitoring statistics to Management Center. |
| Monitoring statistics to Management Center (secure) | 9010 | TCP | No | Management Center | Exports monitoring statistics securely to Management Center. |
| NTP | 123 | UDP | Yes | NTP server | Performs periodic time update from default or configured NTP servers. |
| RADIUS | 1812 | TCP | Yes | RADIUS server | Performs RADIUS authentication with the RADIUS server. |
| SafeNet Java HSM | 8443 | TCP | Yes | SafeNet Java HSM | Manages communication with the SafeNet Java HSM. |
| SOCKS | 1080 | TCP/UDP | No | SOCKS server | Forwards traffic to the SOCKS Gateway. |
| Syslog | 514 | TCP/UDP | No | Syslog server | Uploads Syslog entries to a remote Syslog server. This port is configurable. |
| WCCP | 2048 | UDP | No | WCCP-compliant router or switch | Handles traffic redirection from a WCCP-compliant router or switch to the appliance in out-of-path deployments. |
| Component | Ports | Protocols | URLs | IP Addresses | Description |
|---|---|---|---|---|---|
| Symantec Content Analysis | 443 | HTTPS | subscription.es.bluecoat.com | 168.149.132.6 168.149.132.38 168.149.132.102 | Downloads antivirus pattern updates from Content Analysis. |
| Content Analysis | 443 | HTTPS | contentanalysis-ma.es.bluecoat.com | 168.149.132.18 168.149.132.50 | Submits malware reports from Content Analysis. |
| Cloud Isolation | 80 443 8080 | HTTP HTTPS | isolation-jump.prod.fire.glass global-shared.fire.glass docisolation.prod.fire.glass docisolation-eu.prod.fire.glas doc-isolation-prod.prod.fire.g doc-isolation-prod-eu.prod.fir shared.fire.glass Web Isolation Cloud Tenant (This should be the custom domain for the created tenant per customer) | 35.201.102.245 | Connects to the Web Isolation Cloud Tenant service. For more information, see Web Isolation Required Ports, Protocols, and Services. |
| Licensing | 443 | HTTPS | device-services.es.bluecoat.com | 192.19.237.100 | Manages the appliance license. |
| Appliance License Management | 443 | HTTPS | bto-services.es.bluecoat.com | 192.19.237.99 | Validates the license and performs updates to the appliance. |
| Subscription Services | 443 | HTTPS | subscription.es.bluecoat.com | 168.149.132.6 | Manages subscription services and downloads binary databases. |
| Licensing | 443 | HTTPS | download.bluecoat.com/cgi-bin/license.cgi | 192.19.237.103 | Retrieves and updates the license key by POSTing serial number and credentials. |
| PKI - Appliance validation | 80 443 444 | HTTP HTTPS | http://abrca.bluecoat.com/cgi-bin/device-authentication/sign-automatic (Port 80) https://abrca.bluecoat.com:444/cgi-bin/device-authentication/verify (Port 444) | 192.19.237.69 | Manages appliance identity and validation by submitting a CSR to the Symantec Certificate Authority. |
| PKI - CA certificates | 80 (default) 443 | HTTP HTTPS | appliance.bluecoat. | 34.117.186.24 | Downloads trust packages to fetch trusted CA root certificates for SSL inspection. |
| NTP | 123 | UDP | ntp.bluecoat.com ntp2.bluecoat.com | 216.239.35.0 216.239.35.4 216.239.35.8 216.239.35.12 | Synchronizes the appliance clock with a verified time reference server. |
| Diagnostics | 443 | HTTPS | hb.bluecoat.com | 192.19.145.20 | Transmits a periodic appliance heartbeat, uploading the appliance health status and statistics to Symantec for proactive support and license compliance. |
| Diagnostics (Uploads) | 443 | HTTPS | upload.bluecoat.com supportftp.broadcom.com | 192.19.232.162 | Hosts the Broadcom endpoint for support case file uploads. Note: upload.bluecoat.com/support/upload/ is officially retired and should no longer be used. |
| Content filtering | 443 | HTTPS | list.bluecoat.com | 168.149.132.5 | Downloads databases for legacy Blue Coat WebFilter, IWF, Optenet, Proventia, and other filter databases. |
| Symantec Cloud Secure Web Gateway (SWG, formerly known as WSS) | 443 | HTTPS | portal.threatpulse.com | 39.49.9.67 | Provides the Cloud SWG administration portal for management and proxy registration/sync. For more information, see Cloud SWG Required Locations, Ports, and Protocols. |
| Policy Updates | 443 | HTTPS | bto.bluecoat.com | 192.19.237.112 | Provides updates to security and threat protection policies and downloads VPM policy classification metadata and threat protection policy modules. |
| Threat protection | 443 | HTTPS | webpulse.es.bluecoat.com sp.cwfservice.net | 168.149.132.1 | Performs real-time URL categorization lookups for Symantec Global Intelligence Network / WebPulse. |
| Timezone Updates | 443 | HTTPS | download.bluecoat.com | 192.19.237.102 | Fetches the IANA timezone archive periodically. |
| Trust Package Updates | 80 443 | HTTPS | appliance.bluecoat.com/sgos/trust_package.bctp | | Fetches trust package updates. |
| Virtual Appliance Validation | 443 | HTTPS | validation.es.bluecoat.com | 192.19.237.101 | Performs virtual appliance license validation by POSTing appliance identity periodically to validate entitlement and CPU usage. |
| Telemetry | 443 | HTTPS | telemetry.broadcom.com/login (custom auth headers) telemetry.broadcom.com/loaddata (Bearer token auth) | | Uploads a daily report containing a JSON payload of product, license, and performance metrics. |
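The service table above packs several ports or IP addresses into one cell and names application protocols (HTTP, HTTPS) rather than the transport a firewall matches on. The following added example (not part of the Broadcom article) transcribes a few rows from the table, expands them into per-flow egress rules, and checks candidate flows against that allowlist; the row selection, rule format and `is_allowed` check are this example's own assumptions.

```python
"""Expand rows of the Symantec service table into an egress allowlist.
Added example, not part of the Broadcom article: the row data is
transcribed from the table; the rule shape and checks are illustrative."""
from ipaddress import ip_address
from typing import NamedTuple


class EgressRule(NamedTuple):
    component: str
    proto: str   # transport the firewall matches on: "tcp" or "udp"
    port: int
    dst_ip: str


# Rows copied from the table as (component, ports, protocols, IP addresses).
# Multi-valued cells are space separated, exactly as the table writes them.
SERVICE_ROWS = [
    ("Subscription Services", "443", "HTTPS", "168.149.132.6"),
    ("Cloud Isolation", "80 443 8080", "HTTP HTTPS", "35.201.102.245"),
    ("NTP", "123", "UDP", "216.239.35.0 216.239.35.4 216.239.35.8 216.239.35.12"),
    ("Threat protection", "443", "HTTPS", "168.149.132.1"),
]

# Application-layer names used in the table -> transport protocol.
TRANSPORT = {"HTTP": "tcp", "HTTPS": "tcp", "TCP": "tcp", "UDP": "udp"}


def build_allowlist(rows):
    """Expand every (port x IP x transport) combination of each row into one rule."""
    rules = []
    for component, ports, protos, ips in rows:
        transports = sorted({TRANSPORT[p] for p in protos.split()})
        for port in ports.split():
            for ip in ips.split():
                ip_address(ip)  # fail early on a mistyped address
                for proto in transports:
                    rules.append(EgressRule(component, proto, int(port), ip))
    return rules


def is_allowed(rules, dst_ip, port, proto):
    """True if a flow to (dst_ip, port, proto) is covered by some rule."""
    return any(r.dst_ip == dst_ip and r.port == port and r.proto == proto for r in rules)


def to_iptables(rules):
    """Render rules as iptables OUTPUT entries, tagging each with its component."""
    return [f'iptables -A OUTPUT -p {r.proto} -d {r.dst_ip} --dport {r.port} '
            f'-m comment --comment "{r.component}" -j ACCEPT' for r in rules]
```

Run it against the full table once the rows are transcribed; a flow that `is_allowed` rejects (for example NTP over TCP) is one the firewall should also reject.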
For an index of ports and protocols articles, refer to the following article: Required ports, protocols, and services for Broadcom appliances.
For details about earlier versions and legacy products, see the PDF document Required Ports, Protocols, and Services for Symantec Enterprise Security Products.