Required ports, protocols, and services for the Edge SWG (ProxySG) appliance

Products

ProxySG Software - SGOS ISG Proxy Advanced Secure Gateway Software - ASG

Issue/Introduction

You want to know the required ports, protocols, and services for the Advanced Secure Gateway (ASG) and Edge Secure Web Gateway (Edge SWG) — formerly ProxySG — appliances.

Resolution

Depending on your Edge SWG appliance configuration, you must open certain ports and protocols on your firewalls for the appliance to function as intended, to use enabled features, or to allow connectivity to various components and data centers. This document presents basic configurations and some commonly used options.

Note: This document also applies to the supported proxy components of the Advanced Secure Gateway appliance. For supported components related to Content Analysis, refer to the appropriate version of Content Analysis documentation.

Inbound-Only Connection

Component	Default Port	Protocol	Configurable	Source	Description
Client Manager	8084	TCP	Yes	Symantec Unified Agent, ProxyClient	Unified Agent/ProxyClient configuration check
HTTPS Management Console	8082	TCP	Yes	Client browser	Secured Edge SWG web interface (Proxy tab in Advanced Secure Gateway)
HTTP Management Console	8081	TCP	Yes	Client browser	Non-secured Edge SWG web interface (Proxy tab in Advanced Secure Gateway)
RIP	520	UDP	No	local server hosting RIP file	RIP configuration file download
SSH	22	TCP	No	SSH client	SSH management of the appliance
SNMP	161	UDP	Yes	SNMP client	SNMP monitoring

Outbound-Only Connections

Component	Default Port	Protocol	Configurable	Source	Description
Appliance certificate	443	TCP	No	Symantec server	Certificate updates
BCAAA authentication with COREid, IWA, SSO, SitemInder, and XML realms	16101	TCP	Yes	Authentication Server	Authentication-and authorization-related queries to the configured server See What ports does BCAAA use for details.
DNS	53	TCP/UDP	No	DNS server	Port used by your DNS servers
Diagnostics	443	TCP	No	Symantec server	Heartbeats, SysInfo uploads
Email notifications	25, 465	TCP	No	SMTP server	Email notifications This port is configurable. When TLS is not configured, the default is 25. When it is configured, the default is 465.
HTTP/HTTPS	80/443	TCP	No	Internet	Regular HTTP/HTTPS access to internet
ICAP (plain)	1344	TCP	Yes	Symantec Content Analysis or other ICAP service	Forwarding requests for content scanning (Not applicable to Advanced Secure Gateway)
ICAP (secure)	11344	TCP	Yes	Content Analysis or other ICAP service	Forwarding requests for content scanning (Not applicable to Advanced Secure Gateway)
IWA-Kerberos authentication	88	TCP/UDP	Yes	DC/KDC	Kerberos for IWA Direct authentication
LDAP	389	TCP/UDP	Yes	DC/KDC/LDAP Server	LDAP for IWA Direct authentication
Log client (custom)	69	TCP	Yes	Custom log server	Sending access logs to configured server
Log client (FTP, plain and secure)	21	TCP	Yes	FTP/S log server	Sending access logs to configured server
Log client (HTTP, plain and secure)	80	TCP	Yes	HTTP/S log server	Sending access logs to configured server
Log client (Kafka)	9092	TCP	Yes	Kafka broker	Sending access logs to configured Kafka broker cluster
Log client (Symantec Reporter client)	9081	TCP	Yes	Reporter	Deprecated log streaming to Reporter version 9
Log client (SCP)	22	TCP	Yes	SCP log server	Sending access logs to configured server
Symantec Management Center, Symantec Director	22	TCP	No	Management Center, Director	Management Center and Director registration (Not applicable to Advanced Secure Gateway)
Monitoring statistics to Management Center (plain)	9009	TCP	No	Management Center	Export of monitoring statistics to Management Center
Monitoring statistics to Management Center (secure)	9010	TCP	No	Management Center	Export of monitoring statistics to Management Center
Novell SSO	389	TCP	Yes	Novell server	Novell authentication
NTP	123	UDP	Yes	NTP server	Periodic time update from default or configured NTP servers
RADIUS	1812	TCP	Yes	RADIUS server	RADIUS authentication
SafeNet Java HSM	8443	TCP	Yes	SafeNet Java HSM	Communication with SafeNet Java HSM
SMB	139, 445	TCP	Yes	DC/KDC	CIFS services in transparent deployments
SOCKS	1080	TCP/UDP	No	SOCKS server	Forwarding traffic to SOCKS proxy
Syslog	514	TCP/UDP	No	Syslog server	Syslog uploads to remote server This port is configurable.
WCCP	2048	UDP	No	WCCP-compliant router or switch	Traffic redirection from router to the appliance in out-of-path deployments

URLs and IP Addresses for Symantec Services

Component	Ports	Protocols	URLs	IP Addresses	Description
Symantec Content Analysis	443	HTTPS	subscription.es.bluecoat.com	168.149.132.6 168.149.132.38 168.149.132.102	Antivirus pattern updates from Content Analysis (Not applicable to Advanced Secure Gateway)
Content Analysis	443	HTTPS	contentanalysis-ma.es.bluecoat.com	168.149.132.18 168.149.132.50	Malware reporting from Content Analysis (Not applicable to Advanced Secure Gateway)
Cloud Isolation	80 443 8080	HTTPS	isolation-jump.prod.fire.glass global-shared.fire.glass docisolation.prod.fire.glass docisolation-eu.prod.fire.glass doc-isolation-prod.prod.fire.glass doc-isolation-prod-eu.prod.fire.glass shared.fire.glass Web Isolation Cloud Tenant (This should be the custom domain for the created tenant per customer)	35.201.102.245	Web Isolation For more information, see Web Isolation Required Ports, Protocols, and Services.
Licensing	443	HTTPS	device-services.es.bluecoat.com	192.19.237.100	Appliance license management
Appliance License Management	443	HTTPS	bto-services.es.bluecoat.com	192.19.237.99	Validates the license and performs updates to the appliance
Subscription Services	443	HTTPS	subscription.es.bluecoat.com	168.149.132.6 168.149.132.38 168.149.132.102	Subscription-based services management and downloads
Licensing	443	HTTPS	services.bluecoat.com	192.19.237.103	License administration
Licensing	443	HTTPS	download.bluecoat.com	192.19.237.102	License administration
PKI - Appliance validation	80 443 444	HTTPS	abrca.bluecoat.com	192.19.237.69	Symantec appliance Certificate Authority
PKI - CA certificates	443	HTTP HTTPS	appliance.bluecoat.com/sgos/trust_package.bctp (default, HTTP) appliance.bluecoat.com/sgos/trust_package.bctp	34.117.186.24	Trust package downloads
NTP	123	UDP	ntp.bluecoat.com ntp2.bluecoat.com	216.239.35.0 216.239.35.4 216.239.35.8 216.239.35.12	Synchronize the appliance clock with a verified time reference server.
Diagnostics	443	HTTPS	hb.bluecoat.com	192.19.145.20	Appliance heartbeat information to Symantec
Diagnostics	443	HTTPS	upload.bluecoat.com supportftp.broadcom.com	192.19.232.162 141.202.253.54	Diagnostic report uploads to Symantec support
Content filtering	443	HTTPS	list.bluecoat.com	34.87.94.80 168.149.132.5 168.149.132.37 168.149.132.101	Legacy Blue Coat WebFilter, IWF, Optenet, and Proventia database downloads
Symantec Cloud Secure Web Gateway (SWG, formerly known as WSS)	443	HTTPS	portal.threatpulse.com	39.49.9.67	Cloud SWG administration. For more information, see Cloud SWG Required Locations, Ports, and Protocols.
Policy Updates	443	HTTPS	bto.bluecoat.com	192.19.237.112	Provides updates to the security and threat protection policies
Threat protection	443	HTTPS	webpulse.es.bluecoat.com sp.cwfservice.net (version 6.5.x)	168.149.132.1 168.149.132.2 168.149.132.32 168.149.132.33 168.149.132.64 168.149.132.65 168.149.132.80 168.149.132.81 168.149.132.96 168.149.132.97 168.149.132.112 168.149.132.113 168.149.132.128 168.149.132.129 168.149.132.144 168.149.132.145 168.149.132.160 168.149.132.161 168.149.132.176 168.149.132.177	Symantec Global Intelligence Network updates
Timezone Updates	443	HTTPS	download.bluecoat.com	192.19.237.102	Time zone database downloads
Virtual Appliance Validation	443	HTTPS	validation.es.bluecoat.com	192.19.237.101	Only required for validating virtual appliances

Additional Information

For an index of ports and protocols articles, refer to the following article: Required ports, protocols, and services for Broadcom appliances.

For details about earlier versions and legacy products, see the PDF document Required Ports, Protocols, and Services for Symantec Enterprise Security Products.