You want to know the required ports, protocols, and services for the Advanced Secure Gateway (ASG) and Edge Secure Web Gateway (Edge SWG) — formerly ProxySG — appliances.
Depending on your Edge SWG (ProxySG) appliance configuration, you must open certain ports and protocols on your firewalls for the appliance to function as intended, to use enabled features, or to allow connectivity to various components and data centers. This document presents basic configurations and some commonly used options.
Note: This document also applies to the supported proxy components of the Advanced Secure Gateway appliance. For supported components related to Content Analysis, refer to the appropriate version of Content Analysis documentation.
Component | Default Port | Protocol | Configurable | Source | Description
---|---|---|---|---|---
Client Manager | 8084 | TCP | Yes | Symantec Unified Agent, ProxyClient | Unified Agent/ProxyClient configuration check
HTTPS Management Console | 8082 | TCP | Yes | Client browser | Secured Edge SWG web interface (Proxy tab in Advanced Secure Gateway)
HTTP Management Console | 8081 | TCP | Yes | Client browser | Non-secured Edge SWG web interface (Proxy tab in Advanced Secure Gateway)
RIP | 520 | UDP | No | Local server hosting RIP file | RIP configuration file download
SSH | 22 | TCP | No | SSH client | SSH management of the appliance
SNMP | 161 | UDP | Yes | SNMP client | SNMP monitoring

Component | Default Port | Protocol | Configurable | Source | Description
---|---|---|---|---|---
Appliance certificate | 443 | TCP | No | Symantec server | Certificate updates
BCAAA authentication with COREid, IWA, SSO, SiteMinder, and XML realms | 16101 | TCP | Yes | Authentication server | Authentication- and authorization-related queries to the configured server. See "What ports does BCAAA use" for details.
DNS | 53 | TCP/UDP | No | DNS server | Port used by your DNS servers
Diagnostics | 443 | TCP | No | Symantec server | Heartbeats, SysInfo uploads
Email notifications | 25 | TCP | No | SMTP server | Email notifications
HTTP/HTTPS | 80/443 | TCP | No | Internet | Regular HTTP/HTTPS access to the internet
ICAP (plain) | 1344 | TCP | Yes | Symantec Content Analysis or other ICAP service | Forwarding requests for content scanning (Not applicable to Advanced Secure Gateway)
ICAP (secure) | 11344 | TCP | Yes | Content Analysis or other ICAP service | Forwarding requests for content scanning (Not applicable to Advanced Secure Gateway)
IWA-Kerberos authentication | 88 | TCP/UDP | Yes | DC/KDC | Kerberos for IWA Direct authentication
LDAP | 389 | TCP/UDP | Yes | DC/KDC/LDAP server | LDAP for IWA Direct authentication
Log client (custom) | 69 | TCP | Yes | Custom log server | Sending access logs to the configured server
Log client (FTP, plain and secure) | 21 | TCP | Yes | FTP/S log server | Sending access logs to the configured server
Log client (HTTP, plain and secure) | 80 | TCP | Yes | HTTP/S log server | Sending access logs to the configured server
Log client (Kafka) | 9092 | TCP | Yes | Kafka broker | Sending access logs to the configured Kafka broker cluster
Log client (Symantec Reporter client) | 9081 | TCP | Yes | Reporter | Deprecated log streaming to Reporter version 9
Log client (SCP) | 22 | TCP | Yes | SCP log server | Sending access logs to the configured server
Symantec Management Center, Symantec Director | 22 | TCP | No | Management Center, Director | Management Center and Director registration (Not applicable to Advanced Secure Gateway)
Monitoring statistics to Management Center (plain) | 9009 | TCP | No | Management Center | Export of monitoring statistics to Management Center
Monitoring statistics to Management Center (secure) | 9010 | TCP | No | Management Center | Export of monitoring statistics to Management Center
Novell SSO | 389 | TCP | Yes | Novell server | Novell authentication
NTP | 123 | UDP | Yes | NTP server | Periodic time update from default or configured NTP servers
RADIUS | 1812 | TCP | Yes | RADIUS server | RADIUS authentication
SafeNet Java HSM | 8443 | TCP | Yes | SafeNet Java HSM | Communication with SafeNet Java HSM
SMB | 139, 445 | TCP | Yes | DC/KDC | CIFS services in transparent deployments
SOCKS | 1080 | TCP/UDP | No | SOCKS server | Forwarding traffic to a SOCKS proxy
Syslog | 514 | UDP | No | Syslog server | Syslog uploads to a remote server
WCCP | 2048 | UDP | No | WCCP-compliant router or switch | Traffic redirection from the router to the appliance in out-of-path deployments

Component | Ports | Protocols | URLs | IP Addresses | Description
---|---|---|---|---|---
Symantec Content Analysis | 443 | HTTPS | subscription.es.bluecoat.com | 8.28.16.208, 103.246.38.208, 199.19.249.208, 199.116.169.248, 199.247.40.247 | Antivirus pattern updates from Content Analysis (Not applicable to Advanced Secure Gateway)
Content Analysis | 443 | HTTPS | contentanalysis-ma.es.bluecoat.com | 199.116.169.239 | Malware reporting from Content Analysis (Not applicable to Advanced Secure Gateway)
Cloud Isolation | 443 | HTTPS | isolation-jump.prod.fire.glass | 35.201.102.245 | Web Isolation
Licensing | 443 | HTTPS | device-services.es.bluecoat.com | 192.19.237.100 | Appliance license management
Appliance License Management | 443 | HTTPS | bto-services.es.bluecoat.com | 192.19.237.99 | Validates the license and performs updates to the appliance
Subscription Services | 443 | HTTPS | subscription.es.bluecoat.com | 8.28.16.243, 168.149.132.6 | Subscription-based services management and downloads
Licensing | 443 | HTTPS | services.bluecoat.com | 192.19.237.103 | License administration
Licensing | 443 | HTTPS | download.bluecoat.com | 192.19.237.102 | License administration
PKI - Appliance validation | 80, 444 | HTTPS | abrca.bluecoat.com | 192.19.237.69 | Symantec appliance Certificate Authority
PKI - CA certificates | 443 | HTTPS | appliance.bluecoat.com | | Trust package downloads
NTP | 123 | UDP | ntp.bluecoat.com, ntp2.bluecoat.com | | Synchronize the appliance clock with a verified time reference server
Diagnostics | 443 | HTTPS | hb.bluecoat.com | | Appliance heartbeat information to Symantec
Diagnostics | 443 | HTTPS | upload.bluecoat.com, mft.symantec.com | | Diagnostic report uploads to Symantec support
Content filtering | 443 | HTTPS | list.bluecoat.com | 8.28.16.206 (only one IP address is returned for a DNS query; if that address fails to respond, one of the other active addresses is returned) | Legacy Blue Coat WebFilter, IWF, Optenet, and Proventia database downloads
Symantec Cloud Secure Web Gateway (SWG, formerly known as WSS) | 443 | HTTPS | portal.threatpulse.com | | Cloud SWG registration
Policy Updates | 443 | HTTPS | bto.bluecoat.com | | Provides updates to the security and threat protection policies
Threat protection | 443 | HTTPS | securitylabs.es.bluecoat.com | 8.28.16.7 | Security intelligence
Threat protection | 443 | HTTPS | webpulse.es.bluecoat.com, sp.cwfservice.net | 199.19.249.201, 168.149.132.32\* | Symantec Global Intelligence Network updates
Timezone Updates | 443 | HTTPS | download.bluecoat.com | 199.91.133.16, 192.19.237.102 | Time zone database downloads
Virtual Server Validation | 443 | HTTPS | validation.es.bluecoat.com | 192.19.237.101 | Only required for validating virtual appliances

\* These addresses are returned only when the request originates in China.

For an index of ports and protocols articles, refer to the following article: Required ports, protocols, and services for Broadcom appliances.
For details about earlier versions and legacy products, see the PDF document Required Ports, Protocols, and Services for Symantec Enterprise Security Products.