You want to know the required ports, protocols, and services for the Advanced Secure Gateway (ASG) and Edge Secure Web Gateway (Edge SWG) (formerly ProxySG) appliances.
Depending on your Edge Secure Web Gateway (formerly ProxySG) appliance configuration, you must open certain ports and protocols on your firewalls for the appliance to function as intended, to use enabled features, or to allow connectivity to various components and data centers. This document presents basic configurations and some commonly used options.
Note: This document also applies to the supported proxy components of the Advanced Secure Gateway appliance. For supported components related to Content Analysis, refer to the appropriate version of Content Analysis documentation.
Component | Default Port | Protocol | Configurable | Source | Description |
---|---|---|---|---|---|
Client Manager | 8084 | TCP | Yes | Symantec Unified Agent, ProxyClient | Unified Agent/ProxyClient configuration check |
HTTPS Management Console | 8082 | TCP | Yes | Client browser | Secured Edge SWG web interface (Proxy tab in Advanced Secure Gateway) |
HTTP Management Console | 8081 | TCP | Yes | Client browser | Non-secured Edge SWG web interface (Proxy tab in Advanced Secure Gateway) |
RIP | 520 | UDP | No | local server hosting RIP file | RIP configuration file download |
SSH | 22 | TCP | No | SSH client | SSH management of the appliance |
SNMP | 161 | UDP | Yes | SNMP client | SNMP monitoring |
Component | Default Port | Protocol | Configurable | Source | Description |
---|---|---|---|---|---|
Appliance certificate | 444 | TCP | No | Symantec server | Certificate updates |
BCAAA authentication with COREid, IWA, SSO, SiteMinder, and XML realms | 16101 | TCP | Yes | Authentication Server | Authentication- and authorization-related queries to the configured server. See What ports does BCAAA use for details. |
DNS | 53 | TCP/UDP | No | DNS server | Port used by your DNS servers |
Diagnostics | 443 | TCP | No | Symantec server | Heartbeats, SysInfo uploads |
Email notifications | 25 | TCP | No | SMTP server | Email notifications |
HTTP | 80 | TCP | No | Internet | Regular HTTP access to internet |
ICAP (plain) | 1344 | TCP | Yes | Symantec Content Analysis or other ICAP service | Forwarding requests for content scanning (Not applicable to Advanced Secure Gateway) |
ICAP (secure) | 11344 | TCP | Yes | Content Analysis or other ICAP service | Forwarding requests for content scanning (Not applicable to Advanced Secure Gateway) |
IWA-Kerberos authentication | 88 | TCP/UDP | Yes | DC/KDC | Kerberos for IWA Direct authentication |
LDAP | 389 | TCP/UDP | Yes | DC/KDC/LDAP Server | LDAP for IWA Direct authentication |
Log client (custom) | 69 | TCP | Yes | Custom log server | Sending access logs to configured server |
Log client (FTP, plain and secure) | 21 | TCP | Yes | FTP/S log server | Sending access logs to configured server |
Log client (HTTP, plain and secure) | 80 | TCP | Yes | HTTP/S log server | Sending access logs to configured server |
Log client (Kafka) | 9092 | TCP | Yes | Kafka broker | Sending access logs to configured Kafka broker cluster |
Log client (Symantec Reporter client) | 9081 | TCP | Yes | Reporter | Deprecated log streaming to Reporter version 9 |
Log client (SCP) | 22 | TCP | Yes | SCP log server | Sending access logs to configured server |
Symantec Management Center, Symantec Director | 22 | TCP | No | Management Center, Director | Management Center and Director registration (Not applicable to Advanced Secure Gateway) |
Monitoring statistics to Management Center (plain) | 9009 | TCP | No | Management Center | Export of monitoring statistics to Management Center |
Monitoring statistics to Management Center (secure) | 9010 | TCP | No | Management Center | Export of monitoring statistics to Management Center |
Novell SSO | 389 | TCP | Yes | Novell server | Novell authentication |
NTP | 123 | UDP | Yes | NTP server | Periodic time update from default or configured NTP servers |
RADIUS | 1812 | TCP | Yes | RADIUS server | RADIUS authentication |
SMB | 139, 445 | TCP | Yes | DC/KDC | CIFS services in transparent deployments |
SOCKS | 1080 | TCP/UDP | No | SOCKS server | Forwarding traffic to SOCKS proxy |
Syslog | 514 | UDP | No | Syslog server | Syslog uploads to remote server |
WCCP | 2048 | UDP | No | WCCP-compliant router or switch | Traffic redirection from router to the appliance in out-of-path deployments |
Component | Default Port | Protocol | Configurable | Source | Description |
---|---|---|---|---|---|
ADN data tunnel (plain) | 3035 | TCP | Yes | Edge SWG appliance | Connection to ADN manager for updates (Not applicable to Advanced Secure Gateway) |
ADN data tunnel (secure) | 3037 | TCP | Yes | Edge SWG appliance | Connection to ADN manager for updates (Not applicable to Advanced Secure Gateway) |
ADN management (plain) | 3034 | TCP | Yes | Edge SWG appliance | Explicit connections between two Edge SWG peers (Not applicable to Advanced Secure Gateway) |
ADN management (secure) | 3036 | TCP | Yes | Edge SWG appliance | Explicit connections between two Edge SWG peers (Not applicable to Advanced Secure Gateway) |
ADN connection forwarding | 3030 | TCP | Yes | Edge SWG appliance | Load balancing and asymmetric routing (Not applicable to Advanced Secure Gateway) |
Flash media | 1935 | TCP/UDP | No | origin content server | Streaming Flash and RTMP |
Real Media | 554 | UDP | No | origin content server | Streaming Real Media (RTSP) |
SafeNet Java HSM | 8443 | TCP | Yes | SafeNet Java HSM | Communication with SafeNet Java HSM |
Windows Media | 1755 | UDP | No | origin content server | Streaming Windows Media (MMS) |
Component | Ports | Protocols | URLs | IP Addresses | Description |
---|---|---|---|---|---|
Symantec Content Analysis | 80 443 | HTTPS TCP | subscription.es.bluecoat.com | 8.28.16.208 103.246.38.208 199.19.249.208 199.116.169.248 199.247.40.247 | Antivirus pattern updates from Content Analysis (Not applicable to Advanced Secure Gateway) |
Content Analysis | 443 | HTTPS TCP | contentanalysis-ma.es.bluecoat.com | 199.116.169.239 | Malware reporting from Content Analysis (Not applicable to Advanced Secure Gateway) |
Licensing | 443 | HTTPS TCP | device-services.es.bluecoat.com | 192.19.237.100 | Appliance license management |
Licensing | 443 | HTTPS TCP | bto-services.es.bluecoat.com | 192.19.237.99 | Validates the license |
Licensing | 443 | HTTPS TCP | subscription.es.bluecoat.com | 8.28.16.243 168.149.132.6 | Subscription-based services management |
Licensing | 443 | HTTPS TCP | services.bluecoat.com | 192.19.237.103 | License administration |
Licensing | 443 | HTTPS TCP | download.bluecoat.com | 192.19.237.102 | License administration |
PKI - Appliance validation | 80 444 | HTTPS TCP | abrca.bluecoat.com | 192.19.237.69 | Symantec appliance Certificate Authority |
PKI - CA certificates | 443 | HTTPS TCP | appliance.bluecoat.com | | Trust package downloads |
NTP | 80 | HTTP TCP | download.bluecoat.com | 199.91.133.16 192.19.237.102 | Time zone database downloads |
Diagnostics | 443 | HTTPS TCP | hb.bluecoat.com | | Appliance heartbeat information to Symantec |
Diagnostics | 443 | HTTPS TCP | upload.bluecoat.com mft.symantec.com | | Diagnostic report uploads to Symantec support |
Content filtering | 80 443 | HTTPS TCP | list.bluecoat.com | 8.28.16.206 Only IP address is returned when there is a DNS query. If the IP address fails to respond, one of the other active addresses is returned. | WebFilter, IWF, Optenet, and Proventia database downloads |
Symantec Cloud Secure Web Gateway (SWG, formerly known as WSS) | 443 | HTTPS TCP | portal.threatpulse.com | | Cloud SWG registration |
Threat protection | 443 | HTTPS TCP | securitylabs.es.bluecoat.com | 8.28.16.7 | Security intelligence |
Threat protection | 80 443 | HTTPS TCP | webpulse.es.bluecoat.com sp.cwfservice.net | 199.19.249.201 168.149.132.32 * These addresses are returned only when the request originates in China. | Symantec Global Intelligence Network updates |
Virtual Server Validation* | 443 | HTTPS TCP | validation.es.bluecoat.com | 192.19.237.101 | Virtual Edge SWG Validation *Only needed from virtual machines. |
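
One way to turn rows of the last table into a destination-restricted egress allowlist instead of opening the ports to any address. This is an added example, not Symantec or Broadcom code. The nftables table and chain names are assumptions, and the sample rows are a constructed subset copied from the table above.

```python
import ipaddress

# Constructed sample: header, separator and five rows in the table's column order.
ROWS = """\
Component | Ports | Protocols | URLs | IP Addresses | Description |
---|---|---|---|---|---|
Licensing | 443 | HTTPS TCP | device-services.es.bluecoat.com | 192.19.237.100 | Appliance license management |
PKI - Appliance validation | 80 444 | HTTPS TCP | abrca.bluecoat.com | 192.19.237.69 | Symantec appliance Certificate Authority |
NTP | 80 | HTTP TCP | download.bluecoat.com | 199.91.133.16 192.19.237.102 | Time zone database downloads |
Content filtering | 80 443 | HTTPS TCP | list.bluecoat.com | 8.28.16.206 Only IP address is returned when there is a DNS query. If the IP address fails to respond, one of the other active addresses is returned. | WebFilter, IWF, Optenet, and Proventia database downloads |
Diagnostics | 443 | HTTPS TCP | hb.bluecoat.com | | Appliance heartbeat information to Symantec |
"""


def egress_rules(text, table="inet filter", chain="output"):
    """Return (nft rule strings, rows that have no published IP address).

    `table` and `chain` are assumed names; adjust to the local ruleset.
    """
    rules, unresolved = [], []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().rstrip("|").split("|")]
        # Skip the header, the ---|--- separator and malformed rows.
        if len(cells) != 6 or not cells[1].replace(" ", "").isdigit():
            continue
        _, port_cell, proto_cell, host_cell, addr_cell, _ = cells
        ports = port_cell.split()
        # The address cell can carry free-text notes; keep only real IPs.
        addrs = []
        for token in addr_cell.split():
            try:
                addrs.append(str(ipaddress.ip_address(token)))
            except ValueError:
                continue
        if not addrs:
            # No address published: needs an FQDN-aware policy instead.
            unresolved.append((host_cell.split(), ports))
            continue
        for proto in (p.lower() for p in proto_cell.split() if p in ("TCP", "UDP")):
            rules.append(
                f"add rule {table} {chain} ip daddr {{ {', '.join(addrs)} }} "
                f"{proto} dport {{ {', '.join(ports)} }} accept"
            )
    return rules, unresolved


if __name__ == "__main__":
    allow, by_name = egress_rules(ROWS)
    print("\n".join(allow))
    print("FQDN-based policy needed for:", by_name)
```

Rows such as list.bluecoat.com, where the table notes that another active address may be returned, are better matched by hostname where the firewall supports it, because an IP-pinned rule stops matching when the address changes.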