Required ports, protocols, and services for the ProxySG appliance

Article ID: 150987

Products: ProxySG Software - SGOS

Issue/Introduction

You want to know the required ports, protocols, and services for the Advanced Secure Gateway (ASG) and ProxySG appliances.

Resolution

Depending on your ProxySG appliance configuration, you must open certain ports and protocols on your firewalls for the appliance to function as intended, to use enabled features, or to allow connectivity to various components and data centers. This document presents basic configurations and some commonly used options. Where the Configurable column reads Yes, the port shown is the default; if you have changed it on the appliance, open the configured value instead. Open only the ports for the features, and for the plain or secure variant, that you actually use.

Note: This document also applies to the supported proxy components of the Advanced Secure Gateway appliance. For the components related to Content Analysis, refer to the Content Analysis Admin Guide for your Content Analysis version.

Inbound-Only Connections

| Component | Default port | Protocol | Configurable | Source | Description |
|---|---|---|---|---|---|
| Client Manager | 8084 | TCP | Yes | Symantec Unified Agent, ProxyClient | Unified Agent/ProxyClient configuration check |
| HTTPS Management Console | 8082 | TCP | Yes | Client browser | Secured ProxySG web interface (Proxy tab in Advanced Secure Gateway) |
| HTTP Management Console | 8081 | TCP | Yes | Client browser | Non-secured ProxySG web interface (Proxy tab in Advanced Secure Gateway) |
| RIP | 520 | UDP | No | Local server hosting the RIP file | RIP configuration file download |
| SSH | 22 | TCP | No | SSH client | SSH management of the appliance |
| SNMP | 161 | UDP | Yes | SNMP client | SNMP monitoring |

Restrict the inbound management ports (8081, 8082, 22, 161) to your management network. The HTTP Management Console on 8081 is not encrypted; use the HTTPS console on 8082 and leave 8081 closed where possible.

Outbound-Only Connections

| Component | Default port | Protocol | Configurable | Destination | Description |
|---|---|---|---|---|---|
| Appliance certificate | 444 | TCP | No | Symantec server | Certificate updates |
| BCAAA authentication with COREid, IWA, SSO, SiteMinder, and XML realms | 16101 | TCP | Yes | Authentication server (BCAAA host) | Authentication- and authorization-related queries to the configured server. See the article "What ports does BCAAA use" for details. |
| DNS | 53 | TCP/UDP | No | DNS server | Port used by your DNS servers |
| Diagnostics | 443 | TCP | No | Symantec server | Heartbeats, SysInfo uploads |
| Email notifications | 25 | TCP | No | SMTP server | Email notifications |
| HTTP | 80 | TCP | No | Internet | Regular HTTP access to the internet |
| ICAP (plain) | 1344 | TCP | Yes | Symantec Content Analysis or other ICAP service | Forwarding requests for content scanning (not applicable to Advanced Secure Gateway) |
| ICAP (secure) | 11344 | TCP | Yes | Content Analysis or other ICAP service | Forwarding requests for content scanning (not applicable to Advanced Secure Gateway) |
| IWA-Kerberos authentication | 88 | TCP/UDP | Yes | DC/KDC | Kerberos for IWA Direct authentication |
| LDAP | 389 | TCP/UDP | Yes | DC/KDC/LDAP server | LDAP for IWA Direct authentication |
| Log client (custom) | 69 | TCP | Yes | Custom log server | Sending access logs to the configured server |
| Log client (FTP, plain and secure) | 21 | TCP | Yes | FTP/FTPS log server | Sending access logs to the configured server |
| Log client (HTTP, plain and secure) | 80 | TCP | Yes | HTTP/HTTPS log server | Sending access logs to the configured server |
| Log client (Kafka) | 9092 | TCP | Yes | Kafka broker | Sending access logs to the configured Kafka broker cluster |
| Log client (Symantec Reporter client) | 9081 | TCP | Yes | Reporter | Deprecated log streaming to Reporter version 9 |
| Log client (SCP) | 22 | TCP | Yes | SCP log server | Sending access logs to the configured server |
| Symantec Management Center, Symantec Director | 22 | TCP | No | Management Center, Director | Management Center and Director registration (not applicable to Advanced Secure Gateway) |
| Monitoring statistics to Management Center (plain) | 9009 | TCP | No | Management Center | Export of monitoring statistics to Management Center |
| Monitoring statistics to Management Center (secure) | 9010 | TCP | No | Management Center | Export of monitoring statistics to Management Center |
| Novell SSO | 389 | TCP | Yes | Novell server | Novell authentication |
| NTP | 123 | UDP | Yes | NTP server | Periodic time update from the default or configured NTP servers |
| RADIUS | 1812 | UDP | Yes | RADIUS server | RADIUS authentication |
| SMB | 139, 445 | TCP | Yes | DC/KDC | CIFS services in transparent deployments |
| SOCKS | 1080 | TCP/UDP | No | SOCKS server | Forwarding traffic to a SOCKS proxy |
| Syslog | 514 | UDP | No | Syslog server | Syslog uploads to a remote server |
| WCCP | 2048 | UDP | No | WCCP-compliant router or switch | Traffic redirection from the router to the appliance in out-of-path deployments |

Inbound/Outbound Connections

| Component | Default port | Protocol | Configurable | Peer | Description |
|---|---|---|---|---|---|
| ADN data tunnel (plain) | 3035 | TCP | Yes | ProxySG appliance | ADN tunnel connections between two ProxySG peers (not applicable to Advanced Secure Gateway) |
| ADN data tunnel (secure) | 3037 | TCP | Yes | ProxySG appliance | ADN tunnel connections between two ProxySG peers (not applicable to Advanced Secure Gateway) |
| ADN management (plain) | 3034 | TCP | Yes | ProxySG appliance | Connection to the ADN manager for routing updates (not applicable to Advanced Secure Gateway) |
| ADN management (secure) | 3036 | TCP | Yes | ProxySG appliance | Connection to the ADN manager for routing updates (not applicable to Advanced Secure Gateway) |
| ADN connection forwarding | 3030 | TCP | Yes | ProxySG appliance | Load balancing and asymmetric routing (not applicable to Advanced Secure Gateway) |
| Flash media | 1935 | TCP/UDP | No | Origin content server | Streaming Flash and RTMP |
| Real Media | 554 | TCP/UDP | No | Origin content server | Streaming Real Media (RTSP control over TCP, media data over UDP) |
| SafeNet Java HSM | 8443 | TCP | Yes | SafeNet Java HSM | Communication with the SafeNet Java HSM |
| Windows Media | 1755 | TCP/UDP | No | Origin content server | Streaming Windows Media (MMS control over TCP, media data over UDP) |
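The three tables above list plain and secure variants side by side (HTTP console 8081 versus HTTPS console 8082, ICAP 1344 versus 11344, ADN 3035 versus 3037). A deny-by-default firewall in front of the appliance should open only the variant that is actually deployed, and only towards the peer that needs it. The following is an added example, not code from this article or from SGOS: it models a subset of the table rows as data and generates an nftables forward-chain policy from them. The appliance address and peer networks (10.0.0.0/24 management network, 10.0.1.10 ICAP server, and so on) are placeholders, and the "secure variant of" relationship between rows is the editor's annotation, not a column in the article.

```python
"""Generate a deny-by-default nftables policy for a ProxySG appliance from
port-table rows. Added example; not from the Symantec article or SGOS."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    component: str
    ports: str                 # as printed in the table, e.g. "139, 445"
    proto: str                 # "TCP", "UDP" or "TCP/UDP"
    direction: str             # "in" (to appliance), "out" (from appliance) or "both"
    peer: str                  # IP or CIDR of the remote side; placeholders below
    secure_variant_of: str = ""  # set when this row supersedes a plain-text row


# Subset of the article's rows. All peer addresses are assumed placeholders.
MGMT_NET = "10.0.0.0/24"
ROWS = [
    Rule("HTTP Management Console", "8081", "TCP", "in", MGMT_NET),
    Rule("HTTPS Management Console", "8082", "TCP", "in", MGMT_NET,
         secure_variant_of="HTTP Management Console"),
    Rule("SSH", "22", "TCP", "in", MGMT_NET),
    Rule("ICAP (plain)", "1344", "TCP", "out", "10.0.1.10"),
    Rule("ICAP (secure)", "11344", "TCP", "out", "10.0.1.10",
         secure_variant_of="ICAP (plain)"),
    Rule("SMB", "139, 445", "TCP", "out", "10.0.2.0/24"),
    Rule("DNS", "53", "TCP/UDP", "out", "10.0.0.53"),
    Rule("RADIUS", "1812", "UDP", "out", "10.0.2.5"),
    Rule("ADN data tunnel (plain)", "3035", "TCP", "both", "10.0.3.0/24"),
    Rule("ADN data tunnel (secure)", "3037", "TCP", "both", "10.0.3.0/24",
         secure_variant_of="ADN data tunnel (plain)"),
]


def parse_ports(spec: str) -> List[int]:
    """Turn '139, 445' into [139, 445], rejecting anything that is not a port."""
    ports = [int(p) for p in spec.replace(" ", "").split(",") if p]
    for p in ports:
        if not 1 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
    return ports


def parse_protos(spec: str) -> List[str]:
    """'TCP/UDP' -> ['tcp', 'udp'], matching nft's lowercase keywords."""
    return [p.strip().lower() for p in spec.split("/")]


def select_rows(rows: List[Rule], prefer_secure: bool = True) -> List[Rule]:
    """Drop every plain row that has a secure counterpart in the same list."""
    if not prefer_secure:
        return list(rows)
    superseded = {r.secure_variant_of for r in rows if r.secure_variant_of}
    return [r for r in rows if r.component not in superseded]


def rule_lines(rule: Rule, appliance_ip: str) -> List[str]:
    """One nft rule per protocol and direction, with the row name as a comment."""
    ports = parse_ports(rule.ports)
    port_expr = (str(ports[0]) if len(ports) == 1
                 else "{ " + ", ".join(str(p) for p in ports) + " }")
    lines = []
    for proto in parse_protos(rule.proto):
        if rule.direction in ("in", "both"):
            lines.append(f'    ip saddr {rule.peer} ip daddr {appliance_ip} '
                         f'{proto} dport {port_expr} accept comment "{rule.component} (in)"')
        if rule.direction in ("out", "both"):
            lines.append(f'    ip saddr {appliance_ip} ip daddr {rule.peer} '
                         f'{proto} dport {port_expr} accept comment "{rule.component} (out)"')
    return lines


def build_ruleset(rows: List[Rule], appliance_ip: str, prefer_secure: bool = True) -> str:
    """Complete nftables table: drop by default, allow only the selected rows."""
    body = ["table inet proxysg_edge {",
            "  chain forward {",
            "    type filter hook forward priority 0; policy drop;",
            "    ct state established,related accept"]
    for rule in select_rows(rows, prefer_secure):
        body.extend(rule_lines(rule, appliance_ip))
    body += ["  }", "}"]
    return "\n".join(body) + "\n"


if __name__ == "__main__":
    print(build_ruleset(ROWS, "10.0.0.10"))
```

Feed the output to `nft -f` on the filtering host. Regenerating the policy with `prefer_secure=False` is the quick way to see exactly which plain-text listeners a legacy configuration is keeping open.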

URLs and IP Addresses for Symantec Services

| Component | Ports | Protocol | URL | IP addresses | Description |
|---|---|---|---|---|---|
| Symantec Content Analysis | 80, 443 | HTTP/HTTPS (TCP) | av-download.bluecoat.com | 8.28.16.208, 103.246.38.208, 199.19.249.208, 199.116.169.248, 199.247.40.247 | Antivirus pattern updates for Content Analysis (not applicable to Advanced Secure Gateway) |
| Content Analysis | 443 | HTTPS (TCP) | contentanalysis-ma.es.bluecoat.com | 199.116.169.239 | Malware reporting from Content Analysis (not applicable to Advanced Secure Gateway) |
| Licensing | 443 | HTTPS (TCP) | device-services.es.bluecoat.com | 192.19.237.100 | Appliance license management |
| Licensing | 443 | HTTPS (TCP) | bto-services.es.bluecoat.com | 192.19.237.99 | Validates the license |
| Licensing | 443 | HTTPS (TCP) | subscription.es.bluecoat.com | 8.28.16.243, 199.247.40.244, 168.149.132.6 | Subscription-based services management |
| Licensing | 443 | HTTPS (TCP) | services.bluecoat.com | 192.19.237.103 | License administration |
| Licensing | 443 | HTTPS (TCP) | download.bluecoat.com | 192.19.237.102 | License administration |
| PKI - Appliance validation | 443 | HTTPS (TCP) | abrca.bluecoat.com | 192.19.237.69 | Symantec appliance Certificate Authority |
| PKI - CA certificates | 443 | HTTPS (TCP) | appliance.bluecoat.com | (none listed) | Trust package downloads |
| NTP | 80 | HTTP (TCP) | download.bluecoat.com | 199.91.133.16, 192.19.237.102 | Time zone database downloads |
| Diagnostics | 443 | HTTPS (TCP) | hb.bluecoat.com | (none listed) | Appliance heartbeat information to Symantec |
| Diagnostics | 443 | HTTPS (TCP) | upload.bluecoat.com, mft.symantec.com | (none listed) | Diagnostic report uploads to Symantec support |
| Content filtering | 80, 443 | HTTP/HTTPS (TCP) | list.bluecoat.com | 8.28.16.206, 103.246.38.206, 199.19.249.206, 199.116.169.246, 199.247.40.246 | WebFilter, IWF, Optenet, and Proventia database downloads. A DNS query returns only one of these addresses at a time; if that address fails to respond, one of the other active addresses is returned, so a firewall that allowlists by IP must include all of them. |
| Symantec Web Security Service | 443 | HTTPS (TCP) | portal.threatpulse.com | (none listed) | Web Security Service registration |
| Threat protection | 443 | HTTPS (TCP) | securitylabs.es.bluecoat.com | 8.28.16.7 | Security intelligence |
| Threat protection | 80, 443 | HTTP/HTTPS (TCP) | webpulse.es.bluecoat.com; sp.cwfservice.net (version 6.5.x) | See the list following this table | Symantec Global Intelligence Network updates |
| Virtual Server Validation* | 443 | HTTPS (TCP) | validation.es.bluecoat.com | 192.19.237.101 | Virtual ProxySG validation |

* Only needed from virtual machines.

IP addresses for the Threat protection row (webpulse.es.bluecoat.com and sp.cwfservice.net):

199.19.249.201
199.19.249.203
199.116.169.244
199.116.169.245
8.28.16.201
8.28.16.203
103.246.38.201
103.246.38.203
103.246.39.212
103.246.39.213
103.246.36.212
103.246.36.213
54.233.145.171
54.207.85.173
123.103.64.94 (returned only when the request originates in China)
123.103.64.95 (returned only when the request originates in China)
197.96.129.181
197.96.129.182
199.116.173.201
199.116.173.203
199.116.173.215
180.179.142.109
13.114.137.119
52.64.80.74
13.114.129.165
13.54.6.129
180.179.142.110
8.28.16.202
46.235.158.215
52.65.118.140
54.64.46.133
54.207.87.150
103.246.38.202
180.179.142.115
185.2.196.215
199.19.249.211
199.116.169.242
35.157.189.75
18.195.189.47
3.121.119.187
148.64.5.249
148.64.5.250
148.64.5.253
168.149.132.32
168.149.132.33
168.149.132.64
168.149.132.65
168.149.132.80
168.149.132.81
168.149.132.96
168.149.132.97
168.149.132.113
168.149.132.128
168.149.132.129
168.149.132.145
168.149.132.160
168.149.132.161
168.149.132.176
168.149.132.177
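Because the Symantec hostnames above resolve to one address at a time, a single test resolution tells you neither whether the firewall allowlist is complete nor whether an answer has drifted outside the published set. The following is an added example, not code from this article or from SGOS: it parses dig-style A-record answers (the sample answers are constructed, including a deliberately unpublished 203.0.113.9, and are not real resolutions), compares them with a published-address table built from a subset of the rows above, and reports both unexpected answers and published addresses that the firewall still needs even though this resolution did not return them. The China-only addresses are treated as expected only when the check is run from China, following the footnote on the list above.

```python
"""Audit observed DNS answers for Symantec service hostnames against the
published IP addresses. Added example; not from the Symantec article or SGOS."""
import ipaddress
from typing import Dict, Set

# Subset of the article's table (published hostname -> addresses).
PUBLISHED: Dict[str, Set[str]] = {
    "list.bluecoat.com": {"8.28.16.206", "103.246.38.206", "199.19.249.206",
                          "199.116.169.246", "199.247.40.246"},
    "webpulse.es.bluecoat.com": {"199.19.249.201", "199.19.249.203", "8.28.16.201",
                                 "123.103.64.94", "123.103.64.95"},
    "abrca.bluecoat.com": {"192.19.237.69"},
}
# Returned only when the request originates in China (article footnote).
CHINA_ONLY: Set[str] = {"123.103.64.94", "123.103.64.95"}

# Constructed dig-style answer section; 203.0.113.9 is a documentation
# address planted here to show an answer outside the published set.
SAMPLE_ANSWERS = """\
list.bluecoat.com.        300  IN A 8.28.16.206
list.bluecoat.com.        300  IN A 199.116.169.246
webpulse.es.bluecoat.com. 60   IN A 199.19.249.201
webpulse.es.bluecoat.com. 60   IN A 203.0.113.9
abrca.bluecoat.com.       3600 IN A 192.19.237.69
; a CNAME or AAAA line would be skipped by the parser
"""


def parse_answers(text: str) -> Dict[str, Set[str]]:
    """Collect IPv4 A-record answers per owner name from dig-style output.

    Lines that are not 'name ttl IN A address' (comments, CNAME, AAAA) are
    skipped; a malformed address literal raises rather than being ignored."""
    seen: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN" or parts[3] != "A":
            continue
        name = parts[0].rstrip(".").lower()
        addr = ipaddress.ip_address(parts[4])  # validates the literal
        if addr.version != 4:
            continue
        seen.setdefault(name, set()).add(str(addr))
    return seen


def audit(seen: Dict[str, Set[str]], published: Dict[str, Set[str]],
          in_china: bool = False) -> Dict[str, Dict[str, list]]:
    """For every published hostname report:
    - unexpected: answers not in the published set (stale article, split-horizon
      DNS, or something to investigate);
    - unseen_but_required: published addresses this resolution did not return,
      which an IP-based firewall allowlist still has to contain."""
    report: Dict[str, Dict[str, list]] = {}
    for host, allowed in published.items():
        expected = allowed if in_china else allowed - CHINA_ONLY
        got = seen.get(host, set())
        report[host] = {
            "unexpected": sorted(got - allowed),
            "unseen_but_required": sorted(expected - got),
        }
    return report


if __name__ == "__main__":
    for host, result in audit(parse_answers(SAMPLE_ANSWERS), PUBLISHED).items():
        print(host)
        print("  unexpected answers      :", result["unexpected"] or "none")
        print("  still required in allowlist:", result["unseen_but_required"] or "none")
```

Run the same audit from each egress location over several days, since the set of addresses returned varies by resolver and region; an address that never appears is still required in the allowlist, and one that appears but is not published should be confirmed with Symantec before it is opened.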