All firewall rules must allow outbound connections to the following ports:

Reference: Required Locations, Ports, and Protocols

Firewall/VPN (IPSEC):

• IP Protocol 50 (ESP)
• TCP 80/443
• UDP 500 (ISAKMP)
• UDP 4500 if firewall is behind a NAT.

Proxy Forwarding:

• Port 8080 to proxy.threatpulse.net
• Port 8443 to proxy.threatpulse.net
• Port 8084 to proxy.threatpulse.net

Remote Users: (Mobility client)

• Port 443 to ctc.threatpulse.com
• Port 443 to all WSS Agent cluster IP Addresses returned from CTC (available in WSS Agent logs) - nearest data center selection is performed automatically by the agent based on the geo-location of the end user's public egress IP address.

Transproxy:

• See link above.

Explicit Proxy:

• See link above.

MDM Integration: (for example, Airwatch)

• UDP 500 (ISAKMP)
• UDP 4500 (NAT-T)

Authentication: (BCCA.exe)

• Port 443 to auth.threatpulse.com (34.160.229.36)
• Port 443 to portal.threatpulse.net (34.49.9.67)
• Note: In an IPSEC deployment, BCCA must also be able to talk to the same data pods authentication servers where the IPSEC tunnel terminates. Refer to Authentication IP addresses for Web Security Service data centers for more details.

Authentication: (ACLogon.exe; log-in script for sending logged-in credentials directly to BCCA.)

• Port 80 from all clients to BCCA server

SAML:

• Port 8443 to saml.threatpulse.net

Roaming Captive Portal:

• Port 8080 to proxy.threatpulse.com

Internal ports: (between BCCA server and Domain Controllers)

• 139 and 445 TCP
• 389 LDAP
• 636 LDAPS
• 3268 ADSI LDAP
• 135 Location Services / RPC (RPC may also require other random ports for Endpoint Mapper which not listed here)
• 88 Kerberos
• 1024 to 5000 Endpoint mapper (opened by RPC) - However, it is possible that ports over 5000 are used depending on your AD configuration. Refer to How to configure RPC to use certain ports and how to help secure those ports by using IPsec​.