Ports and Protocols for Symantec IT Management Suite (ITMS) 8.x
Article ID: 184952
Updated On:
Products
Issue/Introduction
This article contains information about the Ports and Protocols used by components of IT Management Suite (ITMS) 8.x
Environment
ITMS 8.x
Resolution
Symantec Installation Manager
| Component | Protocol | Direction | Port | Connections | Is configurable? |
|---|---|---|---|---|---|
| Symantec Installation Manager | TCP | 80/443 | SIM uses ports to download files only. It does not open any ports. SIM accesses the following URLs. Your firewall should allow these URLs in order to use SIM properly. https://www.solutionsam.com | ||
| SIM to MS SQL DB | TCP | Outbound | 1433 | Standard port for connection to remote MS SQL DB using TCP/IP transport. Note that MS SQL can be configured to custom or dynamic port usage. | Yes, in MS SQL configuration. |
| SIM to MS SQL DB | UDP | Outbound | 1434 | Used to determine dynamic or custom port used by MS SQL instance. Also used for SQL server discovery. | No |
| Symantec Installation Manager | TCP/UDP(DNS) | Outbound | 53 | Used to resolve SQL server name. | No |
Notification Server and Symantec Management Console
| Component | Protocol | Direction | Port | Connections | Service Name | Is configurable? |
|---|---|---|---|---|---|---|
| NS Console | TCP | Inbound | 80/443 | When using a remote console, Notification Server uses HTTP (port 80) to connect to the server and download the client application / admin console content. | W3SVC | Yes |
| Cloud-enabled management | TCP | Inbound/Outbound | 4726 | This is the default port for Cloud-enabled Management Agent IIS Website. It handles the incoming/outgoing connections from the Internet Gateway to the Notification Server. | W3SVC | Yes, you can configure it in Settings > Notification Server > Cloud-enabled Management > Setup > Cloud enabled Management Agent IIS Website Settings. |
| NS (agent install) | UDP (NETLOGON) | Outbound | 138 | Initial connection Notification Server to client. | AexSvc | No |
| NS (agent install) | TCP (MS DS/CIFS/SMB) | Outbound | 445 | Initial connection Notification Server to client. | AexSvc | No |
| Agent (initial connection) | TCP | Outbound | 80/443 | Initial connection Client to Notification Server (after Service Starts). | AltirisAgentInstSvc | Yes |
| Agent (initial connection) | ICMP Type 8 (PING) | Outbound | ICMP Type 8 (PING) package server speed check. | AltirisAgentInstSvc | No | |
| Agent (policy update and post event) | TCP | Outbound | 80/443 | The Agent establishes a connection to server port TCP 80 for HTTP and server port TCP 443 for SSL. This port is configurable by the user, however, and can be set to any free port. | AeXNSClient | Yes |
| Hierarchy | TCP | Inbound/Outbound | 80/443 | Hierarchy uses the ports that individual Notification Servers have been set up and configured to use.
To join Notification Servers in a hierarchy, you must correctly enter the port numbers or HTTPS prefix inside the Add Hierarchy Node Wizard. In Step 1 of the wizard, in the URL field, you enter either HTTPS or the IIS port. For example, to add a child node called example.com using port 30000, enter http://example.com:30000/Altiris/Console in the URL field. This means that your child Notification is configured to use port 30000, and you are instructing the local Notification Server to connect to it for hierarchy communications using that port. To add a child node called example.com using HTTPS, enter https://example.com/Altiris/Console in the URL field. Notification Servers within the hierarchy may not all use the same HTTP port for communication. As long as the hierarchy connection is configured correctly inside the Add Hierarchy Node Wizard, they will all work correctly. | AexSvc, W3SVC | Yes |
| NS to MS SQL DB | TCP | Outbound | 1433 | Standard port for connection to remote MS SQL DB using TCP/IP transport. Note that MS SQL can be configured to custom or dynamic port usage. | AexSvc, AltirisClientMsgDispatcher, AltirisReceiverService, W3SVC | Yes, in MS SQL configuration. |
| NS to MS SQL DB | UDP | Outbound | 1434 | Used to determine dynamic or custom port used by MS SQL instance. | AexSvc, AltirisClientMsgDispatcher, AltirisReceiverService, W3SVC | No |
| NS | TCP/UDP | Outbound | 389 | Active Directory data import using AD import rules or Data Connector LDAP data source. | AexSvc, W3SVC | No |
| NS | TCP | Outbound | 25 | Optional connection to mail server using SMTP, required for sending notifications to configured recipients using automation policies or tasks. | AexSvc | Yes, NS console. |
| NS | UDP | Outbound | 137 | Optional WINS import for computers. | AexSvc | No |
| NS Data Connector | TCP/UDP | Outbound | 1024-65536 | In case data sources like ODBC or OLEDB are used, outgoing connection may be required to specific services defined by driver used. | AexSvc, W3SVC | No |
| NS Software package access | TCP (SMB) | Outbound | 445 | Optional access to software pacakges which are accessible only via UNC. | AexSvc, W3SVC | No |
| Computer discovery | TCP/UDP (DNS) | Outbound | 53 | Resolving computer hostname/fully qualified domain name(FQDN). | AexSvc, W3SVC | No |
| Computer discovery | UDP (NetBIOS) | Outbound | 137, 138 | Optional findout computer's NetBIOS name, or discover computer by NetBIOSname. | AexSvc, W3SVC | No |
| Computer discovery | TCP (NetBIOS) | Outbound | 139 | Optional findout computer's NetBIOS name, or discover computer by NetBIOSname. | AexSvc, W3SVC | No |
| Computer discovery | TCP (RPC/WMI) | Outbound | 135, 49152-65535 | Optional get computer's details(e.g. OS type) during discovery. | AexSvc, W3SVC | No |
| NS | TCP | Inbound | 9086, 9988 | Ports used to access Service Framework. Not utilized by SMP itself, but may be required by certain utilities like NSDiag. | No |
Task Management
| Component | Protocol | Direction | Port | Connections | Service Name | Is configurable? |
|---|---|---|---|---|---|---|
| Task Server (atrshost.exe) | TCP | Inbound/Outbound | 80/443 | Task Server downloads tasks from NS and sends task-result xml to NS. | AtrsHost, W3SVC | Yes. Either through IIS, or with Altiris HTTP; use the Altiris.Http.config file. |
| Task Server (atrshost.exe) | TCP | Inbound/Outbound | 50123 | Tickle port. Opened by TS on NS during TS registration on NS after install. Used to receive real-time notifications when some new tasks are to be executed. NS sends tickle to TS when a new task is available. | AtrsHost | Yes. Altiris.ClientTask.TickleService.config |
| Client Task Agent | TCP | Inbound/Outbound | 80/443 | Obtains the list of Task Servers and TS properties from the NS part of TS. | AeXNSClient, W3SVC | Yes. Either through IIS, or with Altiris HTTP; use the Altiris.Http.config file. |
| Client Task Agent | TCP | Inbound/Outbound | 80/443 | CTA checks for the new task and sends the task-result xml to TS. | AeXNSClient, W3SVC | Yes. Either through IIS, or with Altiris HTTP; use the Altiris.Http.config file. |
| Client Task Agent | TCP | Inbound/Outbound | 50124 | Tickle port. Opened by CTA on TS during registration. Used to receive real-time notifications when some new tasks are to be executed. TS send tickle to client if new task is available. | AeXNSClient | Yes. Altiris.ClientTask.Server.config |
Package Server
| Component | Protocol | Direction | Port | Connections | Service Name | Is configurable? |
|---|---|---|---|---|---|---|
| Package Server | TCP | Inbound | 80/443 | From client computers HTTP/HTTPS. | W3SVC | Yes, depends on the port used by the website Package Server is residing on. |
| Package Server | TCP | Inbound | 445 | From client computers UNC. | System | No |
| Package Server | TCP | Outbound | 445 | To Notification Server UNC. | AeXNSClient | No |
| Package Server | TCP | Outbound | 52030 | Package Multicasting | AeXNSClient | Yes, in Symantec Management Console. |
| Package Server | UDP | Outbound | 52030 | Package Multicasting | AeXNSClient | Yes, in Symantec Management Console. |
| Package Server | TCP/UDP | Inbound | 135 | From client computers UNC. | RpcSs (svchost.exe) | No |
| Package Server | TCP/UDP | Inbound | 139 | From client computers UNC. | System | No |
| Package Server | UDP | Inbound | 137 | From client computers UNC. | System | No |
Symantec Management Agent for Windows
| Component | Protocol | Direction | Port | Connections | Service Name | Is configurable? |
|---|---|---|---|---|---|---|
| Notification Server | TCP | Inbound | 80/443 | From client computers. | W3SVC | Yes, depends on the port used by the website Notification Server is residing on. |
| Symantec Management Agent | TCP | Outbound | 80/443 | To Notification Server. | AeXNSClient | Yes, depends on the port used by the website Notification Server is residing on. |
| Symantec Management Agent | TCP | Inbound | 445 | Push install from Notification Server. | System | No |
| Symantec Management Agent | TCP | Inbound | 52028 | Tickle / Power Management. | AeXNSClient | Yes, in Symantec Management Console. |
| Symantec Management Agent | UDP | Inbound | 52028 | Tickle / Power Management. | AeXNSClient | Yes, in Symantec Management Console. |
| Symantec Management Agent | TCP | Inbound | 52029 | Tickle / Power Management multicast. | AeXNSClient | Yes, in Symantec Management Console. |
| Symantec Management Agent | UDP | Inbound | 52029 | Tickle / Power Management multicast. | AeXNSClient | Yes, in Symantec Management Console. |
| Symantec Management Agent | TCP/UDP | Outbound | 56118 | Peer-to-peer (P2P) local HTTP server. | AeXNSClient | Yes, in Symantec Management Console. |
Symantec Management Agent for ULM
| Component | Protocol | Direction | Port | Connections | Is configurable? |
|---|---|---|---|---|---|
| Notification Server | TCP | Inbound | 80/443 | From client computers | Yes, depends on the port used by the website the Notification Server is residing on. |
| UNIX, Linux or Mac client computer | TCP | Outbound | 80/443 | To the Notification Server | Yes, depends on the port used by the website the Notification Server is residing on. |
| UNIX, Linux or Mac client computer | TCP | Outbound | 80/443 | To Package and Task Servers | Yes, depends on the ports used by the website the Package Server Agent is integrated with. |
| UNIX, Linux or Mac client computer | TCP | Outbound | Source ports 1024 and above | To the Notification Server, Package, and Task Servers. | No, the ports are randomly selected when the connection is established. |
| UNIX, Linux or Mac client computer | TCP | Inbound | 22 (SSH) | Push install from the Notification Server. | Yes, depends on the port used by SSHD. |
| UNIX, Linux or Mac client computer | TCP | Inbound | 52028 | Tickle / Power Management messages. | Yes, in the SM Console. |
| UNIX, Linux or Mac client computer | UDP | Inbound | 52028 | Tickle / Power Management messages. | Yes, in the SM Console. |
| UNIX, Linux or Mac client computer | UDP | Inbound | 52029 | Multicast (default group is 224.0.255.135) | Yes, in the SM Console. |
Activity Center
| Component | Protocol | Direction | Port | Connections | Is configurable? |
|---|---|---|---|---|---|
| Activity Center UI | TCP | Inbound | 80/443 | HTTP/HTTPS | Yes |
Asset Management Solution
N/A
Client Management Suite Portal Page
The portal page contains web parts of other solutions - i.e. covered with specifications for other solutions, no special ports used.
CMDB Solution
N/A
Deployment Solution
For storing images on the Package Server and for communication from preOS with SMP infrastructure, Deployment Solution uses SMP ports and protocols.
| Component | Protocol | Direction | Port | Connections | Service Name | Is configurable? |
|---|---|---|---|---|---|---|
| HTTP/HTTPS imaging | HTTP/HTTPS | Outbound | 80/443 | Creating and Deploying images. | W3SVC | Yes |
| PXE Server | PXE over UDP | Inbound/Outbound | 67-68/4011 | Network boot using PXE, Port 67 is used when PXE Server is not on DHCP Server machine. | SymantecNetworkBootServicePxe | No |
| PXE Server | PXE over UDP | Inbound/Outbound | TCP 4433 | Network boot using PXE, TCP port 4433 is used for both communication and file transfer. | SymantecNetworkBootServicePxe | No |
| TFTP Server | TFTP over UDP | Inbound | 69 | TFTP requests for file download. | SymantecNetworkBootServiceTftp | No |
| TFTP Server | TFTP over UDP | Inbound/Outbound | 1024-65535 | TFTP file download port. TFTP Server uses the first available free port for TFTP file download. | SymantecNetworkBootServiceTftp | No |
Event Console
| Component | Protocol | Direction | Port | Connections | Service Name | Is configurable? |
|---|---|---|---|---|---|---|
| Event Receiver | TCP | Inbound | 8500 | Alert Port | EventReceiver | Yes, in the Global Settings Item configuration XML. |
| Event Engine | TCP | Inbound | 8501 | Alert Port | EventEngine | Yes, in the Global Settings Item configuration XML. |
| Event Receiver | TCP | Inbound | 8502 | Receiver Refresh Port | EventReceiver | Yes, in the Global Settings Item configuration XML. |
| Event Engine | TCP | Inbound | 8503 | Engine Refresh Port | EventEngine | Yes, in the Global Settings Item configuration XML. |
| Event Engine | UDP | 64522, 64523, 64527, 64528 | EventEngine | No | ||
| Event Receiver | UDP | Inbound | 162 | SNMP trap | EventReceiver | No |
| Event Receiver | UDP | 64524, 64525, 64526, 64529 | EventReceiver | No |
First-Time Setup Portal
| Component | Protocol | Direction | Port | Connections | Is configurable? |
|---|---|---|---|---|---|
| FTSP UI | TCP | Inbound | 80/443 | HTTP/HTTPS | Yes |
Internet Gateway
| Component | Protocol | Direction | Port | Connections | Service Name | Is configurable? |
|---|---|---|---|---|---|---|
| Gateway | TCP | Inbound | 443* | Gateway accepts connections from CEM agents to route them to NS on CEM port (default 4726). | SymantecManagementPlatformInternetGateway | Yes |
| Gateway | TCP | Outbound | System-defined range* | Ports that are used by apache service to perform calls to NS on CEM port. | SymantecManagementPlatformInternetGateway | Yes |
* You might need to open more ports to let the name resolution work correctly. For example, for the NetBIOS name resolution you must open UDP port 137 (TCP, UDP).
Inventory Solution
Inventory Solution works through the Symantec Management Agent. There is no difference from that of the Symantec Management Agent for Windows ports.
Inventory Solution - ULM
Inventory Solution - ULM works through the Symantec Management Agent. There is no difference from that of the Symantec Management Agent for ULM ports.
Inventory Rule Management
Inventory Rule Management works through the Altiris Agent. There is no difference from that of the Altiris Agent for Windows ports.
Inventory for Network Devices
| Component | Protocol | Direction | Port | Connections | Is configurable? |
|---|---|---|---|---|---|
| SNMP Protocol Plug-in | UDP | Outbound/Inbound | 161 | Predefined IANA network port for SNMP protocol for agents to listen to SNMP requests. In addition to above, we need to run Network discovery first(as a pre-requisite) and which uses the ports as configured through the Pluggable Protocols Architecture. | No |
| SNMP TrapListener Protocol Plug-in | UDP | Inbound | 162 | Predefined IANA network port for SNMP protocol for listening to SNMP traps. | No |
ITMS Admin App (iPad)
| Component | Protocol | Direction | Port | Connections | Is configurable? |
|---|---|---|---|---|---|
| Tablet Service | TCP/IP | Inbound/Outbound | 80/443 | HTTP/HTTPS for ITMS management and status. | Yes |
Mobile Device Management (MDM)
The MDM configuration requires TCP port 443 to be opened (Inbound/Outbound) to allow communication between the MDM server, the Notification Server, the MDM-managed MacOS endpoints, and Apples's APNS server as documented in the following: Setting up and Configuring the MDM Server
Monitor Solution (Monitor Solution for Servers)
Monitor solution also uses the ports as configured through the Pluggable Protocols Architecture (PPA).
| Component | Protocol | Direction | Port | Connections | Service Name | Is configurable? |
|---|---|---|---|---|---|---|
| Metric Provider | TCP | Inbound/Outbound | 1011 | Real-Time Performance Viewer, Metric Provider. | MetricProvider (Windows) altirisSM (Linux/UNIX) | Yes, in Symantec Management Console. |
| Metric Provider | UDP | Inbound/Outbound | Random | PPA opened dynamic ports for SNMP metrics, agentless monitoring. | MetricProvider (Windows) altirisSM (Linux/UNIX) | No |
| Metric Provider | TCP | Inbound/Outbound | Random | PPA opened dynamic ports for agentless monitoring connections. | MetricProvider (Windows) altirisSM (Linux/UNIX) | No |
Network Discovery
Network Discovery uses the ports as configured through the Pluggable Protocols Architecture (PPA).
Network Topology Viewer
Viewer just uses the visualization webpart containing data gathered by other solutions (Network Discovery, PPA), no special ports are used.
Patch Management Solution for Windows
Patch Management solution for Windows works through the Symantec Management Agent (and Client Task Agent for vulnerability assessment task). There is no difference from that of the Symantec Management Agent for Windows ports.
Requires access from Notification Server to SolutionSam and vendor sites to download patch data and patches from vendor sites. See Detailed Import Patch Management for Windows access to SolutionSam and Vendor Download Sites for more information.
Patch Management Solution for Linux
Patch Management Solution for Linux works through the Symantec Management Agent. There is no difference from that of the Symantec Management Agent for ULM ports.
Requires access from Notification Server to RedHat, SUSE, and CentOS sites to download patch data and patches from vendor sites.
Patch Management Solution for MAC
Patch Management Solution for MAC works through the Symantec Management Agent. There is no difference from that of the Symantec Management Agent for ULM ports.
Requires access from Mac endpoint to Apple site to communicate with Apple Update Server to make assessments and download patch data.
Pluggable Protocol Architecture
PPA is a component that can be loaded to any service/process, but is mostly used by MetricProvider, AtrsHost, and AMTRedirectionService.
| Component | Protocol | Direction | Port | Connections | Service Name | Is configurable? |
|---|---|---|---|---|---|---|
| AMT Protocol Plugin | TCP/UDP | Outbound/Inbound | 16992 | Predefined IANA network port for Intel AMT to send and receive data (SOAP/HTTP). | MetricProvider, AtrsHost, AMTRedirectionService, etc. (can be loaded by any process using PPA SDK) | No |
| AMT Protocol Plugin | TCP/UDP | Outbound/Inbound | 16993 | Predefined IANA network port for Intel AMT to send and receive data (SOAP/HTTPS). | MetricProvider, AtrsHost, AMTRedirectionService | No |
| AMT Protocol Plugin | TCP/UDP | Outbound/Inbound | 16994 | Predefined IANA network port for Intel AMT to send and receive data (Redirection/TCP). | MetricProvider, AtrsHost, AMTRedirectionService | No |
| AMT Protocol Plugin | TCP/UDP | Outbound/Inbound | 16995 | Predefined IANA network port for Intel AMT to send and receive data (Redirection/TLS). | MetricProvider, AtrsHost, AMTRedirectionService | No |
| ASF Protocol Plugin | UDP | Outbound/Inbound | 623 | Predefined IANA network port for ASF protocol to send and receive data. (RMCP - Remote Management and Control Protocol). | MetricProvider, AtrsHost | No |
| ASF Protocol Plugin | UDP | Outbound/Inbound | 664 | Predefined IANA network port for ASF protocol to send and received data. (RSP - RMCP Security Extensions Protocol). | MetricProvider, AtrsHost | No |
| EMC Protocol Plugin | TCP | Outbound | 443 | MetricProvider, AtrsHost | Yes | |
| HTTP Protocol Plugin | TCP | Outbound/Inbound | 80 | Predefined IANA network port for HTTP protocol to send and receive data. | MetricProvider, AtrsHost | No |
| IPMI Protocol Plugin | TCP | Outbound/Inbound | 623 | MetricProvider, AtrsHost | Yes | |
| SNMP Protocol Plugin | UDP | Outbound/Inbound | 161 | Predefined IANA network port for SNMP protocol for agents to listen to SNMP requests. | MetricProvider, AtrsHost | No |
| SNMP TrapListener Protocol Plugin | UDP | Inbound | 162 | Predefined IANA network port for SNMP protocol for listening to SNMP traps. | MetricProvider, AtrsHost | No |
| SNMP TrapListener Protocol | UDP | 1024-65536 | Four additional UDP ports are opened by net-SNMP open-source library used by our code. | MetricProvider, AtrsHost | ||
| SSH Protocol Plugin | TCP/UDP | Inbound/Outbound | 22 | Predefined network port for SSH protocol. | MetricProvider, AtrsHost | Yes |
| VMware Protocol Plugin | TCP | Inbound/Outbound | 80/443 | Default port for communication. | MetricProvider, AtrsHost | Yes |
| WMI Protocol Plugin | TCP | Inbound/Outbound | 135 | Default port for communication. | MetricProvider, AtrsHost | No |
| WS-MAN Protocol Plugin | TCP | Inbound/Outbound | 623 | Predefined IANA network port for WS-MAN protocol. | MetricProvider, AtrsHost | Yes |
| WS-MAN Protocol Plugin | TCP | Inbound/Outbound | 664 | Predefined IANA network port for WS-MAN protocol. | MetricProvider, AtrsHost | Yes |
| WMI Protocol Plugin | TCP/UDP | Inbound/Outbound | 1025-5000 | Dynamic ports for communication. | No | |
| WMI Protocol Plugin | TCP/UDP | Inbound/Outbound | 49152-65535 | Dynamic ports for communication. | No |
Power Scheme
Power Scheme solution works through the Symantec Management Agent. There is no difference from that of the Symantec Management Agent for Windows ports.
Real-Time System Management (RTSM\RTCI)
Real-Time System Management works through the Pluggable Protocol Architecture. There is no difference from that of the Pluggable Protocol Architecture component ports..
Server Management Suite Portal Page
The portal page contains web parts of other solutions or tasks from other solutions - i.e. covered with specifications for other solutions (Monitor, Discovery, PPA, Event Console, RTCI, Task Management, NS Server, etc).
Symantec Endpoint Protection Integration Component
Symantec Endpoint Protection Integration Component (SEPIC) relies on the ports configured for the Notification Server.
Software Management Framework
Software Management Framework works through the Symantec Management Agent. There is no difference from that of the Symantec Management Agent for Windows ports.
Software Management Solution - ULM
Software Management Solution - ULM works through the Symantec Management Agent. There is no difference from that of the Symantec Management Agent for ULM ports.
Software Management Solution - Windows
Software Management Solution for WIndows - works through the Symantec Management Agent. Software Portal works through the HTTP(s) port, configured for the Notification Server (80/443 by default).
Symantec Workflow
| Component | Protocol | Direction | Port | Connections | Service Name | Is configurable? |
|---|---|---|---|---|---|---|
| Workflow Server | TCP/IP | Inbound/Outbound | 80/443 | HTTP/HTTPS for ProcessManager Portal, etc. | SWFSVR | Yes |
| Server Extensions | TCP/IP | Inbound/Outbound | 11434 | Publishing from Workflow Designer. | Yes, but not recommended. | |
| Enterprise Management/Deployment | TCP/IP | Inbound/Outbound | 11436 | Deployment and registration from Workflow Enterprise Manager. | No | |
| Workflow Components | Various | Inbound/Outbound | Various | Workflow Designer is a development tool that allows the use of components to integrate with myriad systems and protocols. Ports will vary based on customers' designs and requirements. | Yes |
Virtual Machine Management
| Component | Protocol | Direction | Port | Connections | Is configurable? |
|---|---|---|---|---|---|
| VMware Protocol Plugin | TCP | Inbound/Outbound | 443 | Default port for communication. | Yes |
| MSHyperV Protocol Plugin | TCP | Inbound/Outbound | 135 | Default port for communication. | No |
Power Control Task
| Component | Protocol | Direction | Port | Connections | Is configurable? |
|---|---|---|---|---|---|
| Wake on Lan | TCP | Outbound | 50200 | Default port for communication. | Yes |
Additional Information
169520 TCP/UDP ports required in Ghost Solution Suite 3.X
Feedback
