Required ports, protocols, and services for the Management Center appliance

Article ID: 255068

Products

Management Center

Issue/Introduction

You want to know the required ports, protocols, and services for the Management Center appliance.

Resolution

Depending on your Management Center appliance configuration, you must open certain ports and protocols on your firewalls for the appliance to function as intended, to use enabled features, or to allow connectivity to various components and data centers. This article presents the basic configuration and some commonly used options.

Important Notice
As of Saturday, April 11, 2020, the Symantec Licensing services IP address changes shown in the following table take effect.

Service Host | Symantec IP Address (Old) | Broadcom IP Address (New)
validation.es.bluecoat.com | 155.64.49.136 | 192.19.237.101
bto-services.es.bluecoat.com | 155.64.49.131 | 192.19.237.99
device-services.es.bluecoat.com | 155.64.49.132 | 192.19.237.100
download.bluecoat.com | 155.64.49.133 | 192.19.237.102
services.bluecoat.com | 155.64.49.135 | 192.19.237.103
abrca.bluecoat.com | 155.64.49.137 | 192.19.237.69


Inbound Connections to Management Center

Service | Port | Protocol | Configurable? | Source | Description
Web UI | 8080, 8082 | TCP | No | User's client | Management Center web console*
CLI | 22 | TCP | No | User's client | Management Center CLI shell access
Web API | 8082 | TCP | No | User's client | Management Center API using HTTPS
Statistics Collector | 9009 | TCP | No | Blue Coat ProxySG appliance/Advanced Secure Gateway/SSL Visibility | Performance statistics data sent by monitored assets using HTTP*
Statistics Collector | 9010 | TCP | No | ProxySG appliance/Advanced Secure Gateway/SSL Visibility | Performance statistics data sent by monitored assets using HTTPS*
Management Center Failover | 2025 | TCP | No | Alternate Management Center appliance in a failover cluster | Used to transmit state and other pertinent information between the primary and secondary Management Center appliances in a failover pair

*Ports 8080 and 9009 are disabled by default on new deployments. If you upgrade from version 1.x to version 2.x and ports 8080 and 9009 were previously enabled in version 1.x (with the security http enable command), they remain open after the upgrade to 2.x.

Outbound Connections from Management Center

Service | Port | Protocol | Configurable? | Destination | Description
LDAP/LDAPS | 10389, 389, 636 | TCP | Yes | LDAP server | Authentication
Active Directory | 10389, 389, 636 | TCP | Yes | Active Directory server | Authentication
RADIUS | 1812 | UDP/TCP | Yes | RADIUS server | Authentication
RADIUS | 1813 | UDP/TCP | Yes | RADIUS server | Accounting
SMTP | 25 | TCP | Yes | SMTP server | SMTP alerts
SNMP Trap | 162 | UDP | Yes | Trap receiver | SNMP traps
HTTP Proxy | 8080 | TCP | Yes | HTTP proxy | Updates
NTP | 123 | UDP/TCP | No | NTP server list | Time sync to customer-configured NTP time server
HTTP | 80 | TCP | No | Symantec (https://support.symantec.com) | License activation, the latest release information, and documentation
HTTPS | 443 | TCP | No | Symantec (https://support.symantec.com) | License activation, Web Application Firewall (WAF) subscription, the latest release information, and documentation
DNS | 53 | UDP/TCP | No | DNS server | FQDN lookups
ProxySG/ASG | 22 | TCP | No | ProxySG appliance/Advanced Secure Gateway | ProxySG appliance monitoring and management
ProxySG/ASG | 8082 | TCP | No | ProxySG appliance/Advanced Secure Gateway | System image upload
SSH access to managed devices | 22 | TCP | No | All managed devices | Device script support for appliances with SSH access; CLI shell
SCP access to external servers | 22 | TCP | No | All managed devices and other hosts that Management Center exports data to | Importing and exporting data: Management Center and device backups, diagnostics, PCAP transfer
MA | 443 | TCP | No | Malware Analysis | Health monitoring and backup
PacketShaper® | 80/443 | TCP | No | PacketShaper® | Health monitoring (unencrypted/encrypted)
Reporter | 8080/8082 | TCP | No | Reporter | Reporter API (unencrypted/encrypted)
Management Center | 2025 | TCP | No | Alternate Management Center appliance in a failover cluster | Used to transmit state and other pertinent information between the primary and secondary Management Center appliances in a failover pair
CA | 8080/8082 | TCP | No | Content Analysis | Health monitoring (unencrypted/encrypted)
SSL Visibility | 443 | TCP | No | SSL Visibility | Health monitoring and configuration sync

Required IP Addresses and URLs
Ensure connectivity from Management Center to the following URLs.

URL | Protocol | Port | Description
199.19.250.195, 199.116.168.195 | HTTPS (TCP) | 443 | Web Security Service policy updates
https://telemetry.broadcom.com | HTTPS (TCP) | 443 | Sends appliance usage data to Broadcom. The option must be explicitly enabled, but PLA customers are required to enable it. Personally Identifiable Information that is covered under GDPR is never transmitted.
validation.es.bluecoat.com | HTTPS (TCP) | 443 | Validates the license every 5 minutes. After successful validation, validation occurs every hour.
bto-services.es.bluecoat.com | HTTPS (TCP) | 443 | Validates the license
device-services.es.bluecoat.com | HTTPS (TCP) | 443 | License related
services.es.bluecoat.com | HTTPS (TCP) | 443 | License related
abrca.bluecoat.com | HTTPS (TCP) | 443 | Symantec CA
appliance.bluecoat.com | HTTPS (TCP) | 443 | Trust package downloads
subscription.es.bluecoat.com | HTTPS (TCP) | 443 | Subscription services
upload.bluecoat.com | HTTPS (TCP) | 443 | Upload diagnostic reports to Symantec support
sgapi.es.bluecoat.com | HTTPS (TCP) | 443 | Universal VPM policy
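As an added example (not Broadcom's or Symantec's code, and not part of this article), the following Python script encodes the licensing IP change table and the inbound port table above as data and audits a firewall configuration against them: it flags allow-list entries that still match the retired Symantec addresses (a rule written for the old 155.64.49.x range keeps matching those addresses but never the new 192.19.237.x ones, so license validation fails silently after the cutover), lists required inbound ports that a policy omits (treating the plain-HTTP listeners 8080 and 9009 as optional, since they are disabled by default on new deployments), and classifies what each licensing host resolves to. The allow-list, firewall policy and resolver answers used in the demo run are constructed sample input; the resolver is injectable so the checks run offline, and only the separate tcp_reachable helper touches the network.

```python
"""Offline audit helpers for the Management Center firewall requirements.

Added example, not Broadcom's or Symantec's code. The host/IP and port data
below is transcribed from the article; the allow-lists, firewall policies and
resolver results fed to the functions are constructed sample input so that
everything runs without network access.
"""
import ipaddress
import socket

# Licensing hosts that moved from Symantec to Broadcom addresses (from the article):
# hostname -> (old Symantec IP, new Broadcom IP)
LICENSING_IP_CHANGES = {
    "validation.es.bluecoat.com":      ("155.64.49.136", "192.19.237.101"),
    "bto-services.es.bluecoat.com":    ("155.64.49.131", "192.19.237.99"),
    "device-services.es.bluecoat.com": ("155.64.49.132", "192.19.237.100"),
    "download.bluecoat.com":           ("155.64.49.133", "192.19.237.102"),
    "services.bluecoat.com":           ("155.64.49.135", "192.19.237.103"),
    "abrca.bluecoat.com":              ("155.64.49.137", "192.19.237.69"),
}

# Inbound listeners on the appliance (from the article's inbound table).
# plain_http=True marks the unencrypted listeners (8080, 9009) that are
# disabled by default on new 2.x deployments.
INBOUND = [
    # (service, port, protocol, plain_http)
    ("Web UI (HTTP)",                8080, "TCP", True),
    ("Web UI / Web API (HTTPS)",     8082, "TCP", False),
    ("CLI (SSH)",                      22, "TCP", False),
    ("Statistics Collector (HTTP)",  9009, "TCP", True),
    ("Statistics Collector (HTTPS)", 9010, "TCP", False),
    ("Failover peer",                2025, "TCP", False),
]


def stale_allowlist_entries(allowlist):
    """Return (entry, hostname, new_ip) for each allow-list entry (a single IP
    or a CIDR block) that still covers a retired Symantec licensing address."""
    stale = []
    for entry in allowlist:
        net = ipaddress.ip_network(entry, strict=False)
        for host, (old_ip, new_ip) in LICENSING_IP_CHANGES.items():
            if ipaddress.ip_address(old_ip) in net:
                stale.append((entry, host, new_ip))
    return stale


def missing_inbound_rules(policy, allow_plain_http=False):
    """policy: set of (port, protocol) the firewall permits toward the appliance.

    Returns the required (service, port, protocol) entries the policy does not
    cover. Plain-HTTP listeners count only when the administrator has enabled
    them (allow_plain_http=True); otherwise they are expected to stay closed.
    """
    missing = []
    for service, port, proto, plain_http in INBOUND:
        if plain_http and not allow_plain_http:
            continue
        if (port, proto) not in policy:
            missing.append((service, port, proto))
    return missing


def verify_resolution(resolver=socket.gethostbyname):
    """Resolve each licensing host and classify the answer against the table.

    resolver is injectable so the check can run offline with a fake; the
    default performs a live DNS lookup.
    """
    report = {}
    for host, (old_ip, new_ip) in LICENSING_IP_CHANGES.items():
        try:
            answer = resolver(host)
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            report[host] = f"unresolved ({exc})"
            continue
        if answer == new_ip:
            report[host] = "ok"
        elif answer == old_ip:
            report[host] = f"stale: resolves to retired Symantec IP {answer}"
        else:
            report[host] = f"unexpected: {answer}"
    return report


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within timeout.
    This is a live network probe and is not used by the offline checks above."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed sample firewall data for the demo run.
    allowlist = ["155.64.49.128/27", "192.19.237.101", "10.0.0.0/8"]
    for entry, host, new_ip in stale_allowlist_entries(allowlist):
        print(f"{entry}: still matches retired IP for {host}; add {new_ip}")
    policy = {(8082, "TCP"), (22, "TCP")}
    for service, port, proto in missing_inbound_rules(policy):
        print(f"missing inbound rule: {service} {port}/{proto}")
```

Run it as a script for the demo output, or import it and pass your own allow-list and policy. Keeping the tables as data rather than hard-coding them into the checks makes it easy to add the outbound table in the same shape if you also want to audit egress rules.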