1 Reply Latest reply on Jun 6, 2017 7:58 AM by cwinning

    Port requirement if the distribution server and the Console is 2 different machines

    sdionne000 Rookie

      I would like to know what the port requirements are for the following:

      I have a Console that would only be there for the scan

      A distribution server (local to the client)

      client (agentless)

       

      I saw the following but based on my situation I think some of the ports are not required at some sections

      Bidirectional

      TCP 137-139

      TCP 445

       

      Outbound

      TCP 5120

       

      Inbound

      TCP 3121

       

      Based on the above I would think

      Console requires the following ports outbound 137-139, 445, 5120 and inbound 3121 (is this required if I do not mind for the report back)

      Distribution server outbound 137-139, 445

      and client inbound 137-139, 445, 5120 outbound 3121

       

      The clients we want as little or no access outbound as possible (DMZ but not internet connected)

      Thanks

      Stephane

       

        • 1. Re: Port requirement if the distribution server and the Console is 2 different machines
          cwinning CommunityTeam

          Hello,

           

          For agentless scans: TCP 137-139 or TCP 445 is required from the Protect server to the client. Protect will try both if one is blocked.

          TCP 5120 is used for Shavlik Scheduler communication from the Protect server to the client.  It is not used bidirectionally.

          TCP 3121 is outbound from the client to the Protect server.  As you noted, it's only required if you want status updates from agentless deployments (it is also used for agent communication back to the Protect server).

          For the Distribution Server:  If using a UNC share, TCP 137-139 or TCP 445 is required bidirectionally.  This would be for syncing operations from the Protect server and then file requests from the client to the Distribution Server.  This setup isn't required (unless bandwidth is a concern) so you could remove the Distribution Server, thus removing the need for outbound ports TCP 137-139 or TCP 445.  You would have Protect push everything from itself.

           

          Let me know if you have any questions.

           

          Thanks,

          Charles
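
The flow matrix from the answer above, written as a small rule-set audit. This is an added example, not part of the original thread and not vendor code. The role names (`protect`, `client`, `distribution`), the function names and the sample rule set are assumptions made for the example, and "bidirectionally" is read as the two flows the reply names (Protect server to Distribution Server for sync, client to Distribution Server for file requests).

```python
# Flow matrix from the reply; role names are labels chosen for this example.
SMB = frozenset({137, 138, 139, 445})  # reply: 137-139 OR 445 is enough

def required_flows(use_distribution_server, want_status_updates):
    """Return (src, dst, ports, any_one_port_suffices) TCP flows."""
    flows = [
        ("protect", "client", SMB, True),                 # agentless scan
        ("protect", "client", frozenset({5120}), False),  # scheduler
    ]
    if want_status_updates:
        flows.append(("client", "protect", frozenset({3121}), False))
    if use_distribution_server:
        flows.append(("protect", "distribution", SMB, True))  # sync
        flows.append(("client", "distribution", SMB, True))   # file requests
    return flows

def audit(allowed, flows):
    """allowed: set of (src, dst, port) the firewall permits.
    Returns (missing flows, allowed rules that no flow needs)."""
    missing, needed = [], set()
    for src, dst, ports, any_one in flows:
        hits = {p for p in ports if (src, dst, p) in allowed}
        needed |= {(src, dst, p) for p in ports}
        if (any_one and not hits) or (not any_one and hits != ports):
            missing.append((src, dst, sorted(ports - hits)))
    return missing, sorted(allowed - needed)

def client_outbound(flows):
    """Ports the DMZ client must be allowed to open outbound."""
    return sorted((dst, p) for src, dst, ports, _ in flows
                  if src == "client" for p in ports)

# Constructed rule set modelled on the question's proposal (not a real export).
PROPOSED = (
    {("protect", "client", p) for p in (137, 138, 139, 445, 5120)}
    | {("distribution", "client", p) for p in (137, 138, 139, 445)}
    | {("client", "protect", 3121)}
)

if __name__ == "__main__":
    for ds in (True, False):
        flows = required_flows(ds, want_status_updates=False)
        missing, excess = audit(PROPOSED, flows)
        print("distribution server:", ds)
        print("  client outbound:", client_outbound(flows))
        print("  missing:", missing)
        print("  not needed:", excess)
```

With no Distribution Server and no status updates, the client needs no outbound rule at all, which matches the goal stated in the question.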