Ports and traffic destinations used by Network Security Platform
Technical Articles ID:   KB59342
Last Modified:  5/20/2019


Environment

McAfee Network Security Manager (NSM) 9.x, 8.x
McAfee Network Security Sensor Hardware
Network Threat Behavior Analysis Appliance 9.x, 8.x

Summary

NOTE: As a best practice, implement the Sensor and Manager management ports on the same internal network for security and management reasons.
| Port | Source | Destination | Description | Comments |
|---|---|---|---|---|
| 80 | Client | Manager | HTTP Port | Client to Manager: Webstart/JNLP, Console applets |
| 443 | Client | Manager | HTTPS | Client to Manager |
| 443 | Manager | NTBA Appliance | Command Channel (TCP) | Manager to NTBA Appliance. Communication is bidirectional |
| 3306 | Internal | Manager | Manager Database (MySQL or MariaDB) | Internal to Manager; can be used externally to connect to the database |
| 4166 | Manager | Sensor | Command Channel (UDP) | Source port for IPv6 Manager to Sensor Communication (Manager Java 1.7u45 and later). Communication between Sensor and Manager is bidirectional |
| 4167 | Manager | Sensor | Command Channel (UDP) | Source port for IPv4 Manager to Sensor Communication. Communication between Sensor and Manager is bidirectional |
| 8007 | Internal | Manager | Tomcat AJP 12 Port (TCP) | Internal to Manager |
| 8009 | Internal | Manager | Tomcat AJP 13 Port (TCP) | Internal to Manager |
| 8500 | Manager | Sensor | Command Channel (UDP) | Communication between Sensor and Manager is bidirectional |
| 8501 | Sensor | Manager | Install Port/Channel (TCP) | Communication between Sensor and Manager is bidirectional |
| 8502 | Sensor | Manager | Alert Channel (Control Channel) (TCP) | Communication between Sensor and Manager is bidirectional |
| 8503 | Sensor | Manager | Packet Log Channel (TCP) | Communication between Sensor and Manager is bidirectional |
| 8504 | Sensor | Manager | File Transfer Channel (TCP) | Communication between Sensor and Manager is bidirectional |
| 8506 | Sensor | Manager | Install channel (TCP) (2048-bit) | Communication between Sensor and Manager is bidirectional |
| 8507 | Sensor | Manager | Alert channel (TCP) (2048-bit) | Communication between Sensor and Manager is bidirectional |
| 8508 | Sensor | Manager | Packet log channel (TCP) (2048-bit) | Communication between Sensor and Manager is bidirectional |
| 8509 | Sensor | Manager | Bulk file transfer channel for 2048-bit certificates (TCP) | Communication between Sensor and Manager is bidirectional |
| 8510 | Sensor | Manager | Bulk file transfer channel for 1024-bit certificates (TCP) | Communication between Sensor and Manager is bidirectional |
| 8551 | Internal | Manager | Lumos Nameserver (TCP) | Internal to Manager (RMI/IIOP) |
| 8552 | Internal | Manager | JONAS Nameserver (TCP) | Internal to Manager (RMI) |
| 8555 | Client | Manager | Alert Viewer (TCP) | Client to Manager SSL/TCP/IP |
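
An added example (not part of the McAfee article): a flow audit that checks flow records against the Manager port table above, plus the ePO and ESM rows for port 3306 from the integration tables later on this page. It assumes each record is initiator-to-responder, as in a stateful firewall log; the IP addresses, role names and verdict strings are constructed for illustration, and rows from the other tables would be added to `DOCUMENTED` the same way.

```python
from typing import NamedTuple

class Flow(NamedTuple):
    src: str    # initiator IP
    dst: str    # responder IP
    proto: str  # "tcp" or "udp"
    dport: int  # responder port

# (proto, port) -> allowed (source role, destination role), transcribed from
# this page. Role names are labels chosen for this example.
SENSOR_TCP = (8501, 8502, 8503, 8504, 8506, 8507, 8508, 8509, 8510)
DOCUMENTED = {
    ("tcp", 80): {("client", "manager")},
    ("tcp", 443): {("client", "manager"), ("manager", "ntba")},
    ("tcp", 8555): {("client", "manager")},
    ("udp", 8500): {("manager", "sensor")},
    ("tcp", 3306): {("epo", "manager"), ("esm", "manager")},
    **{("tcp", p): {("sensor", "manager")} for p in SENSOR_TCP},
}
# Rows marked "Internal to Manager" with no external use mentioned.
INTERNAL_ONLY = {8007, 8009, 8551, 8552}

def classify(flow, roles):
    pair = (roles.get(flow.src, "unknown"), roles.get(flow.dst, "unknown"))
    if pair[1] == "manager" and flow.proto == "tcp" and flow.dport in INTERNAL_ONLY:
        # Tomcat AJP and the RMI name servers should only be reached locally.
        return "documented" if flow.src == flow.dst else "internal-port-exposed"
    if pair in DOCUMENTED.get((flow.proto, flow.dport), set()):
        # 8510 is the bulk transfer channel for 1024-bit certificates.
        return "documented-1024-bit" if flow.dport == 8510 else "documented"
    return "undocumented"

def audit(flows, roles):
    return [(f, classify(f, roles)) for f in flows]

# Constructed sample data: addresses and role assignments are made up.
ROLES = {"10.0.0.10": "manager", "10.0.0.21": "sensor",
         "10.0.0.50": "client", "10.0.0.60": "epo"}
SAMPLE = [
    Flow("10.0.0.21", "10.0.0.10", "tcp", 8507),  # Sensor alert channel
    Flow("10.0.0.50", "10.0.0.10", "tcp", 8009),  # AJP reached from a client
    Flow("10.0.0.50", "10.0.0.10", "tcp", 3306),  # client talking to the DB
    Flow("10.0.0.60", "10.0.0.10", "tcp", 3306),  # ePO dashboard integration
    Flow("10.0.0.21", "10.0.0.10", "tcp", 8510),  # 1024-bit bulk transfer
    Flow("10.0.0.10", "10.0.0.21", "udp", 8500),  # Manager command channel
    Flow("192.0.2.7", "10.0.0.10", "tcp", 8502),  # host with no assigned role
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE, ROLES):
        print(f"{verdict:22} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
```
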
 
 
If you have Email Notification or SNMP Forwarding configured on the Manager, and there is a firewall residing between the Manager and your SMTP or SNMP Server, you must ensure that the following ports are also allowed through:
 
| Port | Description | Comments |
|---|---|---|
| 25 | SMTP Port | Manager to SMTP Server |
| 162 | SNMP Forwarding | Manager to SNMP Server |
 

IMPORTANT: NSP product documentation states that you must disable other web services before installing the Manager. This requirement exists because the Manager server must integrate with the Apache server that is shipped with the Manager installation package. If other web services that use ports 80 and 443 are not disabled, the Manager installation fails because it is not able to run the Apache server.

Ports used by the Sensor:
 
| Port | Description | Comments |
|---|---|---|
| 22 | SSH | SSH connection for command-line access to Sensor and Secure Copy from the Sensor to an SCP server for a manual loadimage or loadconfiguration. |


Ports used for lookups and updates:
 
| Port | Source | Destination | Comments |
|---|---|---|---|
| 53 UDP | Sensor | avqs.mcafee.com, avts.mcafee.com (via DNS query to defined DNS server) | McAfee GTI File Reputation query |
| 80 TCP | NSM Appliance | *.windowsupdate.com, update.microsoft.com | Microsoft Windows Updates |
| 80 TCP | NSM | download.nai.com | For downloading Botnet Detectors |
| 443 TCP | NSM | menshen.intruvert.com, menshen1.intruvert.com | NSP updates (can also be downloaded out-of-band and applied manually) |
| 443 TCP | NSM | gti-api.mcafee.com | McAfee GTI botnet detectors update; GTI participation information |
| 443 TCP | NSM/Sensor | tunnel.web.trustedsource.org | McAfee GTI IP reputation query |
| 443 TCP | NSM Appliance | update.microsoft.com | Microsoft Windows Updates (NSM Appliances) |
| 443 TCP | Sensor | tau-usa.mcafee.com | Gateway Anti-Malware engine (GAM) downloads |
| 443 TCP | Sensor | tau.mcafee.com, tau-europe.mcafee.com, tau-usa2.mcafee.com, tau-usa1.mcafee.com, tau-usa.mcafee.com, tau-asia.mcafee.com | Anti-malware downloads |
| 443 TCP | Sensor | mwg-update.mcafee.com | Anti-malware downloads |


Third-party communications:
In addition to the communications channels between the components of NSP, additional communications can take place with third-party systems, including external syslog servers, SNMP monitoring systems, and authentication services.
 
| Port/Protocol | Source | Destination | Purpose |
|---|---|---|---|
| 25 TCP | NSM | $smtp-mta-server | Email notifications |
| 49 TCP | Sensor | $tacacs+-server | TACACS+ based authentication to Sensor for command line interface |
| 69 UDP | Sensor | $tftp-server | TFTP server used for loadimage/netboot to install/update Sensor software |
| 162 UDP | NSM | $snmp-server | SNMP trap notifications |
| 389 TCP | NSM | $ldap-server | LDAP-based authentication to NSM for GUI client |
| 514 TCP/UDP | NSM | $syslog-server | Notifications via syslog, standard UDP, or optionally TCP |
| 636 TCP | NSM | $ldaps-server | LDAPS-based authentication to NSM for GUI client |
| 1812 UDP | NSM | $radius-server | RADIUS-based authentication to NSM for GUI client |


Network Threat Behavior Analysis (NTBA) communications: 
NTBA appliances (virtual or physical) are similar to NSP Sensors, but their function is focused on analyzing network flows, which supports the overall analysis.
 
| Port | Source | Destination | Purpose |
|---|---|---|---|
| 22 TCP | Any | NTBA | SSH connection for command-line access to Sensor |
| 22 TCP | NTBA | $netflow-exporter | Router ACL channel |
| 53 UDP | NTBA | $dns-server | DNS queries |
| 80 TCP | NTBA | tunnel.web.trustedsource.org, list.smartfilter.com | GTO database download |
| 111 TCP/UDP | NTBA | $backup-server | NFS (optional) portmapper, for backups |
| 137 UDP | NTBA | <any> | NetBIOS lookups |
| 161 UDP | NTBA | $netflow-exporter | SNMP queries (2c/3) |
| 443 TCP | NTBA | tunnel.web.trustedsource.org | McAfee GTI IP reputation query |
| 443 TCP | NTBA | tau-usa.mcafee.com | Gateway Anti-Malware engine (GAM) downloads |
| 443 TCP | NTBA | tau.mcafee.com | Anti-malware downloads |
| 445 TCP | NTBA | $backup-server | CIFS backups (optional) |
| 2049 TCP | NTBA | $backup-server | NFS (optional) for backups |
| 8444 TCP | NTBA | ePO | For certificate signing |
| 8501 TCP | NTBA | NSM | Install/control channel |
| 8502 TCP | NTBA | NSM | Alert channel |
| 8504 TCP | NTBA | NSM | File transfer channel |
| 8505 TCP | Sensor | NTBA | IPS channel (SSL AES-128 SHA-1) |
| 9008 UDP | EIA | NTBA | EIA service (DTLS) |
| 9996 UDP | $netflow-exporter | NTBA | NetFlow channel |

NOTE: Some of the ports and protocols listed are optional; their use depends on your specific configuration.


ePolicy Orchestrator (ePO) communications: 
 
| Port | Source | Destination | Comments |
|---|---|---|---|
| 8501 TCP | ePO | NSM | [HIPS] Establish trust for HIPS push notifications |
| 8502 TCP | ePO | NSM | [HIPS] HIPS event push notifications |
| 8503 TCP | ePO | NSM | [HIPS] HIPS event push notifications |
| 3306 TCP | ePO | NSM | [NSM -> ePO integration] Database connection to enable NSM-related dashboards in ePO console |
| 8443 TCP | NSM | ePO | [ePO -> NSM integration] NSM pull/query of host information from ePO; requires NSM extension installation on ePO |


Logon Collector:
 
| Port | Source | Destination | Comments |
|---|---|---|---|
| 61641 | NSM | MLC Server | JMS communications between the Logon Collector and the NSM |


McAfee Vulnerability Manager (MVM) communications:
 
| Port | Source | Destination | Comments |
|---|---|---|---|
| 1433 TCP | NSM | MVM | Microsoft SQL Server connection for scheduled pull of scan results |
| 3801 TCP | NSM | MVM | NSM command channel for initiating on-demand scans (SSL encrypted proprietary connection) |


Advanced Threat Defense (ATD) communications:
 
| Port | Source | Destination | Comments |
|---|---|---|---|
| 443 TCP | NSM | ATD | REST API communication |
| 8505 TCP | Sensor | ATD | Communication channel for Sensor data |


Enterprise Security Manager (ESM) communications:
 
| Port | Source | Destination | Comments |
|---|---|---|---|
| 443 TCP | ESM | NSM | Access to NSM data |
| 3306 TCP | ESM | NSM | Database queries |


Network Security Central Manager (NSCM) communications:
 
| Port | Source | Destination | Comments |
|---|---|---|---|
| 443 TCP | NSM | NSCM | HTTPS |
| 443 TCP | NSCM | NSM | HTTPS |

Previous Document ID

NAI32000
