Required communication ports for Threat Intelligence Exchange, Data Exchange Layer, and Advanced Threat Defense
Technical Articles ID: KB83713
Last Modified: 3/15/2019


Environment

McAfee Advanced Threat Defense (ATD) (DXL and TIE supported versions)
McAfee Data Exchange Layer (DXL) 5.x, 4.x, 3.x
McAfee ePolicy Orchestrator (ePO) - all supported versions
McAfee Threat Intelligence Exchange (TIE) Server 2.x

For details of ePO supported environments, see KB51569.

Summary

Ensure that the following ports are open to allow TIE, DXL, and ATD communication.

For this article:
  • Bidirectional - The connection can be initiated from either direction.
  • Inbound - The remote system initiates the connection.
  • Outbound - The local system initiates the connection.
NOTES:
  • The TIE server needs to reach the Internet. In addition to opening the following ports, if your network environment uses a web proxy to access the Internet, you need to take the following action:

    Specify the proxy settings in the Proxy Settings for GTI Requests section on the General tab of the Threat Intelligence Exchange Server Management policy.

  • You only need to open the ports used for ATD file evaluation if you have enabled ATD on the Advanced Threat Defense tab of the TIE Server Management policy.
  • This article lists the default ports used for each product component. If you specified custom ports during the setup of these components, ensure that you open the custom port instead of the default port specified in this article.

ePO server:
See KB66797 for a list of required ports.

McAfee Agent:
See KB66797 for a list of required ports.

DXL Client:
Default Port | Protocol | Traffic Direction | Description and Comments
8883 | TCP | Outbound connection to DXL brokers |
N/A | ICMP | Outbound connection to DXL brokers | DXL broker selection process. The DXL client uses a hop count to determine the closest DXL broker, and uses ICMP types 0, 3, 8, and 11 as part of normal operation.

TIE Client:
Default Port | Protocol | Traffic Direction | Description and Comments
80 | TCP | Outbound connection to TIE server | File upload to TIE server for ATD analysis. NOTE: For TIE 1.2.0 (and earlier).
443 | TCP | Outbound connection to McAfee GTI service (tie.gti.mcafee.com) | Offline GTI reputation lookups.
443 | TCP | Outbound connection to TIE server | Optional file upload to TIE server for ATD analysis. NOTE: Required for TIE 1.2.1 (and later).

DXL Broker:
Default Port | Protocol | Traffic Direction | Description and Comments
22 | TCP (SSH) | Inbound connection from console client | (Optional) SSH console to DXL/TIE appliances.
53 | UDP/TCP | Outbound connection to internal DNS services |
80 | TCP | Outbound connection to ePO/Agent Handler | See McAfee Agent in KB66797.
123 | UDP | Outbound connection to NTP time servers |
443 | TCP | Outbound connection to ePO/Agent Handler | See McAfee Agent in KB66797.
8081 | TCP | Inbound connection from ePO/Agent Handler |
8443 | TCP | Outbound connection to ePO | Required only during DXL installation to configure McAfee Agent.
8883 | TCP | Outbound connection to DXL brokers | Connectivity to other DXL brokers.
8883 | TCP | Inbound connection from DXL clients/DXL broker hub pair |

TIE Server:
Default Port | Protocol | Traffic Direction | Description and Comments
22 | TCP | Outbound connection from TIE secondary to TIE primary (1) | Required only during initial TIE secondary configuration.
22 | TCP (SSH) | Inbound connection from console client | (Optional) SSH console to DXL/TIE appliances.
53 | UDP/TCP | Outbound connection to internal DNS services | Required for GTI lookups; otherwise you can configure the hosts file with the GTI server IP addresses.
80 | TCP | Outbound connection to ePO/Agent Handler | See McAfee Agent in KB66797.
80 | TCP | Inbound connection from TIE client (ATD file upload) | File upload from TIE client to TIE server (for ATD analysis). NOTE: For TIE 1.2.0 (and earlier). While this port is still opened in TIE server 2.0.0, unencrypted ATD file submission from the client is disabled by default.
80 | TCP | Outbound connection from TIE secondary to TIE primary (1) | Required during TIE secondary configuration (initial and on service restart). Unencrypted connection to TIE REST API. NOTE: For TIE 1.2.1 (and later).
123 | UDP | Outbound connection to NTP time servers |
443 | TCP | Outbound connection to ePO/Agent Handler | See McAfee Agent in KB66797.
443 | TCP | Outbound connection to McAfee GTI service (tie.gti.mcafee.com) | TIE reputation lookups. The connection can be proxied.
443 | TCP | Inbound connection from TIE client (ATD file upload) | Secure file upload from TIE client to TIE server (for ATD analysis). NOTE: Required for TIE 1.2.1 (and later).
443 | TCP | Outbound connection from TIE secondary to TIE primary (1) | Required during TIE secondary configuration (initial and on service restart). Secure connection to TIE REST API. NOTE: Required for TIE 1.2.1 (and later).
5432 | TCP | Inbound connection from ePO Application server | ePO connectivity; applies only to the TIE server used for the ePO reporting function.
5432 | TCP | Inbound connection from secondary TIE servers to primary TIE server (1) | Replication traffic sent from secondary TIE servers to primary TIE servers.
8081 | TCP | Inbound connection from ePO/Agent Handler | See McAfee Agent in KB66797.
8443 | TCP | Outbound connection to ePO | Required only during TIE server installation to configure McAfee Agent.
8883 | TCP | Outbound connection to DXL brokers |

(1) As of TIE Server version 2.1.0, the naming convention for Master and Slave operations changed to Primary and Secondary: Master becomes Primary and Slave becomes Secondary. Previous versions of TIE Server retain the original Master/Slave designations.

ATD Appliance:
Default Port | Protocol | Traffic Direction | Description and Comments
21 | TCP (FTP) | Inbound connection from client to ATD | Access to the FTP servers on Advanced Threat Defense.
22 | TCP (SFTP) | Inbound connection from administrator client | Upload of ATD software updates and images.
80 | TCP | Outbound connection to ePO/Agent Handler | See McAfee Agent in KB66797.
443 | TCP | Outbound connection to ePO/Agent Handler |
80 | TCP (HTTP) | Outbound connection to URL update service (list.smartfilter.com) | URL updates.
443 | TCP (HTTPS) | Inbound connection from user console/REST API | Communication between the Manager and Advanced Threat Defense through the RESTful APIs.
443 | TCP (HTTPS) | Inbound connection from TIE servers | File upload from TIE server to ATD appliance.
443 | TCP (HTTPS) | Outbound connection to McAfee GTI service (tunnel.message.trustedsource.org) | Outbound connectivity from the ATD management interface for GTI reputation lookups. The connection can be proxied.
443 | TCP (HTTPS) | Outbound connection to McAfee update servers: wpm.webwasher.com, wpm1-2.webwasher.com, wpm1-3.webwasher.com, wpm1-4.webwasher.com, wpm-usa.webwasher.com, wpm-usa1.webwasher.com, wpm-usa2.webwasher.com, wpm-asia.webwasher.com, tau.mcafee.com, tau1-2.mcafee.com, tau1-3.mcafee.com, tau1-4.mcafee.com, tau-usa.mcafee.com, tau-usa1.mcafee.com, tau-usa2.mcafee.com, tau-manual.mcafee.com, tau-ldv1.securelabs.webwasher.com, tau-ldv2.securelabs.webwasher.com, tau-ldv3.securelabs.webwasher.com, tau-europe.mcafee.com, tau-dnv1.securelabs.webwasher.com, tau-dnv2.securelabs.webwasher.com, tau-dnv3.securelabs.webwasher.com, tau-asia.mcafee.com, rpns.mcafee.com, mwg-update.mcafee.com | Updates for McAfee Gateway Anti-Malware Engine and McAfee Anti-Malware Engine. The connection can be proxied.
443 | TCP (HTTPS) | Outbound connection to atdupdate.mcafee.com | Updates for the Advanced Threat Defense software. The update includes new detection and application packages.
2222 | TCP (SSH) | Inbound connection from console | Console CLI access.
6080 | TCP (HTTPS) | Inbound connection from console | For the VM activation process and X-mode.
8081 | TCP | Inbound connection from ePO/Agent Handler | See McAfee Agent in KB66797.
8883 | TCP | Outbound connection to DXL brokers | DXL client connectivity.
8443 | TCP | Outbound connection to ePO Application Server | Determine host operating system for sandbox analysis.
8505 | TCP | Bidirectional | Communication channel between a Sensor and Advanced Threat Defense.
ANY (2) | TCP | Outbound connection to malware source (from dedicated malware interface) | Outbound connection from the ATD malware interface to malware source sites for additional downloads. The connection can be proxied.

(2) When deploying ATD, provide a separate, segmented network where malware being analyzed attempts to download additional payloads. This can be facilitated by using the secondary NIC on an ATD appliance. This connection requires a dedicated IP address, which allows you to reduce connectivity from ANY ports to reflect your outbound access policies.
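The following pre-flight checker is an added example, not part of this article or of any McAfee tool: it encodes the outbound TCP dependencies from the DXL Client, DXL Broker, and TIE Server tables above and reports which endpoints cannot be reached from the host it runs on. The component names, the dictionary layout, and the placeholder hostnames in angle brackets are this example's own conventions; substitute your ePO/Agent Handler and DXL broker hostnames.

```python
import socket

# Outbound TCP dependencies per component, from the port tables in this article
# (default ports; substitute custom ports if you changed them). <angle-bracket>
# names are placeholders for your own hosts. UDP (DNS 53, NTP 123) and the DXL
# client's ICMP use are omitted because a TCP connect cannot verify them.
REQUIRED_OUTBOUND_TCP = {
    "dxl_client": [("<dxl-broker>", 8883, "DXL broker")],
    "dxl_broker": [
        ("<epo-or-agent-handler>", 80, "ePO/Agent Handler (see KB66797)"),
        ("<epo-or-agent-handler>", 443, "ePO/Agent Handler (see KB66797)"),
        ("<dxl-broker>", 8883, "Other DXL brokers"),
    ],
    "tie_server": [
        ("<epo-or-agent-handler>", 80, "ePO/Agent Handler (see KB66797)"),
        ("<epo-or-agent-handler>", 443, "ePO/Agent Handler (see KB66797)"),
        ("tie.gti.mcafee.com", 443, "GTI reputation lookups (may be proxied)"),
        ("<dxl-broker>", 8883, "DXL broker"),
    ],
}

def check_tcp(host, port, timeout=3.0):
    """Return (reachable, detail) for one TCP endpoint; no payload is sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.gaierror as exc:  # name did not resolve: check DNS (port 53) first
        return False, "DNS resolution failed: %s" % exc
    except OSError as exc:  # refused, timed out or unreachable: check the firewall path
        return False, "%s: %s" % (type(exc).__name__, exc)

def build_plan(component, hosts):
    """Fill <placeholders> from the hosts dict; unknown keys are left as-is."""
    return [(hosts.get(host.strip("<>"), host), port, why)
            for host, port, why in REQUIRED_OUTBOUND_TCP[component]]

def run_checks(component, hosts, timeout=3.0):
    """Probe every endpoint in the plan and return the list of failures."""
    failures = []
    for host, port, why in build_plan(component, hosts):
        ok, detail = check_tcp(host, port, timeout)
        print("%s %s:%d (%s) %s" % ("PASS" if ok else "FAIL", host, port, why, detail))
        if not ok:
            failures.append((host, port, why, detail))
    return failures

if __name__ == "__main__":  # hypothetical hostnames; replace with your own
    bad = run_checks("tie_server", {"epo-or-agent-handler": "epo.example.internal",
                                    "dxl-broker": "dxl1.example.internal"})
    raise SystemExit(1 if bad else 0)
```

Run it on the component itself (for example on the TIE server appliance) so the probe traverses the same firewall path as the product; a GTI failure with a DNS detail points at port 53 or the hosts file, while a refused or timed-out connect points at the egress rule or proxy.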
