Required communication ports for Threat Intelligence Exchange, Data Exchange Layer, and Advanced Threat Defense

Technische artikelen ID: KB83713
Laatst gewijzigd: 8/12/2021

Omgeving

McAfee Advanced Threat Defense (ATD) (DXL and TIE supported versions)
McAfee Data Exchange Layer (DXL) 5.x, 4.x
McAfee ePolicy Orchestrator (ePO) - all supported versions
McAfee Threat Intelligence Exchange (TIE) Server - all supported versions

For details of ePO supported environments, see KB51569.
For details of TIE Server supported environments, see KB83368.

Samenvatting

Make sure that the following ports are open to allow TIE, DXL, and ATD communication.

For this article:

Bidirectional - The connection can be initiated from either direction.
Inbound - The remote system initiates the connection.
Outbound - The local system initiates the connection.

NOTES:

The TIE Server needs to reach the internet. In addition to opening the following ports, if your network environment uses a web proxy to access the internet, you need to take the following action:

Specify the proxy settings in the Proxy Settings for GTI Requests section on the General tab of the TIE Server Management policy.
You only need to open the ports used for ATD file evaluation if you have enabled ATD on the Advanced Threat Defense tab of the TIE Server Management policy.
This article lists the default ports used for each product component. If you specified custom ports during the setup of these components, make sure that you open the custom port instead of the default port specified in this article.

ePO server:
See KB66797 for a list of required ports.

McAfee Agent:

See KB66797 for a list of required ports.

DXL Client:

Default Port	Protocol	Traffic Direction	Description and Comments
8883	TCP	Outbound connection to DXL brokers
	ICMP	Outbound connection to DXL brokers	DXL broker selection process. The DXL client uses a hop count to determine the closest DXL broker. The DXL client uses ICMP types 0, 3, 8, and 11 as part of normal operation.

TIE Client:

Default Port	Protocol	Traffic Direction	Description and Comments
80	TCP	Outbound connection to TIE server	File upload to TIE Server for ATD analysis NOTE: For TIE 1.2.0 and earlier.
443	TCP	Outbound connection to McAfee GTI service (tie.gti.mcafee.com); Outbound connection to TIE server	Offline GTI reputation lookups. Optional file upload to TIE Server for ATD analysis NOTE: Required for TIE 1.2.1 and later.

DXL Broker:

Default Port	Protocol	Traffic Direction	Description and Comments
22	TCP (SSH)	Inbound connection from console client	(Optional) SSH console to DXL/TIE appliances.
53	UDP/TCP	Outbound connection to internal DNS services
80	TCP	Outbound connection to ePO/Agent Handler	See McAfee Agent in KB66797.
123	UDP	Outbound connection to NTP time servers
443	TCP	Outbound connection to ePO/Agent Handler	See McAfee Agent in KB66797.
8081	TCP	Inbound connection from ePO/Agent Handler	See McAfee Agent in KB66797.
8443	TCP	Outbound connection to ePO	Required only during DXL installation to configure McAfee Agent.
8883	TCP	Outbound connection to DXL brokers	Connectivity to other DXL brokers.
8883	TCP	Inbound connection from DXL clients/DXL broker hub pair
8883	TCP	Inbound Connection from ePO	ePO DXL java client connects to DXL broker via 8883

TIE Server:

Default Port	Protocol	Traffic Direction	Description and Comments
22	TCP	Outbound connection from TIE secondary to TIE primary¹	Required only during initial TIE secondary configuration.
22	TCP (SSH)	Inbound connection from console client	(Optional) SSH console to DXL/TIE appliances.
53	UDP/TCP	Outbound connection to internal DNS services	Required for GTI lookups – otherwise you can configure the host file with the GTI server IP addresses.
80	TCP	Outbound connection to ePO/Agent Handler	See McAfee Agent in KB66797.
80	TCP	Inbound connection from TIE client (ATD file upload)	File upload from TIE client to TIE Server (for ATD analysis). NOTE: For TIE 1.2.0 and earlier. While this port is still opened in TIE Server 2.0.0, ATD unencrypted file submission from the client is disabled by default.
80	TCP	Outbound connection from TIE secondary to TIE primary¹	Required during TIE secondary configuration (initial and on service restart). Unencrypted connection to TIE REST API. NOTE: For TIE 1.2.1 and later.
123	UDP	Outbound connection to NTP time servers
443	TCP	Outbound connection to ePO/Agent Handler	See McAfee Agent in KB66797.
443	TCP	Outbound connection to McAfee GTI service (tieserver.rest.gti.mcafee.com)	TIE reputation lookups. The connection can be proxied.
443	TCP	Inbound connection from TIE client (ATD file upload)	Secure file upload from TIE client to TIE Server (for ATD analysis). NOTE: Required for TIE 1.2.1 and later.
443	TCP	Outbound connection from TIE secondary to TIE primary¹	Required during TIE secondary configuration (initial and on service restart). Secure connection to TIE REST API. NOTE: Required for TIE 1.2.1 and later.
5432	TCP	Inbound connection from ePO Application server. Inbound connection from secondary TIE servers to primary TIE server. ¹	ePO connectivity applicable to the TIE Server used for the ePO reporting function only. Replication traffic sent from secondary TIE Servers to primary TIE servers. ¹
8081	TCP	Inbound connection from ePO/Agent Handler	See McAfee Agent in KB66797.
8443	TCP	Outbound connection to ePO	Required only during TIE Server installation to configure McAfee Agent.
8883	TCP	Outbound connection to DXL brokers

¹	As of TIE Server version 2.1.0, the naming convention for Master and Slave operations changed to Primary and Secondary. For example: Master becomes Primary Slave becomes Secondary Previous versions of TIE Server retain the original Master/Slave designations.

ATD Appliance:

Default Port	Protocol	Traffic Direction	Description and Comments
21	TCP (FTP)	Inbound connection from client to ATD.	Access the FTP servers on Advanced Threat Defense.
22	TCP (SFTP)	Inbound connection from administrator client	Upload of ATD software updates and images.
80	TCP	Outbound connection to ePO/Agent Handler	See McAfee Agent in KB66797.
443	TCP	Outbound connection to ePO/Agent Handler	See McAfee Agent in KB66797.
80	TCP (HTTP)	Outbound connection to URL update service (list.smartfilter.com)	URL updates.
443	TCP (HTTPS)	Inbound connection from user console/REST API	Communication between the Manager and Advanced Threat Defense through the RESTful APIs.
443	TCP (HTTPS)	Inbound connection from TIE servers	File upload from TIE server to ATD appliance.
443	TCP (HTTPS)	Outbound connection to McAfee GTI service (tunnel.message.trustedsource.org)	Outbound connectivity from ATD management interface for GTI reputation lookups. The connection can be proxied.
443	TCP (HTTPS)	Updates for McAfee Gateway Anti-Malware Engine and McAfee Anti-Malware Engine: wpm.webwasher.com, wpm1‑2.webwasher.com wpm1‑3.webwasher.com, wpm1‑4.webwasher.com wpm‑usa.webwasher.com, wpm‑usa1.webwasher.com wpm‑usa2.webwasher.com, wpm‑asia.webwasher.com tau.mcafee.com, tau1‑2.mcafee.com tau1‑3.mcafee.com, tau1‑4.mcafee.com tau‑usa.mcafee.com, tau‑usa1.mcafee.com tau‑usa2.mcafee.com, tau‑manual.mcafee.com tau‑ldv1.securelabs.webwasher.com tau‑ldv2.securelabs.webwasher.com tau‑ldv3.securelabs.webwasher.com tau‑europe.mcafee.com tau‑dnv1.securelabs.webwasher.com tau‑dnv2.securelabs.webwasher.com tau‑dnv3.securelabs.webwasher.com tau‑asia.mcafee.com rpns.mcafee.com, mwg‑update.mcafee.com	The connection can be proxied.
443	TCP (HTTPS)	atdupdate.mcafee.com	Updates for the Advanced Threat Defense software. The update includes new detection and application package.
2222	TCP (SSH)	Inbound connection from console	Console CLI access.
6080	TCP (HTTPS)	Inbound connection from console	For VM activation process and X-mode.
8081	TCP	Inbound connection from ePO/Agent Handler	See McAfee Agent in KB66797.
8883	TCP	Outbound connection to DXL brokers	DXL client connectivity.
8443	TCP	Outbound connection to ePO Application Server	Determine host operating system for sandbox analysis.
8505	TCP	Bidirectional	Communication channel between a Sensor and Advanced Threat Defense.
ANY	TCP	Outbound connection to malware source (from dedicated malware interface)	When deploying ATD, provide a separate, segmented network where malware being analyzed attempts to download more payloads. Can be facilitated by using the secondary NIC on an ATD appliance. This connection requires a dedicated IP address. Which allows you to reduce connectivity from ANY ports to reflect your outbound access policies. Outbound connection from ATD malware interface to malware source sites for more downloads. The connection can be proxied.

Gerelateerde informatie

For more information about ATD sample submission, see KB86707.

Betrokken producten

Data Exchange Layer 5.x
ePolicy Orchestrator 5.9 (EOL)
ePolicy Orchestrator 5.10.x
Getting Started
Threat Intelligence Exchange Server 3.x
Threat Intelligence Exchange Server 2.3.x
Threat Intelligence Exchange Server 2.2.x

Talen:

Dit artikel is beschikbaar in de volgende talen:

German
English United States
Spanish Spain
French
Italian
Japanese
Korean
Dutch
Portuguese Brasileiro
Chinese Simplified
Chinese Traditional

Woordenlijst met technische termen

Termen in woordenlijst markeren

Bekijk onze Woordenlijst met technische termen.

Knowledge Center

Required communication ports for Threat Intelligence Exchange, Data Exchange Layer, and Advanced Threat Defense

Omgeving

Samenvatting

Gerelateerde informatie

Betrokken producten

Talen:

Woordenlijst met technische termen

Title

Title

Knowledge Center

Required communication ports for Threat Intelligence Exchange, Data Exchange Layer, and Advanced Threat Defense

Omgeving

Samenvatting

Gerelateerde informatie

Betrokken producten

Talen:

Woordenlijst met technische termen

Kies uw regio

Title

Title