NOTE: As a best practice, implement the Sensor and Manager management ports on the same internal network for security and management reasons.
| Port |
Source |
Destination |
Description |
Comments |
| 80 |
Client |
Manager |
HTTP Port |
Client to Manager: Webstart/JNLP, Console applets
|
|
443
|
Client |
Manager |
HTTPS
|
Client to Manager
|
| 443 |
Manager |
NTBA Appliance |
Command Channel (TCP) |
Manager to NTBA Appliance. Communication is bidirectional |
|
3306
|
Internal |
Manager |
Manager Database (MySQL or MarinaDB)
|
Internal to Manager; can be used externally to connect to the database
|
| 4166 |
Manager |
Sensor |
Command Channel (UDP) |
Source port for IPv6 Manager to Sensor Communication (Manager Java 1.7u45 and later)
Communication between Sensor and Manager is bidirectional |
| 4167 |
Manager |
Sensor |
Command Channel (UDP) |
Source port for IPv4 Manager to Sensor Communication
Communication between Sensor and Manager is bidirectional |
| 8005 |
Client |
Manager |
Tomcat Shutdown Port (TCP) |
Tomcat uses this port to listen for shutdown hook |
|
8007
|
Internal |
Manager |
Tomcat AJP 12 Port (TCP)
|
Internal to Manager
|
|
8009
|
Internal |
Manager |
Tomcat AJP 13 Port (TCP)
|
Internal to Manager
|
|
8500
|
Manager |
Sensor |
Command Channel (UDP)
|
Communication between Sensor and Manager is bidirectional
|
|
8501
|
Sensor |
Manager |
Install Port/Channel (TCP)
|
Communication between Sensor and Manager is bidirectional
|
|
8502
|
Sensor |
Manager |
Alert Channel (Control Channel) (TCP)
|
Communication between Sensor and Manager is bidirectional
|
|
8503
|
Sensor |
Manager |
Packet Log Channel (TCP)
|
Communication between Sensor and Manager is bidirectional
|
|
8504
|
Sensor |
Manager |
File Transfer Channel (TCP)
|
Communication between Sensor and Manager is bidirectional
|
|
8506
|
Sensor |
Manager |
Install channel (TCP) (2048-bit)
|
Communication between Sensor and Manager is bidirectional
|
|
8507
|
Sensor |
Manager |
Alert channel (TCP) (2048-bit)
|
Communication between Sensor and Manager is bidirectional
|
|
8508
|
Sensor |
Manager |
Packet log channel (TCP) (2048-bit)
|
Communication between Sensor and Manager is bidirectional
|
|
8509
|
Sensor |
Manager |
Bulk file transfer channel for 2048-bit certificates (TCP)
|
Communication between Sensor and Manager is bidirectional
|
|
8510
|
Sensor |
Manager |
Bulk file transfer channel for 1024-bit certificates (TCP)
|
Communication between Sensor and Manager is bidirectional
|
|
8551
|
Internal |
Manager |
Lumos Nameserver (TCP)
|
Internal to Manager (RMI/IIOP)
|
|
8552
|
Internal |
Manager |
JONAS Nameserver (TCP)
|
Internal to Manager (RMI)
|
|
8555
|
Client |
Manager |
Alert Viewer (TCP)
|
Client to Manager SSL/TCP/IP
IMPORTANT: Applies to 9.x Managers only.
10.x no longer uses RTTA and this port does not need to be open on 10.x NSMs. |
If you configure Email Notification or
SNMP Forwarding on the Manager, and have a firewall between the Manager and
SMTP or
SNMP Server, allow the following ports:
| Port |
Description |
Comments |
|
25
|
SMTP Port
|
Manager to SMTP Server |
|
162
|
SNMP Forwarding
|
Manager to SNMP Server |
IMPORTANT: Product documentation states that you must disable other web services before you install the Manager. The Manager server must integrate with the Apache server that is shipped with the Manager installation package. If other web services that use port 80 and 443 are not disabled, the Manager installation fails. The failure happens because the Manager is not able to run the Apache server.
Ports used by the Sensor:
| Port |
Description |
Comments |
| 22 |
SSH
|
SSH connection for command-line access to Sensor and
Secure Copy from the Sensor to an SCP server for a manual load image or load configuration. |
Ports used for lookups and updates:
| Port |
Source |
Destination |
Comments |
| 443 TCP |
Sensor |
nsp.rest.gti.mcafee.com
(via REST JSON format) |
McAfee GTI File Reputation query |
| 80 TCP |
NSM Appliance |
*.windowsupdate.com
|
Microsoft Windows Updates |
| 80 TCP |
NSM |
download.nai.com |
For downloading Botnet Detectors |
| 443 TCP |
NSM(MLOS only) |
download.nai.com |
For downloading Antivirus DAT Signatures |
| 443 TCP |
NSM |
menshen.intruvert.com
menshen1.intruvert.com
nspupdate.mcafee.com |
NSP updates (can also be downloaded out-of-band and applied manually) |
| 443 TCP |
NSM |
gti-api.mcafee.com |
McAfee GTI botnet detectors update; GTI participation information |
| 443 TCP |
NSM/Sensor |
tunnel.web.trustedsource.org
|
McAfee GTI IP/URL reputation query |
| 443 TCP |
NSM Appliance |
update.microsoft.com |
Microsoft Windows Updates
(NSM Appliances)
|
| 443 TCP |
Sensor |
tau-usa.mcafee.com |
Gateway Anti-Malware engine (GAM) downloads |
| 443 TCP |
Sensor |
tau.mcafee.com
tau-europe.mcafee.com
tau-usa2.mcafee.com
tau-usa1.mcafee.com
tau-usa.mcafee.com
tau-asia.mcafee.com |
Antimalware downloads |
| 443 TCP |
Sensor |
mwg-update.mcafee.com |
Antimalware downloads |
| 443 TCP |
NSM |
iam.mcafee-cloud.com |
NSM Product Registration and Activation |
| 443 TCP |
NSM |
iam-rs.mcafee-cloud.com |
NSM Product Registration and Activation |
| 443 TCP |
NSM |
telemetry.mcafee-cloud.com |
NSM Product Registration and Activation |
Third-party communications:
In addition to the communications channels between the components of NSP, other communications can take place with third-party systems. These third-party systems include external
syslog servers,
SNMP monitoring systems, and authentication services.
| Port/Protocol |
Source |
Destination |
Purpose |
|
25 TCP
|
NSM |
$smtp-mta-server
|
Email notifications |
|
49 TCP
|
Sensor |
$tacacs+-server
|
TACACS+ based authentication to Sensor for command line interface |
69 UDP |
Sensor |
$tftp-server |
TFTP server used for
loadimage/netboot to install/update Sensor software
|
| 162 UDP |
NSM |
$snmp-server |
SNMP trap notifications |
| 389 TCP |
NSM |
$ldap-server |
LDAP-based authentication to
NSM for GUI client
|
| 514 TCP/UDP |
NSM |
$syslog-server |
Notifications via syslog, standard UDP, or optionally TCP |
| 636 TCP |
NSM |
$ldaps-server |
LDAPS-based authentication to
NSM for GUI client
|
| 1812 UDP |
NSM |
$radius-server |
RADIUS-based authentication to NSM for GUI client |
Network Threat Behavior Analysis (NTBA) communications:
NTBA appliances (virtual or physical) are similar to NSP Sensors. But, they provide a function focused on analyzing network flows, which support the overall analysis.
| Port |
Source |
Destination |
Purpose |
| 22 TCP |
Any |
NTBA
|
SSH connection for command-line access to Sensor |
| 22 TCP |
NTBA |
$netflow-exporter |
Router ACL channel |
| 53 UDP |
NTBA |
$dns-server |
DNS queries |
| 80 TCP |
NTBA |
tunnel.web.trustedsource.org
list.smartfilter.com |
GTO database download |
| 111 TCP/UDP |
NTBA |
$backup-server |
NFS (optional) portmapper, for backups |
| 137 UDP |
NTBA |
<any> |
NetBIOS lookups |
| 161 UDP |
NTBA |
$netflow-exporter |
SNMP queries (2c/3) |
| 443 TCP |
NTBA |
tunnel.web.trustedsource.org |
McAfee GTI IP reputation query |
| 443 TCP |
NTBA |
tau-usa.mcafee.com |
Gateway Anti-Malware engine (GAM) downloads |
| 443 TCP |
NTBA |
tau.mcafee.com |
Antimalware downloads |
| 445 TCP |
NTBA |
$backup-server |
CIFS backups (optional) |
| 2049 TCP |
NTBA |
$backup-server |
NFS (optional) for backups |
| 8444 TCP |
NTBA |
ePO |
For certificate signing |
| 8501 TCP |
NTBA |
NSM |
Install/control channel |
| 8502 TCP |
NTBA |
NSM |
Alert channel |
| 8504 TCP |
NTBA |
NSM |
File transfer channel |
| 8505 TCP |
Sensor |
NTBA |
IPS channel (SSL AES-128
SHA-1)
|
| 9008 UDP |
EIA |
NTBA |
EIA service (DTLS) |
| 9996 UDP |
$netflowexporter |
NTBA |
NetFlow channel |
NOTE: Some of the ports and protocols listed are optional; their use depends on your specific configuration.
ePolicy Orchestrator (ePO) communications:
| Port |
Source |
Destination |
Comments |
| 8501 TCP |
ePO
|
NSM
|
[HIPS] Establish trust for HIPS push notifications |
| 8502 TCP |
ePO |
NSM |
[HIPS] HIPS event push notifications |
| 8503 TCP |
ePO |
NSM |
[HIPS] HIPS event push notifications |
| 3306 TCP |
ePO |
NSM |
[NSM -> ePO integration]
Database connection to enable NSM-related dashboards in ePO console
|
| 8443 TCP |
NSM |
ePO |
[ePO -> NSM integration]
NSM pull/query of host information from ePO; requires
NSM extension installation on ePO
|
Logon Collector:
| Port |
Source |
Destination |
Comments |
| 61641 |
NSM
|
MLC Server
|
JMS communications between the Logon Collector and the NSM |
Vulnerability Manager (MVM) communications:
| Port |
Source |
Destination |
Comments |
| 1433 TCP |
NSM
|
MVM
|
Microsoft SQL Server connection for scheduled pull of scan results |
| 3801 TCP |
NSM |
MVM |
NSM command channel for initiating on-demand scans
(SSL encrypted propriety connection)
|
Advanced Threat Defense (ATD) communications:
| Port |
Source |
Destination |
Comments |
| 443 TCP |
NSM
|
ATD
|
REST API communication |
| 8505 TCP |
Sensor |
ATD |
Communication channel for
Sensor data
|
SIEM Enterprise Security Manager (ESM) communications:
| Port |
Source |
Destination |
Comments |
| 443 TCP |
ESM
|
NSM
|
Access to NSM data |
| 3306 TCP |
ESM |
NSM |
Database queries |
Network Security Central Manager (NSCM) communications:
| Port |
Source |
Destination |
Comments |
| 443 TCP |
NSM
|
NSCM
|
HTTPS |
| 443 TCP |
NSCM |
NSM |
HTTPS |
TIE/DXL communications:
| Port |
Source |
Destination |
| 8443 TCP |
Sensor
|
ePO
|
| 443 TCP |
Sensor |
ePO |
| 8081 TCP |
ePO |
Sensor |
| 8883 TCP |
Sensor |
DXL Broker |
NOTE: If you have multiple DXL brokers, the Sensor connects to each of them on 8883 TCP. If the DXL broker is deployed on the ePO server, the Sensor connects to the ePO server on 8883 TCP.
