Ports and traffic destinations used by Network Security Platform

Technical Articles ID: KB59342
Last Modified: 9/1/2020

Environment

McAfee Network Security Manager (NSM)
McAfee Network Security Sensor Hardware
McAfee Network Threat Behavior Analysis Appliance (NTBA)

Summary

NOTE: As a best practice, implement the Sensor and Manager management ports on the same internal network for security and management reasons.

Port	Source	Destination	Description	Comments
80	Client	Manager	HTTP Port	Client to Manager: Webstart/JNLP, Console applets
443	Client	Manager	HTTPS	Client to Manager
443	Manager	NTBA Appliance	Command Channel (TCP)	Manager to NTBA Appliance. Communication is bidirectional
3306	Internal	Manager	Manager Database (MySQL or MarinaDB)	Internal to Manager; can be used externally to connect to the database
4166	Manager	Sensor	Command Channel (UDP)	Source port for IPv6 Manager to Sensor Communication (Manager Java 1.7u45 and later) Communication between Sensor and Manager is bidirectional
4167	Manager	Sensor	Command Channel (UDP)	Source port for IPv4 Manager to Sensor Communication Communication between Sensor and Manager is bidirectional
8007	Internal	Manager	Tomcat AJP 12 Port (TCP)	Internal to Manager
8009	Internal	Manager	Tomcat AJP 13 Port (TCP)	Internal to Manager
8500	Manager	Sensor	Command Channel (UDP)	Communication between Sensor and Manager is bidirectional
8501	Sensor	Manager	Install Port/Channel (TCP)	Communication between Sensor and Manager is bidirectional
8502	Sensor	Manager	Alert Channel (Control Channel) (TCP)	Communication between Sensor and Manager is bidirectional
8503	Sensor	Manager	Packet Log Channel (TCP)	Communication between Sensor and Manager is bidirectional
8504	Sensor	Manager	File Transfer Channel (TCP)	Communication between Sensor and Manager is bidirectional
8506	Sensor	Manager	Install channel (TCP) (2048-bit)	Communication between Sensor and Manager is bidirectional
8507	Sensor	Manager	Alert channel (TCP) (2048-bit)	Communication between Sensor and Manager is bidirectional
8508	Sensor	Manager	Packet log channel (TCP) (2048-bit)	Communication between Sensor and Manager is bidirectional
8509	Sensor	Manager	Bulk file transfer channel for 2048-bit certificates (TCP)	Communication between Sensor and Manager is bidirectional
8510	Sensor	Manager	Bulk file transfer channel for 1024-bit certificates (TCP)	Communication between Sensor and Manager is bidirectional
8551	Internal	Manager	Lumos Nameserver (TCP)	Internal to Manager (RMI/IIOP)
8552	Internal	Manager	JONAS Nameserver (TCP)	Internal to Manager (RMI)
8555	Client	Manager	Alert Viewer (TCP)	Client to Manager SSL/TCP/IP IMPORTANT: Applies to 9.x managers only. 10.x no longer uses RTTA and this port does not need to be open on 10.x NSMs.

If you have Email Notification or SNMP Forwarding configured on the Manager, and there is a firewall between the Manager and your SMTP or SNMP Server, you must ensure that the following ports are also allowed through:

Port	Description	Comments
25	SMTP Port	Manager to SMTP Server
162	SNMP Forwarding	Manager to SNMP Server

IMPORTANT: NSP product documentation states that you must disable other web services before you install the Manager. The reason is because the Manager server must integrate with the Apache server that is shipped with the Manager installation package. If other web services that use port 80 and 443 are not disabled, the Manager installation fails because it is not able to run the Apache server.

Ports used by the Sensor:

Port	Description	Comments
22	SSH	SSH connection for command-line access to Sensor and Secure Copy from the Sensor to an SCP server for a manual load image or load configuration.

Ports used for lookups and updates:

Port	Source	Destination	Comments
53 UDP	Sensor	avqs.mcafee.com avts.mcafee.com (via DNS query to defined DNS server)	McAfee GTI File Reputation query
80 TCP	NSM Appliance	*.windowsupdate.com update.microsoft.com	Microsoft Windows Updates
80 TCP	NSM	download.nai.com	For downloading Botnet Detectors
443 TCP	NSM	menshen.intruvert.com menshen1.intruvert.com nspupdate.mcafee.com	NSP updates (can also be downloaded out-of-band and applied manually)
443 TCP	NSM	gti-api.mcafee.com	McAfee GTI botnet detectors update; GTI participation information
443 TCP	NSM/Sensor	tunnel.web.trustedsource.org	McAfee GTI IP reputation query
443 TCP	NSM Appliance	update.microsoft.com	Microsoft Windows Updates (NSM Appliances)
443 TCP	Sensor	tau-usa.mcafee.com	Gateway Anti-Malware engine (GAM) downloads
443 TCP	Sensor	tau.mcafee.com tau-europe.mcafee.com tau-usa2.mcafee.com tau-usa1.mcafee.com tau-usa.mcafee.com tau-asia.mcafee.com	Antimalware downloads
443 TCP	Sensor	mwg-update.mcafee.com	Antimalware downloads
443 TCP	NSM	iam.mcafee-cloud.com	NSM License Activation
443 TCP	NSM	iam-rs.mcafee-cloud.com	NSM License Activation
443 TCP	NSM	telemetry.mcafee-cloud.com	NSM Telemetry

Third-party communications:

In addition to the communications channels between the components of NSP, other communications can take place with third-party systems. These third-party systems include external syslog servers, SNMP monitoring systems, and authentication services.

Port/Protocol	Source	Destination	Purpose
25 TCP	NSM	$smtp-mta-server	Email notifications
49 TCP	Sensor	$tacacs+-server	TACACS+ based authentication to Sensor for command line interface
69 UDP	Sensor	$tftp-server	TFTP server used for loadimage/netboot to install/update Sensor software
162 UDP	NSM	$snmp-server	SNMP trap notifications
389 TCP	NSM	$ldap-server	LDAP-based authentication to NSM for GUI client
514 TCP/UDP	NSM	$syslog-server	Notifications via syslog, standard UDP, or optionally TCP
636 TCP	NSM	$ldaps-server	LDAPS-based authentication to NSM for GUI client
1812 UDP	NSM	$radius-server	RADIUS-based authentication to NSM for GUI client

Network Threat Behavior Analysis (NTBA) communications:
NTBA appliances (virtual or physical) are similar to NSP Sensors. But, they provide a function focused on analyzing network flows, which support the overall analysis.

Port	Source	Destination	Purpose
22 TCP	Any	NTBA	SSH connection for command-line access to Sensor
22 TCP	NTBA	$netflow-exporter	Router ACL channel
53 UDP	NTBA	$dns-server	DNS queries
80 TCP	NTBA	tunnel.web.trustedsource.org list.smartfilter.com	GTO database download
111 TCP/UDP	NTBA	$backup-server	NFS (optional) portmapper, for backups
137 UDP	NTBA	<any>	NetBIOS lookups
161 UDP	NTBA	$netflow-exporter	SNMP queries (2c/3)
443 TCP	NTBA	tunnel.web.trustedsource.org	McAfee GTI IP reputation query
443 TCP	NTBA	tau-usa.mcafee.com	Gateway Anti-Malware engine (GAM) downloads
443 TCP	NTBA	tau.mcafee.com	Antimalware downloads
445 TCP	NTBA	$backup-server	CIFS backups (optional)
2049 TCP	NTBA	$backup-server	NFS (optional) for backups
8444 TCP	NTBA	ePO	For certificate signing
8501 TCP	NTBA	NSM	Install/control channel
8502 TCP	NTBA	NSM	Alert channel
8504 TCP	NTBA	NSM	File transfer channel
8505 TCP	Sensor	NTBA	IPS channel (SSL AES-128 SHA-1)
9008 UDP	EIA	NTBA	EIA service (DTLS)
9996 UDP	$netflowexporter	NTBA	NetFlow channel

NOTE: Some of the ports and protocols listed are optional; their use depends on your specific configuration.

ePolicy Orchestrator (ePO) communications:

Port	Source	Destination	Comments
8501 TCP	ePO	NSM	[HIPS] Establish trust for HIPS push notifications
8502 TCP	ePO	NSM	[HIPS] HIPS event push notifications
8503 TCP	ePO	NSM	[HIPS] HIPS event push notifications
3306 TCP	ePO	NSM	[NSM -> ePO integration] Database connection to enable NSM-related dashboards in ePO console
8443 TCP	NSM	ePO	[ePO -> NSM integration] NSM pull/query of host information from ePO; requires NSM extension installation on ePO

Logon Collector:

Port	Source	Destination	Comments
61641	NSM	MLC Server	JMS communications between the Logon Collector and the NSM

McAfee Vulnerability Manager (MVM) communications:

Port	Source	Destination	Comments
1433 TCP	NSM	MVM	Microsoft SQL Server connection for scheduled pull of scan results
3801 TCP	NSM	MVM	NSM command channel for initiating on-demand scans (SSL encrypted propriety connection)

Advanced Threat Defense (ATD) communications:

Port	Source	Destination	Comments
443 TCP	NSM	ATD	REST API communication
8505 TCP	Sensor	ATD	Communication channel for Sensor data

Enterprise Security Manager (ESM) communications:

Port	Source	Destination	Comments
443 TCP	ESM	NSM	Access to NSM data
3306 TCP	ESM	NSM	Database queries

Network Security Central Manager (NSCM) communications:

Port	Source	Destination	Comments
443 TCP	NSM	NSCM	HTTPS
443 TCP	NSCM	NSM	HTTPS

Previous Document ID

NAI32000

Affected Products

Best Practices
Configuration
Network Security Manager 9.2.x
Network Security Manager 9.1.x
Network Security Manager 10.x
Network Security Sensor Appliance 9.2.x
Network Security Sensor Appliance 9.1.x
Network Security Sensor Appliance 10.x
Network Threat Behavior Analysis Appliance 9.1.x

Languages:

This article is available in the following languages:

German
English United States
Spanish Spain
French
Italian
Japanese
Portuguese Brasileiro
Chinese Simplified

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

Ports and traffic destinations used by Network Security Platform

Environment

Summary

Previous Document ID

Affected Products

Languages:

Glossary of Technical Terms

Title

Title

Featured Solutions:Draft for New Nav

Explore Our Portfolio

Security Outcomes

Industries

Products

Featured Solutions

Explore Our Portfolio

MVISION Products

Services & Training

Threat Research

Our Researchers

Threat Landscape Dashboard

Tools

Contact Us

Resources

Downloads

Product Help

Connect with Us

Explore

Our Company

Our Efforts

Other Resources

Careers

Partnerships

Ports and traffic destinations used by Network Security Platform

Environment

Summary

Previous Document ID

Affected Products

Languages:

Glossary of Technical Terms

Choose your region

Title

Title