Required firewall ports for Web Security Service for each access method.

search cancel

Required firewall ports for Web Security Service for each access method.

book

Article ID: 167455

calendar_today

Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Cloud SWG (formerly known as WSS)

Some ports must be opened on your firewalls to allow connectivity to the various cloud service components and data centers.
The ports vary depending upon the configured cloud access methods.

For converting proxy.threatpulse.net to your relevant geographical IP address(es), refer to Data Center IP Addresses.

Resolution

All firewall rules must allow outbound connections to the following ports:

Reference: Required Locations, Ports, and Protocols

Firewall/VPN (IPSEC):

IP Protocol 50 (ESP)
TCP 80/443
UDP 500 (ISAKMP)
UDP 4500 if firewall is behind a NAT.

Proxy Forwarding:

Port 8080 to proxy.threatpulse.net
Port 8443 to proxy.threatpulse.net
Port 8084 to proxy.threatpulse.net

Remote Users: (Mobility client)

Port 443 to ctc.threatpulse.com
Port 443 to all WSS Agent cluster IP Addresses returned from CTC (available in WSS Agent logs) - nearest data center selection is performed automatically by the agent based on the geo-location of the end user's public egress IP address.

Transproxy:

See link above.

Explicit Proxy:

See link above.

MDM Integration: (for example, Airwatch)

UDP 500 (ISAKMP)
UDP 4500 (NAT-T)

Authentication: (BCCA.exe)

Port 443 to auth.threatpulse.com (35.245.151.226 & 34.82.146.65)
Port 443 to portal.threatpulse.net (35.245.151.224 & 34.82.146.64)
Note: In an IPSEC deployment, BCCA must also be able to talk to the same data pods authentication servers where the IPSEC tunnel terminates. Please refer to Authentication IP addresses for Web Security Service data centers for more detail.

Authentication: (ACLogon.exe; log-in script for sending logged-in credentials directly to BCCA.)

Port 80 from all clients to BCCA server

SAML:

Port 8443 to saml.threatpulse.net

Roaming Captive Portal:

Port 8080 to proxy.threatpulse.com

Internal ports: (between BCCA server and Domain Controllers)

139 and 445 TCP
389 LDAP
636 LDAPS
3268 ADSI LDAP
135 Location Services / RPC (RPC may also require other random ports for Endpoint Mapper which not listed here)
88 Kerberos
1024 to 5000 Endpoint mapper (opened by RPC) - However, it is possible that ports over 5000 are used depending on your AD configuration. Refer to (How to configure RPC to use certain ports and how to help secure those ports by using IPsec).

Feedback

thumb_up Yes

thumb_down No