The Auth Connector (BCCA) is installed on an Active Directory member server.  To establish connections to other servers or domains, what are the required ports that need to be open on the Auth Connector server?

What are the required ports for the Cloud SWG (formerly known as WSS) Auth Connector?

Authentication: (BCCA.exe)
TCP port 443 to auth.threatpulse.com (35.245.151.226 & 34.82.146.65)
TCP port 443 to portal.threatpulse.com (35.245.151.224 & 34.82.146.64)

Note:  BCCA, also known as Auth Connector, needs to communicate to the authentication IPs of each data pod on TCP port 443.  The data pod authentication IPs are documented in the KB article titled Web Security Service (WSS) ingress and egress IP addresses specifically in column four.  Failure to allow Auth Connector to communicate to the authentication IPs of the data pods can result in a lack of user and/or group information.

Authentication: (ACLogon.exe - login script for sending logged-in credentials directly to BCCA.)
TCP port 80 from all clients running aclogon.exe to BCCA server

Roaming Captive Portal:
TCP port 8080 to proxy.threatpulse.com

SAML:
TCP port 8443

Internal ports: (between BCCA server and Domain Controllers)

• 139, 445 TCP port for Windows SMB communication.  The version of SMB used is not dictated by BCCA.EXE.
• 389  TCP port for LDAP
• 636 TCP port for LDAPS
• 3268 TCP port for ADSI LDAP
• 135 TCP port for Location Services / RPC (RPC may also require other random ports for End-Point Mapper which not listed here)
• 88 TCP port for Kerberos authentication
• 49152-65535 TCP If installed on a new Windows Server 2012 Member rather than a Domain Controller.

Cloud SWG (formerly known as WSS) Required Ports