Open Ports Needed for Web Gateway
To access external servers and databases for real-time updates, certain ports must be open on the infrastructure firewall. The ports used for communication through a firewall are listed in the table below.
In the table:
- Bidirectional means the connection can be initiated from either direction.
- Inbound means the remote system initiates the connection.
- Outbound means the local system can initiate the connection.
The table contains only default ports, and several of them can be configured. Additionally, not all inbound ports are open by default; this depends on the configuration.
Port | Direction | Transport Protocol | Application Protocol | Destination | Use | Note |
22 | Inbound | TCP | SSH | Local | Administrator secure shell | |
161 | Inbound | TCP/UDP | SNMP | Local | SNMP | |
1080 | Inbound | TCP | SOCKS | Local | SOCKS proxy | |
1344 | Inbound | TCP | ICAP | Local | ICAP | |
2000–20000 | Inbound | TCP | FTP | Local | Passive FTP data connection | From FTP client to WG |
2121 | Inbound | TCP | FTP | Local | FTP control port | |
4005 | Inbound | TCP | IFP | Local | IFP | |
4711 | Inbound | TCP | HTTP | Local | Administrator UI | Also REST if enabled |
4712 | Inbound | TCP | HTTPS | Local | Administrator UI | Also REST if enabled |
4713 | Inbound | TCP | HTTP | Local | File server | |
4714 | Inbound | TCP | HTTPS | Local | File server | |
5050 | Inbound | TCP | Yahoo | Local | Yahoo proxy | |
5190 | Inbound | TCP | ICQ | Local | ICQ proxy | |
5222 | Inbound | TCP | XMPP | Local | XMPP (Jabber) proxy | |
9090 | Inbound | TCP | HTTP | Local | HTTP(S) proxy | |
9393 | Inbound | TCP | HTTPS | Local | Intel Active System Console | |
16000–17000 | Inbound | UDP | | Local | SOCKS UDP relay | |
20001–40000 | Inbound | TCP | FTP | Local | Active FTP data connection | From FTP server to WG |
520 | Bidirectional | UDP | RIP | Your RIP routers | IP routing | |
12346 | Bidirectional | TCP | Proprietary | Your WG appliances | WG cluster communication | |
N/A | Bidirectional | IP Protocol 47 | GRE | Your WG appliances or WCCP routers | WCCP and traffic tunneling between WG nodes | |
N/A | Bidirectional | IP Protocol 89 | OSPF | Your OSPF routers | IP routing | |
N/A | Bidirectional | IP Protocol 112 | VRRP | Your WG appliances | VIP failover | |
N/A | Bidirectional | IP Protocol 253 | Proprietary | Your WG appliances | Network driver cluster communication | |
21 | Outbound | TCP | FTP | Arbitrary FTP servers | File transfer protocol | Active and passive |
25 | Outbound | TCP | SMTP | Your email server | Email notifications | |
53 | Outbound | TCP/UDP | DNS | Your DNS server | Domain name system | |
443 | Outbound | TCP | HTTPS | appliance1.webwasher.com, appliance2.webwasher.com | System update | |
80, 443 | Outbound | TCP | HTTP(S) | Arbitrary HTTP(S) servers | User HTTP(S) traffic | Other ports depending on configuration |
80, 443 | Outbound | TCP | HTTP(S) | Update Servers (tau-europe.mcafee.com, tau.mcafee.com, tau-usa2.mcafee.com, tau-usa1.mcafee.com, tau-usa.mcafee.com, tau-asia.mcafee.com, mwg-update.mcafee.com), CRL Download Servers, OCSP Requests, Telemetry | Centralized Updater | |
80, 443 | Outbound | TCP | HTTP(S) | Your Customer-Maintained Subscribed List Servers | Subscribed Lists Manager | |
80, 443 | Outbound | TCP | HTTP(S) | Your Scheduled Job Servers (Upload, Download) | Scheduled Job Manager | |
123 | Outbound | TCP/UDP | NTP | Your NTP servers, ntp.webwasher.com | Time synchronization | |
162 | Outbound | TCP/UDP | SNMP | Your SNMP trap sink | SNMP traps | |
389 | Outbound | TCP | LDAP | Your directory servers | Directory service or Active Directory | |
443 | Outbound | TCP | HTTPS | tunnel.web.trustedsource.org (default; can be configured) | GTI Cloud lookups (Reputation, Categories, Geo Location, File Reputation) | |
443 | Outbound | TCP | HTTPS | tunnel.web.trustedsource.org (default; can be configured) | GTI Telemetry (Malicious URL Feedback) | |
445 | Outbound | TCP | SMB | NTLM Server | NTLM authentication | |
514 | Outbound | TCP/UDP | Syslog | Your Syslog servers | Syslog | |
636 | Outbound | TCP | LDAP | Your directory servers | Secure directory or Active Directory | |
1344 | Outbound | TCP | ICAP | Your ICAP servers | ICAP | |
2020 (Source) | Outbound | TCP | FTP | Local | Active FTP data connection | From WG to FTP client |
8883 | Outbound | TCP | DXL | Connection to the DXL broker | Communication between WG and DXL broker installed on ePO | |
Your proxy ports | Outbound | TCP | HTTP | Your parent proxies | HTTP proxy | For user traffic and several internal connections (AV update), configured individually |
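
An added example (not part of the vendor documentation): a Python check that compares listening sockets, as printed by `ss -H -tuln`, against the table's default inbound and bidirectional ports, so that listeners the table does not account for stand out. The `ss` sample is constructed, and `TABLE`, `lookup` and `audit` are names chosen for this example.

```python
# Default inbound and bidirectional ports from the table: (first, last, transport, use).
TABLE = [
    (22, 22, "tcp", "Administrator secure shell"),
    (161, 161, "tcp/udp", "SNMP"),
    (1080, 1080, "tcp", "SOCKS proxy"),
    (1344, 1344, "tcp", "ICAP"),
    (2000, 20000, "tcp", "Passive FTP data connection"),
    (2121, 2121, "tcp", "FTP control port"),
    (4005, 4005, "tcp", "IFP"),
    (4711, 4712, "tcp", "Administrator UI"),
    (4713, 4714, "tcp", "File server"),
    (5050, 5050, "tcp", "Yahoo proxy"),
    (5190, 5190, "tcp", "ICQ proxy"),
    (5222, 5222, "tcp", "XMPP (Jabber) proxy"),
    (9090, 9090, "tcp", "HTTP(S) proxy"),
    (9393, 9393, "tcp", "Intel Active System Console"),
    (16000, 17000, "udp", "SOCKS UDP relay"),
    (20001, 40000, "tcp", "Active FTP data connection"),
    (520, 520, "udp", "IP routing (RIP)"),
    (12346, 12346, "tcp", "WG cluster communication"),
]

# Constructed sample of `ss -H -tuln` output (not captured from a real appliance).
SAMPLE_SS = """\
tcp   LISTEN 0      128    [::]:9090          [::]:*
udp   UNCONN 0      0      0.0.0.0:16500      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:111        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:9090       0.0.0.0:*
"""

def lookup(proto, port):
    """Return the table's use for proto/port; the narrowest matching range wins."""
    hits = [(last - first, use) for first, last, protos, use in TABLE
            if first <= port <= last and proto in protos.split("/")]
    return min(hits)[1] if hits else None

def audit(ss_output):
    """Map each (proto, port) listener in `ss -H -tuln` output to its use, or None."""
    found = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[0] in ("tcp", "udp"):
            port = int(fields[4].rsplit(":", 1)[1])  # rsplit also handles [::]:port
            found[(fields[0], port)] = lookup(fields[0], port)
    return found

if __name__ == "__main__":
    for (proto, port), use in sorted(audit(SAMPLE_SS).items()):
        print(f"{proto}/{port}: {use or 'not in table, review'}")
```

Because the FTP data ranges (2000–20000 and 20001–40000) cover most high TCP ports, a listener matched only by one of those ranges still deserves a look.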