Required ports, protocols, and services for the ProxySG appliance

Description
Depending on your ProxySG appliance configuration, you must open certain ports and
protocols on your firewalls for the appliance to function as intended, to use enabled
features, or to allow connectivity to various components and data centers. This
document presents basic configurations, and some commonly used options.
Note: This document also applies to the supported proxy components of the Advanced
Secure Gateway appliance.

Inbound-Only Connections

| Component | Default Port | Protocol | Configurable | Source | Description |
|---|---|---|---|---|---|
| Client Manager | 8084 | TCP | Yes | Symantec Unified Agent, ProxyClient | Unified Agent/ProxyClient configuration check |
| HTTPS Management Console | 8082 | TCP | Yes | Client browser | Secured ProxySG web interface (Proxy tab in Advanced Secure Gateway) |
| HTTP Management Console | 8081 | TCP | Yes | Client browser | Non-secured ProxySG web interface (Proxy tab in Advanced Secure Gateway) |
| RIP | 520 | UDP | No | local server hosting RIP file | RIP configuration file download |
| SSH | 22 | TCP | No | SSH client | SSH management of the appliance |
| SNMP | 161 | UDP | Yes | SNMP client | SNMP monitoring |


Outbound-Only Connections

| Component | Default Port | Protocol | Configurable | Source | Description |
|---|---|---|---|---|---|
| Appliance certificate | 444 | TCP | No | Symantec server | Certificate updates |
| BCAAA authentication with COREid, IWA, SiteMinder, and XML realms | 16101 | TCP | Yes | authentication server | Authentication- and authorization-related queries to the configured server. See TECH243202 for details. |
| DNS | 53 | TCP/UDP | No | DNS server | Port used by your DNS servers |
| Diagnostics | 443 | TCP | No | Symantec server | Heartbeats, SysInfo uploads |
| Email notifications | 25 | TCP | No | SMTP server | Email notifications |
| HTTP | 80 | TCP | No | Internet | Regular HTTP access to internet |
| ICAP (plain) | 1344 | TCP | Yes | Symantec Content Analysis or other ICAP service | Forwarding requests for content scanning (Not applicable to Advanced Secure Gateway) |
| ICAP (secure) | 11344 | TCP | Yes | Content Analysis or other ICAP service | Forwarding requests for content scanning (Not applicable to Advanced Secure Gateway) |
| IWA-Kerberos authentication | 88 | TCP/UDP | Yes | IWA server | Kerberos for IWA Direct authentication |
| LDAP | 389 | TCP/UDP | Yes | IWA server | LDAP for IWA Direct authentication |
| Log client (custom) | 69 | TCP | Yes | Custom log server | Sending access logs to configured server |
| Log client (FTP, plain and secure) | 21 | TCP | Yes | FTP/S log server | Sending access logs to configured server |
| Log client (HTTP, plain and secure) | 80 | TCP | Yes | HTTP/S log server | Sending access logs to configured server |
| Log client (Kafka) | 9092 | TCP | Yes | Kafka broker | Sending access logs to configured Kafka broker cluster |
| Log client (Symantec Reporter client) | 9081 | TCP | Yes | Reporter | Deprecated log streaming to Reporter version 9 |
| Log client (SCP) | 22 | TCP | Yes | SCP log server | Sending access logs to configured server |
| Symantec Management Center, Symantec Director | 22 | TCP | No | Management Center, Director | Management Center and Director registration (Not applicable to Advanced Secure Gateway) |
| Monitoring statistics to Management Center (plain) | 9009 | TCP | No | Management Center | Export of monitoring statistics to Management Center |
| Monitoring statistics to Management Center (secure) | 9010 | TCP | No | Management Center | Export of monitoring statistics to Management Center |
| Novell SSO | 389 | TCP | Yes | Novell server | Novell authentication |
| NTP | 123 | UDP | Yes | NTP server | Periodic time update from default or configured NTP servers |
| RADIUS | 1812 | TCP | Yes | RADIUS server | RADIUS authentication |
| SMB | 139, 445 | TCP | Yes | IWA server | CIFS services in transparent deployments |
| SOCKS | 1080 | TCP/UDP | No | SOCKS server | Forwarding traffic to SOCKS proxy |
| Syslog | 514 | UDP | No | Syslog server | Syslog uploads to remote server |
| WCCP | 2048 | UDP | No | WCCP-compliant router or switch | Traffic redirection from router to the appliance in out-of-path deployments |

Inbound/Outbound Connections

| Component | Default Port | Protocol | Configurable | Source | Description |
|---|---|---|---|---|---|
| ADN data tunnel (plain) | 3035 | TCP | Yes | ProxySG appliance | Connection to ADN manager for updates (Not applicable to Advanced Secure Gateway) |
| ADN data tunnel (secure) | 3037 | TCP | Yes | ProxySG appliance | Connection to ADN manager for updates (Not applicable to Advanced Secure Gateway) |
| ADN management (plain) | 3034 | TCP | Yes | ProxySG appliance | Explicit connections between two ProxySG peers (Not applicable to Advanced Secure Gateway) |
| ADN management (secure) | 3036 | TCP | Yes | ProxySG appliance | Explicit connections between two ProxySG peers (Not applicable to Advanced Secure Gateway) |
| ADN connection forwarding | 3030 | TCP | Yes | ProxySG appliance | Load balancing and asymmetric routing (Not applicable to Advanced Secure Gateway) |
| Flash media | 1935 | TCP/UDP | No | origin content server | Streaming Flash and RTMP |
| Real Media | 554 | UDP | No | origin content server | Streaming Real Media (RTSP) |
| SafeNet Java HSM | 8443 | TCP | Yes | SafeNet Java HSM | Communication with SafeNet Java HSM |
| Windows Media | 1755 | UDP | No | origin content server | Streaming Windows Media (MMS) |

URLs and IP Addresses for Symantec Services


| Component | Ports | Protocols | URLs | IP Addresses | Description |
|---|---|---|---|---|---|
| Symantec Content Analysis | 443 | HTTPS TCP | av-download.bluecoat.com | 8.28.16.208, 103.246.38.208, 199.19.249.208, 199.116.169.248 | Antivirus pattern updates from Content Analysis (Not applicable to Advanced Secure Gateway) |
| Content Analysis | 443 | HTTPS TCP | contentanalysis-ma.es.bluecoat.com | 199.116.169.239 | Malware reporting from Content Analysis (Not applicable to Advanced Secure Gateway) |
| Licensing | 443 | HTTPS TCP | device-services.es.bluecoat.com | 155.64.49.132 | Appliance license management |
| Licensing | 443 | HTTPS TCP | subscription.es.bluecoat.com | 8.28.16.243 | Subscription-based services management |
| Licensing | 443 | HTTPS TCP | services.bluecoat.com | | License administration |
| PKI - Appliance validation | 443 | HTTPS TCP | abrca.bluecoat.com | | Symantec appliance Certificate Authority |
| PKI - CA certificates | 443 | HTTPS TCP | appliance.bluecoat.com | | Trust package downloads |
| NTP | 80 | HTTP TCP | download.bluecoat.com | 199.91.133.16, 155.64.49.133 | Time zone database downloads |
| Diagnostics | 443 | HTTPS TCP | hb.bluecoat.com | | Appliance heartbeat information to Symantec |
| Diagnostics | 443 | HTTPS TCP | upload.bluecoat.com, mft.symantec.com | | Diagnostic report uploads to Symantec support |
| Content filtering | 443 | HTTPS TCP | list.bluecoat.com | 8.28.16.206, 103.246.38.206, 199.19.249.206, 199.116.169.246. Only one IP address is returned when there is a DNS query. If the IP address fails to respond, one of the other active addresses is returned. | WebFilter, IWF, Optenet, and Proventia database downloads |
| Symantec Web Security Service | 443 | HTTPS TCP | portal.threatpulse.com | | Web Security Service registration |
| Threat protection | 443 | HTTPS TCP | securitylabs.es.bluecoat.com | 8.28.16.7 | Security intelligence |


| Component | Ports | Protocols | URLs | IP Addresses | Description |
|---|---|---|---|---|---|
| Threat protection (version 6.5.x) | 80, 443 | HTTPS TCP | webpulse.es.bluecoat.com, sp.cwfservice.net | | Symantec Global Intelligence Network updates |

* These addresses are returned only when the request originates in China.
