Port Numbers - Deep Security

The document outlines the default port numbers used for communication between the various Deep Security components like the Manager, Relay, and Agent. It also discusses connectivity requirements and options for using a proxy.

The Deep Security Manager uses ports 443, 4120, and 8080 for incoming connections and ports 25, 80, 443, 123, 389 for outgoing connections. Ports 443 and 4120 are used for Agent/Appliance communication with the Manager.

The Deep Security Agent uses port 443 for incoming connections to the Manager and ports 80, 443, 123, 162, 514 for outgoing connections. Port 443 is used for Agent to Manager and Agent to Relay communication.

Port numbers

If connecting Deep Security Manager, Relay, or Agents through a:

- firewall or AWS/Azure/NSX Security Group
- router
- proxy
- other network address translation (NAT) device

you'll need to know the required domain names or IP addresses, ports, and protocols.


Firewall policies, proxies, and port forwarding often require this information. This is especially true for connections to services on the Internet, such as DNS, time
servers, the Trend Micro Active Update servers, Trend Micro Smart Protection Network, and Deep Security as a Service. If a computer has other installed software
that listens on the same ports, you must resolve the port conflict.

Default port numbers are in these tables. If the default port numbers don't work with your network or installation, you have a proxy, or if you require SSL or TLS
secured versions of the traffic, the tables indicate if you can configure it.

Deep Security Manager ports

Incoming (listening ports)

| Transport Protocol | Destination Port Number | Service | Source | Purpose | Configurable? | Proxy configurable? |
|---|---|---|---|---|---|---|
| TCP | 443 | HTTPS | Trend Micro Control Manager, SOAP API client, or other REST API client | WSDL access at: https://<manager FQDN or IP>:443/webservice/Manager?WSDL Status monitoring at: https://<manager FQDN or IP>:443/rest/status/manager/ping Control Manager uploads sandboxing results from Deep Discovery Analyzer with connected threat defense. | No | No |
| TCP | 443 | HTTPS | Web browser | Administrative connections to the Deep Security GUI or API. | No | No |
| TCP | 443 | HTTPS | Agent/Appliance | Deep Security Agent/Appliance installer downloads. | No | No |
| TCP | 4120 | HTTPS | Agent/Appliance | Discovery and Agent/Appliance activation. Agent/Appliance to Manager heartbeat. Receives events and provides configuration updates to them. See also Agent-manager communication. | Yes | Yes |
| TCP | 8080 | HTTP | Web installer | Software installation via the web installer. Once Deep Security Manager installation is complete, or if you use the Quick Start instead, you can block this port. | No | No |

Outgoing

| Transport Protocol | Destination Port Number | Service | Destination | Purpose | Configurable? | Proxy configurable? |
|---|---|---|---|---|---|---|
| TCP | 25 | SMTP | E-mail server | Alerts for events. Tip: AWS throttles (rate limits) e-mail on SMTP's IANA standard port number, port 25. If you use AWS Marketplace, you may have faster alerts if you use SMTP over STARTTLS (secure SMTP) instead. For more information, see: https://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-connect.html https://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-issues.html | Yes | No |
| UDP | 53 | DNS | DNS server | Domain name resolution of Trend Micro services, e-mail server, NTP server, and others. | Yes (configure in the operating system) | Yes (configure in the operating system) |
| TCP | 80 | HTTP | Trend Micro Smart Feedback: deepsecurity1100-en.fbs25.trendmicro.com, deepsecurity1100-jp.fbs25.trendmicro.com | Smart Protection feedback. | No | No |
| TCP | 80 | HTTP | Whois server (could be http://reports.internic.net/cgi/whois?whois_nic=[IP]&type=nameserver) | Reverse name resolution of IP addresses into hostnames for event logs and computer discovery. | Yes | No |
| TCP | 443 | HTTPS | Trend Micro licensing and registration server: licenseupdate.trendmicro.com | Licensing and product registration. | No | Yes |
| TCP | 80 or 443 | HTTP or HTTPS | Trend Micro Active Update: https://iaus.activeupdate.trendmicro.com/, https://ipv6-iaus.trendmicro.com | Security package updates. Alternatively, use a relay. | Yes | Yes (SOCKS support) |
| TCP | 80 or 443 | HTTP or HTTPS | Trend Micro Download Center or web server: files.trendmicro.com | Deep Security Agent/Appliance installer downloads. | Yes (append port number to URL) | No |
| TCP | 80 or 443 | HTTP or HTTPS | Trend Micro Certified Safe Software Service (CSSS): https://grid-global.trendmicro.com:443 | Automatic event tagging for integrity monitoring. | No | Yes |
| UDP | 123 | NTP | NTP server (can be Trend Micro Control Manager server) | Accurate time for SSL or TLS connections, schedules, and event logs. | Yes (configure in the operating system) | No |
| UDP | 162 | SNMP | SNMP manager | Traps for events. | Yes | No |
| TCP | 389 | LDAP | Microsoft Active Directory server | Discovery of and (optionally) synchronization of computer groups in the directory. | Yes | No |
| TCP | 389 | HTTPS | AWS Marketplace, Microsoft Azure Marketplace, and other clouds | Communication with cloud accounts to retrieve a list of computers. | No | Yes |
| TCP | 443 | HTTPS | news.deepsecurity.trendmicro.com | Deep Security news feed | No | Yes |
| TCP | 443 | HTTPS | NSX Manager | Communication to VMware NSX Manager. | Yes | No |
| TCP | 443 | HTTPS | vCenter server | Communication to VMware vCenter server. | Yes | No |
| TCP | 443 | HTTPS | ESXi server | Communication to VMware ESXi server. | No | |
| UDP | 514 | Syslog | SIEM or log server | External logging and reporting. | Yes | No |
| TCP | 636 | LDAPS | Microsoft Active Directory server | Discovery and (optionally) synchronization of computer groups in the directory. Import and (optionally) synchronization of user groups, including contacts and passwords. | Yes | No |
| TCP | 1433 | SQL | Microsoft SQL database | Deep Security Manager application to its storage. Although it is not visible from the GUI, you can configure an encrypted database connection. | Yes | No |
| TCP | 1521 | SQL | Oracle database | Deep Security Manager application to its storage. Although it is not visible from the GUI, you can configure an encrypted database connection. | Yes | No |
| TCP | 5432 | SQL | PostgreSQL database | Deep Security Manager application to its storage. Although it is not visible from the GUI, you can configure an encrypted database connection. | Yes | No |
| TCP | 11000-11999, 14000-14999 | SQL | Azure SQL Database | If your Deep Security Manager runs inside the Azure cloud boundary, it uses a direct route to interact with the Azure SQL Database server. For more information, see https://docs.microsoft.com/en-us/azure/sql-database/sql-database-develop-direct-route-ports-adonet-v12. This is only required when using Azure SQL Database with Deep Security Manager deployed on Azure, for example, the Deep Security Manager VM for Azure Marketplace. | No | No |
| TCP | 4118 | HTTPS | Agent/Appliance | Manager to Agent/Appliance heartbeat. Send events and get configuration updates from the Manager. See also Agent-manager communication. Depending on your deployment type, you may be able to close port 4118, and only use agent-initiated heartbeats. | Yes | No |
| TCP | 4122 | HTTPS | Relay | Security package updates such as anti-malware engine and signatures via a Deep Security Relay. Alternatively, the Deep Security Manager can connect directly to the Trend Micro Active Update servers. See also Agent-manager communication. | Yes | Yes |
| TCP, UDP | All | All | Agent/Appliance | Port scan to detect open (listening) ports on computers. | Yes | No |

Deep Security Relay ports


Relays require all of the ports for an agent and these port numbers. (See Deep Security Agent ports.)
Incoming (listening)

| Transport Protocol | Destination Port Number | Service | Source | Purpose | Configurable? | Proxy configurable? |
|---|---|---|---|---|---|---|
| TCP | 4122 | HTTPS | Manager, Agent, Appliance, or Relay | Relay-to-Relay communication and Agent-to-Relay communication for synchronizing Deep Security Agent software installers and security package updates such as anti-malware engine and signatures. Manager, agent, or appliance downloading security package updates such as anti-malware engine and signatures from Relay. See also Agent-manager communication. | Yes | Yes* (See Note.) |
| TCP | 4123 | | Localhost Relay | Communication of Agent to its own integrated Relay. This port should not be listening to connections from other computers, and you don't need to configure it in network firewall policies. But if you have a host firewall on the Deep Security Manager server itself, verify that it does not block this connection to itself. Also verify that other applications do not use the same port (a port conflict). | No | No |
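
The two host-level checks described for port 4123 (it should listen only for local connections, and no other application should hold an agent or relay port) can be scripted. This is an added example, not Trend Micro code: it parses the output of ss -H -ltnp, the sample input is constructed, and the owning process name in EXPECTED is an assumption to adjust for your installation.

```python
import ipaddress
import re

# Constructed sample of `ss -H -ltnp` output (run ss as root so owners are shown).
SAMPLE_SS = '''\
LISTEN 0 128 0.0.0.0:4118 0.0.0.0:* users:(("ds_agent",pid=812,fd=9))
LISTEN 0 128 0.0.0.0:4123 0.0.0.0:* users:(("ds_agent",pid=812,fd=12))
LISTEN 0 511 [::]:4122 [::]:* users:(("nginx",pid=640,fd=6))
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=700,fd=5))
'''

# Default listening ports from the Agent and Relay "Incoming" tables.
# The owning process name is an assumption, not taken from this page.
EXPECTED = {4118: "ds_agent", 4122: "ds_agent", 4123: "ds_agent"}
LOOPBACK_ONLY = {4123}  # Agent to its own integrated Relay

def parse_listeners(ss_output):
    """Yield (host, port, process-or-None) for each listening TCP socket."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        owner = re.search(r'users:\(\("([^"]+)"', line)
        yield host.strip("[]").split("%")[0], int(port), owner and owner.group(1)

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # "*" and other wildcard forms are not loopback
        return False

def audit(ss_output, expected=EXPECTED, loopback_only=LOOPBACK_ONLY):
    """Return sorted (port, finding) pairs for the expected ports."""
    findings, seen = set(), set()
    for host, port, proc in parse_listeners(ss_output):
        if port not in expected:
            continue
        seen.add(port)
        if proc is not None and proc != expected[port]:
            findings.add((port, f"conflict: held by {proc}"))
        if port in loopback_only and not is_loopback(host):
            findings.add((port, f"exposed: bound to {host}"))
    findings.update((p, "not listening") for p in expected if p not in seen)
    return sorted(findings)

if __name__ == "__main__":
    for port, finding in audit(SAMPLE_SS):
        print(port, finding)
```
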

Outgoing

| Transport Protocol | Destination Port Number | Service | Destination | Purpose | Configurable? | Proxy configurable? |
|---|---|---|---|---|---|---|
| TCP | 80 or 443 | HTTP or HTTPS | Trend Micro Active Update: https://iaus.activeupdate.trendmicro.com/, https://ipv6-iaus.trendmicro.com | Security package updates such as anti-malware engine and signatures. Alternatively, use another relay. | Yes | Yes (SOCKS support) |
| TCP | 4122 | HTTPS | Relay | Relay-to-Relay communication for synchronizing Deep Security Agent software installers and security components such as anti-malware engine and signatures. See also Agent-manager communication. | Yes | Yes* (See Note.) |

Deep Security Agent ports

Incoming (listening ports)

| Transport Protocol | Destination Port Number | Service | Source | Purpose | Configurable? | Proxy configurable? |
|---|---|---|---|---|---|---|
| TCP | 22 | SSH | Manager, deployment tools such as RightScale, Chef, Puppet, Ansible and SSH | Remote installation of the agent (Linux only). | No | No |
| TCP | 4118 | HTTPS | Manager | Manager to agent or appliance heartbeat. Send events and get configuration updates from the Manager. See also Agent-manager communication. | Yes | No |
| TCP | 3389 | RDP | Manager | Remote installation of the agent (Windows only). | No | No |
| TCP | 5985 | WinRM HTTP | deployment tools such as RightScale, Chef, Puppet, and Ansible | Remote installation of the agent (Windows only). | Yes (configure in the operating system) | Yes (configure in the operating system) |

Outgoing

| Transport Protocol | Destination Port Number | Service | Destination | Purpose | Configurable? | Proxy configurable? |
|---|---|---|---|---|---|---|
| UDP | 53 | DNS | DNS server | Domain name resolution of the Deep Security Manager, Trend Micro Smart Protection Servers, and others. | Yes (configure in the operating system) | Yes (configure in the operating system) |
| TCP | 80 | HTTP | Good File Reputation Service. 11.0 and 11.1: deepsec11-en.gfrbridge.trendmicro.com, deepsec11-jp.gfrbridge.trendmicro.com. 10.2 and 10.3: deepsec102-en.gfrbridge.trendmicro.com, deepsec102-jp.gfrbridge.trendmicro.com, deepsec102-cn.gfrbridge.trendmicro.com. 10.1 and 10.0: deepsec10-en.grid-gfr.trendmicro.com, deepsec10-jp.grid-gfr.trendmicro.com, deepsec10-cn.grid-gfr.trendmicro.com | Communicates with the Good File Reputation Service during file scans started by Behavior Monitoring. | No | Yes (SOCKS support) |
| TCP | 80 | HTTP | File Census. 11.0 and 11.1: ds1100-en-census.trendmicro.com, ds1100-jp-census.trendmicro.com. 10.2 and 10.3: ds1020-en-census.trendmicro.com, ds1020-sc-census.trendmicro.com, ds1020-jp-census.trendmicro.com. 10.1 and 10.0: ds1000-en.census.trendmicro.com, ds1000-jp.census.trendmicro.com, ds1000-sc.census.trendmicro.com, ds1000-tc.census.trendmicro.com | Communicates with the Global Census Server during file scans started by Behavior Monitoring. | No | Yes (SOCKS support) |
| TCP | 80 or 443 | HTTP or HTTPS | Trend Micro Download Center or web server: files.trendmicro.com | Deep Security Agent/Appliance installer downloads. | Yes (append port number to URL) | No |
| TCP | 80 or 443 | HTTP or HTTPS | Trend Micro Active Update: https://iaus.activeupdate.trendmicro.com/, https://ipv6-iaus.trendmicro.com | Security package updates such as anti-malware engine and signatures. Alternatively, use a relay. | Yes | Yes (SOCKS support) |
| TCP | 80 or 443 | HTTP or HTTPS | Web server | Connectivity test to determine context (whether the computer is on the private network or not) for policies | Yes | No |
| TCP | 80 or 443 | HTTP or HTTPS | Predictive machine learning. 11.0 and 11.1: ds110-en-f.trx.trendmicro.com, ds110-jp-f.trx.trendmicro.com, ds110-sc-f.trx.trendmicro.com. 10.2 and 10.3: ds102-en-f.trx.trendmicro.com, ds102-jp-f.trx.trendmicro.com, ds102-sc-f.trx.trendmicro.com | Communicates with the Global Machine Learning Server during real-time file scans | No | Yes (SOCKS support) |
| TCP | 80 or 443 | HTTP or HTTPS | Trend Micro Smart Protection Network. 11.0 and 11.1: ds110.icrc.trendmicro.com, ds110-jp.icrc.trendmicro.com. 10.2 and 10.3: ds102.icrc.trendmicro.com, ds102-jp.icrc.trendmicro.com, ds102-sc.icrc.trendmicro.com.cn. 10.1 and 10.0: ds10.icrc.trendmicro.com, ds10.icrc.trendmicro.com/tmcss/, ds10-jp.icrc.trendmicro.com/tmcss/, ds10-sc.icrc.trendmicro.com/tmcss/ | File reputation service and Smart Protection feedback. Alternatively, you can connect to a Smart Protection Server on your local network, or a Smart Protection Server on AWS. | Yes | Yes |
| TCP | 80 or 443 | HTTP or HTTPS | Smart Protection Server | File reputation service. You can connect to a Smart Protection Server on your local network, or a Smart Protection Server on AWS. | Yes | Yes |
| UDP | 123 | NTP | NTP server (can be Trend Micro Control Manager server) | Accurate time for SSL or TLS connections, schedules, and event logs. | Yes (configure in the operating system) | No |
| TCP | 443 | HTTPS | Manager | Discovery and Agent/Appliance activation. Agent or appliance to Manager heartbeat. Receives events and provides configuration updates to them. See also Agent-manager communication. Agent-to-relay communication for Deep Security Agent software installers and security package updates such as anti-malware engine and signatures. | Yes | Yes* (See Note.) |
| UDP | 514 | Syslog | SIEM or log server | External logging and reporting. This is only used if you want the agents to send directly to an external SIEM, instead of uploading event logs to the Deep Security Manager. | Yes | No |
| TCP | 5274 | HTTPS | Trend Micro Smart Protection Network. 11.0 and 11.1: ds11-0-en.url.trendmicro.com, ds11-0-jp.url.trendmicro.com. 10.2 and 10.3: ds10-2-en.url.trendmicro.com, ds10-2-sc.url.trendmicro.com.cn, ds10-2-jp.url.trendmicro.com. 10.1 and 10.0: ds100-en.url.trendmicro.com, ds100-sc.url.trendmicro.com, ds100-jp.url.trendmicro.com | Web reputation service. Alternatively, you can connect to a Smart Protection Server on your local network, or a Smart Protection Server on AWS. | Yes | Yes |
| TCP | 5274 | HTTPS | Smart Protection Server | Web reputation service. You can connect to a Smart Protection Server on your local network, or a Smart Protection Server on AWS. | Yes | No |

Note: In Deep Security Agent 10.0 GM and earlier, agents didn't have support for connections through a proxy to relays. You must either:

- update agents' software (see Get Deep Security Agent software), then configure the proxy (see Connect agents behind a proxy)
- bypass the proxy
- change the application control rulesets relay setting as a workaround
