
ArcSight Ports & Protocols Guide

This document lists the ports and protocols used by ArcSight products including ESM, ESM Express, Express, Investigate, User Behavior Analytics, Logger, Event Broker, Management Center, SmartConnectors, and other related tools. It provides information on source devices, destination devices, ports, and notes for each product component for network configuration and firewall rules. The document covers communication between on-premise and SaaS ArcSight tools as well as external connections to DNS, SMTP, POP3, IMAP, RADIUS, and LDAP servers.

Uploaded by

Sezer Özavcı
Copyright: © All Rights Reserved

ArcSight

Ports and Protocols

November 13, 2017


Contents
Overview
ESM & ESM Express (v6.11.0)
ESM & Express (v6.X/v4.X)
Investigate (v2.0) and Event Broker (v2.10)
User Behavior Analytics (v5.0)
Logger (v6.X)
Management Center (v2.X)
SmartConnectors
Model Import Connectors
SmartConnector Load Balancer
Integrated Lights-Out (iLO)
Connector Appliance (v6.X)
DNS Malware Analytics (SaaS/Cloud)
Network Synergy Platform (v5.X)
Micro Focus Trademark Information
Company Details

Overview
This document describes the ports and protocols most commonly used by ESM, ESM Express, Express,
Investigate, User Behavior Analytics, Logger, Event Broker, Management Center, SmartConnectors, Model
Import Connectors, SmartConnector Load Balancer, Connector Appliance, DNS Malware Analytics, Network
Synergy Platform, and Integrated Lights-Out (iLO).

ESM & ESM Express (v6.11.0)


| Source Device | Destination Device | Destination Port | Notes |
|---|---|---|---|
| ESM Manager | | TCP 1976, 28001, 2812, 3306, 5555, 6005, 6009, 7777, 7778, 7779, 7780, 8005, 8009, 8080, 8088, 8089, 8666, 8766, 8808, 8880, 8888, 8889, 9095, 9090, 9123, 9124, 9999, 45450 | TCP ports used internally for inter-component communication and data exchange between the threads comprising the ESM Manager. They do not require external access, won't be used for any cross-device communication, and can be blocked by an external firewall. |
| ESM Manager | | TCP 9000 | Peering requires this port |
| | ESM Manager | 22/TCP | Inbound SSH log in (Unix only) |
| ESM Manager | ESM Manager | 53/UDP | Inbound/Outbound DNS requests and responses |
| | ESM Manager | 8443/TCP | Inbound SmartConnectors and Consoles |
| ESM Manager | | 25/TCP | Outbound SMTP to mail server |
| ESM Manager | | 110/TCP | Outbound POP3 to mail server, if applicable |
| ESM Manager | | 143/TCP | Outbound IMAP to mail server, if applicable |
| ESM Manager | ESM Manager | 1645/UDP | Inbound/Outbound RADIUS, if applicable |
| ESM Manager | ESM Manager | 1812/UDP | Inbound/Outbound RADIUS, if applicable |
| ESM Manager | | 389/TCP | Outbound LDAP to LDAP server, if applicable |
| ESM Manager | | 636/TCP | Outbound LDAP over SSL to LDAP server, if applicable |
| ESM Manager | ESM Manager | TCP/7789, UDP/694 | The HA Module uses ports 694 and 7789 on each IP address in the cluster environment. |
| ESM Manager (the primary IP address; the secondary IP address) | ESM Manager (the primary IP address; the secondary IP address; the Service IP address; to the Connected Host) | ICMP | The HA Module. A Connected Host is any other machine on the network that you have indicated can be pinged by the HA Module to verify that it is still on the network. |
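
A check a defender can run against the table above, as an added example that is not part of the ArcSight guide: it reads `ss -tlnH` listener output from an ESM Manager host and flags any internal port that is bound to a non-loopback address, since those are the ones the external firewall has to block. The port sets are copied from the table; the sample listener lines and the function names are constructed for illustration.

```python
"""Audit TCP listeners on an ESM Manager (v6.11.0) host against the port table.

Added example, not ArcSight code. Input is the text produced by `ss -tlnH`
(Linux iproute2: listening TCP sockets, numeric, no header line).
"""
import ipaddress

# Internal inter-component ports, copied from the ESM 6.11.0 table.
ESM_INTERNAL_TCP = frozenset({
    1976, 28001, 2812, 3306, 5555, 6005, 6009, 7777, 7778, 7779, 7780,
    8005, 8009, 8080, 8088, 8089, 8666, 8766, 8808, 8880, 8888, 8889,
    9095, 9090, 9123, 9124, 9999, 45450,
})
# TCP ports the table lists for traffic between hosts:
# SSH (22), SmartConnectors and Consoles (8443), peering (9000), HA Module (7789).
ESM_EXTERNAL_TCP = frozenset({22, 8443, 9000, 7789})

# Constructed sample of `ss -tlnH` output (not captured from a real system).
SAMPLE_SS = """\
LISTEN 0 128    0.0.0.0:22        0.0.0.0:*
LISTEN 0 100          *:8443            *:*
LISTEN 0 80   127.0.0.1:3306      0.0.0.0:*
LISTEN 0 50     0.0.0.0:9999      0.0.0.0:*
LISTEN 0 50        [::]:8080         [::]:*
LISTEN 0 50       [::1]:5555         [::]:*
LISTEN 0 50 [::ffff:127.0.0.1]:9123    *:*
LISTEN 0 5   10.0.0.15:5901      0.0.0.0:*
"""


def parse_listeners(ss_text):
    """Yield (bind_address, port) for each LISTEN line of `ss -tlnH` output."""
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        # Drop IPv6 brackets and any %interface scope suffix.
        host = host.strip("[]").split("%", 1)[0]
        yield host, int(port)


def is_loopback(host):
    """True when the bind address cannot be reached from another machine."""
    if host in ("*", ""):
        return False  # wildcard bind: listens on every interface
    addr = ipaddress.ip_address(host)
    mapped = getattr(addr, "ipv4_mapped", None)  # handles ::ffff:127.0.0.1
    return (mapped if mapped is not None else addr).is_loopback


def audit(ss_text):
    """Sort listeners into the findings a firewall reviewer cares about."""
    report = {"internal_exposed": [], "internal_loopback": [], "undocumented": []}
    for host, port in parse_listeners(ss_text):
        if port in ESM_INTERNAL_TCP:
            key = "internal_loopback" if is_loopback(host) else "internal_exposed"
        elif port in ESM_EXTERNAL_TCP:
            continue  # documented cross-host service; allowed per the table
        else:
            key = "undocumented"
        report[key].append((host, port))
    # De-duplicate and order by port number for stable output.
    return {k: sorted(set(v), key=lambda hp: hp[1]) for k, v in report.items()}


if __name__ == "__main__":
    for finding, sockets in audit(SAMPLE_SS).items():
        print(f"{finding}: {sockets}")
```

Entries under `internal_exposed` depend entirely on the external firewall rule for protection; `undocumented` listeners are not in this table and need their own justification.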

ESM & Express (v6.X/v4.X)


| Source Device | Destination Device | Destination Port | Notes |
|---|---|---|---|
| Workstation | ESM/ESM Express Manager | TCP 8443 | Console to ESM/ESM Express Manager communication. |
| Workstation | Express/ESM Manager | TCP 22 | SSH access for troubleshooting and diagnostics. |
| Workstation | DNS Server(s) | UDP/TCP 53 | Console to DNS server communication (nslookup tool). Host resolution of ESM/ESM Express Manager during Console login. |
| Workstation | Whois Server(s) | UDP/TCP 43 | Console to Whois server communication (whois tool). |
| Workstation | Selected Destination/Target in Console | ICMP | Console to target communication (ping tool). |
| Workstation | ArcSight Web | TCP 9443 | Web browser to ArcSight Web communication. |
| ESM/ESM Express Manager | NTP Server(s) | UDP 123 | ESM/ESM Express Manager to NTP server (for time synchronization). |
| ESM/ESM Express Manager | DNS Server(s) | UDP/TCP 53 | ESM/ESM Express Manager to DNS server communication (nslookup tool). |
| ESM/ESM Express Manager | SMTP Server(s) | TCP 25 | ESM/ESM Express Manager to SMTP server (for notifications). |
| ESM/ESM Express Manager | POP3 Server(s) | TCP 110 | ESM/ESM Express Manager to POP3 server (for notifications, if applicable). |
| ESM/ESM Express Manager | IMAP Server(s) | TCP 143 | ESM/ESM Express Manager to IMAP server (for notifications, if applicable). |
| ESM/ESM Express Manager | SNPP Server(s) | TCP 444 | ESM/ESM Express Manager to SNPP server (for notifications, if applicable). |
| ESM/ESM Express Manager | LDAP Server(s) | TCP 389 or 636 | ESM/ESM Express Manager to LDAP server (if applicable). TCP 389 without SSL; TCP 636 with SSL. |
| ESM/ESM Express Manager | RADIUS Server(s) | UDP 1645 or 1812 | ESM/ESM Express Manager to RADIUS server (if applicable). |
| Connector Appliance SmartConnectors, Logger SmartConnectors, and SmartConnectors | ESM/ESM Express Manager | TCP 8443 | SmartConnector to ESM/ESM Express Manager secure and encrypted event channel. |
| ESM/ESM Express Manager | Logger | TCP 443 | Allows you to receive events from a source ESM/ESM Express Manager installation and send them to a secondary destination (Forwarding Connector). |
| ESM/ESM Express Manager | ESM/ESM Express Manager | TCP 8443 | Allows you to receive events from a source ESM/ESM Express Manager installation and send them to a secondary destination (Forwarding Connector). |
| ESM/ESM Express Manager | Syslog Server(s) | UDP/TCP 514 | Allows you to receive events from a source ESM/ESM Express Manager installation and send them to a secondary destination (Forwarding Connector). |
| ESM/ESM Express Manager | McAfee ePolicy Orchestrator | TCP 1433 | Allows you to receive events from a source ESM/ESM Express Manager installation and send them to a secondary destination (Forwarding Connector). |
| Web Service Client | ESM/ESM Express Manager | TCP 9090 | The ESM/ESM Express Service Layer is available and exposes functionalities as Web Services. By consuming the exposed Web Services, you can integrate ESM/ESM Express functionality in your own applications. |
| Express Manager | | TCP 9001 | Remote Connector Management listening port. |
| Express Manager | | TCP 9002 | Remote Connector Management listening port. |
| Express Manager | | TCP 6443 | Connector Management. |
| ESM 6.8c Manager | | TCP 8443, 9443, 9000 | These TCP ports are used for external incoming connections. |
| ESM 6.8c Manager | | TCP 1976, 28001, 2812, 3306, 5555, 6005, 6009, 6443, 7777, 7778, 7779, 7780, 8005, 8009, 8080, 8088, 8089, 8666, 8766, 8808, 8880, 8888, 8889, 9000, 9001, 9002, 9003, 9004, 9005, 9006, 9007, 9008, 9095, 9090, 9123, 9124, 9999, 45450 | These TCP ports are used internally for inter-component communication by ESM 6.8c. |
| ESM 6.8c Manager | | TCP 6060, 9005, 9009, 1099 | Risk Insight |
| ESM 6.8c Manager | | TCP 8081, 6005, 8444, 6410, 6400 | Risk Insight (BusinessObjects) |
| ESM 6.8c Manager | | TCP 7789, UDP 694 | Each of the High Availability servers uses these ports in addition to those used by ESM. |

Investigate (v2.0) and Event Broker (v2.10)

| Source Device | Destination Device | Destination Port | Notes |
|---|---|---|---|
| All Vertica nodes | All Vertica nodes | TCP 22 | SSH is needed for deployment of Vertica to all Vertica nodes. |
| All Event Broker nodes | All Event Broker nodes | TCP 22 | SSH is needed for deployment of Event Broker using the ArcSight Installer. |
| Workstation | Event Broker Master Node | TCP 5443 | Web interface to the ArcSight Installer. |
| All Event Broker nodes, consumers, and producers | All Event Broker nodes, consumers, and producers | TCP 9092, TCP 9093 | Port 9092 must be reachable by all Event Broker nodes, consumers, and producers. If you are using TLS, port 9093 must also be reachable. Producers are SmartConnectors. Consumers are Vertica with Investigate, Logger, and ESM. |
| ArcMC | All Event Broker nodes | TCP 38080, TCP 5443 | ArcMC Management of Event Broker |
| All Event Broker nodes | ArcMC | TCP 443 | ArcMC Management of Event Broker (when ArcMC is installed as root) |
| All Event Broker nodes | ArcMC | TCP 9000 | ArcMC Management of Event Broker (when ArcMC is installed as a non-root user) |
| Investigate node | All Vertica nodes | TCP 5433 | Investigate to Vertica communication |

User Behavior Analytics (v5.0)

| Source Device | Destination Device | Destination Port | Notes |
|---|---|---|---|
| UBA Server | UBA Server | TCP 3306 | Port for MySQL |
| Workstation | UBA Server | TCP 8080 (http), TCP 8443 (https) | Tomcat Application Server Port |
| UBA Server | | TCP 22 | SSH |
| UBA Server | | TCP 20 & 21 | FTP |
| UBA Server | MSFT SMTP Gateway | TCP 25 & 465 | SMTP notifications (email alerts from the application) |
| UBA Server | | TCP/UDP 53 | DNS host name lookup – DNS is used for name lookup and event enrichment |
| | | UDP 67 | DHCP/bootstrap protocol server is not needed when static IP addressing is used |
| UBA Server | | UDP 514 | A syslog server set up; alternate ports can be configured, for example if forwarding events from Logger |
| UBA Server | | ICMP Type 8 | Server monitoring |
| UBA Server | Identity Store | TCP 389, TCP 636 | Connectivity varies by identity store, for example, for Active Directory |
| UBA Master/Child | UBA Master/Child | TCP 3306 & 8443 | Master/Child communication uses ports 3306/8443 (HTTPS) |

Logger (v6.X)

| Source Device | Destination Device | Destination Port | Notes |
|---|---|---|---|
| Logger | | TCP 1976, 2812, 3306, 5555, 7777, 7778, 7779, 7780, 8005, 8009, 8080, 8088, 8089, 8666, 8808, 8880, 8888, 8889, 9123, 9124, 9999, 45450 | TCP ports used internally for inter-component communication and data exchange between the threads comprising Logger. They do not require external access, won't be used for any cross-device communication, and can be blocked by an external firewall. |
| Workstation | Logger | TCP 443 or 9000 | Web browser to Logger communication. For root installs, allow access to port 443/tcp as well as the ports for any protocol that the Logger receivers need, such as port 514/udp for the UDP receiver and port 515/tcp for the TCP receiver. For non-root installs, allow access to port 9000/tcp as well as the ports for any protocol that the Logger receivers need, such as port 8514/udp for the UDP receiver and port 8515/tcp for the TCP receiver. |
| Workstation | Logger | TCP 22 | SSH access for troubleshooting and diagnostics. |
| Logger | NTP Server(s) | UDP 123 | Logger to NTP server (for time synchronization). |
| Logger | DNS Server(s) | UDP/TCP 53 | Logger to DNS server communication. |
| Logger | SMTP Server(s) | TCP 25 | Logger to SMTP server (for notifications). |
| Logger | Syslog Server(s) | UDP/TCP 514 | Logger to syslog server (for notifications). |
| Logger | SNMP Server(s) | UDP 162 | Logger to SNMP server (for notifications). |
| Logger | RADIUS Server(s) | UDP 1645 or 1812 | Logger to RADIUS server (when Logger is configured to use RADIUS password authentication). |
| Logger | NFS Server(s) | TCP 111, UDP 111, TCP 2049, UDP 2049, TCP 2219, UDP 2219 | Allows Logger to connect to servers via NFS for event archiving and search export. |
| Logger | CIFS Server(s) | TCP 445 | Allows Logger to connect to servers via CIFS for event archiving and search export. |
| Logger | NFS Server(s) | TCP 111, UDP 111, TCP 2049, UDP 2049, TCP 2219, UDP 2219 | Allows Logger File Receivers to read log files from NFS servers. Allows Logger SmartConnectors (L3500) to read logs from NFS servers. |
| Logger | CIFS Server(s) | TCP 445 | Allows Logger File Receivers to read log files from CIFS servers. Allows Logger SmartConnectors (L3500) to read logs from CIFS servers. |
| Logger | SCP, SFTP, FTP Server(s) | TCP 22 (SCP, SFTP), TCP 20 & 21 (FTP) | Allows Logger File Transfer Receiver to read remote log files using SCP, SFTP or FTP protocols. |
| Syslog Event Sources | Logger | UDP 514 or 8514 | The UDP receiver is on port 514/udp for Logger Appliances. If you are installing Software Logger as root, the UDP receiver is on port 514/udp. For non-root installs, it is on port 8514/udp. If this port is already occupied, the initialization process selects the next higher unoccupied port. |
| Syslog Event Sources | Logger | TCP 515 or 8515 | The TCP receiver is on port 515/tcp for Logger Appliances. If you are installing Software Logger as root, the TCP receiver is on port 515/tcp. For non-root installs, it is on port 8515/tcp. If this port is already occupied, the initialization process selects the next higher unoccupied port. |
| SmartConnectors | Logger | TCP 443 or 9000 | The SmartMessage receiver listens on the same port as the User Interface, 443/tcp on Logger appliances, and typically 443/tcp on Software Logger installed as root, and 9000/tcp on Software Logger installed as non-root. The Software Logger ports may vary. |
| Logger | ESM/ESM Express Manager | TCP 8443 | Used to forward audit events from Logger to the ESM/ESM Express Manager. |
| Logger | ESM/ESM Express Manager and/or Syslog Server(s) | TCP 8443 (ESM/ESM Express Manager), UDP/TCP 514 | Used to send all events, or events which match a particular filter, on to a particular host. |
| Logger | SCP Server | TCP 22 (SCP) | Allows backup of Logger configuration to remote host. |
| ArcMC Agent | Logger | TCP 7913 | ArcMC Agent |

Management Center (v2.X)


| Source Device | Destination Device | Destination Port | Notes |
|---|---|---|---|
| ArcMC Appliance | | TCP 21, TCP 22, TCP 443, TCP 7913, TCP 9001, TCP 9002, TCP 9003, TCP 9004, TCP 9005, TCP 9006, TCP 9007, TCP 9008, UDP 123 | The ArcSight Management Center Appliance (v2.5+) includes a script that you can use to configure the firewall. This script looks at your current ArcSight Management Center configuration and decides what ports to keep open. Alternatively, you can configure the firewall on your appliance as you would on any server, by editing iptables-config and white-listing the appropriate ports. |
| Workstation | ArcMC | TCP 443 (when installed as root), TCP 9000 (when installed as non-root user) | Web browser to ArcMC communication. |
| Workstation | ArcMC | TCP 22 | SSH access for troubleshooting and diagnostics. |
| ArcMC | ArcMC/Logger/Connector Appliance | TCP 443 (when installed as root), TCP 9000 (when installed as non-root user) | Managing ArcMC/Logger/Connector Appliance |
| ArcMC | NTP Server(s) | UDP 123 | ArcMC to NTP server (for time synchronization). |
| ArcMC | DNS Server(s) | UDP/TCP 53 | ArcMC to DNS server communication (for IP/hostname resolution) |
| ArcMC | SMTP Server(s) | TCP 25 | ArcMC to SMTP server (for notifications). |
| ArcMC | RADIUS Server(s) | UDP 1645 or 1812 | ArcMC to RADIUS server (for external authentication). |
| ArcMC | LDAP Server(s) | TCP 389 or 636 | ArcMC to LDAP server (for external authentication). TCP 389 without SSL; TCP 636 with SSL. |
| ArcMC | SCP Server | TCP 22 | Allows backup of ArcMC configuration to a remote host. |
| ArcMC | ArcMC local syslog SmartConnector | UDP/TCP 514 | Used for audit forwarding from ArcMC to the ArcMC local syslog SmartConnector. |
| ArcMC SmartConnectors | ESM/ESM Express Manager | TCP 8443 | ArcMC SmartConnectors to ESM/ESM Express Manager secure and encrypted event channel. |
| ArcMC SmartConnectors | Logger | TCP 443 | ArcMC SmartConnectors to Logger SmartMessage secure and encrypted event channel. |
| ArcMC local syslog SmartConnector | ESM/ESM Express Manager | TCP 8443 | Used for audit forwarding from the ArcMC local syslog SmartConnector to ESM/ESM Express Manager secure and encrypted event channel. |
| ArcMC local syslog SmartConnector | Logger | TCP 443 | Used for audit forwarding from ArcMC local syslog SmartConnector to Logger SmartMessage secure and encrypted event channel. |
| ArcMC | SmartConnectors | TCP 9001-9008 | Allows ArcMC to manage remote SmartConnectors (appliance and/or software). |
| ArcMC | NFS Server(s) | UDP/TCP 111, TCP 2049, UDP 2049, TCP 2219, UDP 2219 | Allows SmartConnectors to read logs from NFS servers. |
| ArcMC | CIFS Server(s) | TCP 445 | Allows SmartConnectors to read logs from CIFS servers. |
| ArcMC | marketplace.saas.hpe.com | TCP 443 | Connection to the ArcSight Marketplace for retrieving parser upgrade versions. |

SmartConnectors

| Source Device | Destination Device | Destination Port | Notes |
|---|---|---|---|
| SmartConnector | DNS Server(s) | UDP/TCP 53 | SmartConnector to DNS server communication. |
| Connector Appliance SmartConnectors or SmartConnectors | ESM/ESM Express Manager | TCP 8443 | SmartConnector to ESM/ESM Express Manager secure and encrypted event channel. |
| Connector Appliance SmartConnectors or SmartConnectors | Logger | TCP 443 | SmartConnector to Logger SmartMessage secure and encrypted event channel. |
| Connector Appliance | SmartConnectors | TCP 9001 | Allows Connector Appliance to manage remote SmartConnectors (appliance and/or software). |
| Forwarding Connector | ESM/ESM Express Manager | TCP 8443 | Allows you to receive events from a source ESM/ESM Express Manager installation and send them to a secondary destination. |
| Forwarding Connector | Logger | TCP 443 | Allows you to receive events from a source ESM/ESM Express Manager installation and send them to a secondary destination. |
| Forwarding Connector | Syslog Server(s) | UDP/TCP 514 | Allows you to receive events from a source ESM/ESM Express Manager installation and send them to a secondary destination. |
| Forwarding Connector | McAfee ePolicy Orchestrator | TCP 1433 | Allows you to receive events from a source ESM/ESM Express Manager installation and send them to a secondary destination. |
| Syslog Event Sources | SmartConnector | UDP/TCP 514 | All products that send events via syslog. |
| SNMP Event Sources | SmartConnector | UDP 162 | All products that send events via SNMP. |
| Microsoft Windows Event Log – Unified | Windows Servers and Workstations | TCP 445 | This SmartConnector can connect to local or remote machines, inside a single domain or from multiple domains, to retrieve events from all types of event logs. |
| Windows Domain (Legacy) | Windows Servers | TCP 135, 139, 445; UDP 137, 138 | The Windows Domain SmartConnector will use RPC and Remote Registry to connect to the server and poll the Windows Event Log. This SmartConnector requires domain privileges and domain membership. |
| Check Point | Check Point Provider-1 (configure for each CMA) | TCP 18184 | The Check Point SmartConnector will connect to Provider-1 using Log Export API (LEA) using SSLCA and OPSEC will need to be configured per CMA. |
| Check Point | Check Point Provider-1 or Smart Center | TCP 18210 | Allows SmartConnector to pull OPSEC SSL certificate. |
| Oracle | Oracle Server | TCP 1521 | The SmartConnector establishes connectivity to the database. |
| Microsoft SQL Server | Microsoft SQL Server | TCP 1433; TCP 139, 445; UDP 135, 139, 445 | The SmartConnector establishes connectivity to the database and reads audit trace logs simultaneously. Trace files are not a requirement with some products reporting to Microsoft SQL Server. |
| MySQL | MySQL Server | TCP 3306 | The SmartConnector establishes connectivity to the database. |
| Blue Coat | Server hosting Blue Coat SmartConnector and FTP server | TCP 20, TCP 21 | Allows Blue Coat to send logs to server hosting Blue Coat SmartConnector over FTP and FTP-Data. |
| Sourcefire | Sourcefire Defense Center Server | TCP 8302 | SSL connection for the Defense Center eStreamer protocol. |
| WinC host / winc-agent.exe | WinC host / Java.exe | TCP/61616 | SmartConnector for Microsoft Windows Event Log – Native. Port 61616 is used for Message Queue service to communicate between the standard connector code of WinC and its agent code in C#, winc-agent. The port can be configured if needed, for example when more than one WinC is installed on the same server, the port number should be modified by adding mq.server.listener.port to agent.properties. By default, this is set to 61616 in agent.default.properties. Copy the value to agent.properties and change the port number. |
| WinC host / winc-agent.exe | Server to collect events from | TCP/135 | SmartConnector for Microsoft Windows Event Log – Native |
| Server to collect events from | WinC host / winc-agent.exe | Vary. Default TCP/49153 | SmartConnector for Microsoft Windows Event Log – Native. WinC and the server to collect events from negotiate the port to use. Ephemeral TCP port range: 49152-65535; 1025-5000 |

The third-party SmartConnector types listed above are some of the most common SmartConnectors
deployed. For any third-party SmartConnector not listed, please refer to the “SmartConnector Configuration
Guide” for information on the ports and protocols used.

Model Import Connectors


| Source Device | Destination Device | Destination Port | Notes |
|---|---|---|---|
| Model Import Connector for Reputation Security Monitor Plus 1.6 | ns.glbs.zvelo.com | TCP 443 | A component of Reputation Security Monitor Plus which retrieves reputation data from the threat intelligence service, processes this data, and forwards it to ESM/ESM Express. |
| Model Import Connector for Reputation Security Monitor 1.5 | tmc.tippingpoint.com, d.tippingpoint.com, *.akamai.net, *.akamai.com | TCP 443 | A component of Reputation Security Monitor which retrieves reputation data from the threat intelligence service (powered by DVLabs), processes this data, and forwards it to ESM/ESM Express. tmc.tippingpoint.com is the application server that provides the Web Service. The Web Service provides a URL to d.tippingpoint.com to the client from which the actual data is downloaded as files. Since d.tippingpoint.com is a cloud service (Akamai based), the underlying IP addresses are subject to change all the time and therefore only domain based filtering can be used between the Model Import Connector and the Internet and not IP based filtering. |
| Model Import Connector for IdentityView | Active Directory | TCP 389 or 636 | The Model Import Connector for Microsoft Active Directory extracts the user identity information (or Actor data) from the Active Directory LDAP, and then uses that data to populate ESM/ESM Express Manager with resources. |
| Model Import Connector | ESM/ESM Express Manager | TCP 8443 | Model Import Connector to ESM/ESM Express Manager secure and encrypted channel. |

SmartConnector Load Balancer

| Source Device | Destination Device | Destination Port | Notes |
|---|---|---|---|
| Primary Node | Secondary Node | TCP 9090 | 'vipPingPort' is internally used to check if VIP address is still bound to one of the member hosts for continuous event collection. |
| Primary Node | Secondary Node | TCP 6702 | Port is internally used to communicate with another Load Balancer to detect the health for HA support. |
| Primary/Secondary Node | SmartConnector | TCP 9001 | remote.management.listener.port from agent.properties |
| | | TCP 8443 | Web Service Listener. |
| Syslog Devices | Primary/Secondary Node Virtual IP Address | UDP 514 | 'vipAddress' is the virtual IP address that will be shared between two member hosts to handle seamless failover of member host. |
| Syslog Devices | Primary/Secondary Node Virtual IP Address | TCP 514 | 'vipAddress' is the virtual IP address that will be shared between two member hosts to handle seamless failover of member host. |

Integrated Lights-Out (iLO)


| Source Device | Destination Device | Destination Port | Notes |
|---|---|---|---|
| Integrated Lights-Out (iLO) | | TCP 22, 80, 443, 623, 17990, 17988 | iLO Management technologies are embedded management technologies that support the complete lifecycle of all ProLiant servers, from initial deployment to ongoing management and service alerting. |

Connector Appliance (v6.X)


| Source Device | Destination Device | Destination Port | Notes |
|---|---|---|---|
| Workstation | Connector Appliance | TCP 443 | Web browser to Connector Appliance communication. |
| Workstation | Connector Appliance | TCP 22 | SSH access for troubleshooting and diagnostics. |
| Connector Appliance | NTP Server(s) | UDP 123 | Connector Appliance to NTP server (for time synchronization). |
| Connector Appliance | DNS Server(s) | UDP/TCP 53 | Connector Appliance to DNS server communication. |
| Connector Appliance | SMTP Server(s) | TCP 25 | Connector Appliance to SMTP server (for notifications). |
| Connector Appliance | RADIUS Server(s) | UDP 1645 or 1812 | Connector Appliance to RADIUS server (when Connector Appliance is configured to use RADIUS password authentication). |
| Connector Appliance SmartConnectors or SmartConnectors | ESM/ESM Express Manager | TCP 8443 | SmartConnector to ESM/ESM Express Manager secure and encrypted event channel. |
| Connector Appliance SmartConnectors or SmartConnectors | Logger | TCP 443 | SmartConnector to Logger SmartMessage secure and encrypted event channel. |
| Connector Appliance | NFS Server(s) | TCP 111, UDP 111, TCP 2049, UDP 2049, TCP 2219, UDP 2219 | Allows SmartConnectors to read logs from NFS servers. |
| Connector Appliance | CIFS Server(s) | TCP 445 | Allows SmartConnectors to read logs from CIFS servers. |
| Connector Appliance | Connector Appliance SmartConnectors and SmartConnectors | TCP 9001 (SmartConnector), TCP 9001-9004 (C3500), TCP 9001-9008 (C5500) | Allows Connector Appliance to manage remote SmartConnectors (appliance and/or software). |
| Connector Appliance | Syslog Server(s) | UDP/TCP 514 | Used to forward audit events from Connector Appliance to syslog server(s). |
| Connector Appliance | SCP Server | TCP 22 (SCP) | Allows backup of Connector Appliance configuration to remote host. |

DNS Malware Analytics (SaaS/Cloud)


| Source Device | Destination Device | Destination Port | Notes |
|---|---|---|---|
| DNS capture module | SAAS analytic engine – portal.dnsmalwareanalytics.com | Web Sockets – RFC 6455; Encryption WSS – TLS 1.2 minimum; WAMP – Web Application Messaging Protocol 2.0 | DNS Malware Analytics is a scalable, cloud-based threat detector that monitors DNS traffic and rapidly identifies an infected system, enabling immediate remediation in real time. |
| Workstation | portal.dnsmalwareanalytics.com | TCP 443 | Web browser to SAAS analytic engine interface |

Network Synergy Platform (v5.X)

| Source Device | Destination Device | Destination Port | Notes |
|---|---|---|---|
| Workstation | NSP | TCP 443 | Web browser to NSP communication. |
| NSP | Managed devices | TCP 20 & 21 (FTP) | Configuration file transfer. |
| NSP | Managed devices | TCP 22 (SSH, SCP, SFTP) | Securely copy or transfer files. |
| NSP | Managed devices | TCP 23 (telnet) | Managed device access through the appliance only as needed. |
| NSP | Managed devices | UDP 69 (TFTP) | Configuration file transfer. |
| NSP | Managed devices | ICMP | Device discovery. |
| NSP | Managed devices | Multiple ports | Device discovery, if OS fingerprinting is selected. |
| Managed devices | NSP | TCP 20 & 21 (FTP) | Configuration file transfer. |
| Managed devices | NSP | TCP 22 (SSH, SCP) | Securely copy or transfer files (SSH proxy; SCP on demand only). |
| Managed devices | NSP | UDP 69 (TFTP) | Configuration file transfer (TFTP on demand only). |
| NSP | SMTP Server(s) | TCP 25 (SMTP) | E-mail notifications (if enabled on your appliance). |
| NSP | SNMP Server(s) | UDP 161 & 162 (SNMP) | SNMP notifications (if your appliance is configured to send them). |
| NSP | Syslog Server(s) | UDP 514 (syslog) | Syslog messages (if your appliance is configured to send them). |
| NSP | WINS Server(s) | UDP/TCP 1512 | NSP to WINS server communication to resolve Windows NETBIOS names. |
| NSP | NTP Server(s) | UDP 123 | NSP to NTP server (for time synchronization). |
| NSP | DNS Server(s) | UDP/TCP 53 | NSP to DNS server communication. |
| NSP | ESM/ESM Express Manager | TCP 8443 | TRM Connector configured to integrate NSP with ESM/ESM Express and take TRM actions on managed devices through the NSP appliance. |
| NSP | Syslog SmartConnector (running on Connector Appliance or as a SmartConnector) | UDP 514 (syslog) | The NSP appliance forwards the notification messages it generates to a Common Event Format (CEF) Syslog SmartConnector that sends the events on to the ESM/ESM Express Manager. |

The information that resides on your NSP appliance is well protected. Any port, except 443, is opened only for
the length of time it takes to perform the action related to that port. After the action has been performed, the
port is closed. The appliance opens no unnecessary ports or third-party software vulnerabilities that might
compromise the security of the information.

Micro Focus Trademark Information


MICRO FOCUS and the Micro Focus logo, among others, are trademarks or registered trademarks of Micro Focus
(IP) Limited or its subsidiaries in the United Kingdom, United States and other countries. All other marks are the
property of their respective owners.

Company Details
Company name: Micro Focus International plc
Place of registration: England and Wales
Registered number: 5134647
Registered address: The Lawn, 22-30 Old Bath Road, Berkshire, RG14 1Q
