Required Ports

The following tables list and describe the ports that must be available to obtain full system functionality.

Network ports required to use the SMS client

| Port | Service | From | To | Description |
|---|---|---|---|---|
| 22/TCP | SSH | SMS Client | SMS Server | CLI management of SMS |
| 9033/TCP | SMS | SMS Client | SMS Server | Required for the SMS client to connect to the SMS server |
| 10042/TCP | SMS | SMS Client | SMS Server | |
| 443/TCP | HTTPS | SMS Client Browser | SMS Server | File downloads, such as client installation, exported reports, and Web services (if configured) |
| 943/TCP | HTTPS | SMS Client | SMS Server | SMS Restore |

Network ports required for the SMS to manage TippingPoint devices

| Port | Service | From | To | Description |
|---|---|---|---|---|
| 161/UDP | SNMP (agent) | SMS Server | IPS | SMS Management (bidirectional connectivity required) |
| 443/TCP | HTTPS | SMS Server | TPS/IPS/NGFW | SMS Management |
| 8162/UDP | SNMP (trap) | IPS/TPS | SMS Server | SMS Traps from device to SMS |
| 8163/UDP | SNMP (trap) | IPS/TPS | SMS Server | |
| 8443/UDP | | Identity Agent | SMS Server | SMS Management |

Network ports required for the SMS to access the TMC for software and security updates

| Port | Service | From | To | Description |
|---|---|---|---|---|
| 80/TCP | HTTP | SMS Server | Outbound | Digital Vaccine updates from TMC |
| 443/TCP | HTTPS | SMS Server | TMC | Updates from TMC. For new SMS installations, this port is the new default for communication with the TMC. |
| 4043/TCP | HTTPS | SMS Server | TMC | Updates from TMC. |

Network ports required for the SMS to perform WhoIs lookups

| Port | Service | From | To | Description |
|---|---|---|---|---|
| 43/TCP | WhoIs | SMS Server | whois.arin.net, whois.apnic.net, whois.ripe.net, whois.lacnic.net | Perform WhoIs lookups |

Responder Ports

Responder is a policy-based service that reacts to triggers and performs a set of actions. You configure and enable Responder policies in the SMS that determine how the service reacts and what actions it takes. A policy can be triggered in several ways: by thresholding, manually, by Web service, or by escalation of an IPS Quarantine action. You can configure policies to include or exclude sets of IP addresses. A policy incorporates a dependency capability that allows actions in the list to execute conditionally based on the success or failure of other actions. The following tables list and describe the Active Response ports that should be made available; which of these ports you need depends on how Active Response is used on the SMS.

Active Response (actions) port availability

| Port | Service | From | To | Description |
|---|---|---|---|---|
| 25/TCP | SMTP | SMS Server | Mail Server | Active Response Email action |
| 162/UDP | SNMP | SMS Server | Remote Host | Active Response SNMP action |
| 162/UDP | SNMP | SMS Server | Remote Host | Active Response NMS action |
| 514/UDP | Syslog | SMS Server | Syslog Server | Active Response Syslog action |
| 1812/UDP | RADIUS | SMS Server | External Switch | RADIUS proxy (required for Active Response Switch disconnect action) |

Active Response (triggers) port availability

| Port | Service | From | To | Description |
|---|---|---|---|---|
| 80/TCP | HTTP | SMS Server | External Host | Trigger Active Response via URL, IP correlation lookup, IP or MAC lookup |
| 162/UDP | SNMP | SMS Server | NMS Server | SNMP Traps from an SNMP Client or NMS Server, such as 3Com Network Directory (3ND), to Active Response |
| 443/TCP | HTTPS | SMS Server | External Host | Trigger Active Response via URL, IP correlation lookup, IP or MAC lookup |

High Availability (HA) Ports

The following tables list and describe the High Availability ports you must make available. In addition to these HA ports, all of the ports listed under "Required Ports" must be open for both the Primary and Secondary SMS Servers. The SMS provides command options that allow you to disable or re-enable HA ports; by default, the HA ports on all SMS devices are enabled (set to yes). See "High Availability" in the SMS CLI Reference Guide.

SMS to SMS HA

| Port | Service | From/To | Description |
|---|---|---|---|
| 22/TCP | SSH | SMS Primary ⇔ SMS Secondary | Secure remote command execution and file replication |
| 1098/TCP | RMI | SMS Primary ⇔ SMS Secondary | Java RMI for HA configuration and remote peer administration |
| 1099/TCP | RMI registry | SMS Primary ⇔ SMS Secondary | Java RMI for HA configuration and remote peer administration |
| 10042/TCP | SMS | SMS Primary ⇔ SMS Secondary | CLI command replication |
| 3306/TCP | MySQL | SMS Primary ⇔ SMS Secondary | Database replication |
| 4444/TCP | RMI | SMS Primary ⇔ SMS Secondary | Java RMI for HA configuration and remote peer administration |
| 9033/TCP | JMS | SMS Primary ⇔ SMS Secondary | Java Messaging Service for the SMS client to connect to the SMS server and for HA configuration |

IPS to IPS Transparent High Availability (TRHA)

| Port | Service | From/To | Description |
|---|---|---|---|
| 9591/TCP | SSL | IPS Primary ⇔ IPS Secondary | Transparent High Availability (TRHA) messaging is passed via SSL; each "HA Ping/Heartbeat" message is sent at 60-second intervals. |

Optional Ports

The following tables list and describe the optional ports you can make available.

SMS Client Port

| Port | Service | From | To | Description |
|---|---|---|---|---|
| 10042/TCP | SMS | SMS Client | SMS Server | SMS backup/restore |

SNMP Client Port

| Port | Service | From | To | Description |
|---|---|---|---|---|
| 161/UDP | SNMP | SNMP Client | SMS Server | To query SMS SNMP MIBs |

Device Ports

| Port | Service | From | To | Description |
|---|---|---|---|---|
| 123/UDP | NTP | IPS | SMS Server | Required only if the IPS uses the SMS for NTP time synchronization |
| 6343/UDP | sFlow® | IPS | sFlow® Server | Send sFlow® data from an NX-platform IPS to one or more sFlow® servers |
| 10043/TCP | SMS provision | IPS | SMS Server | Remote authentication |
| 443/TCP | URL Threat Analysis | SMS Server | DD Analyzer | Send URL data from the SMS to the Deep Discovery Analyzer |

SMS Server Ports

| Port | Service | From | To | Description |
|---|---|---|---|---|
| 389/TCP | Active Directory | SMS server | AD server | SMS AD LDAP authentication |
| 636/TCP | Active Directory | SMS server | AD server | SMS AD LDAP over SSL authentication |
| 3306/TCP | Database | SMS server | Any | External database access |
| 3306/TCP | Database | SMS server | External server | External replication |
| 53/TCP/UDP | DNS | SMS server | Name server | Name resolution |
| 135/TCP | ID correlation | SMS server | AD server | SMS AD authentication |
| 239/UDP | IP2ID | SMS server | IPS (A10) | IDsentrie |
| 111/TCP/UDP, 369/TCP/UDP, 2039/TCP/UDP | NFS | SMS server | File server | Report export, database backup |
| 123/UDP | NTP | SMS server | NTP server (time source) | Time synchronization from an external NTP server |
| 1812/UDP | RADIUS | SMS server | RADIUS server | SMS user authentication |
| 49/TCP | TACACS+ | SMS server | TACACS+ server | SMS user authentication |
| 137/TCP/UDP, 138/TCP/UDP, 139/TCP/UDP, 1512/TCP/UDP | Samba | SMS server | File server | Report export, database backup |
| 25/TCP | SMTP | SMS server | Mail server | Email notifications, such as IPS events and Active Response |
| 514/UDP | Syslog | SMS server | Syslog server | SMS audit and Syslog |
| 943/TCP | | External system | | SMS backup/restore |

SMS encryption protocols, algorithms, and cipher support

When the SMS is in FIPS mode, it does not support the SSLv2-formatted hello, SSLv3, TLSv1.2, or the TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ciphers. The SMS does not support the SSLv2 protocol at any time.

| Port | Protocol | Ciphers/Algorithms | Description |
|---|---|---|---|
| 443 | TLSv1.0, TLSv1.1, TLSv1.2, SSLv2Hello | TLS_RSA_WITH_AES_128_CBC_SHA; TLS_RSA_WITH_AES_128_CBC_SHA256 (only supported with TLSv1.2); TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384; TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | HTTPS service: SSL provided by SunJSSE; encryption algorithms provided by SunJCE (non-FIPS) and NSS (FIPS). |
| 9033, 10042 | TLSv1.0, TLSv1.1, TLSv1.2 | TLS_RSA_WITH_AES_128_CBC_SHA; TLS_RSA_WITH_AES_128_CBC_SHA256 (only supported with TLSv1.2); TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384; TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | Client-server communication: SSL provided by SunJSSE; encryption algorithms provided by SunJCE (non-FIPS) and NSS (FIPS). |
| 10043 | TLSv1.0, TLSv1.1, TLSv1.2 | TLS_RSA_WITH_AES_128_CBC_SHA; TLS_RSA_WITH_AES_128_CBC_SHA256 (only supported with TLSv1.2); TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384; TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | Device provision manager (device remote authorization). |
| 22 | SSH-2 | aes128-gcm; aes256-gcm; aes128-ctr; aes192-ctr; aes256-ctr | SSH service: SSH provided by OpenSSH; encryption algorithms provided by OpenSSL. |