What network ports and protocols are required for TippingPoint device operations?

    • Updated: 24 Jul 2019
    • Product/Version:
        • TippingPoint 1500SSL
        • TippingPoint CoreController All
        • TippingPoint IPS N-series All
        • TippingPoint IPS NX-series All
        • TippingPoint IPS S-series All
        • TippingPoint NGFW All
        • TippingPoint SecBlade All
        • TippingPoint SMS All
        • TippingPoint Threat Management Center
        • TippingPoint TPS All
        • TippingPoint Virtual SMS
        • TippingPoint Virtual TPS All
Summary
This article describes the network ports and protocols that TippingPoint devices require for operation. Some ports are always required; others are required only depending on your system configuration. You can make other ports available for optional tasks.
  • Required Ports
  • Active Response Ports
  • High Availability (HA) Ports
  • Optional Ports
  • SMS encryption protocols, algorithms, and cipher support
Details

Required Ports

The following table lists and describes the ports that must be made available in order to obtain full system functionality.

Network ports required to use the SMS client

| Port | Service | From | To | Description |
|---|---|---|---|---|
| 22/TCP | SSH | SMS Client | SMS Server | CLI Management of SMS |
| 9033/TCP | SMS | SMS Client | SMS Server | Required for the SMS client to connect to the SMS server |
| 10042/TCP | SMS | SMS Client | SMS Server | |
| 443/TCP | HTTPS | SMS Client Browser | SMS Server | File downloads, such as client installation, exported reports, Web services (if configured) |
| 943/TCP | HTTPS | SMS Client | SMS Server | SMS Restore |

Network ports required for the SMS to manage TippingPoint devices

| Port | Service | From | To | Description |
|---|---|---|---|---|
| 161/UDP | SNMP (agent) | SMS Server | IPS | SMS Management |
| 443/TCP | HTTPS | SMS Server | TPS/IPS/NGFW | SMS Management |
| 8162/UDP | SNMP (trap) | IPS/TPS | SMS Server | SMS Traps from device to SMS |
| 8163/UDP | SNMP (trap) | IPS/TPS | SMS Server | |
| 8443/UDP | | Identity Agent | SMS server | SMS Management |

Network ports required for the SMS to access the TMC for software and security updates

| Port | Service | From | To | Description |
|---|---|---|---|---|
| 80/TCP | HTTP | SMS Server | Outbound | Digital Vaccine updates from TMC |
| 443/TCP | HTTPS | SMS Server | TMC | Updates from TMC. For new SMS installations, this port is the NEW default for communication with the TMC. |
| 4043/TCP | HTTPS | SMS Server | TMC | Updates from TMC. If your installation is prior to v2.5.1, this port is the default for communication with the TMC. Upgrading does not change this port setting. |

Network ports required for the SMS to perform WhoIs lookups

| Port | Service | From | To | Description |
|---|---|---|---|---|
| 43/TCP | WhoIs | SMS Server | whois.arin.net, whois.apnic.net, whois.ripe.net, whois.lacnic.net | Perform WhoIs lookups |
 

Responder Ports

Responder is a policy-based service that reacts to triggers and performs a set of actions. You configure and enable Responder policies in the SMS that determine how the service reacts and what actions it takes. A policy can be triggered in several ways: thresholding, manually, Web service, or escalation of an IPS Quarantine action. You can configure policies to include or exclude sets of IP addresses. A policy incorporates a dependency capability that allows actions in the list to execute conditionally, based on the success or failure of other actions.

The following table lists and describes the Active Response ports that should be made available. These ports are determined by the use of Active Response on SMS.

Active Response (Actions) Port Availability

| Port | Service | From | To | Description |
|---|---|---|---|---|
| 25/TCP | SMTP | SMS Server | Mail Server | Active Response Email action |
| 162/UDP | SNMP | SMS Server | Remote Host | Active Response SNMP action |
| 162/UDP | SNMP | SMS Server | Remote Host | Active Response NMS action |
| 514/UDP | Syslog | SMS Server | Syslog Server | Active Response Syslog action |
| 1812/UDP | Radius | SMS Server | External Switch | Radius proxy (required for Active Response Switch disconnect action) |

Active Response (triggers) for the port availability

| Port | Service | From | To | Description |
|---|---|---|---|---|
| 80/TCP | HTTP | SMS Server | External Host | Trigger Active Response via URL, IP correlation lookup, IP or MAC lookup |
| 162/UDP | SNMP | SMS Server | NMS Server | SNMP Traps from an SNMP Client or NMS Server, such as 3Com Network Directory (3ND) to Active Response |
| 443/TCP | HTTPS | SMS Server | External Host | Trigger Active Response via URL, IP correlation lookup, IP or MAC lookup |
 

High Availability (HA) Ports

The following table lists and describes the High Availability ports that you must make available. In addition to these HA ports, all of the ports listed in the "Required Port Availability" must be open for both Primary and Secondary SMS Servers. The SMS provides command options that allow you to disable or re-enable HA ports. By default all SMS devices are set to yes or enabled. See "High Availability" in the SMS CLI Reference Guide.

SMS to SMS HA

| Port | Service | From/To | Description |
|---|---|---|---|
| 22/TCP | SSH | SMS Primary ⇔ SMS Secondary | Secure remote command execution and file replication |
| 1098/TCP | RMI | SMS Primary ⇔ SMS Secondary | JAVA RMI for HA configuration and remote peer administration |
| 1099/TCP | RMI registry | SMS Primary ⇔ SMS Secondary | JAVA RMI for HA configuration and remote peer administration |
| 10042/TCP | SMS | SMS Primary ⇔ SMS Secondary | CLI command replication |
| 3306/TCP | MySQL | SMS Primary ⇔ SMS Secondary | Database replication |
| 4444/TCP | RMI | SMS Primary ⇔ SMS Secondary | JAVA RMI for HA configuration and remote peer administration |

IPS to IPS Transparent High-Availability (TRHA)

| Port | Service | From/To | Description |
|---|---|---|---|
| 9591/TCP | SSL | IPS Primary ⇔ IPS Secondary | Transparent High-Availability (TRHA) messaging is passed via SSL; each "HA Ping/Heartbeat" message is sent at 60 second intervals. |
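
A port matrix like the ones above is typically used to audit firewall rules. The following is an added example, not part of the original article or of any TippingPoint tooling: it checks a constructed allow-rule export against the SMS client ports and the SMS to SMS HA ports listed above. The host addresses, the rule tuple format, and the decision to treat the RMI and MySQL ports as HA-peer-only are assumptions of this example.

```python
import ipaddress

# Constructed addresses for the roles named in the article's tables.
HOSTS = {"SMS Client": "10.1.1.50", "SMS Primary": "10.2.0.10",
         "SMS Secondary": "10.2.0.11"}
PEERS = ("SMS Primary", "SMS Secondary")

# Flows from the article: SMS client ports, and SMS-to-SMS HA ports (both ways).
CLIENT_FLOWS = [("SMS Client", "SMS Primary", "tcp", p)
                for p in (22, 9033, 10042, 443, 943)]
HA_FLOWS = [(a, b, "tcp", p) for p in (22, 1098, 1099, 10042, 3306, 4444)
            for a, b in (PEERS, PEERS[::-1])]
# Assumption of this example: RMI and MySQL are reachable on an SMS server from
# its HA peer only (optional external database access is not in use).
HA_ONLY = {1098, 1099, 3306, 4444}

def permits(rule, src_ip, dst_ip, proto, port):
    """True if an allow rule (src_cidr, dst_cidr, proto, port) covers the flow."""
    src_net, dst_net, r_proto, r_port = rule
    return ((r_proto, r_port) == (proto, port)
            and ipaddress.ip_address(src_ip) in ipaddress.ip_network(src_net)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(dst_net))

def audit(rules):
    """Return (required flows no rule permits, HA-only rules open to non-peers)."""
    missing = [f for f in CLIENT_FLOWS + HA_FLOWS
               if not any(permits(r, HOSTS[f[0]], HOSTS[f[1]], f[2], f[3])
                          for r in rules)]
    sms = {ipaddress.ip_address(HOSTS[n]) for n in PEERS}
    too_broad = []
    for rule in rules:
        src, dst = ipaddress.ip_network(rule[0]), ipaddress.ip_network(rule[1])
        if rule[2] != "tcp" or rule[3] not in HA_ONLY:
            continue
        reaches_sms = any(ip in dst for ip in sms)
        # The size check keeps us from enumerating a large source network.
        peers_only = src.num_addresses <= len(sms) and all(ip in sms for ip in src)
        if reaches_sms and not peers_only:
            too_broad.append(rule)
    return missing, too_broad

# Constructed rule export: 943/TCP is absent and MySQL is open to any source.
RULES = ([("10.1.1.0/24", "10.2.0.10/32", "tcp", p) for p in (22, 9033, 10042, 443)]
         + [("10.2.0.10/31", "10.2.0.10/31", "tcp", p)
            for p in (22, 1098, 1099, 10042, 4444)]
         + [("0.0.0.0/0", "10.2.0.0/24", "tcp", 3306)])

if __name__ == "__main__":
    print(audit(RULES))
```
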
   

Optional Ports

The following table lists and describes the optional ports that you can make available.

SMS Client Port

| Port | Service | From | To | Description |
|---|---|---|---|---|
| 10042/TCP | SMS | SMS Client | SMS Server | SMS backup/restore |

SNMP Client Port

| Port | Service | From | To | Description |
|---|---|---|---|---|
| 161/UDP | SNMP | SNMP Client | SMS Server | To query SMS SNMP MIBs |

Device Ports

| Port | Service | From | To | Description |
|---|---|---|---|---|
| 123/UDP | NTP | IPS | SMS Server | Required only if IPS uses SMS for NTP time synchronization |
| 6343/UDP | sFlow® | IPS | sFlow® Server | Send sFlow® data from NX-platform IPS to one or more sFlow® servers |
| 10043/TCP | SMS provision | IPS | SMS Server | Remote Authentication |
| 443/TCP | URL Threat Analysis | SMS Server | DD Analyzer | Send URL data from the SMS to the Deep Discovery Analyzer |

SMS Server Ports

| Port | Service | From | To | Description |
|---|---|---|---|---|
| 389/TCP | Active Directory | SMS server | AD server | SMS AD LDAP authentication |
| 636/TCP | Active Directory | SMS server | AD server | SMS AD LDAP over SSL authentication |
| 3306/TCP | Database | SMS server | Any | External database access |
| | | | External server | External replication |
| 53/TCP/UDP | DNS | SMS server | Name server | Name resolution |
| 135/TCP | ID correlation | SMS server | AD server | SMS AD authentication |
| 239/UDP | IP2ID | SMS server | IPS (A10) | IDsentrie |
| 111/TCP/UDP, 369/TCP/UDP, 2039/TCP/UDP | NFS | SMS server | File server | Report export, database backup |
| 123/UDP | NTP | SMS server | NTP server (time source) | Time synchronization from external NTP server |
| 1812/UDP | RADIUS | SMS server | RADIUS server | SMS user authentication |
| 49/TCP | TACACS+ | SMS server | TACACS+ server | SMS user authentication |
| 137/TCP/UDP, 138/TCP/UDP, 139/TCP/UDP, 1512/TCP/UDP | Samba | SMS server | File server | Report export, database backup |
| 25/TCP | SMTP | SMS server | Mail server | Email notifications, such as IPS events, Active Response |
| 514/UDP | Syslog | SMS server | Syslog server | SMS audit and syslog |

943/TCP, External system: SMS backup/restore
 

SMS encryption protocols, algorithms, and cipher support

When the SMS is in FIPS mode, it does not support SSLv2 formatted hello, SSLv3, TLSv1.2, and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ciphers. The SMS does not support SSLv2 protocol at any time.

| Port | Protocol | Ciphers/Algorithms | Description |
|---|---|---|---|
| 443 | TLSv1.0, TLSv1.1, TLSv1.2, SSLv2Hello | TLS_RSA_WITH_AES_128_CBC_SHA; TLS_RSA_WITH_AES_128_CBC_SHA256 (only supported with TLSv1.2); TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384; TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | HTTPS service: SSL provided by SunJSSE. Encryption algorithms provided by SunJCE (Non-FIPS) and NSS (FIPS). |
| 9033, 10042 | TLSv1.0, TLSv1.1, TLSv1.2 | TLS_RSA_WITH_AES_128_CBC_SHA; TLS_RSA_WITH_AES_128_CBC_SHA256 (only supported with TLSv1.2); TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384; TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | Client-server communication: SSL provided by SunJSSE. Encryption algorithms provided by SunJCE (Non-FIPS) and NSS (FIPS). |
| 10043 | TLSv1.0, TLSv1.1, TLSv1.2 | TLS_RSA_WITH_AES_128_CBC_SHA; TLS_RSA_WITH_AES_128_CBC_SHA256 (only supported with TLSv1.2); TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384; TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | Device provision manager (device remote authorization). |
| 22 | SSH-2 | aes128-ctr; aes192-ctr; aes256-ctr | SSH service: SSH provided by OpenSSH. Encryption algorithms provided by OpenSSL. |
Category: Configure; Troubleshoot; Deploy
Solution Id: TP000085738