Forcepoint DLP ports
Forcepoint DLP depends on certain ports being open between its components. By default, the Forcepoint DLP components use ports 17500–17515; these ports must be left open in all Forcepoint DLP software and hardware configurations.
If a security policy is in place, exclude these ports from that policy so that Forcepoint DLP can operate properly. Otherwise, the policy may disrupt Forcepoint DLP functionality.
The tables in the rest of this section list the inbound and outbound ports required for each Forcepoint DLP component.
Once these ports are open, you can lock down or “harden” the rest of your security systems.
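The following script is an added example, not Forcepoint tooling. It turns the port notation used in the tables in this section ("443", "993, 995", "17500-17515 and 17700-17715") into concrete port lists, runs a pre-flight TCP check from a component towards its peers so a blocking policy can be found before deployment, and renders host-firewall rules for the receiving side that admit each port only from the one peer that needs it rather than from any source. The requirement list is taken from the analytics engine's outbound table later in this section; the peer addresses are constructed (TEST-NET), and the choice of Windows `netsh advfirewall` syntax for the management server is this example's assumption, not a Forcepoint instruction.

```python
"""Added example (not Forcepoint tooling): pre-flight TCP port checks and
host-firewall rule rendering driven by the port tables on this page.
Peer addresses are constructed for illustration (TEST-NET ranges)."""
from __future__ import annotations

import re
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRequirement:
    peer: str      # remote role as named in the port tables
    spec: str      # port specification in the tables' own notation
    purpose: str


def expand_port_spec(spec: str) -> list[int]:
    """Expand the tables' notation ("443", "993, 995", "17500-17515",
    "17500-17515 and 17700-17715") into a sorted list of TCP ports."""
    ports: set[int] = set()
    for token in re.split(r"\s*(?:,|\band\b)\s*", spec.strip()):
        m = re.fullmatch(r"(\d+)(?:\s*[-\u2013]\s*(\d+))?", token)
        if not m:
            raise ValueError(f"unrecognised port spec: {spec!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"port out of range in {spec!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def compress_ports(ports: list[int]) -> str:
    """Inverse of expand_port_spec in netsh notation, e.g. "17500-17515,17700-17715"."""
    runs: list[str] = []
    start = prev = None
    for p in ports:
        if start is None:
            start = prev = p
        elif p == prev + 1:
            prev = p
        else:
            runs.append(f"{start}-{prev}" if start != prev else str(start))
            start = prev = p
    if start is not None:
        runs.append(f"{start}-{prev}" if start != prev else str(start))
    return ",".join(runs)


# Outbound requirements of the analytics engine, as listed on this page.
ANALYTICS_ENGINE_OUTBOUND = [
    PortRequirement("Forcepoint management server", "17443",
                    "Syslog, forensics, incidents, analytics engine status"),
    PortRequirement("Forcepoint management server", "17500-17515",
                    "Communication with Forcepoint agents and machines"),
    PortRequirement("SQL Server", "1433", "Database connection"),
]


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(requirements, addresses: dict[str, str], timeout: float = 2.0):
    """Return the (peer, port, purpose) triples that are not reachable."""
    blocked = []
    for req in requirements:
        for port in expand_port_spec(req.spec):
            if not tcp_open(addresses[req.peer], port, timeout):
                blocked.append((req.peer, port, req.purpose))
    return blocked


def netsh_inbound_rules(requirements, for_peer: str, remote_ip: str,
                        prefix: str = "Forcepoint DLP") -> list[str]:
    """Render Windows Firewall rules for the host playing the role `for_peer`
    that admit each required port only from `remote_ip` (the single component
    that needs it) instead of from any source.  Assumption of this example:
    the receiving host runs Windows Firewall (standard netsh syntax)."""
    return [
        f'netsh advfirewall firewall add rule name="{prefix}: {req.purpose}" '
        f"dir=in action=allow protocol=TCP "
        f"localport={compress_ports(expand_port_spec(req.spec))} remoteip={remote_ip}"
        for req in requirements if req.peer == for_peer
    ]


def demo_local_check() -> tuple[bool, bool]:
    """Loopback demonstration: the port reads open while a listener exists
    and closed once the listener is gone.  Returns (open, closed) results."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    was_open = tcp_open("127.0.0.1", port, timeout=1.0)
    listener.close()
    now_closed = tcp_open("127.0.0.1", port, timeout=1.0)
    return was_open, now_closed


if __name__ == "__main__":
    print("loopback demo (open, closed):", demo_local_check())
    # Rules for the management server admitting only the analytics engine
    # host (constructed address 192.0.2.30) to the ports it needs.
    for rule in netsh_inbound_rules(ANALYTICS_ENGINE_OUTBOUND,
                                    "Forcepoint management server", "192.0.2.30"):
        print(rule)
    # From the analytics engine host, with real addresses filled in:
    # preflight(ANALYTICS_ENGINE_OUTBOUND, {"Forcepoint management server": "...",
    #                                       "SQL Server": "..."})
```

Run `preflight` from the component's own host before applying a hardening policy; an empty result means every port in its table is reachable. The rendered rules deliberately pin `remoteip` to the peer's address so that the 17500-17515 range, which the page says must stay open, is open only to the components that use it.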
Human interface device (administrator client)

Outbound

| To | Port | Purpose |
|---|---|---|
| Data Security module | 9443 | User interface browsing |
Forcepoint DLP Endpoint client

Outbound

| To | Port | Purpose |
|---|---|---|
| Forcepoint DLP Server | 443 | Connect to endpoint server (secure connection, default) |
Forcepoint DLP Endpoint server

Outbound

| To | Port | Purpose |
|---|---|---|
| Forcepoint management server | 443 | Retrieve fingerprints and natural language processing scripts |
| Forcepoint management server | 17443 | Incidents |

Inbound

| From | Port | Purpose |
|---|---|---|
| Forcepoint management server | 443 | Retrieve fingerprints and natural language processing scripts |
| Forcepoint DLP Endpoint Client | 443 | Endpoint communication |
| Supplemental Forcepoint DLP Server | 17444 | Retrieve fingerprints and natural language processing scripts |

| Service | Process name | Listening address/port |
|---|---|---|
| Endpoint Server (Forcepoint Data Security Web Server) | EPServer.exe | TCP 0.0.0.0:443, TCP 0.0.0.0:17509 |
Crawler agent (discovery and fingerprinting)

Outbound

| To | Port | Purpose |
|---|---|---|
| Forcepoint management server | 443 | Secure communication |
| Forcepoint DLP Server | 17500-17515 | Range of ports for communication with Forcepoint agents and machines |
| Internet | 443 | Connectivity to cloud applications |

Inbound

| From | Port | Purpose |
|---|---|---|
| Forcepoint management server | 9797 | Crawler listening. This port is used only by the standalone crawler agent. |
Forcepoint management server

Outbound

| To | Port | Purpose |
|---|---|---|
| Forcepoint DLP Server, Protector, Web Content Gateway, Forcepoint Email Security | 17500-17515 and 17700-17715 | Range of ports for communication with Forcepoint agents and machines. The second range is used when Web Content Gateway and Forcepoint Email Security are both installed, for email DLP system health and log data. |
| Forcepoint DLP Server | 443 | Used to communicate with Data Protection Service and Microsoft Information Protection. |
| Forcepoint DLP Server | 25 | Used for outgoing emails from the DLP Manager to DLP administrators. |

Inbound

| From | Port | Purpose |
|---|---|---|
| Forcepoint DLP Server, Protector, Web Content Gateway | 17443 | Incidents, endpoint status, forensics. This port should be left open. It is not configurable. |
| Security Manager | 17447 | Processing batch jobs such as scheduled tasks |
| Security Manager | 17446 | Translating messages into sender/receiver protocols |
| Crawler | 17514 | Enabling emailed reports for discovery tasks |
| Forcepoint DLP Server, Endpoints, Protector, Web Content Gateway | 443 | Secure communication |
| Forcepoint DLP Server, Protector, Web Content Gateway, Forcepoint Email Security | 17500-17515 and 17700-17715 | Range of ports for communication with Forcepoint agents and machines. The second range is used when Web Content Gateway and Forcepoint Email Security are both installed, for email DLP system health and log data. |
| Forcepoint DLP Server, Protector, Web Content Gateway | 9443 | Access to the user interface. This port should be left open. It is not configurable. |
| Forcepoint DLP Server | 993, 995 | Used to retrieve emails sent to the DLP Manager. |

| Service | Process name | Listening address/port |
|---|---|---|
| DSS Manager (Forcepoint Data Security Manager) | DSSManager.exe | TCP 0.0.0.0:17443 |
| MGMTD (Forcepoint Management Server) | mgmtd.exe | TCP 0.0.0.0:17500 |
| Policy Engine | PolicyEngine.exe | TCP 0.0.0.0:17503 |
| PAFPREP (Forcepoint Data Fingerprint Database) | PAFPREP.exe | TCP 0.0.0.0:17505, TCP 0.0.0.0:17506 |
| DSSMessageBroker (Forcepoint Data Security Message Broker) | DSSMessageBroker.exe | TCP 0.0.0.0:17513, TCP 0.0.0.0:17514 |
| EIPManagerProxy (Forcepoint Security Manager Web Server) | EIPManagerProxy.exe | TCP 0.0.0.0:9443 |
Supplemental Forcepoint DLP server

Outbound

| To | Port | Purpose |
|---|---|---|
| Forcepoint management server | 17443 | Incidents |
| Forcepoint management server | 17500-17515 | Range of ports for communication with Forcepoint agents and machines. The range is needed for load balancing. |

Inbound

| From | Port | Purpose |
|---|---|---|
| Forcepoint management server | 17500-17515 | Range of ports for communication with Forcepoint agents and machines. |
| Forcepoint management server | 514 | Syslog |

| Service | Process name | Listening address/port |
|---|---|---|
| OCRServer (Forcepoint Data OCR Engine) | OCRServer.exe | TCP 0.0.0.0:17512 |
Web Content Gateway

Outbound

| To | Port | Purpose |
|---|---|---|
| Forcepoint management server | 443 | Fingerprint sync |
| Forcepoint management server | 17443 | Forensics, incidents, mobile status |
| Web protection components | 56992 | Linking Service |
| Forcepoint DLP Server | 17500-17515 | Consecutive ports that allow communication with Forcepoint agents and machines. The range is needed for load balancing. |
Forcepoint Email Security

The following ports are used on the appliance for outbound connections to Forcepoint DLP.

Outbound

| To | Port | Purpose |
|---|---|---|
| Forcepoint management server | 17500-17515 and 17700-17715 | Settings deployment, fingerprint repository. The second range is used when Web Content Gateway and Forcepoint Email Security are both installed, for email DLP system health and log data. |
| Forcepoint management server | 17443 | Forensics, incidents |
| Forcepoint management server | 17444 | Used to pull configuration settings |
| Forcepoint management server | 443 | Fingerprint repository sync |
Protector

Outbound

| To | Port | Purpose |
|---|---|---|
| Forcepoint DLP Server | 17500-17515 | Consecutive ports that allow communication with Forcepoint agents and machines. |
| Forcepoint management server | 443 | Fingerprint sync |
| Forcepoint management server | 17443 | Syslog, forensics, incidents, mobile status |
| Next hop MTA | 25 | SMTP (explicit MTA) |
| Forcepoint Web Security | 56992 | Linking Service |
| Other | UDP 123 | Inbound/outbound NTPD (available on the appliance but disabled by default) |

Inbound

| From | Port | Purpose |
|---|---|---|
| Forcepoint management server | 17500-17515 | Consecutive ports that allow communication with Forcepoint agents and machines. |
| Anywhere (including Security Manager) | 22 | SSH access |
| Forcepoint DLP Server | 17500-17515 | Consecutive ports that allow communication with Forcepoint agents and machines. The range is needed for load balancing. |
| Explicit MTA | 25 | SMTP |
ICAP client

Outbound

| To | Port | Purpose |
|---|---|---|
| Protector | 1344 | Receiving ICAP traffic |
Forcepoint Behavioral Analytics

Outbound

| To | Port | Purpose |
|---|---|---|
| FBA | 9093 | Send DLP entities, events and incidents to FBA |

Inbound

| From | Port | Purpose |
|---|---|---|
| FBA | 9093 | Fetch Risk Level updates from FBA |
Analytics engine

The following ports must be kept open on the server running the analytics engine:

Outbound

| To | Port | Purpose |
|---|---|---|
| Forcepoint management server | 17443 | Syslog, forensics, incidents, analytics engine status |
| Forcepoint management server | 17500-17515 | Range of ports for communication with Forcepoint agents and machines. |
| Forcepoint management server (local database) or remote SQL Server | 1433 | Database connection |

Inbound

| From | Port | Purpose |
|---|---|---|
| Forcepoint management server | 17500-17515 | Range of ports for communication with Forcepoint agents and machines. |