Forcepoint DLP ports

Applies to:
Forcepoint DLP, v8.5.x, v8.6.x, v8.7.x, v8.8.x, v8.9.x, v9.0, v10.x

The most robust and effective implementation of Forcepoint DLP depends on certain ports being open to support the mechanics of the software. The ports for Forcepoint DLP components are 17500–17515 by default. These ports must be left open for all Forcepoint DLP software and hardware configurations.

If you have a security policy in place, exclude these ports from that policy so that Forcepoint DLP can operate properly. If you do not, the policy you have in place may disrupt Forcepoint DLP functionality.

The tables in the rest of this section list the inbound and outbound ports required for each Forcepoint DLP component.

You can lock down or “harden” your security systems once these ports are open.

Important: Forcepoint DLP agents and machines with a policy engine, such as a Forcepoint DLP Server or Content Gateway machine, must have direct connection to the Forcepoint management server. When deployed in a DMZ or behind a firewall, the relevant ports must be allowed.

Human interface device (administrator client)

Outbound
To	Port	Purpose
Data Security module	9443	User interface browsing

Forcepoint DLP Endpoint client

Outbound
To	Port	Purpose
Forcepoint DLP Server	443	Connect to endpoint server (secure connection, default)

Forcepoint DLP Endpoint server

Outbound
To	Port	Purpose
Forcepoint management server	443	Retrieve fingerprints and natural language processing scripts
Forcepoint management server	17443	Incidents

Inbound
From	Port	Purpose
Forcepoint management server	443	Retrieve fingerprints and natural language processing scripts
Forcepoint DLP Endpoint Client	443	Endpoint communication
Supplemental Forcepoint DLP Server	17444	Retrieve fingerprints and natural language processing scripts

Service	Process name	Listening address/port
Endpoint Server (Forcepoint Data Security Web Server)	EPServer. exe	TCP 0.0.0.0:443 TCP 0.0.0.0:17509

Service

Process name

Listening address/port

Endpoint Server (Forcepoint Data Security Web Server)

EPServer. exe

TCP 0.0.0.0:443

TCP 0.0.0.0:17509

Crawler agent (discovery and fingerprinting)

Outbound
To	Port	Purpose
Forcepoint management server	443	Secure communication
Forcepoint DLP Server	17500-17515	Range of ports for communication with Forcepoint agents and machines
Internet	443	Connectivity to cloud applications

Inbound
From	Port	Purpose
Forcepoint management server	9797	Crawler listening The port is used only for the standalone crawler agent.

Forcepoint management server

Outbound
To	Port	Purpose
Forcepoint DLP Server, Protector, Web Content Gateway, Forcepoint Email Security	17500-17515 and 17700-17715	Range of ports for communication with Forcepoint agents and machines. The second range is used when Web Content Gateway and Forcepoint Email Security are both installed, for email DLP system health and log data.
Forcepoint DLP Server	443	Used to communicate with Data Protection Service and Microsoft Information Protection.
Forcepoint DLP Server	25	Used for outgoing emails from the DLP Manager to DLP administrators.

Inbound
From	Port	Purpose
Forcepoint DLP Server, Protector, Web Content Gateway	17443	Incidents, endpoint status, forensics. This port should be left open. It is not configurable.
Security Manager	17447	Processing batch jobs such as scheduled tasks
Security Manager	17446	Translating messages into sender/receiver protocols
Crawler	17514	Enabling emailed reports for discovery tasks
Forcepoint DLP Server, Endpoints, Protector, Web Content Gateway	443	Secure communication
Forcepoint DLP Server, Protector, Web Content Gateway, Forcepoint Email Security	17500-17515 and 17700-17715	Range of ports for communication with Forcepoint agents and machines. The second range is used when Web Content Gateway and Forcepoint Email Security are both installed, for email DLP system health and log data.
Forcepoint DLP Server, Protector, Web Content Gateway	9443	Access user interface This port should be left open. It is not configurable.
Forcepoint DLP Server	993, 995	Used to retrieve emails sent to the DLP Manager.

Service	Process name	Listening address/port
DSS Manager (Forcepoint Data Security Manager)	DSSManager.exe	TCP 0.0.0.0:17443
MGMTD (Forcepoint Management Server)	mgmtd.exe	TCP 0.0.0.0:17500
Policy Engine	PolicyEngine.exe	TCP 0.0.0.0:17503
PAFPREP (Forcepoint Data Fingerprint Database)	PAFPREP.exe	TCP 0.0.0.0:17505 TCP 0.0.0.0:17506
DSSMessageBroker (Forcepoint Data Security Message Broker)	DSSMessage Broker.exe	TCP 0.0.0.0:17513 TCP 0.0.0.0:17514
EIPManagerProxy (Forcepoint Security Manager Web Server)	EIPManager Proxy.exe	TCP 0.0.0.0:9443

Supplemental Forcepoint DLP server

Outbound
To	Port	Purpose
Forcepoint management server	17443	Incidents
Forcepoint management server	17500-17515	Range of ports for communication with Forcepoint agents and machines. The range is needed for load balancing.

Inbound
From	Port	Purpose
Forcepoint management server	17500-17515	Range of ports for communication with Forcepoint agents and machines.
Forcepoint management server	514	Syslog

Service	Process name	Listening address/port
OCRServer (Forcepoint Data OCR Engine)	OCRServ er.exe	TCP 0.0.0.0:17512

Web Content Gateway

Outbound
To	Port	Purpose
Forcepoint management server	443	Fingerprint sync
Forcepoint management server	17443	Forensics, incidents, mobile status
Web protection components	56992	Linking Service
Forcepoint DLP Server	17500-17515	Consecutive ports that allow communication with Forcepoint agents and machines. The range is needed for load balancing.

Forcepoint Email Security

The following ports are used on the appliance for outbound connections to Forcepoint DLP.

Outbound
To	Port	Purpose
Forcepoint management server	17500-17515 and 17700-17715	Settings deployment, fingerprint repository The second range is used when Web Content Gateway and Forcepoint Email Security are both installed, for email DLP system health and log data.
Forcepoint management server	17443	Forensics, incidents
Forcepoint management server	17444	Used to pull configuration settings
Forcepoint management server	443	Fingerprint repository sync

Protector

Outbound
To	Port	Purpose
Forcepoint DLP Server	17500-17515	Consecutive ports that allow communication with Forcepoint agents and machines.
Forcepoint management server	443	Fingerprint sync
Forcepoint management server	17443	Syslog, forensics, incidents, mobile status
Next hop MTA	25	SMTP (explicit MTA)
Forcepoint Web Security	56992	Linking Service
Other	UDP 123	Inbound/outbound NTPD (available on the appliance yet disabled by default)

Inbound
From	Port	Purpose
Forcepoint management server	17500-17515	Consecutive ports that allow communication with Forcepoint agents and machines.
Anywhere (including Security Manager)	22	SSH access
Forcepoint DLP Server	17500-17515	Consecutive ports that allow communication with Forcepoint agents and machines. The range is needed for load balancing.
Explicit MTA	25	SMTP

ICAP client

Outbound
To	Port	Purpose
Protector	1344	Receiving ICAP traffic

Forcepoint Behavioral Analytics

Outbound
To	Port	Purpose
FBA	9093	Send DLP entities, events and incidents to FBA

Inbound
From	Port	Purpose
FBA	9093	Fetch Risk Level updates from FBA

Analytics engine

The following ports must be kept open on the server running the analytics engine:

Outbound
To	Port	Purpose
Forcepoint management server	17443	Syslog, forensics, incidents, analytics engine status
Forcepoint management server	17500-17515	Range of ports for communication with Forcepoint agents and machines.
Forcepoint management server (local database) or remote SQL Server	1433	Database connection

Inbound
From	Port	Purpose
Forcepoint management server	17500-17515	Range of ports for communication with Forcepoint agents and machines.