Forcepoint DLP ports

Applies to:
  • Forcepoint DLP, v8.5.x, v8.6.x, v8.7.x, v8.8.x, v8.9.x, v9.0, v10.x

The most robust and effective implementation of Forcepoint DLP depends on certain ports being open to support the mechanics of the software. The ports for Forcepoint DLP components are 17500–17515 by default. These ports must be left open for all Forcepoint DLP software and hardware configurations.

If you have a security policy in place, exclude these ports from that policy so that Forcepoint DLP can operate properly. If you do not, the policy you have in place may disrupt Forcepoint DLP functionality.

The tables in the rest of this section list the inbound and outbound ports required for each Forcepoint DLP component.

You can lock down or “harden” your security systems once these ports are open.

Important: Forcepoint DLP agents and machines with a policy engine, such as a Forcepoint DLP Server or Content Gateway machine, must have a direct connection to the Forcepoint management server. When they are deployed in a DMZ or behind a firewall, the relevant ports must be allowed.

Human interface device (administrator client)

Outbound
| To | Port | Purpose |
|---|---|---|
| Data Security module | 9443 | User interface browsing |

Forcepoint DLP Endpoint client

Outbound
| To | Port | Purpose |
|---|---|---|
| Forcepoint DLP Server | 443 | Connect to endpoint server (secure connection, default) |

Forcepoint DLP Endpoint server

Outbound

| To | Port | Purpose |
|---|---|---|
| Forcepoint management server | 443 | Retrieve fingerprints and natural language processing scripts |
| Forcepoint management server | 17443 | Incidents |

Inbound

| From | Port | Purpose |
|---|---|---|
| Forcepoint management server | 443 | Retrieve fingerprints and natural language processing scripts |
| Forcepoint DLP Endpoint Client | 443 | Endpoint communication |
| Supplemental Forcepoint DLP Server | 17444 | Retrieve fingerprints and natural language processing scripts |

| Service | Process name | Listening address/port |
|---|---|---|
| Endpoint Server (Forcepoint Data Security Web Server) | EPServer.exe | TCP 0.0.0.0:443; TCP 0.0.0.0:17509 |

Crawler agent (discovery and fingerprinting)

Outbound

| To | Port | Purpose |
|---|---|---|
| Forcepoint management server | 443 | Secure communication |
| Forcepoint DLP Server | 17500-17515 | Range of ports for communication with Forcepoint agents and machines |
| Internet | 443 | Connectivity to cloud applications |

Inbound

| From | Port | Purpose |
|---|---|---|
| Forcepoint management server | 9797 | Crawler listening. The port is used only for the standalone crawler agent. |

Forcepoint management server

Outbound

| To | Port | Purpose |
|---|---|---|
| Forcepoint DLP Server, Protector, Web Content Gateway, Forcepoint Email Security | 17500-17515 and 17700-17715 | Range of ports for communication with Forcepoint agents and machines. The second range is used when Web Content Gateway and Forcepoint Email Security are both installed, for email DLP system health and log data. |
| Forcepoint DLP Server | 443 | Used to communicate with Data Protection Service and Microsoft Information Protection. |
| Forcepoint DLP Server | 25 | Used for outgoing emails from the DLP Manager to DLP administrators. |

Inbound

| From | Port | Purpose |
|---|---|---|
| Forcepoint DLP Server, Protector, Web Content Gateway | 17443 | Incidents, endpoint status, forensics. This port should be left open. It is not configurable. |
| Security Manager | 17447 | Processing batch jobs such as scheduled tasks |
| Security Manager | 17446 | Translating messages into sender/receiver protocols |
| Crawler | 17514 | Enabling emailed reports for discovery tasks |
| Forcepoint DLP Server, Endpoints, Protector, Web Content Gateway | 443 | Secure communication |
| Forcepoint DLP Server, Protector, Web Content Gateway, Forcepoint Email Security | 17500-17515 and 17700-17715 | Range of ports for communication with Forcepoint agents and machines. The second range is used when Web Content Gateway and Forcepoint Email Security are both installed, for email DLP system health and log data. |
| Forcepoint DLP Server, Protector, Web Content Gateway | 9443 | Access user interface. This port should be left open. It is not configurable. |
| Forcepoint DLP Server | 993, 995 | Used to retrieve emails sent to the DLP Manager. |

| Service | Process name | Listening address/port |
|---|---|---|
| DSS Manager (Forcepoint Data Security Manager) | DSSManager.exe | TCP 0.0.0.0:17443 |
| MGMTD (Forcepoint Management Server) | mgmtd.exe | TCP 0.0.0.0:17500 |
| Policy Engine | PolicyEngine.exe | TCP 0.0.0.0:17503 |
| PAFPREP (Forcepoint Data Fingerprint Database) | PAFPREP.exe | TCP 0.0.0.0:17505; TCP 0.0.0.0:17506 |
| DSSMessageBroker (Forcepoint Data Security Message Broker) | DSSMessageBroker.exe | TCP 0.0.0.0:17513; TCP 0.0.0.0:17514 |
| EIPManagerProxy (Forcepoint Security Manager Web Server) | EIPManagerProxy.exe | TCP 0.0.0.0:9443 |
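
The listener table above can be checked against a server's actual state after firewall or hardening changes. The following is an added example, not Forcepoint code: it parses saved Windows `netstat -ano` output and reports documented management server listeners that are absent, plus listeners inside the Forcepoint port ranges that the table does not list. The function names and the sample output are assumptions made for illustration.

```python
import re

# Listeners documented for the management server in the table above.
EXPECTED = {
    17443: "DSSManager.exe", 17500: "mgmtd.exe", 17503: "PolicyEngine.exe",
    17505: "PAFPREP.exe", 17506: "PAFPREP.exe",
    17513: "DSSMessageBroker.exe", 17514: "DSSMessageBroker.exe",
    9443: "EIPManagerProxy.exe",
}
# Port ranges this page reserves for Forcepoint DLP component traffic.
RESERVED = (range(17500, 17516), range(17700, 17716))

# One `netstat -ano` TCP row: proto, local addr:port, foreign, state, PID.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def parse_listeners(netstat_text):
    """Map listening TCP port -> (local address, PID)."""
    listeners = {}
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if m:
            listeners.setdefault(int(m.group(2)), (m.group(1), int(m.group(3))))
    return listeners

def audit(netstat_text):
    """Compare observed listeners with the documented table."""
    seen = parse_listeners(netstat_text)
    missing = {p: EXPECTED[p] for p in sorted(EXPECTED) if p not in seen}
    # In a reserved range but not in the table: review, not necessarily wrong.
    unlisted = {p: seen[p][1] for p in sorted(seen)
                if p not in EXPECTED and any(p in r for r in RESERVED)}
    return {"missing": missing, "unlisted": unlisted}

# Constructed sample output (addresses and PIDs are made up).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:9443           0.0.0.0:0              LISTENING       2104
  TCP    0.0.0.0:17443          0.0.0.0:0              LISTENING       3120
  TCP    0.0.0.0:17500          0.0.0.0:0              LISTENING       3188
  TCP    0.0.0.0:17503          0.0.0.0:0              LISTENING       3260
  TCP    0.0.0.0:17505          0.0.0.0:0              LISTENING       3304
  TCP    0.0.0.0:17506          0.0.0.0:0              LISTENING       3304
  TCP    0.0.0.0:17510          0.0.0.0:0              LISTENING       5000
  TCP    0.0.0.0:17513          0.0.0.0:0              LISTENING       3412
  TCP    10.0.0.5:17443         10.0.0.9:50211         ESTABLISHED     3120
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

`netstat -ano` reports PIDs rather than image names, so map each PID to its process separately before comparing it with the process name column.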

Supplemental Forcepoint DLP server

Outbound

| To | Port | Purpose |
|---|---|---|
| Forcepoint management server | 17443 | Incidents |
| Forcepoint management server | 17500-17515 | Range of ports for communication with Forcepoint agents and machines. The range is needed for load balancing. |

Inbound

| From | Port | Purpose |
|---|---|---|
| Forcepoint management server | 17500-17515 | Range of ports for communication with Forcepoint agents and machines. |
| Forcepoint management server | 514 | Syslog |

| Service | Process name | Listening address/port |
|---|---|---|
| OCRServer (Forcepoint Data OCR Engine) | OCRServer.exe | TCP 0.0.0.0:17512 |

Web Content Gateway

Outbound

| To | Port | Purpose |
|---|---|---|
| Forcepoint management server | 443 | Fingerprint sync |
| Forcepoint management server | 17443 | Forensics, incidents, mobile status |
| Web protection components | 56992 | Linking Service |
| Forcepoint DLP Server | 17500-17515 | Consecutive ports that allow communication with Forcepoint agents and machines. The range is needed for load balancing. |

Forcepoint Email Security

The following ports are used on the appliance for outbound connections to Forcepoint DLP.

Outbound

| To | Port | Purpose |
|---|---|---|
| Forcepoint management server | 17500-17515 and 17700-17715 | Settings deployment, fingerprint repository. The second range is used when Web Content Gateway and Forcepoint Email Security are both installed, for email DLP system health and log data. |
| Forcepoint management server | 17443 | Forensics, incidents |
| Forcepoint management server | 17444 | Used to pull configuration settings |
| Forcepoint management server | 443 | Fingerprint repository sync |

Protector

Outbound

| To | Port | Purpose |
|---|---|---|
| Forcepoint DLP Server | 17500-17515 | Consecutive ports that allow communication with Forcepoint agents and machines. |
| Forcepoint management server | 443 | Fingerprint sync |
| Forcepoint management server | 17443 | Syslog, forensics, incidents, mobile status |
| Next hop MTA | 25 | SMTP (explicit MTA) |
| Forcepoint Web Security | 56992 | Linking Service |
| Other | UDP 123 | Inbound/outbound NTPD (available on the appliance yet disabled by default) |

Inbound

| From | Port | Purpose |
|---|---|---|
| Forcepoint management server | 17500-17515 | Consecutive ports that allow communication with Forcepoint agents and machines. |
| Anywhere (including Security Manager) | 22 | SSH access |
| Forcepoint DLP Server | 17500-17515 | Consecutive ports that allow communication with Forcepoint agents and machines. The range is needed for load balancing. |
| Explicit MTA | 25 | SMTP |

ICAP client

Outbound
| To | Port | Purpose |
|---|---|---|
| Protector | 1344 | Receiving ICAP traffic |

Forcepoint Behavioral Analytics

Outbound

| To | Port | Purpose |
|---|---|---|
| FBA | 9093 | Send DLP entities, events and incidents to FBA |

Inbound

| From | Port | Purpose |
|---|---|---|
| FBA | 9093 | Fetch Risk Level updates from FBA |

Analytics engine

The following ports must be kept open on the server running the analytics engine:

Outbound

| To | Port | Purpose |
|---|---|---|
| Forcepoint management server | 17443 | Syslog, forensics, incidents, analytics engine status |
| Forcepoint management server | 17500-17515 | Range of ports for communication with Forcepoint agents and machines. |
| Forcepoint management server (local database) or remote SQL Server | 1433 | Database connection |

Inbound

| From | Port | Purpose |
|---|---|---|
| Forcepoint management server | 17500-17515 | Range of ports for communication with Forcepoint agents and machines. |