About the communication ports that Symantec Endpoint Protection uses
If the Symantec Endpoint Protection Manager computer and Symantec Endpoint Protection client computers run firewall software, you must open certain ports for remote deployment and for communication between the management server and clients. See your firewall software product documentation for instructions to open ports or allow applications to use ports.
Warning: The firewall in the Symantec Endpoint Protection client is disabled by default at initial installation. To ensure firewall protection, leave the Windows firewall enabled on the clients until the software is installed and the client is restarted. The Symantec Endpoint Protection client firewall automatically disables the Windows firewall when the computer restarts.
Table: Ports for client and server installation and communication
| Function | Component | Protocol and port |
|---|---|---|
| Push deployment | Management server and client | TCP 139 and 445 on management servers and clients; UDP 137 and 138 on management servers and clients; TCP ephemeral ports on management servers and clients; TCP 22 on Mac clients |
| Group Update Provider communication | Management server and Group Update Provider; Group Update Provider and clients | TCP 2967 on all devices. Note: You can change this default port. |
| General communication | Management server and client | For management servers and clients: TCP 8014 for management servers, by default. You can change TCP 8014 (HTTP) to TCP 443 (HTTPS). TCP ephemeral port on clients. For remote management servers and consoles: TCP 8443 for remote management servers and console; TCP ephemeral ports and 9090 on consoles; TCP 8445 for remote reporting consoles |
| Replication communication | Site to site between database servers | TCP 8443 between database servers |
| Remote Symantec Endpoint Protection Manager console installation | Management server and remote management server console | TCP 9090 on remote management servers; TCP ephemeral ports on remote consoles. Note: You can change the port. |
| Web services | Remote Monitoring and Management (RMM); Symantec Protection Center | TCP 8446 for RMM Web services; TCP 8444 for Symantec Protection Center Web services |
| External database communication | Remote SQL Server and management server | TCP 1433 on remote SQL Server; TCP ephemeral ports on management servers. Note: Port 1433 is the default port. |
| Symantec Network Access Control Enforcer communication | Management server and Enforcer | TCP 1812 on management servers; TCP ephemeral ports on Enforcers. Note: RADIUS servers also use port 1812; do not install the management server on the same server. You cannot change the port on the management server. Client authentication by the Enforcer on UDP 39,999 |
| LiveUpdate | LiveUpdate client and server | TCP ephemeral ports on clients; TCP 80 on LiveUpdate servers |
Windows Vista and later contain a firewall that is enabled by default. If the firewall is enabled, you might not be able to install or deploy the client software remotely. If you have problems deploying the client to computers running these operating systems, configure their firewalls to allow the required traffic.
If you decide to use the Windows firewall after deployment, you must configure it to allow file and printer sharing (port 445).
For more information about configuring Windows firewall settings, see the Windows documentation.
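As an added example (not taken from the Symantec documentation), the following PowerShell creates Windows Firewall inbound rules on a client for the fixed push-deployment ports in the table, accepting that traffic only from one management server instead of from any source. The function name, the rule group label, the `Domain` profile default and the address 192.0.2.10 are assumptions; the TCP ephemeral ports listed in the table are not covered.

```powershell
# Added example, not Symantec code. Run on a client from an elevated session.
# Set-SepPushDeploymentRule is a hypothetical function name.
function Set-SepPushDeploymentRule {
    param(
        # Management server address. 192.0.2.10 is a constructed placeholder
        # from the TEST-NET-1 documentation range; replace it with your own.
        [string]$ManagementServer = '192.0.2.10',
        # Assumption: clients are domain-joined. Use 'Private' or 'Any' otherwise.
        [string]$FirewallProfile = 'Domain'
    )

    $group = 'SEP push deployment (example)'   # constructed group label

    # Fixed ports from the "Push deployment" row of the table.
    $rules = @(
        @{ Name = 'SEP push: TCP 139, 445'; Protocol = 'TCP'; Ports = @('139', '445') }
        @{ Name = 'SEP push: UDP 137, 138'; Protocol = 'UDP'; Ports = @('137', '138') }
    )

    # Idempotent: drop rules left by an earlier run before recreating them.
    Get-NetFirewallRule -Group $group -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    foreach ($rule in $rules) {
        # -RemoteAddress limits the rule to the management server only.
        New-NetFirewallRule -DisplayName $rule.Name -Group $group `
            -Direction Inbound -Action Allow -Profile $FirewallProfile `
            -Protocol $rule.Protocol -LocalPort $rule.Ports `
            -RemoteAddress $ManagementServer | Out-Null
    }

    # Return protocol, ports and source scope of each rule for review.
    Get-NetFirewallRule -Group $group | ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Protocol      = ($_ | Get-NetFirewallPortFilter).Protocol
            LocalPort     = ($_ | Get-NetFirewallPortFilter).LocalPort -join ','
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        }
    }
}

Set-SepPushDeploymentRule -ManagementServer '192.0.2.10'
```

The returned objects show each rule's source scope, so a rule that ended up open to any remote address is visible before deployment starts.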