Ports used for communication in Symantec AntiVirus 10.x and Symantec Client Security 3.x

Article:TECH101169  |  Created: 2005-01-30  |  Updated: 2010-08-13  |  Article URL http://www.symantec.com/docs/TECH101169
Article Type
Technical Solution

Issue



This document discusses the ports that Symantec AntiVirus 10.x and Symantec Client Security 3.x use for communication between servers and clients.


Solution




Installation ports
The following table describes the network protocols and ports that must be available to perform network installations of the product:

Function           Location                              Protocol  Port range
Client deployment  Symantec System Center                TCP       local ports 1024–4999
Client deployment  Target clients                        TCP       local ports 1024–5000
Client deployment  Management server and target clients  TCP       139
Server deployment  Target servers                        TCP       local ports 1024–5000
Server deployment  Management server and target servers  TCP       139, 38293



Remote installation
Remote installation tools such as ClientRemote Install and AV Server Rollout use TCP port 139 on the targeted computers. If you plan to install Symantec Client Security or Symantec AntiVirus onto a computer running Windows 2003/XP, read the document Windows XP Service Pack 2 or Windows Server 2003 firewall prevents remote installation.


Client/server communication ports
The following table describes the network protocols and ports that must be available to perform the standard functions of the product. Configurable ports are marked with an asterisk (*).

Function               Location                                  Protocol  Port range
General communication  Symantec System Center, servers           TCP       local ports 1024–4999
General communication  Symantec System Center, servers, clients  TCP       2967*
General communication  NetWare servers                           TCP       2968*
General communication  Clients                                   TCP       local ports 1024–5000


Rtvscan
Rtvscan makes a request to Winsock for TCP port 2967 on IP-based networks. This is the only port needed for default client-to-server communication. On NetWare servers, Rtvscan.nlm listens on TCP port 2968.


Note: Some versions of the Administrator's Guide erroneously state that Symantec AntiVirus uses port 2043. It actually uses port 2967.



On Windows computers, this value can be configured by using the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\AgentIPPort

If the request for the static port fails, then Rtvscan uses a dynamic TCP port. This port is assigned by Winsock on that server and can be different each time that Rtvscan requests a port.

Roaming clients

  • The SAVRoam service used by roaming clients connects from a random local port to TCP port 2967 on the server.
  • Clients communicate with the roam server on port 38293 (PDS), which must be open.



Central management ports
The following table describes the network protocols and ports required to be available in order to manage the product centrally:

Function   Location                Protocol  Port range
Discovery  Servers                 UDP       38293
Discovery  Symantec System Center  UDP       local ports 1024–4999


Intel PDS Service
A Windows-based computer running a Symantec AntiVirus server installation runs the Intel PDS Service. Intel PDS listens on UDP port 38293 for ping packets from servers and responds with a pong packet that describes how to communicate with Rtvscan. This port cannot be configured.

Other server-to-server communications
In server-to-server communication, the sending Symantec AntiVirus server picks a random port, starting at TCP 1025 and moving up from there; return traffic arrives on that random port. To allow communication to pass through a firewall or gateway, create rules that allow any port to accept TCP communication on 2967 and 38293, and that allow outbound TCP communication from port 2967 and outbound UDP from port 38293:

TCP Allow 2967 to *
UDP Allow 38293 to *
TCP Allow * to 2967
UDP Allow * to 38293



On NetWare servers, Rtvscan.nlm listens on TCP port 2968. If you have NetWare servers, create the following rules:

TCP Allow 2968 to *
TCP Allow * to 2968



Ports for specific components and features
The following table describes the network protocols and ports required for certain optional components of the product:

Component          Location                        Protocol  Port range
Quarantine         Central Quarantine Server       TCP       2847 (HTTP), 2848 (HTTPS)
Msgsys             Servers                         UDP       38037
Msgsys             Servers                         TCP       38292
Legacy management  Servers and clients; see below  UDP       2967, 2968


Quarantine
Quarantine servers connect to the Digital Immune System by using HTTP on TCP port 2847 and HTTPS on TCP port 2848. For information about general configuration of Quarantine server and how to modify the TCP ports, see the document Setting up Symantec Central Quarantine for Symantec Client Security 3.x or Symantec AntiVirus Corporate Edition 10.x.

Msgsys
Msgsys is an Alert Management System (AMS) process that generates and sends configured AMS alerts. Msgsys communication uses UDP port 38037 and TCP port 38292.

Communication with legacy clients
To allow a Symantec AntiVirus 10.x server to communicate with clients running Symantec AntiVirus 9.x or earlier, you must set the Server Tuning Options in Symantec System Center. For help with this, read the document Managing legacy clients with Symantec Client Security 3.x and Symantec AntiVirus Corporate Edition 10.x.

Because legacy clients use UDP communication, you must create rules to allow any port to accept UDP communication on 2967 and to allow outbound UDP communication from port 2967:

UDP Allow 2967 to *
UDP Allow * to 2967


Configuring ports to protect clients
Because these ports listen for incoming traffic, protect them from being accessed by computers outside the network. To do so:

  • On the network, block external access to these ports with a perimeter firewall.
  • On mobile computers, close the ports when the computer is not on the corporate network. This can be accomplished by blocking any unauthorized network traffic with a firewall rule or by using Location Awareness in Symantec Client Security to differentiate between corporate network traffic and other insecure communication.
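To check that the listening ports from the tables above are only reached from inside the corporate network, the following added example (not part of the Symantec article) audits flow records against the article's port list. The address ranges, the flow-record format and the sample flows are constructed for the example.

```python
import ipaddress
from collections import namedtuple

# Listening ports named in this article, keyed by (protocol, destination port).
SAV_PORTS = {
    ("tcp", 2967): "Rtvscan client/server (configurable via AgentIPPort)",
    ("tcp", 2968): "Rtvscan.nlm on NetWare servers",
    ("udp", 38293): "Intel PDS discovery (ping/pong)",
    ("udp", 2967): "Legacy (9.x and earlier) client communication",
    ("udp", 2968): "Legacy NetWare communication",
    ("udp", 38037): "Msgsys (AMS alerts)",
    ("tcp", 38292): "Msgsys (AMS alerts)",
    ("tcp", 2847): "Central Quarantine HTTP",
    ("tcp", 2848): "Central Quarantine HTTPS",
}

# Assumed corporate address space (constructed; substitute your own ranges).
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.0.0/16")]

Flow = namedtuple("Flow", "proto src_ip src_port dst_ip dst_port")

def parse_flow(line):
    """Parse a constructed record of the form 'PROTO src_ip:port dst_ip:port'."""
    proto, src, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(proto.lower(), ipaddress.ip_address(src_ip), int(src_port),
                ipaddress.ip_address(dst_ip), int(dst_port))

def is_corporate(ip):
    return any(ip in net for net in CORPORATE_NETS)

def audit(lines):
    """Return (component, record) for each flow that reaches a SAV listening
    port from a source outside the corporate address space."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        component = SAV_PORTS.get((f.proto, f.dst_port))
        if component and not is_corporate(f.src_ip):
            findings.append((component, line))
    return findings

SAMPLE_FLOWS = [  # constructed records, not captured traffic
    "TCP 10.1.2.30:1044 10.1.0.5:2967",     # internal client to Rtvscan: expected
    "UDP 10.1.0.5:1025 10.1.0.9:38293",     # server-to-server PDS ping: expected
    "TCP 203.0.113.7:40000 10.1.0.5:2967",  # external source reaching Rtvscan: flag
    "UDP 198.51.100.2:5353 10.1.0.5:38293", # external PDS ping: flag
    "TCP 10.1.2.30:1050 10.1.0.5:445",      # not a SAV port: ignored
]

if __name__ == "__main__":
    for component, record in audit(SAMPLE_FLOWS):
        print("external access to %s: %s" % (component, record))
```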





References
For a list of ports that are used in Windows 2003/2000/NT, see the Microsoft document How to Configure a Firewall for Domains and Trusts (179442).


For information about the deployment of Windows Firewall settings, see the Microsoft document Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2.




Legacy ID
2005033011582148