Which Communications Ports does Symantec Endpoint Protection use?

Article:TECH163787  |  Created: 2011-07-01  |  Updated: 2013-10-02  |  Article URL http://www.symantec.com/docs/TECH163787
Article Type
Technical Solution


Which Communications Ports does Symantec Endpoint Protection use?


The following table lists ports and processes associated with Symantec Endpoint Protection version 11.0, 12.0 and 12.1:

Communications Ports and Protocols

Port Number Port Type Initiated By Listening Process Description
80, 8014 TCP SEP Clients svchost.exe (IIS)
httpd.exe (Apache)
Communication between the SEP manager and SEP clients and Enforcers.
(8014 in MR3 and later builds, 80 in older).
The 11.x product line uses IIS. The 12.x product line uses Apache.
443 TCP SEP Clients svchost.exe (IIS)
httpd.exe (Apache)
Optional secured HTTPS communication between a SEP Manager and SEP clients and Enforcers.
1433 TCP SEP Manager sqlserver.exe Communication between a SEP Manager and a Microsoft SQL Database Server if they reside on separate computers.
1812 UDP Enforcer 11.x: w3wp.exe
12.x: httpd.exe (Apache)
RADIUS communication between a SEP Manager and Enforcers for authenticating unique ID information with the Enforcer.
2638 TCP SEP Manager 11.x: dbsrv9.exe
12.1.x: dbsrv11.exe
Communication between the Embedded Database and the SEP Manager.
2967 TCP SEP Clients Smc.exe The Group Update Provider (GUP) proxy functionality of SEP client listens on this port.
8005/8765 TCP SEP Manager SemSvc.exe This is the Tomcat Shutdown port.
In the 11.x product line SEP Manager listens on the Tomcat default port of 8005 except RU7 uses 8765.  Also in 12.x product line port 8765 is used instead.
8045 TCP SEP Manager SemSvc.exe In the SEP 11 RU6 SEPM, the registry is started by the Tomcat servlet container. CreamTec's AjaxSwing uses the existing registry to communicate with its client agents that run in stand alone mode
8443 TCP Remote Java or
Web Console
SemSvc.exe HTTPS communication between a remote management console and the SEP Manager. All login information and administrative communication takes place using this secure port.
8444 TCP Symantec Protection Center v 2.X SemSvc.exe This is the SEPM web services port. SPC 2.X makes Data Feed and Workflow requests to SEPM over this port.
8445 TCP Reporting Console httpd.exe (Apache) Added in 12.1.x. HTTPS reporting console
9090 TCP Remote Web Console SemSvc.exe Initial HTTP communication between a remote management console and the SEP Manager (to display the login screen only).
39999 UDP Enforcer SNAC.exe (Windows SNAC)
CClientCtl.exe (Windows ODC)
Communication between the SEP Cients and the Enforcer. This is used to authenticate Clients by the Enforcer.




















In SEP 11, the Symantec Endpoint Protection Manager (SEPM) uses two web servers: Internet Information Services (IIS) and Tomcat (Apache Tomcat). IIS uses port 80 (or 8014) and 443 - Tomcat uses port 9090 and 8443. The communication between IIS and Tomcat use the HTTP protocol. IIS uses port 9090 to talk to Tomcat, Tomcat uses port 80 to talk to IIS.  SEP 12.1 uses only Apache on the ports seen in the table above.

Client-Server Communication:
For IIS, SEP uses HTTP or HTTPS between the clients or Enforcers and the server. For the client server communication it uses port 80 (or 8014) and 443 by default. In addition, the Enforcers use RADIUS to communicate in real-time with the manager console for client authentication. This is done on UDP port 1812.

Remote Console:
9090 is used by the remote console to download .jar files and display the help pages.
8443 is used by the remote console to communicate with SEPM and the Replication Partners to replicate data.
8444 is used by the SPC 2.x remote console to make Data Feed and Workflow requests.
8445 is used by SEPM for reporting data, and returns report data to SPC 2.x over this port.

Client-Enforcer Authentication:
The clients communicate with the Enforcer using a proprietary communication protocol. This communication uses a challenge-response to authenticate the clients. The default port for this is UDP 39,999.

Article URL http://www.symantec.com/docs/TECH163787

Terms of use for this information are found in Legal Notices