Orchestrator and EdgeConnect TCP/IP Ports

This page provides information about the default ports that Orchestrator and EdgeConnect appliances use.

| Protocol & Port | Application | Where Used |
|---|---|---|
| TCP 21 | FTP | Orchestrator as a Server: Outbound<sup>1</sup> |
| TCP 22 | SCP<br>SSH | Orchestrator as a Server: Outbound<sup>1</sup><br>Orchestrator as a Server: Outbound & Inbound |
| TCP 25 | SMTP | Orchestrator as a Server: Outbound |
| TCP 49 | TACACS+ | Orchestrator as a Server: Outbound<br>Appliance: as a Client |
| TCP/UDP 53 | DNS | Orchestrator as a Server: Outbound<br>Appliance: as a Client |
| TCP 80 | HTTP | Orchestrator as a Server: Outbound<sup>2</sup><br>Orchestrator as a Server: Inbound<sup>3</sup><br>Orchestrator: as a Client<br>Appliance: as a Client |
| UDP 123 | NTP | Orchestrator as a Server: Outbound<br>Orchestrator: as a Client<br>Appliance: as a Server and Client |
| UDP 161 | SNMP | Appliance: as a Client |
| TCP 443 | HTTPS | Orchestrator as a Server: Outbound & Inbound<sup>3</sup><br>Orchestrator: as a Client for AWS (optional)<sup>4</sup> and for Google Maps<sup>5</sup><br>Appliance: as a Server |
| TCP 465, 587 | SMTPS | Orchestrator as a Server: Outbound |
| UDP 514 | Syslog | Orchestrator as a Server: Outbound<sup>6</sup><br>Appliance: as a Client<sup>6</sup> |
| UDP 1812, 1813 | RADIUS | Orchestrator as a Server: Outbound<sup>7</sup><br>Appliance: as a Client<sup>7</sup> |
| UDP 4163 | UDP | Data Plane<sup>8</sup> |
| UDP 500, 4500 | IPSEC | Data Plane<sup>8</sup> |
| UDP 12000, 12010 | IPSEC_UDP<sup>9</sup> | Data Plane<sup>8</sup> |
| IP 47 | GRE | Data Plane<sup>8</sup> |
| IP 50 | IPSEC | Data Plane<sup>8</sup> |

  1. FTP and SCP are optional and used as backups to customer-owned servers in the on-prem version of Orchestrator. You can always use the HTTPS port, as it is already allowed. This is not applicable to Orchestrator-as-a-service.

  2. Orchestrator communicates with Cloud Portal over both HTTPS and WebSockets over TLS 1.2.

  3. Inbound HTTP/HTTPS connections can be restricted to authorized subnets only. EdgeConnect talks on these ports.

  4. Access to AWS S3 is required for case creation and uploading files to Support. If you need to configure firewall access, you can allow outbound connections to *.s3.amazonaws.com. Refer to this page for more information. The destination S3 bucket is in the us-east-1 region. If outbound access is prohibited, users can download files from Orchestrator and manually attach them to new or existing cases.

  5. Google Maps is used to populate topology view charts — additional firewall access may be required.

  6. Audit log and Syslog ports are configurable.

  7. These ports may differ. During configuration, verify that the ports match those set on the server.

  8. By default, IPSEC_UDP is used for all tunnels. Other protocols only need to be allowed if they are configured.

  9. These ports may differ. The port is the same as the default UDP port you set in the Orchestrator settings during configuration.