Orchestrator and EdgeConnect TCP/IP Ports
This page provides information about the default ports that Orchestrator and EdgeConnect appliances use.
Protocol & Port | Application | Where Used |
---|---|---|
TCP 21 | FTP | Orchestrator as a Server: Outbound<sup>1</sup> |
TCP 22 | SCP; SSH | Orchestrator as a Server: Outbound<sup>1</sup>; Orchestrator as a Server: Outbound & Inbound |
TCP 25 | SMTP | Orchestrator as a Server: Outbound |
TCP 49 | TACACS+ | Orchestrator as a Server: Outbound; Appliance: as a Client |
TCP/UDP 53 | DNS | Orchestrator as a Server: Outbound; Appliance: as a Client |
TCP 80 | HTTP | Orchestrator as a Server: Outbound<sup>2</sup>; Orchestrator as a Server: Inbound<sup>3</sup>; Orchestrator: as a Client; Appliance: as a Client |
UDP 123 | NTP | Orchestrator as a Server: Outbound; Orchestrator: as a Client; Appliance: as a Server and Client |
UDP 161 | SNMP | Appliance: as a Client |
TCP 443 | HTTPS | Orchestrator as a Server: Outbound & Inbound<sup>3</sup>; Orchestrator: as a Client for AWS (optional)<sup>4</sup> and for Google Maps<sup>5</sup>; Appliance: as a Server |
TCP 465, 587 | SMTPS | Orchestrator as a Server: Outbound |
UDP 514 | Syslog | Orchestrator as a Server: Outbound<sup>6</sup>; Appliance: as a Client<sup>6</sup> |
UDP 1812, 1813 | RADIUS | Orchestrator as a Server: Outbound<sup>7</sup>; Appliance: as a Client<sup>7</sup> |
UDP 4163 | UDP | Data Plane<sup>8</sup> |
UDP 500, 4500 | IPSEC | Data Plane<sup>8</sup> |
UDP 12000, 12010 | IPSEC_UDP<sup>9</sup> | Data Plane<sup>8</sup> |
IP 47 | GRE | Data Plane<sup>8</sup> |
IP 50 | IPSEC | Data Plane<sup>8</sup> |

1. FTP and SCP are optional and used as backups to customer-owned servers in the on-prem version of Orchestrator. You can always use the HTTPS port, as it is already allowed. This is not applicable to Orchestrator-as-a-service.
2. Orchestrator communicates with Cloud Portal over both HTTPS and WebSockets over TLS 1.2.
3. Inbound HTTP/HTTPS connections can be restricted to authorized subnets only. EdgeConnect talks on these ports.
4. Access to AWS S3 is required for case creation and uploading files to Support. If you need to configure firewall access, you can allow outbound connections to *.s3.amazonaws.com. Refer to this page for more information; the destination S3 bucket is in the us-east-1 region. If outbound access is prohibited, users can download files from Orchestrator and manually attach them to new or existing cases.
5. Google Maps is used to populate topology view charts; additional firewall access may be required.
6. Audit log and Syslog ports are configurable.
7. These ports may differ. Verify during configuration that the ports match those set on the server.
8. By default, IPSEC_UDP is used for all tunnels; other protocols only need to be allowed if they are configured.
9. These ports may differ. The port is the one you set as the default UDP port in the Orchestrator settings during configuration.
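
The notes on restricting inbound HTTP/HTTPS to authorized subnets and on allowing only the tunnel protocols that are actually configured can be checked against an existing firewall allowlist. The following is an added example, not code from Orchestrator or the vendor; the rule format, the `audit` function, and the sample addresses are hypothetical and constructed for illustration.

```python
import ipaddress

# Data-plane rows of the table: tunnel mode -> set of (protocol, port).
# port is None for IP protocols that carry no port (IP 47 = GRE, IP 50).
DATA_PLANE = {
    "IPSEC_UDP": {("udp", 12000), ("udp", 12010)},
    "UDP": {("udp", 4163)},
    "IPSEC": {("udp", 500), ("udp", 4500), ("ip50", None)},
    "GRE": {("ip47", None)},
}
MGMT_INBOUND = {("tcp", 80), ("tcp", 443)}


def audit(rules, authorized, modes=("IPSEC_UDP",), ipsec_udp_ports=None):
    """Return (rule_index, reason) for each allow rule wider than the notes require."""
    plane = dict(DATA_PLANE)
    if ipsec_udp_ports:  # the IPSEC_UDP port is configurable in Orchestrator
        plane["IPSEC_UDP"] = {("udp", p) for p in ipsec_udp_ports}
    needed = set().union(*(plane[m] for m in modes))
    known = set().union(*DATA_PLANE.values(), *plane.values())
    nets = [ipaddress.ip_network(a) for a in authorized]
    findings = []
    for i, r in enumerate(rules):
        key = (r["proto"], r.get("port"))
        if r["dir"] == "in" and key in MGMT_INBOUND:
            src = ipaddress.ip_network(r["src"])
            ok = any(src.version == n.version and src.subnet_of(n) for n in nets)
            if not ok:
                findings.append((i, "HTTP/HTTPS inbound from unauthorized source"))
        elif key in known and key not in needed:
            findings.append((i, "tunnel protocol allowed but not configured"))
    return findings


# Constructed sample ruleset (hypothetical format and addresses).
SAMPLE_RULES = [
    {"dir": "in", "proto": "tcp", "port": 443, "src": "10.20.0.0/24"},
    {"dir": "in", "proto": "tcp", "port": 80, "src": "0.0.0.0/0"},
    {"dir": "in", "proto": "udp", "port": 12000, "src": "0.0.0.0/0"},
    {"dir": "in", "proto": "udp", "port": 4500, "src": "0.0.0.0/0"},
    {"dir": "in", "proto": "ip47", "src": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for idx, reason in audit(SAMPLE_RULES, ["10.20.0.0/16"]):
        print(idx, SAMPLE_RULES[idx], reason)
```

Pass the tunnel modes in use as `modes` and, if the default UDP port was changed in the Orchestrator settings, pass it as `ipsec_udp_ports` so the default ports are reported as no longer needed.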