Workload Security components communicate over your network using the following:
Before deployment, your network administrator might need to configure firewalls, AWS
security groups, and web proxies to allow those network services.
Default settings are displayed. Many network settings are configurable. For example,
if your network has a web proxy, you could configure agents to connect through it on port 1443, instead of directly
to Workload Security on port 443. If you change the default settings, then firewalls
must allow communications via the new settings.
The following network diagram provides an overview:
Required Workload Security IP addresses and port numbers
The following table is organized by source address (the deployment component which
starts the TCP connection or UDP session). Replies (packets in the same connection
but opposite direction, from the destination address) usually must be allowed, too.
Workload Security servers usually have dynamic IP addresses (that is, other computers
in your deployment use DNS queries to find the current IP address of a Workload Security
FQDN when required). For the list of Workload Security domain names, see Required Workload Security URLs.
Some ports are required only if you use specific components and features. Some services
might have static IP addresses. These exceptions and optional features are indicated.
All ports in the table are destination ports (also known as listening ports). Like
many software,
Workload Security also uses a range of dynamic, ephemeral source ports when opening
a socket. Rarely, ephemeral source ports might be blocked, which causes connectivity issues. If that happens, you must also open the source
ports.
| SourceAddress | DestinationAddress | Port(Default) | Protocol | |
| Administrator's computer | DNS server | 53 | DNS over UDP | |
| NTP server | 123 | NTP over UDP | ||
|
Workload Security
|
443 | HTTPS over TCP | ||
|
Workload Security
Subnets:
|
SIEM or Syslog server(if any) | 514 | Syslog over UDP | |
| SIEM or Syslog server(if any) | 6514 | Syslog over TLS | ||
|
Agents,
|
4118 | HTTPS over TCP | ||
| Agents | DNS server | 53 | DNS over UDP | |
| NTP server | 123 | NTP over UDP | ||
| SIEM or Syslog server(if any) | 514 | Syslog over UDP | ||
|
Workload Security
|
443 | HTTPS over TCP | ||
| Relays(if any) | 4122 | HTTPS over TCP | ||
| Smart Protection Network | 80 | HTTP over TCP | ||
| 443 | HTTPS over TCP | |||
| Smart Protection Server(if any, instead of Smart Protection Network, for File Reputation feature) | 8080 | HTTP over TCP | ||
| Smart Protection Server(if any, instead of Smart Protection Network, for File Reputation feature) | 80 | HTTP over TCP | ||
| 443 | HTTPS over TCP | |||
| Smart Protection Server(if any, instead of Smart Protection Network, for Web Reputation feature) | 5274 | HTTP over TCP | ||
| 5275 | HTTPS over TCP | |||
| Relays(if any) | All destination addresses, ports, and protocols required by agents (each relay contains an agent) | |||
| Other relays(if any) | 4122 | HTTPS over TCP | ||
|
Localhost
(on relays, its agent connects locally, not to a remote
relay)
Only configure if the server's other software uses the same port
(a port conflict), or if host firewalls such as iptables
or Windows Firewall block localhost connections (server
connecting internally to itself). Network firewalls do
not need to allow this port because localhost
connections do not reach the network.
|
4123 | N/A | ||
| 80 | HTTP over TCP | |||
| 443 | HTTPS over TCP | |||
|
Download Center,
|
443 | HTTPS over TCP | ||
| DNS server | 53 | DNS over UDP | ||
| NTP server | 123 | NTP over UDP | ||
| Workload Security | 443 | HTTPS over TCP | ||
|
VMware vCenter
|
443 | HTTPS over TCP | ||
| Microsoft Active Directory | 389 | STARTTLS and LDAP over TCP and UDP | ||
| 636 | LDAPS over TCP and UDP | |||
| Service Gateway(if any) | DNS server | 53 | DNS over UDP | |
| NTP server | 123 | NTP over UDP | ||
| Trend Micro Smart Protection Network(for File Reputation feature) | 80 | HTTP over TCP | ||
| 443 | HTTPS over TCP | |||
| API clients(if any) | Workload Security | 443 | HTTPS over TCP | |
Required Workload Security URLs
Web proxies and URL filters can inspect the HTTP layer of connections: valid
certificates, URL (such as
/index), fully-qualified domain name
(FQDN) (such as Host: store.example.com:8080), and more. Allow all
URLs on every FQDN listed in the following table.For example, agents and relays must be able to download software updates from
files.trendmicro.com on port 80 or 443. You have allowed that
TCP/IP connection on your firewall. However, the connection contains the HTTP
or
HTTPS protocol, which can be blocked not only by firewalls, but also by web proxies
and web filters. Therefore you must configure them to allow
https://files.trendmicro.com/ or
http://files.trendmicro.com/ and all sub-URLs.Some FQDNs are required only if you use specific components and features, as
indicated.
| Source Address | Destination Address | Host FQDN | Protocols | ||
| Agents,Relays(if any) | Workload Security | Agent 20.0 build 1541 and later:
The FQDNs for your region:
If your firewall
does not support wild card FQDNs (such as
*workload.<region>.cloudone.trendmicro.com),
then instead you must individually allow every required
FQDN. |
HTTPS
HTTP
|
||
|
Agent 20.0 build 1540 and earlier:
The FQDNs for your region:
and the legacy domain names:
If your firewall does not support wild card FQDNs (such as
*workload.<region>.cloudone.trendmicro.com),
then instead you must individually allow every required
FQDN. |
HTTPS
HTTP
|
||||
|
Download Center,
|
|
HTTPS
HTTP
|
|||
| Trend Micro Update Server / Active Update |
|
HTTPS
HTTP
|
|||
|
Trend Vision One
|
|
HTTPS
HTTP
|
|||
| Agents | Smart Protection Network |
Only required for the Global Census feature's behavior monitoring, and predictive machine learning.
|
HTTPS
HTTP
|
||
Agent 20.0 and later:
Agent 12.0:
Agent 11.0:
Agent 10.0:
Only required for Smart Feedback.
|
HTTPS
HTTP
|
||||
Only required for Smart Scan.
|
HTTPS
HTTP
|
||||
Only required for predictive machine learning.
|
HTTPS
HTTP
|
||||
Only required for the File Reputation feature's behavior monitoring, predictive machine learning, and process memory scans.
|
HTTPS
HTTP
|
||||
Only required for Web Reputation.
|
HTTPS
HTTP
|
||||
| Smart Protection Server(if any, instead of Smart Protection Network) |
Only required for File Reputation and Web Reputation. Other
features still require the Smart Protection Network, and cannot
use this local server.
|
HTTPS
HTTP
|
|||
| Workload
Security
Agents,
|
Agent 20.0 build 1559 and later:
The FQDNs for your region:
If your firewall
does not support wild card FQDNs (such as
*workload.<region>.cloudone.trendmicro.com),
then instead you must individually allow every required
FQDN. |
HTTPS | |||
|
Agent 20.0 build 1558 and earlier:
The FQDNs for your region:
and the legacy domain name:
If your firewall does not support wild card FQDNs (such as
*workload.<region>.cloudone.trendmicro.com),
then instead you must individually allow every required
FQDN. |
HTTPS | ||||
| Data Center Gateway(if any) | Workload Security |
The FQDNs for your region:
Australia:
Canada:
Germany:
India:
Japan:
Singapore:
UK:
USA:
|
HTTPS | ||
| API clients(if any) | Workload Security |
The FQDNs for your region:
and depending on which API you use, one of the following
legacy domain names:
If your web filter
does not support wild card FQDNs (such as
*workload.<region>.cloudone.trendmicro.com),
then instead you must individually allow every required
FQDN. |
HTTPS | ||
| Notification Service | Workload Security |
The FQDNs for your region:
If your firewall does not support wild card FQDNs such as
c1ws-notification.<region>.cloudone.trendmicro.com,
then you must individually allow every FQDN. |
HTTPS | ||