Documentation Version: er2.0.28-docs-1.1

Network Requirements

This section covers the following topics:

  1. Master Server Network Requirements
  2. Node Agent Network Requirements
  3. Proxy Agent Network Requirements

Master Server Network Requirements

If you have any firewalls configured between the Master Server and

make sure that the following connections are allowed:

| TCP port | Allowed connections | To/From | Description |
|---|---|---|---|
| 80/443 | Inbound | From: Hosts connecting to the Web Console. | To allow hosts on the network to access the Web Console. If you have enabled HTTPS on the Master Server (see Enable HTTPS), you can safely disable port 80. |
| 8843 | Outbound | To: Ground Labs update server. | (optional) To allow the Master Server to receive updates from the Ground Labs update server. Connecting to the Ground Labs update server requires the Master Server to have a working internet connection. |
| 11117 | Inbound | From: Node or Proxy Agent hosts. | To allow Node and Proxy Agents to establish a connection to the Master Server. |

Node Agent Network Requirements

On Node Agent hosts, the following connections must be allowed:

| TCP port | Allowed connections | To/From | Description |
|---|---|---|---|
| 11117 | Outbound | To: Master Server. | A Node Agent establishes a connection to the Master Server on this port to send reports and receive instructions. |

Proxy Agent Network Requirements

Proxy Agents must be able to connect to:

Details can be found in these sections below:

(Recommended) Put Proxy Agents on the same subnet as their intended Targets.

Agentless Scan

Make sure that the Target host fulfils the following requirements:

| Target Host (Destination) | Proxy Agent (Source) | TCP Port Allowed Connections | Comments |
|---|---|---|---|
| Windows host | Windows Proxy Agent | Port 135. For Targets running Windows Server 2008 and newer: dynamic ports 9152 - 65535. For Targets running Windows Server 2003R2 and older: port 139 and 445, and dynamic ports 1024 - 65535. | WMI can be configured to use static ports instead of dynamic ports. |
| Unix or Unix-like host | Windows or Unix Proxy Agent | Port 22. | Target host must have an SSH server running. Proxy Agent host must have an SSH client installed. For best results, use a Proxy Agent host that matches the Target host platform. For example, Debian Proxy Agent hosts should scan Debian Target hosts. |

See Agentless Scan for more information.

Network Storage

| Protocol/Target type | Destination TCP port (default) | Description |
|---|---|---|
| CIFS/SMB server | 445 (*see additional ports below) | To scan Windows remote file shares via CIFS. |
| SSH server | 22 | To scan Unix or Unix-like remote file shares via SSH. |
| NFS server | 2049 (TCP or UDP) (*see additional ports below) | To scan NFS file shares. |

Additional ports (CIFS/SMB server):

For Windows 2000 and older:

  • 137 (UDP)
  • 138 (UDP)
  • 139 (TCP)

Additional ports (NFS server):

NFSv4 requires only port 2049 (TCP only).

NFSv3 and older must allow connections on the following ports:

  • 111 (TCP or UDP)
  • Dynamic ports assigned by rpcbind.

rpcbind assigns dynamic ports to the following services required by NFSv3 and older:

  • rpc.rquotad
  • rpc.lockd (TCP and UDP)
  • rpc.mountd
  • rpc.statd

To find out which ports these services are using on your NFS server, check with your system administrator.

You can assign static ports to the required services, removing the need to allow connections for the entire dynamic port range. For more information, check with your system administrator.
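
The following is an added example, not part of the Ground Labs documentation: a Python parser that turns `rpcinfo -p` output from an NFSv3 server into the per-service port list that a firewall rule between the Proxy Agent and that server has to allow. The sample output, its dynamic port numbers and the function names are constructed for illustration.

```python
# Added example: derive the NFSv3 firewall allow-list from `rpcinfo -p` output.
# SAMPLE is constructed for illustration; the dynamic port numbers are made up.
SAMPLE = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100011    1   udp    875  rquotad
    100005    3   udp  20048  mountd
    100005    3   tcp  20048  mountd
    100003    3   tcp   2049  nfs
    100021    4   udp  42315  nlockmgr
    100021    4   tcp  38467  nlockmgr
    100024    1   udp  51234  status
    100024    1   tcp  41299  status
"""

# rpcinfo service name -> name used in the port list above
NEEDED = {
    "portmapper": "rpcbind",
    "nfs": "nfs",
    "rquotad": "rpc.rquotad",
    "nlockmgr": "rpc.lockd",
    "mountd": "rpc.mountd",
    "status": "rpc.statd",
}

def nfs3_allow_list(rpcinfo_text):
    """Return {service: sorted [(proto, port), ...]} for the services NFSv3 needs."""
    found = {}
    for line in rpcinfo_text.splitlines():
        fields = line.split()
        # Data rows are: program, version, proto, port, service. Skip anything else.
        if len(fields) != 5 or not fields[0].isdigit() or not fields[3].isdigit():
            continue
        _prog, _vers, proto, port, service = fields
        if service in NEEDED and proto in ("tcp", "udp"):
            found.setdefault(NEEDED[service], set()).add((proto, int(port)))
    return {name: sorted(pairs) for name, pairs in found.items()}

def missing_services(allow_list):
    """Required services that are not registered with rpcbind on the server."""
    return sorted(set(NEEDED.values()) - set(allow_list))

if __name__ == "__main__":
    rules = nfs3_allow_list(SAMPLE)
    for name, pairs in sorted(rules.items()):
        print(name, ", ".join(f"{port}/{proto}" for proto, port in pairs))
    print("not registered:", missing_services(rules) or "none")
```

Ports reported for rpc.lockd, rpc.mountd, rpc.statd and rpc.rquotad change across restarts unless static ports have been assigned, so rerun the check after the NFS server is restarted.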

WebSites and Cloud Services

| Destination TCP port (default) | Protocol/Target type | Description |
|---|---|---|
| 80 | HTTP server | To scan websites. |
| 443 | HTTPS server | To scan HTTPS websites. |
| 443 | Cloud services | To scan cloud services. |

Emails

| Destination TCP port (default) | Protocol/Target type | Description |
|---|---|---|
| 143 | IMAP server | To scan email accounts using IMAP. |
| 993 | IMAPS server | To scan email accounts using IMAPS. |
| 443 | Microsoft Exchange Server (EWS) | To scan Microsoft Exchange servers via EWS. |
| 1352 | IBM / Lotus Notes client | To scan IBM / Lotus Notes clients. |

Databases

| Destination TCP port (default) | Protocol/Target type | Description |
|---|---|---|
| 50000 | IBM DB2 server | To scan IBM DB2 databases. |
| 9088 | IBM Informix server | To scan IBM Informix databases. |
| 3306 | MySQL or MariaDB server | To scan MySQL or MariaDB databases. |
| 1433 | Microsoft SQL server | To scan Microsoft SQL databases. |
| 1521 | Oracle database server | To scan Oracle databases. |
| 5432 | PostgreSQL server | To scan PostgreSQL databases. |
| 3638 | Sybase/SAP ASE | To scan Sybase/SAP ASE databases. |
| 1025 | Teradata database server | To scan Teradata databases. |
| 8629 | Tibero database server | To scan Tibero databases. |