What are the server addresses/ports used to update the McAfee AV client?
A notice has been issued for SonicWall Enforced Client (McAfee and Kaspersky). Please see Notice: End of Support for SonicWall Enforced Client for more information.
Question:
What are the server addresses/ports used to update the McAfee AV client?
Answer:
The McAfee EWS (Email and Web Security) / MEG (McAfee Email Gateway) 7.x Appliances must access servers outside of the local infrastructure to obtain the latest updates and query real-time databases. To access these update servers and databases, certain ports must be open on the infrastructure firewall.
NOTE: The update servers for MEG 7 are different than those used to update MEG 6.7.2.
The following ports are required to be opened on your firewall for the Appliance to function properly:
MEG 7.6.2 and later:
Use | Application Protocol | Transport Protocol | Port | Destination | Direction | Note |
Admin UI / onbox quarantine digest | SSL | TCP | 10443 | Your MEG appliance | Inbound | |
Anti-virus updates | FTP | TCP | 21 | ftp.nai.com | Outbound | FTP uses PASV. |
Anti-virus updates | HTTP | TCP | 80 | update.nai.com | Outbound | |
2nd Anti-Virus Engine/signature updates | SSL | TCP | 443 | tau.mcafee.com mwg-update.mcafee.com | Outbound | |
Anti-Spam Engine | HTTP | TCP | 443 | tau.mcafee.com | Outbound | |
Anti-Spam Rules and Streaming updates | HTTP | TCP | 80 | http://su3.mcafee.com/su3 http://sav-su3-1.mcafee.com 208.69.152.139 192.187.128.17 | Outbound | Packet types: X-SU3 X-SU3-Component-Name X-SU3-Component-Type X-SU3-Status |
Directory Service (and Active Directory) | LDAP | TCP | 389 | Your directory server | Outbound | |
Domain Name System (DNS) | DNS | TCP/UDP | 53 | Your DNS server | Outbound | Used for name resolution, for example for McAfee update servers, email delivery, and RBL lookups. |
Email Hybrid | Proprietary | TCP | 25 | Your MEG appliance | Inbound | SaaS cloud to appliance for inbound email. |
Email Hybrid | SSL | TCP | 443 | 208.65.144.0/21 208.81.64.0/21 | Outbound | SaaS API web service URLs (hybridapi.mxlogic.com). |
Global Threat Intelligence (GTI) Message Reputation (TrustedSource) | SSL | TCP | 443 | tunnel.web.trustedsource.org | Outbound | GTI lookups use port 443, but they are not HTTPS. Using an HTTPS proxy will break the GTI protocol. See KB78732. |
Global Threat Intelligence (GTI) File Reputation (Artemis) | DNS | UDP | 53 | Your DNS server | Outbound | |
Global Threat Intelligence (GTI) Feedback | SSL | TCP | 443 | gtifeedback.trustedsource.org | Outbound | GTI feedback uses port 443, but it is not HTTPS. Using an HTTPS proxy will break the GTI protocol. See KB78732. |
LDAP (and Active Directory) Global Catalog | LDAP | TCP | 3268 | Your directory server | Outbound | |
McAfee Quarantine Manager | HTTP HTTPS | TCP | 80 443 | Your MQM server | Bidirectional | |
Secure LDAP (and Active Directory) | LDAP | TCP | 636 | Your directory server | Outbound | |
Secure LDAP (and Active Directory) Global Catalog | LDAP | TCP | 3269 | Your directory server | Outbound | |
Secure Web Mail client | SSL | TCP | 443 | Your MEG appliance | Inbound | |
Software updates, for example patches | FTP | TCP | 21 | ftp.nai.com | Outbound | Uses PASV. |
URL reputation database update | HTTP | TCP | 80 | list.smartfilter.com | Outbound | |
URL reputation lookup | SSL | TCP | 443 | tunnel.web.trustedsource.org | Outbound | GTI lookups use port 443, but they are not HTTPS. Using an HTTPS proxy will break the GTI protocol. See KB78732. |
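
As an added example (not part of the original article and not McAfee tooling), the Python script below parses rows from the MEG 7.6.2 table in the page's pipe format and derives a destination-scoped egress allowlist, the destinations that must stay off an HTTPS proxy, and the cleartext update channels. The function names, the `CLEARTEXT` set and the abridged use names and notes are assumptions of this example.

```python
from collections import defaultdict

# Vendor rows (plus one inbound row) from the MEG 7.6.2 table above, in the page's
# pipe format; use names and notes abridged. Site-specific "Your ..." outbound rows omitted.
ROWS = """\
Admin UI / onbox quarantine digest | SSL | TCP | 10443 | Your MEG appliance | Inbound | |
Anti-virus updates | FTP | TCP | 21 | ftp.nai.com | Outbound | FTP uses PASV. |
Anti-virus updates | HTTP | TCP | 80 | update.nai.com | Outbound | |
2nd Anti-Virus Engine/signature updates | SSL | TCP | 443 | tau.mcafee.com mwg-update.mcafee.com | Outbound | |
Email Hybrid | SSL | TCP | 443 | 208.65.144.0/21 208.81.64.0/21 | Outbound | SaaS API web service URLs. |
GTI Message Reputation | SSL | TCP | 443 | tunnel.web.trustedsource.org | Outbound | GTI lookups use port 443, but they are not HTTPS. |
GTI Feedback | SSL | TCP | 443 | gtifeedback.trustedsource.org | Outbound | GTI feedback uses port 443, but they are not HTTPS. |
URL reputation database update | HTTP | TCP | 80 | list.smartfilter.com | Outbound | |
"""

COLUMNS = ("use", "app", "transport", "port", "dest", "direction", "note")
CLEARTEXT = {"FTP", "HTTP"}  # assumption of this example: no transport encryption


def parse(text):
    """Turn each 'a | b | ... |' line into a dict keyed by the table's columns."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().rstrip("|").split("|")]
        if len(cells) != len(COLUMNS):
            raise ValueError(f"unexpected column count: {line!r}")
        rows.append(dict(zip(COLUMNS, cells)))
    return rows


def egress_policy(text):
    """Return (allowlist, proxy_bypass, cleartext) for the Outbound rows only."""
    allow = defaultdict(set)            # (transport, port) -> destinations
    proxy_bypass, cleartext = set(), set()
    for r in parse(text):
        if r["direction"] != "Outbound":
            continue                    # inbound rows belong in a separate ingress policy
        port = int(r["port"])
        for dest in r["dest"].split():
            allow[(r["transport"], port)].add(dest)
            if "not HTTPS" in r["note"]:
                proxy_bypass.add(dest)  # port 443 but not HTTPS: keep off the HTTPS proxy
            if r["app"] in CLEARTEXT:
                cleartext.add((dest, port))
    return dict(allow), proxy_bypass, cleartext


if __name__ == "__main__":
    allow, bypass, clear = egress_policy(ROWS)
    for (proto, port), dests in sorted(allow.items()):
        print(f"allow out {proto}/{port} -> {', '.join(sorted(dests))}")
    print("bypass HTTPS proxy:", sorted(bypass))
    print("cleartext channels:", sorted(clear))
```

Because the FTP rows use PASV, the data transfer is a second outbound connection to a server-chosen port, so the TCP/21 entry needs an FTP-aware firewall rather than a bare port rule.
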
Use | Application Protocol | Transport Protocol | Port Number | Destination | Direction | Note |
Admin UI / onbox quarantine digest (EWS) | SSL | TCP | 443 | Your EWS appliance | Inbound | |
Admin UI / onbox quarantine digest (MEG) | SSL | TCP | 10443 | Your MEG appliance | Inbound | |
Anti Virus updates | FTP | TCP | 21 | ftp.nai.com | Outbound | Uses PASV. |
Anti Virus updates | HTTP | TCP | 80 | update.nai.com | Outbound | |
2nd Anti-Virus Engine/signature updates | SSL | TCP | 443 | tau.mcafee.com mwg-update.mcafee.com | Outbound | |
Anti-Spam Engine | FTP | TCP | 21 | ftp.nai.com | Outbound | Uses PASV. |
Anti-Spam Rules and Streaming updates | HTTP | TCP | 80 | http://su3.mcafee.com/su3 http://sav-su3-1.mcafee.com 208.69.152.139 192.187.128.17 | Outbound | Packet types: X-SU3 X-SU3-Component-Name X-SU3-Component-Type X-SU3-Status |
Directory Service (and Active Directory) | LDAP | TCP | 389 | Your directory server | Outbound | |
Domain Name System (DNS) | DNS | TCP/UDP | 53 | Your DNS server | Outbound | Used for name resolution, for example for McAfee update servers, email delivery, and RBL lookups. |
Email Hybrid | Proprietary | TCP | 25 | Your MEG appliance | Inbound | SaaS Control Console to appliance for inbound email. |
Email Hybrid | SSL | TCP | 443 | 208.65.144.0/21 208.81.64.0/21 | Outbound | Appliance to the SaaS API web service URLs (hybridapi.mxlogic.com). |
Global Threat Intelligence (GTI) Feedback | SSL | TCP | 443 | gtifeedback.trustedsource.org | Outbound | GTI feedback uses port 443, but it is not HTTPS. Using an HTTPS proxy will break the GTI protocol. See KB78732. |
Global Threat Intelligence (GTI) File Reputation (Artemis) | DNS | UDP | 53 | Your DNS server | Outbound | |
Global Threat Intelligence (GTI) Message Reputation (TrustedSource) | SSL | TCP | 443 | tunnel.web.trustedsource.org | Outbound | GTI lookups use port 443, but they are not HTTPS. Using an HTTPS proxy will break the GTI protocol. See KB78732. |
LDAP (and Active Directory) Global Catalog | LDAP | TCP | 3268 | Your directory server | Outbound | Available on MEG 7.x. |
MQM legacy communication port | Proprietary | TCP | 49500 | Your MQM server | Bidirectional | Available on EWS 5.6 and MEG 7.0. |
MQM communication port | HTTP | TCP | 80 | Your MQM server | Bidirectional | Condition applies if your firewall sits between MQM server and the appliance. |
MQM communication port | HTTPS | TCP | 443 | Your MQM server | Bidirectional | Available on MEG 7.5 or later. |
Secure LDAP (and Active Directory) | Secure LDAP | TCP | 636 | Your directory server | Outbound | Available on MEG 7.x. |
Secure LDAP (and Active Directory) Global Catalog | Secure LDAP | TCP | 3269 | Your directory server | Outbound | Available on MEG 7.x. |
Secure Web Mail client | SSL | TCP | 443 | Your MEG appliance | Inbound | Available on MEG 7.x. |
Software package updates, for example patches | FTP | TCP | 21 | ftp.nai.com | Outbound | Uses PASV. |
URL reputation database update | HTTP | TCP | 80 | list.smartfilter.com | Outbound | |
URL reputation lookup | SSL | TCP | 443 | tunnel.web.trustedsource.org | Outbound | GTI lookups use port 443, but they are not HTTPS. Using an HTTPS proxy will break the GTI protocol. |
Port list and description:
The following tables display the ports needed by McAfee ePO (ePolicy Orchestrator) for communication through a firewall:
For the purpose of this article:
Port | Default | Description | Traffic direction |
Agent-server communication port | 80 | TCP port used by the ePO Server service to receive requests from agents. | Inbound connection to the Agent Handler and the ePO server from the McAfee Agent. Inbound connection to the ePO server from the remote Agent Handler. |
Agent-server communication secure port (4.5 and later agents only) Software Manager | 443 | TCP port used by the ePO Server service to receive requests from agents and remote Agent Handlers. TCP port used by the ePO server's Software Manager to connect to McAfee. | Inbound connection to the Agent Handler and the ePO server from the McAfee Agent. Inbound connection to the ePO server from the remote Agent Handler. |
Agent wake-up communication port SuperAgent repository port | 8081 | TCP port used by agents to receive agent wakeup requests from the ePO server or Agent Handler. TCP port used by SuperAgents configured as repositories to receive content from the ePO server during repository replication, and to serve content to client machines. | Inbound connection from the ePO server/Agent Handler to the McAfee Agent. Inbound connection from client machines to SuperAgents configured as repositories. |
Agent broadcast communication port | 8082 | UDP port used by SuperAgents to forward messages from the ePO server/Agent Handler. | Outbound connection from the SuperAgents to other McAfee Agents. |
Console-to-application server communication port | 8443 | TCP port used by the ePO Application Server service to allow web browser UI access. | Inbound connection to the ePO server from ePO Console. |
Client-to-server authenticated communication port | 8444 | Used by the Agent Handler to talk to the ePO server to get required information (like LDAP servers). | Outbound connection from remote Agent Handlers to the ePO server. |
SQL server TCP port | 1433 | TCP port used to communicate with the SQL server. This port is specified or determined automatically during the setup process. | Outbound connection from the ePO server/Agent Handler to the SQL server. |
SQL server UDP port | 1434 | UDP port used to request the TCP port that the SQL instance hosting the ePO database is using. | Outbound connection from the ePO server/Agent Handler to the SQL server. |
LDAP server port | 389 | TCP port used to retrieve LDAP information from Active Directory servers. | Outbound connection from the ePO server/Agent Handler to an LDAP server. |
SSL LDAP server port | 636 | TCP port used to retrieve LDAP information from Active Directory servers. | Outbound connection from the ePO server/Agent Handler to an LDAP server. |
Default Port | Protocol | Traffic direction |
80 | TCP | Inbound connection to the ePO server |
389 | TCP | Outbound connection from the ePO server |
443 | TCP | Inbound/Outbound connection to/from the ePO server |
636 | TCP | Outbound connection from the ePO server |
1433 | TCP | Outbound connection from the ePO server |
1434 | UDP | Outbound connection from the ePO server |
8081 | TCP | Outbound connection from the ePO server |
8443 | TCP | Inbound connection to the ePO server |
8444 | TCP | Inbound connection to the ePO server |
Default Port | Protocol | Traffic direction |
80 | TCP | Inbound/Outbound connection to/from the Agent Handler |
389 | TCP | Outbound connection from the Agent Handler |
443 | TCP | Inbound/Outbound connection to/from the Agent Handler |
636 | TCP | Outbound connection from the Agent Handler |
1433 | TCP | Outbound connection from the Agent Handler |
1434 | UDP | Outbound connection from the Agent Handler |
8081 | TCP | Outbound connection from the Agent Handler |
8443 | TCP | Outbound connection from the Agent Handler |
8444 | TCP | Outbound connection from the Agent Handler |
Default Port | Protocol | Traffic direction |
80 | TCP | Outbound connection to the ePO server/Agent Handler |
443 | TCP | Outbound connection to the ePO server/Agent Handler |
8081 | TCP | Inbound connection from the ePO server/Agent Handler. If the agent is a SuperAgent repository then inbound connection from other McAfee Agents. |
8082 | UDP | Inbound connection to Agents. Inbound/Outbound connection from/to SuperAgents |
Default Port | Protocol | Traffic direction |
1433 | TCP | Inbound connection from the ePO server/Agent Handler |
1434 | UDP | Inbound connection from the ePO server/Agent Handler |