Port numbers, URLs, and IP addresses for GovCloud

Before deploying Workload Security in GovCloud, your network administrator must configure firewalls, AWS security groups, and web proxies to allow the network services listed on this page. GovCloud restricts these connection parameters to the values described here.

The tables show the default settings; many of them are configurable. For example, if your network has a web proxy, you can configure agents to connect through the proxy on port 1443 instead of directly to Workload Security on port 443. If you change a default, your firewall rules must allow the new value instead.

The following network diagram provides an overview:

(Network diagram: default source addresses, destination addresses, and destination ports; the same information is in the tables below.)

Required Workload Security IP addresses and port numbers

The following table is organized by source address (the deployment component that initiates the TCP connection or UDP session). Reply packets (same connection, opposite direction, from the destination address) must also be allowed. Stateful firewalls and AWS security groups permit replies automatically; stateless filters such as VPC network ACLs need an explicit rule for the return traffic.

Workload Security servers usually have dynamic IP addresses (that is, other computers in your deployment use DNS queries to find the current IP address of a Workload Security FQDN when required). For the list of Workload Security domain names, see Required Workload Security URLs.

Some ports are required only if you use specific components and features. Some services might have static IP addresses. These exceptions and optional features are indicated.

All ports in the table are destination ports (also known as listening ports). Like much software, Workload Security also uses a range of dynamic, ephemeral source ports when opening a socket. Occasionally those ephemeral source ports are blocked, which causes connectivity problems; if that happens, you must also allow the ephemeral source port range.

Entries are grouped by source address. Each entry lists the destination address, the default destination port, and the protocol.

Source address: Administrator's computer
  • DNS server: 53, DNS over UDP
  • NTP server: 123, NTP over UDP
  • Workload Security: 443, HTTPS over TCP

Source address: Workload Security (static source subnet: 3.30.186.224/27)
  • SIEM or Syslog server (if any): 514, Syslog over UDP
  • SIEM or Syslog server (if any): 6514, Syslog over TLS
  • Agents, Relays (if any): 4118, HTTPS over TCP. Only required if you enable bidirectional or manager-initiated communication.

Source address: Agents
  • DNS server: 53, DNS over UDP
  • NTP server: 123, NTP over UDP
  • SIEM or Syslog server (if any): 514, Syslog over UDP
  • Workload Security: 443, HTTPS over TCP
  • Relays (if any): 4122, HTTPS over TCP
  • Smart Protection Network: 80, HTTP over TCP; 443, HTTPS over TCP
  • Service Gateway (if any, instead of Smart Protection Network, for the File Reputation feature): 8080, HTTP over TCP
  • Smart Protection Server (if any, instead of Smart Protection Network, for the File Reputation feature): 80, HTTP over TCP; 443, HTTPS over TCP
  • Smart Protection Server (if any, instead of Smart Protection Network, for the Web Reputation feature): 5274, HTTP over TCP; 5275, HTTPS over TCP

Source address: Relays (if any)
  • All destination addresses, ports, and protocols required by agents (each relay contains an agent)
  • Other relays (if any): 4122, HTTPS over TCP
  • Localhost (on a relay, its own agent connects locally, not to a remote relay): 4123, N/A. Only configure this if other software on the server uses the same port (a port conflict), or if a host firewall such as iptables or Windows Firewall blocks localhost connections (the server connecting to itself). Network firewalls do not need to allow this port because localhost connections never reach the network.
  • Trend Micro Update Server / Active Update: 80, HTTP over TCP; 443, HTTPS over TCP
  • Download Center, or its mirror on a local web server (if any): 443, HTTPS over TCP

Source address: Data Center Gateway (if any)
  • DNS server: 53, DNS over UDP
  • NTP server: 123, NTP over UDP
  • Workload Security: 443, HTTPS over TCP
  • VMware vCenter: 443, HTTPS over TCP
  • Microsoft Active Directory: 389, STARTTLS and LDAP over TCP and UDP; 636, LDAPS over TCP and UDP

Source address: Service Gateway (if any)
  • DNS server: 53, DNS over UDP
  • NTP server: 123, NTP over UDP
  • Trend Micro Smart Protection Network (for the File Reputation feature): 80, HTTP over TCP; 443, HTTPS over TCP

Source address: API clients (if any)
  • Workload Security: 443, HTTPS over TCP
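A practical way to confirm the rules above before enrolling hosts is to run an egress preflight from an agent or relay host: resolve each required FQDN, try a TCP connect to every address it returns, and separate failures on required endpoints from failures on optional-feature endpoints. The script below is an added example, not part of the Trend Micro documentation or product; the destinations are taken from the port table above and the GovCloud FQDN list in the next section (a subset, port 443 for each), while the function names, the injectable resolver/connector, and the sample outcomes are assumptions for this example.

```python
"""Egress preflight for a Workload Security agent or relay host.

Added example, not part of the Trend Micro documentation: it takes the
agent-side destinations from the port and FQDN tables on this page,
resolves each FQDN, and tries a TCP connect to every address returned.
The resolver and connector are injectable so the same logic can run
offline against recorded results. Function names and the demo's
outcomes are assumptions for this example.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int
    required: bool          # False: only needed for an optional feature
    note: str = ""


# Agent-side destinations from the GovCloud tables above (a subset; extend
# as needed). Optional-feature hosts are marked required=False.
AGENT_ENDPOINTS = [
    Endpoint("agents.workload.gov-us-1.cloudonegov.trendmicro.com", 443, True, "Workload Security"),
    Endpoint("agents-001.workload.gov-us-1.cloudonegov.trendmicro.com", 443, True, "Workload Security"),
    Endpoint("relay.workload.gov-us-1.cloudonegov.trendmicro.com", 443, True, "Workload Security"),
    Endpoint("files.trendmicro.com", 443, True, "Download Center"),
    Endpoint("iaus.activeupdate.trendmicro.com", 443, True, "Active Update"),
    Endpoint("dsaas.icrc.trendmicro.com", 443, False, "Smart Scan"),
    Endpoint("dsaas.url.trendmicro.com", 443, False, "Web Reputation"),
]


def default_resolve(host):
    """Return all IPv4 addresses for host, or [] if DNS fails."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def default_connect(ip, port, timeout=3.0):
    """Return 'open', 'timeout' (typically a firewall drop) or 'refused'."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "refused"


def check_endpoint(ep, resolve=default_resolve, connect=default_connect):
    """Classify one endpoint as ok, partial, blocked or dns-failure.

    Workload Security FQDNs resolve to changing sets of addresses, so a
    'partial' result (some addresses reachable, others not) means the
    agent will fail intermittently; treat it like 'blocked'.
    """
    ips = resolve(ep.host)
    if not ips:
        return ep, "dns-failure", {}
    results = {ip: connect(ip, ep.port) for ip in ips}
    opened = sum(1 for r in results.values() if r == "open")
    if opened == len(results):
        status = "ok"
    elif opened:
        status = "partial"
    else:
        status = "blocked"
    return ep, status, results


def preflight(endpoints, resolve=default_resolve, connect=default_connect):
    """Return (hard_failures, warnings); each item is (Endpoint, status, per-ip results)."""
    hard, soft = [], []
    for ep in endpoints:
        result = check_endpoint(ep, resolve, connect)
        if result[1] == "ok":
            continue
        (hard if ep.required else soft).append(result)
    return hard, soft


if __name__ == "__main__":
    hard, soft = preflight(AGENT_ENDPOINTS)
    for ep, status, detail in hard:
        print(f"FAIL {ep.host}:{ep.port} ({ep.note}): {status} {detail}")
    for ep, status, detail in soft:
        print(f"WARN {ep.host}:{ep.port} ({ep.note}): {status} {detail}")
    raise SystemExit(1 if hard else 0)
```

Run it on the host before installing the agent; a "timeout" on every address usually means a firewall or security group drop, a "refused" means the packet arrived but nothing listened (often a proxy or NAT misconfiguration), and a "partial" on a Workload Security FQDN means only some of its current addresses are allowed, which shows up later as intermittent heartbeat failures.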

Required Workload Security URLs

Web proxies and URL filters inspect the HTTP layer of a connection, not only the TCP 5-tuple: the server certificate, the URL path (such as /index), the fully qualified domain name (FQDN) in the Host header (such as Host: store.example.com:8080), and more. Allow all URLs on every FQDN listed in the following table.

For example, agents and relays must be able to download software updates from files.trendmicro.com on port 80 or 443. Allowing that TCP connection on the firewall is not enough: the connection carries HTTP or HTTPS, which web proxies and web filters can also block. You must therefore also configure them to allow https://files.trendmicro.com/ and http://files.trendmicro.com/ together with all sub-URLs.

Some FQDNs are required only if you use specific components and features, as indicated.

Entries are grouped by source address. Each entry lists the destination, the protocols, and the host FQDNs.

Source address: Agents, Relays (if any)

  Workload Security (agent 20.0 and later). Protocols: HTTPS, HTTP. The FQDNs for GovCloud:
  • workload.gov-us-1.cloudonegov.trendmicro.com
  • agents-001.workload.gov-us-1.cloudonegov.trendmicro.com
  • agents.workload.gov-us-1.cloudonegov.trendmicro.com
  • dsmim.workload.gov-us-1.cloudonegov.trendmicro.com
  • relay.workload.gov-us-1.cloudonegov.trendmicro.com
  • xdr-resp-gw.workload.gov-us-1.cloudonegov.trendmicro.com

  Download Center, or its mirror on a local web server (if any). Protocols: HTTPS, HTTP.
  • files.trendmicro.com, or the local web server's FQDN

  Trend Micro Update Server / Active Update. Protocols: HTTPS, HTTP.
  • iaus.activeupdate.trendmicro.com
  • iaus.trendmicro.com
  • ipv6-iaus.trendmicro.com
  • ipv6-iaus.activeupdate.trendmicro.com

  Trend Micro Vision One. Protocols: HTTPS, HTTP.
  • xdr-resp-gw.workload.gov-us-1.cloudonegov.trendmicro.com

Source address: Agents

  Smart Protection Network. Protocols: HTTPS, HTTP.
  • dsaas1100-en-census.trendmicro.com
    Only required for the Global Census feature's behavior monitoring and predictive machine learning.
  • Smart Feedback (only required for Smart Feedback), by agent version:
    agent 20.0 and later: ds200-en.fbs25.trendmicro.com
    agent 12.0: ds120-en.fbs25.trendmicro.com
    agent 11.0: deepsecurity1100-en.fbs25.trendmicro.com
    agent 10.0: deepsecurity1000-en.fbs20.trendmicro.com
  • dsaas.icrc.trendmicro.com
    Only required for the Smart Scan feature.
  • dsaas-en-f.trx.trendmicro.com
  • dsaas-en-b.trx.trendmicro.com
    Only required for predictive machine learning.
  • deepsecaas11-en.gfrbridge.trendmicro.com
    Only required for the File Reputation feature's behavior monitoring, predictive machine learning, and process memory scans.
  • dsaas.url.trendmicro.com
    Only required for the Web Reputation feature.

  Smart Protection Server (if any, instead of Smart Protection Network). Protocols: HTTPS, HTTP.
  • Your Smart Protection Server's FQDN
    Only required for the File Reputation and Web Reputation features. Other features still require the Smart Protection Network and cannot use this local server.

Source address: Workload Security

  Agents, Relays (if any). Protocol: HTTPS. Only required if you enable bidirectional or manager-initiated communication. The FQDNs for GovCloud:
  • agents-001.workload.gov-us-1.cloudonegov.trendmicro.com
    Note that Cloud One for GovCloud only uses 001 and 002.

Source address: Data Center Gateways (if any)

  Workload Security. Protocol: HTTPS. The FQDNs for GovCloud:
  • gateway.workload.us-1.cloudone.trendmicro.com
  • gateway-control.workload.us-1.cloudone.trendmicro.com

Source address: API clients (if any)

  Workload Security. Protocol: HTTPS. The FQDNs for GovCloud:
  • workload.gov-us-1.cloudonegov.trendmicro.com
  • agents-001.workload.gov-us-1.cloudonegov.trendmicro.com
  • agents.workload.gov-us-1.cloudonegov.trendmicro.com
  • dsmim.workload.gov-us-1.cloudonegov.trendmicro.com
  • relay.workload.gov-us-1.cloudonegov.trendmicro.com
  • xdr-resp-gw.workload.gov-us-1.cloudonegov.trendmicro.com
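The rule stated above the table, allow every URL on each listed FQDN, is easy to get wrong in a proxy or URL filter: a filter that searches the raw request string for an allowed name will pass http://files.trendmicro.com@evil.example/ (whose host is evil.example) or http://evil.example/files.trendmicro.com (which only contains the name in its path). The decision has to be made on the parsed hostname and the port. The code below is an added example, not Trend Micro's configuration or any proxy's own code; it mirrors a subset of the GovCloud FQDNs from the table (extend the set with the remaining entries you use), restricts ports to the 80 and 443 given in the port table, and also renders the same list as a Squid ACL. The function names and the sample requests are assumptions for this example.

```python
"""Host-based allow decision for a web proxy or URL filter.

Added example, not Trend Micro's configuration: it encodes the rule
stated on this page (allow every URL on each listed FQDN, on the ports
the tables give, deny everything else) and renders the same list as a
Squid ACL. The FQDN set is a subset of the GovCloud table; the function
names and the sample requests are assumptions for this example.
"""
from urllib.parse import urlsplit

ALLOWED_FQDNS = {
    "workload.gov-us-1.cloudonegov.trendmicro.com",
    "agents.workload.gov-us-1.cloudonegov.trendmicro.com",
    "agents-001.workload.gov-us-1.cloudonegov.trendmicro.com",
    "dsmim.workload.gov-us-1.cloudonegov.trendmicro.com",
    "relay.workload.gov-us-1.cloudonegov.trendmicro.com",
    "xdr-resp-gw.workload.gov-us-1.cloudonegov.trendmicro.com",
    "files.trendmicro.com",
    "iaus.activeupdate.trendmicro.com",
    "iaus.trendmicro.com",
}
ALLOWED_PORTS = {80, 443}


def normalize_host(host):
    """Hostnames are case-insensitive and a trailing dot names the same host."""
    return host.rstrip(".").lower()


def is_allowed_connect(target):
    """Decide a CONNECT request (HTTPS through the proxy); target is 'host:port'."""
    host, sep, port = target.rpartition(":")
    if not sep or not port.isdigit():
        return False
    return normalize_host(host) in ALLOWED_FQDNS and int(port) in ALLOWED_PORTS


def is_allowed_url(url):
    """Decide an absolute-URL request (plain HTTP through the proxy).

    The decision uses the parsed hostname, never a substring search on
    the raw string: 'http://files.trendmicro.com@evil.example/' has the
    hostname evil.example, and 'http://evil.example/files.trendmicro.com'
    merely contains the allowed name in its path. Both are denied.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:          # malformed port such as 'host:abc'
        return False
    return normalize_host(parts.hostname) in ALLOWED_FQDNS and port in ALLOWED_PORTS


def squid_acl(name="workload_security"):
    """Render the allowlist as Squid dstdomain and port ACL lines.

    Names carry no leading dot, so each matches exactly that host and
    sibling names under trendmicro.com are not implicitly allowed.
    """
    lines = [f"acl {name} dstdomain {h}" for h in sorted(ALLOWED_FQDNS)]
    ports = " ".join(str(p) for p in sorted(ALLOWED_PORTS))
    lines.append(f"acl {name}_ports port {ports}")
    lines.append(f"http_access allow {name} {name}_ports")
    return lines


if __name__ == "__main__":
    print("\n".join(squid_acl()))
```

Whichever proxy you use, keep the match exact (no leading-dot or wildcard suffix on trendmicro.com) so the allowlist stays limited to the FQDNs the product actually needs, and place the allow rule before any deny-all rule in the proxy's evaluation order.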