Before deploying Workload Security in GovCloud, your network administrator needs to configure firewalls, AWS security groups, and web proxies to allow those network services. These parameters are limited in GovCloud to ensure secure connections:
Default settings are displayed. Many network settings are configurable. For example, if your network has a web proxy, you could configure agents to connect through it on port 1443, instead of directly to Workload Security on port 443. If you change the default settings, then firewalls must allow communications via the new settings.
The following network diagram provides an overview:
ports-diagram-dsaas=20250508101818.png

Required Workload Security IP addresses and port numbers

The following table is organized by source address (the deployment component which starts the TCP connection or UDP session). Replies (packets in the same connection but opposite direction, from the destination address) usually must be allowed, too.
Workload Security servers usually have dynamic IP addresses (that is, other computers in your deployment use DNS queries to find the current IP address of a Workload Security FQDN when required). For the list of Workload Security domain names, see Required Workload Security URLs.
Some ports are required only if you use specific components and features. Some services might have static IP addresses. These exceptions and optional features are indicated.
All ports in the table are destination ports (also known as listening ports). Like many software, Workload Security also uses a range of dynamic, ephemeral source ports when opening a socket. Rarely, ephemeral source ports might be blocked, which causes connectivity issues. If that happens, you must also open the source ports.
SourceAddress DestinationAddress Port(Default) Protocol
Administrator's computer DNS server 53 DNS over UDP
NTP server 123 NTP over UDP
Workload Security 443 HTTPS over TCP
Workload Security
Subnet:
3.30.186.224/27		 SIEM or Syslog server(if any) 514 Syslog over UDP
SIEM or Syslog server(if any) 6514 Syslog over TLS
Agents,
Relays(if any)
Only required if you enable bidirectional or manager-initiated communication.
 4118 HTTPS over TCP
Agents DNS server 53 DNS over UDP
NTP server 123 NTP over UDP
SIEM or Syslog server(if any) 514 Syslog over UDP
Workload Security 443 HTTPS over TCP
Relays(if any) 4122 HTTPS over TCP
Smart Protection Network 80 HTTP over TCP
443 HTTPS over TCP
Service Gateway(if any, instead of Smart Protection Network, for File Reputation feature) 8080 HTTP over TCP
Smart Protection Server(if any, instead of Smart Protection Network, for File Reputation feature) 80 HTTP over TCP
443 HTTPS over TCP
Smart Protection Server(if any, instead of Smart Protection Network, for Web Reputation feature) 5274 HTTP over TCP
5275 HTTPS over TCP
Relays(if any) All destination addresses, ports, and protocols required by agents (each relay contains an agent)
Other relays(if any) 4122 HTTPS over TCP
Localhost
(on relays, its agent connects locally, not to a remote relay)
Only configure if the server's other software uses the same port (a port conflict), or if host firewalls such as iptables or Windows Firewall block localhost connections (server connecting internally to itself). Network firewalls do not need to allow this port because localhost connections do not reach the network.
 4123 N/A
Trend Micro Update Server / Active Update 80 HTTP over TCP
443 HTTP over TCP
Download Center,
or its mirror on a local web server(if any)
 443 HTTPS over TCP
Data Center Gateway(if any) DNS server 53 DNS over UDP
NTP server 123 NTP over UDP
Workload Security 443 HTTPS over TCP
VMware vCenter 443 HTTPS over TCP
Microsoft Active Directory 389 STARTTLS and LDAP over TCP and UDP
636 LDAPS over TCP and UDP
Service Gateway(if any) DNS server 53 DNS over UDP
NTP server 123 NTP over UDP
Trend Micro Smart Protection Network(for File Reputation feature) 80 HTTP over TCP
443 HTTPS over TCP
API clients(if any) Workload Security 443 HTTPS over TCP

Required Workload Security URLs

Web proxies and URL filters can inspect the HTTP layer of connections: valid certificates, URL (such as /index), fully-qualified domain name (FQDN) (such as Host: store.example.com:8080), and more. Allow all URLs on every FQDN listed in the following table.
For example, agents and relays must be able to download software updates from files.trendmicro.com on port 80 or 443. You have allowed that TCP/IP connection on your firewall. However, the connection contains the HTTP or HTTPS protocol, which can be blocked not only by firewalls, but also by web proxies and web filters. Therefore you must configure them to allow https://files.trendmicro.com/ or http://files.trendmicro.com/ and all sub-URLs.
Some FQDNs are required only if you use specific components and features, as indicated.
Source Address Destination Address Host FQDN Protocols
Agents,Relays(if any) Workload Security Agent 20.0 and later:
The FQDNs for GovCloud:
  • workload.gov-us-1.cloudonegov.trendmicro.com
  • agents-001.workload.gov-us-1.cloudonegov.trendmicro.com
  • agents.workload.gov-us-1.cloudonegov.trendmicro.com
  • dsmim.workload.gov-us-1.cloudonegov.trendmicro.com
  • relay.workload.gov-us-1.cloudonegov.trendmicro.com
  • xdr-resp-gw.workload.gov-us-1.cloudonegov.trendmicro.com
  • agents.workload.gov-us-1.cloudonegov.trendmicro.com
HTTPS
HTTP
Download Center,
or its mirror on a local web server(if any)
  • files.trendmicro.com
    or the local web server's FQDN
HTTPS
HTTP
Trend Micro Update Server / Active Update
  • iaus.activeupdate.trendmicro.com
  • iaus.trendmicro.com
  • ipv6-iaus.trendmicro.com
  • ipv6-iaus.activeupdate.trendmicro.com
HTTPS
HTTP
Trend Micro Vision One
  • xdr-resp-gw.workload.gov-us-1.cloudonegov.trendmicro.com
HTTPS
HTTP
Agents Smart Protection Network
  • dsaas1100-en-census.trendmicro.com
Only required for the Global Census feature's behavior monitoring, and predictive machine learning.
HTTPS
HTTP
Agent 20.0 and later:
  • ds200-en.fbs25.trendmicro.com
Agent 12.0:
  • ds120-en.fbs25.trendmicro.com
Agent 11.0:
  • deepsecurity1100-en.fbs25.trendmicro.com
Agent 10.0:
  • deepsecurity1000-en.fbs20.trendmicro.com
Only required for Smart Feedback.
HTTPS
HTTP
  • dsaas.icrc.trendmicro.com
Only required for the Smart Scan feature.
HTTPS
HTTP
  • dsaas-en-f.trx.trendmicro.com
  • dsaas-en-b.trx.trendmicro.com
Only required for predictive machine learning.
HTTPS
HTTP
  • deepsecaas11-en.gfrbridge.trendmicro.com
Only required for the File Reputation feature's behavior monitoring, predictive machine learning, and process memory scans.
HTTPS
HTTP
  • dsaas.url.trendmicro.com
Only required for the Web Reputation feature.
HTTPS
HTTP
Smart Protection Server(if any, instead of Smart Protection Network)
  • Your Smart Protection Server's FQDN
Only required for the File Reputation and Web Reputation features. Other features still require the Smart Protection Network, and cannot use this local server.
HTTPS
HTTP
Workload Security
Agents,
Relays(if any)
Only required if you enable bidirectional or manager-initiated communication.
The FQDNs for GovCloud:
  • agents-001.workload.gov-us-1.cloudonegov.trendmicro.com
Note
Note
Cloud One for GovCloud only uses 001 and 002.
HTTPS
Data Center Gateways(if any) Workload Security
The FQDNs for GovCloud:
  • gateway.workload.us-1.cloudone.trendmicro.com
  • gateway-control.workload.us-1.cloudone.trendmicro.com
 HTTPS
API clients(if any) Workload Security
The FQDNs for GovCloud:
  • workload.gov-us-1.cloudonegov.trendmicro.com
  • agents-001.workload.gov-us-1.cloudonegov.trendmicro.com
  • agents.workload.gov-us-1.cloudonegov.trendmicro.com
  • dsmim.workload.gov-us-1.cloudonegov.trendmicro.com
  • relay.workload.gov-us-1.cloudonegov.trendmicro.com
  • xdr-resp-gw.workload.gov-us-1.cloudonegov.trendmicro.com
  • agents.workload.gov-us-1.cloudonegov.trendmicro.com
 HTTPS