Topics on this page

Port numbers, URLs, and IP addresses

Workload Security default port numbers, URLs, IP addresses, and protocols are listed in the sections below. If a port, URL or IP address is configurable, a link is provided to the relevant configuration page.

Workload Security port numbers
Workload Security URLs
Workload Security IP addresses

If your network uses a proxy, you can configure Workload Security to connect to it instead of directly to the components listed on this page. For details, see Configure proxies.

In addition to the ports on this page, Workload Security uses ephemeral ports when opening a socket (source port). Under rare circumstances these may be blocked, causing connectivity issues. For details, see Activation Failed - Blocked port.

Workload Security port numbers

The following diagram shows the default ports in a Workload Security system. For details, see the table below the diagram.

In the table below:

'Mandatory ports' refer to ports that must be opened to ensure the proper functioning of the Workload Security system.
'Optional ports' refer to ports that may be opened depending on the feature or component you want to deploy.
'Port' is used in place of 'port number' for brevity.

Port type	Default port number and protocol
Deep Security Agent listening (inbound) port	Optional port: 4118/HTTPS — Deep Security Agent port. Leave 4118/HTTPS closed if you plan on using agent-initiated communication. Only open it if you plan on using bidirectional or manager-initiated communication. By default, agent-initiated communication is used, which is why 4118/HTTPS is listed here as 'optional'. See Agent-manager communication for details.
Deep Security Agent outbound ports	Mandatory ports: 53/DNS over TCP or UDP — DNS server port 80/HTTP, 443/HTTPS — Smart Protection Network port, Smart Protection Server for File Reputation, Workload Security port 123/NTP over UDP — NTP server port Optional ports: 514/Syslog over UDP — SIEM or syslog server port. Allow port 514 if you want the agent to send its security events directly to your SIEM or syslog server. The port number is configurable in Workload Security. 5274/HTTP, 5275/HTTPS — Smart Protection Server ports for Web Reputation. Ports 5274 and 5275 are only required for Web Reputation, not Firewall. Allow ports 5274 and 5275 if you are hosting a Smart Protection Server in your local network or Virtual Private Network (VPC), instead of having your agents connect to the cloud-based Smart Protection Network over 80/HTTP and 443/HTTPS. For details, see the Smart Protection Server documentation, or Deploy a Smart Protection Server in AWS. 4122/HTTPS — Deep Security Relay port. Allow 4122/HTTPS if you want to host relays in your local network. Local relays are typically not required. See Deploy Deep Security Relay for details.
Deep Security Relay listening (inbound) ports	Relays are typically not required. For details, see Deploy Deep Security Relay. If you do decide to deploy relays, then make sure they can listen on the following ports. Allow the agent listening port, since it applies to the relay too 4122/HTTPS — Deep Security Relay port 4123 — This port is for communication between the agent and its own internal relay Port 4123 should not be listening to connections from other computers, and you don't need to configure it in network firewall policies. But if you have firewall software (such as Windows Firewall or iptables) on the relay itself, verify that it does not block this connection to itself. Also verify that other applications do not use the same port (a port conflict).
Deep Security Relay outbound ports	Relays are typically not required. For details, see Deploy Deep Security Relay. If you do decide to deploy relays, then make sure they can connect outbound to the following ports. 80/HTTP, 443/HTTPS — Trend Micro Update Server/Active Update and Download Center ports 4122 — port of other Deep Security Relays
Ports of components receiving traffic from Workload Security	Optional ports: 514/Syslog over UDP — SIEM or syslog server port. Allow port 514 if you want to forward events to an external SIEM or syslog server. 514 is configurable in Workload Security. 4118/HTTPS — Deep Security Agent port. Leave 4118/HTTPS closed if you plan on using agent-initiated communication. Only open it if you plan on using bidirectional or manager-initiated communication. By default, agent-initiated communication is used, which is why 4118/HTTPS is listed here as 'optional'. See Agent-manager communication for details. 4122/HTTPS — Deep Security Relay port. Allow 4122/HTTPS if you want to host relays in your local network. Local relays are typically not required. See Deploy Deep Security Relay for details.
Data center gateway outbound ports (towards the internet)	These ports are only required if you've set up a data center gateway. 53/DNS - DNS server port, can be forwarded by an internal DNS server. 443/TLS - Port that data center gateway uses to communicate with Workload Security.
Data center gateway outbound ports (towards an intranet)	These ports are only required if you've set up a data center gateway. 443/TLS - Port that data center gateway uses to communicate with vCenter servers. The port number may change depending on the vCenter configuration.

Workload Security URLs

If you need to restrict the URLs that are allowed in your environment, read this section.

You'll need to make sure your firewall allows traffic from the 'Source' to the 'Destinations' listed in the table below. For each FQDN, make sure you allow access to its associated HTTP and HTTPS URLs. For example, for the FQDN files.trendmicro.com, allow access to http://files.trendmicro.com:80 and https://files.trendmicro.com:443.

Source	Destination server or service name	Destination fully-qualified domain name (FQDN)
Deep Security Agent, Deep Security Relay	Workload Security heartbeat and activation servers	app.deepsecurity.trendmicro.com agents.deepsecurity.trendmicro.com dsmim.deepsecurity.trendmicro.com relay.deepsecurity.trendmicro.com *.workload.us-1.cloudone.trendmicro.com
API clients	Deep Security APIs	app.deepsecurity.trendmicro.com/webservice/Manager?WSDL app.deepsecurity.trendmicro.com/api app.deepsecurity.trendmicro.com/rest *.workload.us-1.cloudone.trendmicro.com
Deep Security Agent, Deep Security Relay	Download Center or web server Hosts software.	files.trendmicro.com
Deep Security Agent	Smart Protection Network - Global Census Service Used for behavior monitoring, and predictive machine learning.	dsaas1100-en-census.trendmicro.com
Deep Security Agent	Smart Protection Network - Good File Reputation Service Used for behavior monitoring, predictive machine learning, and process memory scans.	deepsecaas11-en.gfrbridge.trendmicro.com
Deep Security Agent	Smart Protection Network - Smart Feedback	20.0 and later agents connect to: ds200-en.fbs25.trendmicro.com ds200-jp.fbs25.trendmicro.com 12.0 and later agents connect to: ds120-en.fbs25.trendmicro.com ds120-jp.fbs25.trendmicro.com 11.0 and later agents connect to: deepsecurity1100-en.fbs25.trendmicro.com deepsecurity1100-jp.fbs25.trendmicro.com 10.0 agents connect to: deepsecurity1000-en.fbs20.trendmicro.com deepsecurity1000-jp.fbs20.trendmicro.com deepsecurity1000-sc.fbs20.trendmicro.com
Deep Security Agent	Smart Protection Network - Smart Scan Service	dsaas.icrc.trendmicro.com
Deep Security Agent	Smart Protection Network - predictive machine learning	dsaas-en-f.trx.trendmicro.com dsaas-en-b.trx.trendmicro.com
Deep Security Agent	Smart Protection Network - Web Reputation Service	dsaas.url.trendmicro.com
Deep Security Agent	Event Channel - XDR Activity Monitoring	ak5ih4ev105f2-ats.iot.us-east-1.amazonaws.com azrb5zzyvrkw6-ats.iot.us-east-1.amazonaws.com
Deep Security Agent, Deep Security Relay	Trend Micro Update Server (also called Active Update) and Download Center	iaus.activeupdate.trendmicro.com iaus.trendmicro.com ipv6-iaus.trendmicro.com ipv6-iaus.activeupdate.trendmicro.com
Data Center Gateway	Workload Security - Gateway control channel	ak5ih4ev105f2-ats.iot.us-east-1.amazonaws.com azrb5zzyvrkw6-ats.iot.us-east-1.amazonaws.com
Data Center Gateway	Workload Security - Gateway data channel	gateway.workload.us-1.cloudone.trendmicro.com

Workload Security IP addresses

If you need to restrict the IP addresses that are allowed in your environment, read this section to determine which ones must be allowed inbound and outbound.

Inbound IP addresses

If a firewall or AWS security group restricts which IP addresses are allowed inbound to your network, make sure to allow traffic inbound from the Workload Security subnet to the destination components listed below.

Source	Destination component, port, and protocol (on your network)	Notes
Workload Security Subnet 34.205.5.0/27	SIEM or syslog server Default port: 514 Protocol: syslog over UDP	Only allow this traffic if you configured a SIEM or syslog server.
Deep Security Agent Default port: 4118 Protocol: HTTPS over TCP	Only allow this traffic if you configured your agents to use bidirectional or manager-initiated communication. (By default, agents use agent-initiated communication.)
Deep Security Relay Default port: 4122 Protocol: HTTPS over TCP	Only allow this traffic if you deployed relays in your local network. (Under normal circumstances, you don't need local relays.)

Source

Destination component, port, and protocol (on your network)

Notes

Workload Security

Subnet 34.205.5.0/27

SIEM or syslog server

Default port: 514

Protocol: syslog over UDP

Only allow this traffic if you configured a SIEM or syslog server.

Deep Security Agent

Default port: 4118

Protocol: HTTPS over TCP

Only allow this traffic if you configured your agents to use bidirectional or manager-initiated communication. (By default, agents use agent-initiated communication.)

Deep Security Relay

Default port: 4122

Protocol: HTTPS over TCP

Only allow this traffic if you deployed relays in your local network. (Under normal circumstances, you don't need local relays.)

For Workload Security accounts created prior to 2020-11-23

The static IP addresses in the "Outbound IP addresses" section only apply to Deep Security as a Service or Workload Security accounts created prior to 2020-11-23. The IP addresses in this section will be valid until 2022-12-31. On 2022-12-31, all agents will automatically begin using the URLs listed in the Workload Security URLs section. Please ensure you've allowed access to the appropriate URLs prior to 2022-12-31 to ensure agents continue to connect to the service without interruption.

To determine when your account was created, click your tenant name at the top of the console and select Account Details. Your information is listed next to Created.

Outbound IP addresses

If a firewall or AWS security group restricts which IP addresses are allowed outbound from your network, make sure to allow HTTPS traffic outbound on port 443 to the Trend Micro destination IPv4 addresses listed in the table below.

Source (on your network)	Destination component, port, and protocol	Destination IP addresses
Deep Security Agents, administrator's computer	Workload Security GUI Port: 443 Protocol: HTTPS over TCP	34.196.38.94 34.198.27.224 34.198.6.142 34.205.210.199 34.205.219.175 34.205.239.162 34.226.116.82 34.233.153.57 35.153.222.175 35.169.254.68 35.169.43.208 35.172.176.62 50.17.162.194 52.0.124.201 52.0.33.128 52.202.124.22 52.207.138.122 52.22.162.229 52.3.171.31 52.72.111.249 52.72.211.36 52.87.46.150 54.175.211.84 54.80.120.113
Deep Security Agents, Deep Security Relays	Trend Micro Update Server (also called Active Update) and Download Center Port: 443 Protocol: HTTPS over TCP	3.210.17.243 3.222.238.73 18.205.30.1 18.210.96.90 34.193.172.66 34.194.74.60 34.196.197.189 34.204.219.38 34.204.220.78 34.205.83.195 34.227.254.106 34.232.200.81 52.2.63.133 52.3.39.108 52.4.197.109 52.20.8.32 52.21.149.243 52.44.144.238 52.55.188.35 52.201.199.128 52.204.10.77 52.206.54.30 52.206.193.178 52.207.18.27 54.86.152.157 54.87.173.241 54.144.77.16 54.156.82.102 54.160.187.232 54.165.40.223 54.165.117.76 54.174.156.3 54.175.39.189 54.210.11.136 54.211.23.144 54.221.238.214 174.129.163.104
Deep Security Agents	Workload Security heartbeat and activation servers Port: 443 Protocol: HTTPS over TCP	34.192.67.219 34.196.25.105 34.199.44.254 34.204.244.61 34.206.23.113 34.206.95.140 34.206.146.6 34.206.215.233 52.23.102.52 52.54.141.100 52.54.240.176 54.86.2.200
Deep Security Agents	Component: Workload Security fast heartbeat Port: 443 Protocol: HTTPS over TCP	34.192.145.157 34.199.111.255 34.204.221.63 34.206.179.241 52.44.129.132 52.45.95.227 52.55.183.116 52.73.88.81 52.202.143.169 52.206.208.21 54.208.106.230 54.152.108.196 54.85.86.247 18.204.77.2 54.84.198.181 52.0.58.66 52.6.19.160 18.233.125.165 34.227.134.223 52.73.122.26 34.233.252.54 34.236.163.142 52.44.40.85 3.209.15.127 52.70.113.18 3.210.118.160 54.175.77.19 3.225.117.164 54.224.63.108 52.72.213.26 18.235.177.174 34.203.45.194 54.165.185.17
Deep Security Agents	Smart Protection Network Ports: 80 and 443 Protocols: HTTP and HTTPS, over TCP	Trend Micro's cloud-based Smart Protection Network does not have static IP addresses. If you want to use the Smart Protection Network but need to restrict your outbound communication, we suggest you deploy a Smart Protection Server in your environment. For information on how to do this, see Deploy a Smart Protection Server in AWS.