Topics on this page
Workload Security port numbers
Workload Security URLs
Workload Security IP addresses
Inbound IP addresses
Outbound IP addresses

Port numbers, URLs, and IP addresses

Workload Security default port numbers, URLs, IP addresses, and protocols are listed in the sections below. If a port, URL or IP address is configurable, a link is provided to the relevant configuration page.

If your network uses a proxy, you can configure Workload Security to connect to it instead of directly to the components listed on this page. For details, see Configure proxies.

In addition to the ports on this page, Workload Security uses ephemeral ports when opening a socket (source port). Under rare circumstances these may be blocked, causing connectivity issues. For details, see Activation Failed - Blocked port.

Workload Security port numbers

The following diagram shows the default ports in a Workload Security system. For details, see the table below the diagram.

In the table below:

  • 'Mandatory ports' refer to ports that must be opened to ensure the proper functioning of the Workload Security system.
  • 'Optional ports' refer to ports that may be opened depending on the feature or component you want to deploy.
  • 'Port' is used in place of 'port number' for brevity.
Port type Default port number and protocol
Deep Security Agent listening (inbound) port

Optional port:

  • 4118/HTTPS — Deep Security Agent port. Leave 4118/HTTPS closed if you plan on using agent-initiated communication. Only open it if you plan on using bidirectional or manager-initiated communication. By default, agent-initiated communication is used, which is why 4118/HTTPS is listed here as 'optional'. See Agent-manager communication for details.
Deep Security Agent outbound ports

Mandatory ports:

  • 53/DNS over TCP or UDP — DNS server port
  • 80/HTTP, 443/HTTPS — Smart Protection Network port, Smart Protection Server for File Reputation, Workload Security port
  • 123/NTP over UDP — NTP server port

Optional ports:
Deep Security Relay listening (inbound) ports

Relays are typically not required. For details, see Deploy Deep Security Relay. If you do decide to deploy relays, then make sure they can listen on the following ports.

  • Allow the agent listening port, since it applies to the relay too
  • 4122/HTTPS — Deep Security Relay port
  • 4123 — This port is for communication between the agent and its own internal relay

Port 4123 should not be listening to connections from other computers, and you don't need to configure it in network firewall policies. But if you have firewall software (such as Windows Firewall or iptables) on the relay itself, verify that it does not block this connection to itself. Also verify that other applications do not use the same port (a port conflict).
Deep Security Relay outbound ports

Relays are typically not required. For details, see Deploy Deep Security Relay. If you do decide to deploy relays, then make sure they can connect outbound to the following ports.

  • 80/HTTP, 443/HTTPS — Trend Micro Update Server/Active Update and Download Center ports
  • 4122 — port of other Deep Security Relays

Ports of components receiving traffic from Workload Security

Optional ports:

  • 514/Syslog over UDP — SIEM or syslog server port. Allow port 514 if you want to forward events to an external SIEM or syslog server. 514 is configurable in Workload Security.
  • 4118/HTTPS — Deep Security Agent port. Leave 4118/HTTPS closed if you plan on using agent-initiated communication. Only open it if you plan on using bidirectional or manager-initiated communication. By default, agent-initiated communication is used, which is why 4118/HTTPS is listed here as 'optional'. See Agent-manager communication for details.
  • 4122/HTTPS — Deep Security Relay port. Allow 4122/HTTPS if you want to host relays in your local network. Local relays are typically not required. See Deploy Deep Security Relay for details.

Data center gateway outbound ports (towards the internet)

These ports are only required if you've set up a data center gateway.

  • 53/DNS - DNS server port, can be forwarded by an internal DNS server.
  • 443/TLS - Port that data center gateway uses to communicate with Workload Security.

Data center gateway outbound ports (towards an intranet)

These ports are only required if you've set up a data center gateway.

  • 443/TLS - Port that data center gateway uses to communicate with vCenter servers. The port number may change depending on the vCenter configuration.

Workload Security URLs

If you need to restrict the URLs that are allowed in your environment, read this section.

You'll need to make sure your firewall allows traffic from the 'Source' to the 'Destinations' listed in the table below. For each FQDN, make sure you allow access to its associated HTTP and HTTPS URLs. For example, for the FQDN files.trendmicro.com, allow access to http://files.trendmicro.com:80 and https://files.trendmicro.com:443.

Source Destination server or service name Destination fully-qualified domain name (FQDN)
Deep Security Agent, Deep Security Relay Workload Security heartbeat and activation servers
  • app.deepsecurity.trendmicro.com
  • agents.deepsecurity.trendmicro.com
  • dsmim.deepsecurity.trendmicro.com
  • relay.deepsecurity.trendmicro.com
  • *.workload.us-1.cloudone.trendmicro.com
API clients Deep Security APIs
  • app.deepsecurity.trendmicro.com/webservice/Manager?WSDL
  • app.deepsecurity.trendmicro.com/api
  • app.deepsecurity.trendmicro.com/rest
  • *.workload.us-1.cloudone.trendmicro.com
Deep Security Agent, Deep Security Relay

Download Center or web server

Hosts software.
  • files.trendmicro.com
Deep Security Agent

Smart Protection Network -
Global Census Service

Used for behavior monitoring, and predictive machine learning.
  • dsaas1100-en-census.trendmicro.com
Deep Security Agent

Smart Protection Network -
Good File Reputation Service

Used for behavior monitoring, predictive machine learning, and process memory scans.
  • deepsecaas11-en.gfrbridge.trendmicro.com
Deep Security Agent Smart Protection Network -
Smart Feedback

20.0 and later agents connect to:

  • ds200-en.fbs25.trendmicro.com
  • ds200-jp.fbs25.trendmicro.com

12.0 and later agents connect to:

  • ds120-en.fbs25.trendmicro.com
  • ds120-jp.fbs25.trendmicro.com

11.0 and later agents connect to:

  • deepsecurity1100-en.fbs25.trendmicro.com
  • deepsecurity1100-jp.fbs25.trendmicro.com

10.0 agents connect to:

  • deepsecurity1000-en.fbs20.trendmicro.com 
  • deepsecurity1000-jp.fbs20.trendmicro.com
  • deepsecurity1000-sc.fbs20.trendmicro.com
Deep Security Agent Smart Protection Network -
Smart Scan Service
  • dsaas.icrc.trendmicro.com
Deep Security Agent

Smart Protection Network -
predictive machine learning
  • dsaas-en-f.trx.trendmicro.com
  • dsaas-en-b.trx.trendmicro.com
Deep Security Agent Smart Protection Network -
Web Reputation Service
  • dsaas.url.trendmicro.com
Deep Security Agent Event Channel -
XDR Activity Monitoring
  • ak5ih4ev105f2-ats.iot.us-east-1.amazonaws.com
  • azrb5zzyvrkw6-ats.iot.us-east-1.amazonaws.com
Deep Security Agent, Deep Security Relay Trend Micro Update Server (also called Active Update) and Download Center
  • iaus.activeupdate.trendmicro.com
  • iaus.trendmicro.com
  • ipv6-iaus.trendmicro.com
  • ipv6-iaus.activeupdate.trendmicro.com
Data Center Gateway Workload Security - Gateway control channel
  • ak5ih4ev105f2.iot.us-east-1.amazonaws.com
Data Center Gateway Workload Security - Gateway data channel
  • gateway.workload.us-1.cloudone.trendmicro.com

Workload Security IP addresses

If you need to restrict the IP addresses that are allowed in your environment, read this section to determine which ones must be allowed inbound and outbound.

Inbound IP addresses

If a firewall or AWS security group restricts which IP addresses are allowed inbound to your network, make sure to allow traffic inbound from the Workload Security subnet to the destination components listed below.

Source Destination component, port, and protocol (on your network)
 Notes

Workload Security

Subnet 34.205.5.0/27

SIEM or syslog server

Default port: 514

Protocol: syslog over UDP

Only allow this traffic if you configured a SIEM or syslog server.

Deep Security Agent

Default port: 4118

Protocol: HTTPS over TCP

 Only allow this traffic if you configured your agents to use bidirectional or manager-initiated communication. (By default, agents use agent-initiated communication.)

Deep Security Relay

Default port: 4120

Protocol: HTTPS over TCP

 Only allow this traffic if you deployed relays in your local network. (Under normal circumstances, you don't need local relays.)
For Workload Security accounts created prior to 2020-11-23

The static IP addresses in the "Outbound IP addresses" section only apply to Deep Security as a Service or Workload Security accounts created prior to 2020-11-23. The IP addresses in this section will be valid until 2022-12-31. On 2022-12-31, all agents will automatically begin using the URLs listed in the Workload Security URLs section. Please ensure you've allowed access to the appropriate URLs prior to 2022-12-31 to ensure agents continue to connect to the service without interruption.

To determine when your account was created, click your tenant name at the top of the console and select Account Details. Your information is listed next to Created.

Outbound IP addresses

If a firewall or AWS security group restricts which IP addresses are allowed outbound from your network, make sure to allow HTTPS traffic outbound on port 443 to the Trend Micro destination IPv4 addresses listed in the table below.

Source (on your network) Destination component, port, and protocol Destination IP addresses
Deep Security Agents, administrator's computer

Workload Security GUI

Port: 443

Protocol: HTTPS over TCP

34.196.38.94

34.198.27.224

34.198.6.142

34.205.210.199

34.205.219.175

34.205.239.162

34.226.116.82

34.233.153.57

35.153.222.175

35.169.254.68

35.169.43.208

35.172.176.62

50.17.162.194

52.0.124.201

52.0.33.128

52.202.124.22

52.207.138.122

52.22.162.229

52.3.171.31

52.72.111.249

52.72.211.36

52.87.46.150

54.175.211.84

54.80.120.113
Deep Security Agents, Deep Security Relays

Trend Micro Update Server (also called Active Update) and Download Center

Port: 443

Protocol: HTTPS over TCP

34.194.74.60

34.196.197.189

34.204.219.38

34.205.83.195

52.2.63.133

52.21.149.243

52.44.144.238

52.55.188.35

52.201.199.128

52.206.54.30

54.86.152.157

54.87.173.241
Deep Security Agents

Workload Security heartbeat and activation servers

Port: 443

Protocol: HTTPS over TCP

34.192.67.219

34.196.25.105

34.199.44.254

34.204.244.61

34.206.23.113

34.206.95.140

34.206.146.6

34.206.215.233

52.23.102.52

52.54.141.100

52.54.240.176

54.86.2.200
Deep Security Agents

Component: Workload Security fast heartbeat

Port: 443

Protocol: HTTPS over TCP

 

34.192.145.157

34.199.111.255

34.204.221.63

34.206.179.241

52.44.129.132

52.45.95.227

52.55.183.116

52.73.88.81

52.202.143.169

52.206.208.21

54.208.106.230

54.152.108.196

54.85.86.247

18.204.77.2

54.84.198.181

52.0.58.66

52.6.19.160

18.233.125.165

34.227.134.223

52.73.122.26

34.233.252.54

34.236.163.142

52.44.40.85

3.209.15.127

52.70.113.18

3.210.118.160

54.175.77.19

3.225.117.164

54.224.63.108

52.72.213.26

18.235.177.174

34.203.45.194

54.165.185.17
Deep Security Agents

Smart Protection Network

Ports: 80 and 443

Protocols: HTTP and HTTPS, over TCP

 Trend Micro's cloud-based Smart Protection Network does not have static IP addresses. If you want to use the Smart Protection Network but need to restrict your outbound communication, we suggest you deploy a Smart Protection Server in your environment. For information on how to do this, see Deploy a Smart Protection Server in AWS.