Port numbers, URLs, and IP addresses
Workload Security default port numbers, URLs, IP addresses, and protocols are listed in the sections below. If a port, URL or IP address is configurable, a link is provided to the relevant configuration page.
If your network uses a proxy, you can configure Workload Security to connect to it instead of directly to the components listed on this page. For details, see Configure proxies.
In addition to the ports on this page, Workload Security uses ephemeral ports when opening a socket (source port). Under rare circumstances these may be blocked, causing connectivity issues. For details, see Activation Failed - Blocked port.
Workload Security port numbers
The following diagram shows the default ports in a Workload Security system. For details, see the table below the diagram.
In the table below:
- 'Mandatory ports' refer to ports that must be opened to ensure the proper functioning of the Workload Security system.
- 'Optional ports' refer to ports that may be opened depending on the feature or component you want to deploy.
- 'Port' is used in place of 'port number' for brevity.
| Port type | Default port number and protocol |
|---|---|
| Deep Security Agent listening (inbound) port |
Optional port:
|
| Deep Security Agent outbound ports |
Mandatory ports:
Optional ports:
|
| Deep Security Relay listening (inbound) ports |
Relays are typically not required. For details, see Deploy Deep Security Relay. If you do decide to deploy relays, then make sure they can listen on the following ports.
Port 4123 should not be listening to connections from other computers, and you don't need to configure it in network firewall policies. But if you have firewall software (such as Windows Firewall or iptables) on the relay itself, verify that it does not block this connection to itself. Also verify that other applications do not use the same port (a port conflict). |
| Deep Security Relay outbound ports |
Relays are typically not required. For details, see Deploy Deep Security Relay. If you do decide to deploy relays, then make sure they can connect outbound to the following ports.
|
|
Ports of components receiving traffic from Workload Security |
Optional ports:
|
Workload Security URLs
If you need to restrict the URLs that are allowed in your environment, read this section.
You'll need to make sure your firewall allows traffic from the 'Source' to the 'Destinations' listed in the table below. For each FQDN, make sure you allow access to its associated HTTP and HTTPS URLs. For example, for the FQDN files.trendmicro.com, allow access to http://files.trendmicro.com:80 and https://files.trendmicro.com:443.
| Source | Destination server or service name | Destination fully-qualified domain name (FQDN) |
|---|---|---|
| Deep Security Agent, Deep Security Relay | Workload Security |
In the list above, app.deepsecurity[...] is the Workload Security FQDN, agents.deepsecurity[...] and dsmim.deepsecurity[...] are the Workload Security heartbeat and activation server FQDNs, and relay.deepsecurity[...] is the FQDN of the relays hosted by Workload Security. For details on the heartbeat and activation servers, see SSL implementation and credential provisioning. |
| API clients | Deep Security APIs |
|
| Deep Security Agent, Deep Security Relay |
Download Center or web server Hosts software. |
|
| Deep Security Agent |
Smart Protection Network - Used for behavior monitoring, and predictive machine learning. |
|
| Deep Security Agent |
Smart Protection Network - Used for behavior monitoring, predictive machine learning, and process memory scans. |
|
| Deep Security Agent | Smart Protection Network - Smart Feedback |
20.0 and later agents connect to:
12.0 and later agents connect to:
11.0 and later agents connect to:
10.0 agents connect to:
|
| Deep Security Agent | Smart Protection Network - Smart Scan Service |
|
| Deep Security Agent |
Smart Protection Network - |
|
| Deep Security Agent | Smart Protection Network - Web Reputation Service |
|
| Deep Security Agent | Event Channel - XDR Activity Monitoring |
|
Workload Security IP addresses
If you need to restrict the IP addresses that are allowed in your environment, read this section to determine which ones must be allowed inbound and outbound.
Inbound IP addresses
If a firewall or AWS security group restricts which IP addresses are allowed inbound to your network, make sure to allow traffic inbound from the Workload Security subnet to the destination components listed below.
| Source | Destination component, port, and protocol (on your network) |
Notes |
|---|---|---|
|
Workload Security Subnet 34.205.5.0/27 |
SIEM or syslog server Default port: 514 Protocol: syslog over UDP |
Only allow this traffic if you configured a SIEM or syslog server. |
|
Deep Security Agent Default port: 4118 Protocol: HTTPS over TCP |
Only allow this traffic if you configured your agents to use bidirectional or manager-initiated communication. (By default, agents use agent-initiated communication.) | |
|
Deep Security Relay Default port: 4120 Protocol: HTTPS over TCP |
Only allow this traffic if you deployed relays in your local network. (Under normal circumstances, you don't need local relays.) |
Outbound IP addresses
If a firewall or AWS security group restricts which IP addresses are allowed outbound from your network, make sure to allow HTTPS traffic outbound on port 443 to the Trend Micro destination IPv4 addresses listed in the table below.
| Source (on your network) | Destination component, port, and protocol | Destination IP addresses |
|---|---|---|
| Deep Security Agents, administrator's computer |
Workload Security GUI Port: 443 Protocol: HTTPS over TCP |
34.196.38.94 34.198.27.224 34.198.6.142 34.205.210.199 34.205.219.175 34.205.239.162 34.226.116.82 34.233.153.57 35.153.222.175 35.169.254.68 35.169.43.208 35.172.176.62 50.17.162.194 52.0.124.201 52.0.33.128 52.202.124.22 52.207.138.122 52.22.162.229 52.3.171.31 52.72.111.249 52.72.211.36 52.87.46.150 54.175.211.84 54.80.120.113 |
| Deep Security Agents, Deep Security Relays |
Trend Micro Update Server (also called Active Update) and Download Center Port: 443 Protocol: HTTPS over TCP |
34.194.74.60 34.196.197.189 34.204.219.38 34.205.83.195 52.2.63.133 52.21.149.243 52.44.144.238 52.55.188.35 52.201.199.128 52.206.54.30 54.86.152.157 54.87.173.241 |
| Deep Security Agents |
Workload Security heartbeat and activation servers Port: 443 Protocol: HTTPS over TCP |
34.192.67.219 34.196.25.105 34.199.44.254 34.204.244.61 34.206.23.113 34.206.95.140 34.206.146.6 34.206.215.233 52.23.102.52 52.54.141.100 52.54.240.176 54.86.2.200 |
| Deep Security Agents |
Component: Workload Security fast heartbeat Port: 443 Protocol: HTTPS over TCP
|
34.192.145.157 34.199.111.255 34.204.221.63 34.206.179.241 52.44.129.132 52.45.95.227 52.55.183.116 52.73.88.81 52.202.143.169 52.206.208.21 54.208.106.230 54.152.108.196 54.85.86.247 18.204.77.2 54.84.198.181 52.0.58.66 52.6.19.160 18.233.125.165 34.227.134.223 52.73.122.26 34.233.252.54 34.236.163.142 52.44.40.85 3.209.15.127 52.70.113.18 3.210.118.160 54.175.77.19 3.225.117.164 54.224.63.108 52.72.213.26 18.235.177.174 34.203.45.194 54.165.185.17 |
| Deep Security Agents |
Smart Protection Network Ports: 80 and 443 Protocols: HTTP and HTTPS, over TCP |
Trend Micro's cloud-based Smart Protection Network does not have static IP addresses. If you want to use the Smart Protection Network but need to restrict your outbound communication, we suggest you deploy a Smart Protection Server in your environment. For information on how to do this, see Deploy a Smart Protection Server in AWS. |