Default Port

Protocol

In/Out

Hostname

Purpose

20/21

TCP

In or out

AsyncOS IPs, FTP server

FTP for aggregation of log files.

Data ports TCP 1024 and higher must also all be open.

For more information, search for FTP port information in the Knowledge Base. See Knowledge Base Articles (TechNotes) .

22

SSH

Out

AsyncOS IPs

Centralized configuration manager configuration push.

Also used for backups.

22

TCP

In

AsyncOS IPs

SSH access to the CLI, aggregation of log files.

22

TCP

Out

SCP server

SCP push to log server.

23

Telnet

In

AsyncOS IPs

Telnet access to the CLI.

23

Telnet

Out

Telnet Server

Telnet upgrades

25

TCP

Out

Any

SMTP to send email.

25

TCP

In

AsyncOS IPs

SMTP to receive bounced email or if injecting email from outside firewall.

53

UDP/TCP

Out

DNS servers

DNS if configured to use Internet root servers or other DNS servers outside the firewall. Also for SenderBase queries.

80

HTTP

In

AsyncOS IPs

HTTP access to the GUI for system monitoring.

80

HTTP

Out

downloads.ironport.com

Service updates, except for AsyncOS upgrades .

80

HTTP

Out

upgrades.ironport.com

AsyncOS upgrades.

801

HTTP

In and Out

AsyncOS IPs

HTTP access to the GUI using trailblazerconfig CLI command.

82

HTTP

In

AsyncOS IPs

Used for viewing the spam quarantine.

83

HTTPS

In

AsyncOS IPs

Used for viewing the spam quarantine.

110

TCP

Out

POP server

POP authentication for end users for spam quarantine.

123

UDP

In & Out

NTP server

NTP if time servers are outside firewall.

143

TCP

Out

IMAP server

IMAP authentication for end users for spam quarantine.

161

UDP

In

AsyncOS IPs

SNMP Queries.

162

UDP

Out

Management station

SNMP Traps.

389 or

3268

LDAP

Out

LDAP servers

LDAP if LDAP directory servers are outside firewall. LDAP authentication for Cisco Spam Quarantine.

636 or 3269

LDAPS

Out

LDAPS

LDAPS — ActiveDirectory’s global catalog server (uses SSL).

443

TCP

In

AsyncOS IPs

Secure HTTP ( https ) access to the GUI for system monitoring.

443

TCP

Out

update-static.ironport.com

Verify the latest files for the update server.

443

TCP

Out

update-manifests.ironport.com

Obtain the list of the latest files from the update server (for physical hardware email gateways.)

443

TCP

Out

update-manifests.sco.cisco.com

Obtain the list of the latest files from the update server (for virtual email gateways.)

443

TCP

Out

phonehome.senderbase.org

Receive/send Outbreak Filters.

443

TCP

Out

File Analysis server URL as configured on your Web Security appliance on the Security Services > Anti-Malware and Reputation page, in the Advanced section > Advanced Settings for File Analysis.

File Analysis server URL as configured on your Email Security appliance on the Security Services > File Reputation and Analysis page, in the Advanced Settings for File Analysis section.

Display detailed file analysis results on the File Analysis server.

• Web security reporting: (Cloud File Analysis) Ensure That the Management Appliance Can Reach the File Analysis Server

443

HTTPS

In and Out

api-sse.cisco.com

Used to register your email gateway with Cisco Threat Response.

443

HTTPS

In and Out

api.eu.sse.itd.cisco.com

Used to register your email gateway with Cisco Threat Response.

443

HTTPS

In and Out

est.sco.cisco.com

Used to download a certificate to verify whether your email gateway is accessing a verified site when registering to Cisco Threat Response.

443

HTTPS

In and Out

AsyncOS IPs

HTTPS access to the GUI using trailblazerconfig CLI command.

514

UDP/TCP

Out

Syslog server

Syslog logging.

1024 and higher

—

—

—

See information above for Port 21 (FTP.)

7025

TCP

In and out

AsyncOS IPs

Pass policy, virus, and outbreak quarantine data between Cisco Secure Email Gateways and Cisco Secure Manager Email and Web Gateways when this feature is centralized.

32137

TCP

6080

HTTP

In or Out

Access to API ports for HTTP Server

6443

HTTPS

In or Out

Access to API ports for HTTPS Server