Firewall ports
You might need to open the following ports on your DMZ firewall, depending on your network configuration:
| Port | Protocol | Direction | Required for |
|---|---|---|---|
| 20 | FTP | In/Out | Backup & Restore if using an FTP server located beyond the firewall. |
| 21 | FTP | In/Out | Backup & Restore and Transaction Logging if using an FTP server located beyond the firewall. |
| 21 | FTPS (exp) | In/Out | Backup & Restore and Transaction Logging. |
| 22 | TCP | In | SSH access to the console. |
| 22 | SFTP | Out | Backup & Restore, and, server containing lexical data for import |
| 25 | TCP | In | Inbound SMTP |
| 25 | TCP | Out | Outbound SMTP. If your system uses an alternative port, open that instead. |
| 53 | UDP/TCP | In/Out | TRUSTmanager LiveFeed checks |
| 53 | UDP/TCP | Out | DNS requests, if using DNS servers beyond the firewall. Only allow outbound requests to the specified DNS servers, and responses from those servers. |
| 80 | TCP | In | HTTP access to the PMM interface (if using PMM) |
| 80 |
TCP |
Out | HTTP access to the Sophos, Avira, or Kaspersky Update Servers for fetching anti-virus updates and software upgrades. Sophos update servers: Avira update servers: aav-update-1.clearswift.net, aav-update-2.clearswift.net, aav-update-3.clearswift.net, aav-update-4.clearswift.net, aav-update-5.clearswift.net, aav-update-6.clearswift.net, *.apc.avira.com Kaspersky update servers: |
| 80 | TCP | Out | HTTP access to the |
| 80 | TCP | Out | HTTP access to the policy rule/engine and spam update servers |
| 80 | TCP | Out | Clearswift Spam Detection stats from clearswiftstat.mailshell.net |
| 80 | TCP | Out | Access to SpamLogic Rule/Engine updates sn12.mailshell.net, db11.spamcatcher.net, verio.mailshell.net, ruledownloads.mailshell.net, tisdk.mailshell.net |
| 80 | TCP | Out | HTTP access to the Secure Email Gateway online help |
| 80 | TCP | Out | Access to the Service Availability List: services1.clearswift.net, services2.clearswift.net, services3.clearswift.net |
| 80 | TCP | Out | Access to the RSS Feed from www.clearswift.com |
| 123 | UDP | In/Out | Access to NTP services, if configured. The following servers are configured by default: 0.rhel.pool.ntp.org, 1.rhel.pool.ntp.org, 2.rhel.pool.ntp.org, 3.rhel.pool.ntp.org. |
| 135 | TCP | Out | User authentication using NTLM (when using PMM in Full Mode) |
| 137 | UDP | Out | User authentication using NTLM (when using PMM in Full Mode) |
| 139 | TCP | Out | User authentication using NTLM (when using PMM in Full Mode) |
| 161 | UDP | Out | SNMP inbound: the port used by an SNMP browser when scannning the |
| 162 | UDP | Out | SNMP alerts |
| 389 | TCP | In/Out | LDAP directory access (if you use LDAP servers beyond the firewall) |
| 389 | TCP | In/Out | LDAP Key Server Queries |
| 443 |
TCP |
In/Out | HTTPS access to the Clearswift Secure Email Gateway web interface and for communications between Peer |
| 443 | TCP | Out | HTTPS access to the |
| 443 | TCP | In/Out |
Kaspersky KSN lookup. (While this is using port 443, the traffic is not standard HTTP/S. Do not try to route through an SSL proxy.) The KSN lookup servers are: ksn1.kaspersky-labs.com, ksn2.kaspersky-labs.com, ksn3.kaspersky-labs.com, ksn4.kaspersky-labs.com |
| 443 | TCP | Out | HTTPS access to the |
| 443 | TCP | Out | Access to Clearswift product and Operating System updates at products.clearswift.net and rh7-repo.clearswift.net. |
| 443 | TCP | In/Out | HTTPS Key Server Queries |
| 443 | TCP | Out | Access to Sophos Sandboxing Server (port is used for sending potential malware for scanning, and this traffic must not be blocked): https://sandbox.sophos.com https://apac.sandbox.sophos.com https://de.sandbox.sophos.com https://uk.sandbox.sophos.com https://us.sandbox.sophos.com |
| 443 | HTTP/S | Out | Access to Sophos URL Lookup Server: t4.sophosxl.net |
| 443 | TCP | Out | Access to the SpamAssassin ruleset database: spamassassin.clearswift.net |
| 443 | TCP | Out | Access to the PhishTank URL database: phishtank.clearswift.net |
| 445 | TCP | Out | User authentication using NTLM (when using PMM in Full Mode) |
| 514 | TCP | Out | Access to the central SYSLOG server (log export) |
| 636 | TCP | In/Out | Secure LDAP/S directory access |
| 990 | FTPS | In/Out | Backup & Restore and Transaction Logging. Also used to connect the |
| 3268 | TCP | Out | LDAP connection to an active directory global catalog port (if you are using LDAP servers beyond the firewall) |
| 3269 | TCP | In/Out | LDAP and SSL connection to an active directory global catalog port (if you are using LDAP servers beyond the firewall) |
| 9090 | TCP | In/Out | Connection to Red Hat Cockpit |
| 11371 | TCP | In/Out | HTTPS Key Server Queries |
| 19200 | UDP | In/Out | Broadcasting of greylisting data to Peer |