Communication ports for Symantec Endpoint Protection

If the computers that run Symantec Endpoint Protection Manager and the Symantec Endpoint Protection client also run third-party firewall software or hardware, you must open certain ports. These ports are for remote deployment and for communication between the management server and clients. See your firewall product documentation for instructions to open ports or allow applications to use ports.

By default, the firewall component of Symantec Endpoint Protection already allows traffic on these ports.

The firewall in the Symantec Endpoint Protection client is disabled by default at initial installation until the computer restarts. To ensure firewall protection, leave the Windows firewall enabled on the clients until the software is installed and the client is restarted. The Symantec Endpoint Protection client firewall automatically disables the Windows firewall when the computer restarts.
Ports for client and server installation and communication

Each entry below lists the protocol and port number, what the port is used for, the listening process, a description (who initiates the connection and whether the port is configurable), and the applicable versions.

TCP 139, 445 and UDP 137, 138
  Used for: Push deployment from Symantec Endpoint Protection Manager to Windows computers
  Listening process: svchost.exe
  Description:
    • Initiated by Symantec Endpoint Protection Manager (clientremote.exe)
    • Not configurable
    Also uses TCP ephemeral ports.
  Applicable versions: All

TCP 22
  Used for: Push deployment from Symantec Endpoint Protection Manager to Mac computers
  Listening process: launchd
  Description:
    • Initiated by Symantec Endpoint Protection Manager (clientremote.exe)
    • Not configurable
  Applicable versions: All

TCP 2967
  Used for: Group Update Provider (GUP) web-caching proxy functionality
  Listening process: ccSvcHst.exe (12.1.5 and later); Smc.exe (earlier than 12.1.5)
  Description:
    • Initiated by Symantec Endpoint Protection clients
    • Configurable
  Applicable versions: All

TCP 2968
  Used for: WSS Traffic Redirection Client Authentication
  Listening process: ccSvcHst.exe
  Description:
    • Initiated by Symantec Endpoint Protection clients
    • Configurable
  Applicable versions: As of 14.2

TCP 2638
  Used for: Communication between the embedded database and Symantec Endpoint Protection Manager
  Listening process: dbsrv16.exe
  Description:
    • Initiated by Symantec Endpoint Protection Manager
    • Configurable
  Applicable versions: All

TCP 1433
  Used for: Communication between a remote SQL Server database and Symantec Endpoint Protection Manager
  Listening process: sqlserver.exe
  Description:
    • Initiated by Symantec Endpoint Protection Manager
    • Configurable
    The Symantec Endpoint Protection Manager management server also uses TCP ephemeral ports.
  Applicable versions: All

TCP 8443
  Used for: Server communication (HTTPS)
  Listening process: SemSvc.exe
  Description: All logon information and administrative communication takes place using this secure port.
    • Initiated by the Java-based remote console or web-based remote console, or by replication partners
    • Configurable
    Symantec Endpoint Protection Manager listens on this port.
  Applicable versions: All

TCP 8444
  Used for: Web services for Symantec Protection Center (SPC) 2.0
  Listening process: SemSvc.exe
  Description: This port is the Symantec Protection Center 2.0 web services port. Symantec Protection Center 2.0 makes Data Feed and Workflow requests to Symantec Endpoint Protection Manager over this port. Symantec Protection Center 2.0 is not supported for use with Symantec Endpoint Protection 14.x.
  Applicable versions: 12.1.x

TCP 9090
  Used for: Web console communication
  Listening process: SemSvc.exe
  Description: This port is used only for the initial HTTP communication between the remote management console and Symantec Endpoint Protection Manager. That initial communication is limited to console installation and displaying the logon screen; everything after logon uses TCP 8443.
    • Initiated by the remote Web console
    • Configurable
    Also uses TCP ephemeral ports.
  Applicable versions: All

TCP 8014
  Used for: Communication between Symantec Endpoint Protection Manager (HTTP) and the Symantec Endpoint Protection client
  Listening process: httpd.exe (Apache)
  Description:
    • Initiated by Symantec Endpoint Protection clients
    • Configurable
    Clients also use TCP ephemeral ports.
  Applicable versions: All

TCP 443
  Used for: Communication between Symantec Endpoint Protection Manager (HTTPS) and the Symantec Endpoint Protection client
  Listening process: httpd.exe (Apache)
  Description:
    • Initiated by Symantec Endpoint Protection clients
    • Configurable
    • Optional for 12.1.x, but the default for new installations of 14.x
    Clients also use TCP ephemeral ports.
  Applicable versions: All

TCP 443
  Used for: Communication between Symantec Endpoint Protection Manager and the cloud console
  Listening process: prunsvr.exe
  Description: For information on which domains to add to the proxy bypass list for the cloud console, see:
  Applicable versions: As of 14.0.1

HTTPS 443
  Used for: Communication between the Symantec Endpoint Protection roaming client and the cloud console
  Listening process: None
  Description: Managed clients that have intermittent communication with Symantec Endpoint Protection Manager upload their critical events directly to the cloud console. Symantec Endpoint Protection Manager must be enrolled with the cloud console.
  Applicable versions: As of 14.2

HTTP 8081 and HTTPS 8082
  Used for: Communication between Symantec Endpoint Protection Manager and the Content Analysis server appliance
  Listening process: Symantec Endpoint Protection Manager
  Description: The management server uses this port to communicate with the Content Analysis server or the Malware Analysis Appliance.
  Applicable versions: 14.2.x versions only. Deprecated in 14.3.

TCP 8445
  Used for: Used by the remote reporting console
  Listening process: httpd.exe (Apache)
  Description:
    • Initiated by the reporting console
    • Configurable
  Applicable versions: All

TCP 8446
  Used for: Web services
  Listening process: semapisrv.exe (14.x); SemSvc.exe (12.1.x)
  Description: Remote management applications use this port to send web services traffic over HTTPS.
    • Initiated by Remote Monitoring and Management (RMM) and by EDR
    • Configurable
    • Used for the Java Remote Console (as of version 14.0.1)
  Applicable versions: All

TCP 8447
  Used for: Process launcher
  Listening process: semlaunchsrv.exe
  Description: This virtual service account launches any Symantec Endpoint Protection Manager processes that require higher privileges, so that the other services do not need to hold those privileges themselves. Only honors requests from localhost.
    • Initiated by Symantec Endpoint Protection Manager (SemSvc.exe)
    • Configurable
  Applicable versions: All, as of 12.1.5

TCP 8765
  Used for: Server control
  Listening process: SemSvc.exe
  Description: Used by Symantec Endpoint Protection Manager to shut down the Tomcat web service.
    • Initiated by Symantec Endpoint Protection Manager
    • Configurable
  Applicable versions: All

TCP 1100
  Used for: Remote object registry
  Listening process: SemSvc.exe
  Description: Tells AjaxSwing on which port to run the RMI Registry.
    • Initiated by AjaxSwing
    • Not configurable
  Applicable versions: All

UDP 514
  Used for: Forwarding data to a Syslog server (optional)
  Listening process: SemSvc.exe
  Description:
    • Outbound traffic from Symantec Endpoint Protection Manager to the Syslog server
    • Inbound traffic on the Syslog server
    • Configurable
    Traffic to or from Symantec Endpoint Protection Manager uses UDP ephemeral ports. Syslog over UDP is neither encrypted nor authenticated, so keep the path between the management server and the Syslog server inside a trusted network segment.
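The PowerShell below is an added example, not Symantec's own tooling or part of this documentation. Run it elevated on the management server to compare the TCP listeners actually present with the default server-side port and process pairs from the table above. It assumes default port numbers (edit the $expected map if you reconfigured a port in the console) and a 14.x server with the embedded database (semapisrv.exe on 8446, dbsrv16.exe on 2638); process names are compared without the .exe suffix because that is how Get-Process reports them.

```powershell
# Added example: audit Symantec Endpoint Protection Manager listeners against the
# default port/process pairs from the table. Assumes default ports and a 14.x server
# with the embedded database; adjust $expected for your environment.
$expected = @{
    8443 = 'SemSvc'        # HTTPS console, replication
    9090 = 'SemSvc'        # initial HTTP console traffic
    8014 = 'httpd'         # client-server HTTP (Apache)
    443  = 'httpd'         # client-server HTTPS (Apache)
    8445 = 'httpd'         # remote reporting console
    8446 = 'semapisrv'     # web services (RMM, EDR, Java console)
    8447 = 'semlaunchsrv'  # process launcher; honors only localhost requests
    8765 = 'SemSvc'        # Tomcat shutdown
    1100 = 'SemSvc'        # RMI registry for AjaxSwing
    2638 = 'dbsrv16'       # embedded database
}

$listeners = Get-NetTCPConnection -State Listen

foreach ($port in ($expected.Keys | Sort-Object)) {
    $rows = $listeners | Where-Object LocalPort -eq $port
    if (-not $rows) {
        Write-Warning ("{0,5}  NOT LISTENING (expected {1}.exe)" -f $port, $expected[$port])
        continue
    }
    foreach ($row in $rows) {
        # Resolve the owning process; a PID that vanished between the two calls yields $null.
        $proc = (Get-Process -Id $row.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        $status = if ($proc -eq $expected[$port]) {
            'ok'
        } else {
            "UNEXPECTED process (expected $($expected[$port]).exe)"
        }
        # 8447 is meant for localhost callers only; report when it is bound on a
        # non-loopback address so a host firewall rule can be considered.
        if ($port -eq 8447 -and $row.LocalAddress -notin @('127.0.0.1', '::1')) {
            $status += '; bound on a non-loopback address'
        }
        '{0,5}  {1,-16} {2,-14} {3}' -f $port, $row.LocalAddress, $proc, $status
    }
}
```

A port that is not listening usually means the corresponding service is stopped or the port was changed in the console; a port owned by an unexpected process is worth investigating before opening it on a third-party firewall.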
  • Windows Vista and later contain a firewall that is enabled by default. If the firewall is enabled, you might not be able to install or deploy the client software remotely. If you have problems deploying the client to computers running these operating systems, configure their firewalls to allow the required traffic.
  • If you decide to use the Windows firewall after deployment, you must configure it to allow file and printer sharing (port 445).
For more information about configuring Windows firewall settings, see the Windows documentation.
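As an added example that is not part of the Symantec documentation, the following PowerShell, run elevated on a Windows client (Windows 8 / Server 2012 or later, where the NetSecurity cmdlets exist), adds Windows Firewall rules for the push-deployment ports from the table, limited to the management server's address rather than enabling file and printer sharing for every remote host, and then checks that the client can reach the server on the client-server ports after installation. The server address 10.0.0.5 and the rule names are hypothetical placeholders.

```powershell
# Added example: scope the push-deployment ports to the management server and verify
# client-to-server reachability. 10.0.0.5 is a hypothetical SEPM address; replace it.
$sepm = '10.0.0.5'

# Push deployment uses TCP 139/445 and UDP 137/138 (see the table above). Rather than
# enabling the whole built-in "File and Printer Sharing" group for any source, allow
# only the management server, on the Domain profile.
$rules = @(
    @{ Name = 'SEP push deployment (TCP 139,445)'; Protocol = 'TCP'; Port = @('139', '445') },
    @{ Name = 'SEP push deployment (UDP 137,138)'; Protocol = 'UDP'; Port = @('137', '138') }
)
foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow `
            -Protocol $r.Protocol -LocalPort $r.Port -RemoteAddress $sepm -Profile Domain | Out-Null
    }
}

# Broader alternative described in the note above (whole built-in group, any source):
#   Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Enabled True -Profile Domain

# After the client is installed and restarted, confirm it can reach the server on the
# client-server port in use: 8014 (HTTP) or 443 (HTTPS, the 14.x default). Only the
# configured one needs to succeed.
foreach ($port in 8014, 443) {
    $t = Test-NetConnection -ComputerName $sepm -Port $port -WarningAction SilentlyContinue
    $state = if ($t.TcpTestSucceeded) { 'reachable' } else { 'blocked' }
    '{0}:{1,-5} {2}' -f $sepm, $port, $state
}
```

Because the Symantec Endpoint Protection client firewall disables the Windows firewall after the post-install restart, these rules only matter while the Windows firewall is the one in force; if you keep using the Windows firewall afterwards, they replace the blanket file and printer sharing allowance the note above describes.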