ID #1236

What ports should be opened on Firewall for communication between eScan Server and client computers?

What ports should be opened on Firewall for communication between eScan Server and client computers?

 

An Enterprise or Corporate customer uses firewall, to block attacks and to prevent unwanted traffic from passing to and fro within a network.

 

Wide Area Network includes remote branches or roaming clients. Considering this environment, this document guides you through the ports being used by eScan server, Update agents and Clients, and which ports needs to be open on firewall for smooth deployment of virus signatures and policies.

 

Ports

Purpose

On eScan Server

TCP 10443

On which eScan Server Web Console listens

Administrator can access eScan Web console using this port to manage eScan Deployment, Policies and tasks

TCP 3333

To provide update version to Update agents and clients.

Client  PC  uses  this  connection  to  request  if  there  is  any  new  updates available to download or not.

TCP 2021

FTP port from where Update Agents and clients download Virus signatures, policies and upload system information and mwav.log.

If this port is closed UA and clients will not download virus signatures or policies. ****

TCP 2221

HTTP   port   from   where  Update   Agents   and   clients   download   Virus signatures, policies.

If this port is closed UA and clients will not download virus signatures or policies. ***

TCP 2222

eScan agent listens on this port

TCP 2225

eScan server accepts client events on this port

TCP 2226

eScan Server listen on this port in system mode.

This port need NOT be allowed/opened on firewall

TCP 2227

eScan accepts self-events on this port. This port need NOT be allowed/opened on firewall

 

 

 

 

On a PC assigned with Update Agent Role

TCP 3333

To provide update version to Update agents and clients.

Client  PC  uses  this  connection  to  request  if  there  is  any  new  updates available to download or not.

TCP 2021

FTP ports from clients downloads Virus signatures

TCP 2222

eScan agent listens on this port

TCP 2227

eScan accepts self-events on this port

 

On eScan Client

TCP 2222

eScan agent listens on this port and Used to receive requests sent from eScan server.

If   this   port   is   closed   eScan  server  will   not   be  able   to   send   any requests/tasks to the client.

TCP 2227

eScan accepts self-events on this port

 

 ****eScan Server use FTP port 2021 to distribute virus signatures and policies to clients. If eScan server or clients are behind Firewall, customer needs to enable PASV mode i.e. Passive mode

 

Passive mode is an alternative mode for establishing File Transfer Protocol (FTP) connections. PASV mode is designed for FTP clients behind firewalls.

 

PASV mode works by allowing FTP clients to initiate sending of both control and data messages. Ordinarily, only FTP servers initiate the data requests. Because many client firewalls reject incoming messages like these FTP requests, PASV mode makes FTP "firewall-friendly."

 

If eScan server or clients are behind firewall, then you need to open following ports on Firewall to make sure downloading of virus signatures and policy updates doesn’t stop.

 

TCP port 10443

TCP port 3333

TCP Port 2222

TCP port 2021

TCP port 2225

TCP port range 3023 – 4023 ( These port numbers can be different, depending upon the configuration)

 

[Port range 3023 – 4023 are examples given in the document, administrator can open any range after 3333 port, since 3333 port is being used by eScan server. In this guide we have opened 1000 ports from 3023 to 4023, this is an example and actual range can be depends on the number of clients connect to the server over the WAN. If you have 100 users you can open range of 100 ports on your firewall and so on.]

  

Once these ports are open on firewall make the below changes on eScan Server to synchronize.

 

Open the eserv.ini file from %program files%\eScan folder and insert the following entries under the

[General] section.

 

AddPassivePort=1
StartingPassivePort=3023
NoofPassivePorts=1000 

Ser_Pasv_IPAddr=192.x.x.x    - (eScan server public ip)

  

In case of, roaming clients or remote branches which are connected to eScan Server over the internet, may force administrator to install eScan Server on a Public IP or NAT it with Firewall Public IP. If you NAT it with Firewall Public IP, then you need to add the NATTED IP address in front of “Ser_Pasv_IPAddr=” entry.

 

This settings are cumbersome and it pose a security risk when you open n number of ports in your firewall, what if we open only few ports instead of opening 1000 number of ports. Hence we provided an option of HTTP download along with FTP.

 

***By default, eScan server installs with FTP port enabled, if you want to change it to HTTP please refer to the document called “http_readme.txt” which resides in eScan server Installation folder. Open this file and search for point number 3. How to Add HTTP download along with FTP download for Signature update and policies?

 

Once you are done with the settings, you need to open below ports on Firewall.

 

TCP port 10443

TCP port 2221

TCP Port 2222

TCP port 2225

 

[ HTTP Port for downloading Virus signature and policies, this option is available in eScan version 11.0.1139.1229 and later ]

Tags: firewall, port, ports

Related entries:

You cannot comment on this entry