Firewall Ports

The following table lists the ports you might need to open on your DMZ firewall, depending on your network configuration:

Port	Protocol	Direction	Required for
20	FTP	In/Out	Backup & Restore, if using an FTP server located beyond the firewall.
21	FTP	In/Out	Backup & Restore and Transaction Logging, if using an FTP server located beyond the firewall.
21	FTPS (explicit)	In/Out	Backup & Restore and Transaction Logging.
22	SFTP	In/Out	Backup & Restore and Transaction Logging. Also used to connect the Gateway with your Server containing lexical data for import.
25	TCP	In	Inbound SMTP.
25*	TCP	Out	Outbound SMTP.
53	UDP/TCP	In/Out	TRUSTmanager LiveFeed checks
53	TCP	Out	DNS requests, if using DNS servers beyond the firewall. Only allow outbound requests to the specified DNS servers, and responses from those servers.
53	UDP	Out
80	TCP	In	HTTP access to the PMM interface, if you are using PMM.
80	TCP	Out	HTTP access to the online help (clearswifthelp.clearswift.com)
80	TCP	Out	Access to product updates from repo.clearswift.net and rh.repo.clearswift.net
80	TCP	Out	HTTP access to the Kaspersky and/or Sophos Update Servers for fetching anti-virus updates. Update servers: kav-update-8-1.clearswift.net, kav-update-8-2.clearswift.net, kav-update-8-3.clearswift.net, kav-update-8-4.clearswift.net, kav-update-8-5.clearswift.net. kav-update-8-6.clearswift.net, sav-update-1.clearswift.net, sav-update-2.clearswift.net,sav-update-3.clearswift.net, sav-update-4.clearswift.net, sav-update-5.clearswift.net, sav-update-6.clearswift.net,
80	TCP	Out	HTTP access to the Clearswift Update Server repo.clearswift.net for fetching software upgrades.
80	TCP	Out	HTTP access to the ClearswiftJunk Email and Malware Detection Servers, bulkmail1.clearswift.net, bulkmail2.clearswift.net, bulkmail3.clearswift.net, bulkmail4.clearswift.net and bulkmail5.clearswift.net for the classification of messages.
80	TCP	Out	HTTP access to policy rule/engine and spam update servers: http://sn12.mailshell.net http://sn60.mailshell.net http://db11spamcatcher.net http://verio.mailshell.net http://tisdk.mailshell.net http://ruledownloads.com http://rules-mailshell.co.uk http://rulesdownload.mailshell.net http://spamcatcher.net
80	TCP	Out	Clearswift Spam Detection stats from Clearswiftstat.mailshell.net
80	TCP	Out	Access to the RSS Feed from www.clearswift.com
80	TCP	Out	Access to the service availability list
123	UDP	Out	Access to NTP services, if configured. The following servers are configured by default: 0.rhel.pool.ntp.org, 1.rhel.pool.ntp.org, 2.rhel.pool.ntp.org, 3.rhel.pool.ntp.org.
135	TCP	Out	User Authentication using NTLM when using PMM in Full Mode.
137	UDP	Out	User Authentication using NTLM when using PMM in Full Mode.
139	TCP	Out	User Authentication using NTLM when using PMM in Full Mode.
162	UDP	In	SNMP alerts
389	TCP	In/Out	LDAP directory access, if you use LDAP servers beyond the firewall.
389	TCP	In/Out	LDAP Key Server Queries.
443	TCP	In/Out	Kaspersky KSN lookup (While this is using port 443, the traffic is not standard HTTP/S. Do not try to route through an SSL proxy)
443	TCP	In	HTTPS access to the Clearswift SECURE Exchange Gateway Web Interface and for communications between Peer Gateways.
443	TCP	Out	HTTPS access to the Clearswift Update Server applianceupdate.clearswift.com for license management, handling Managed Lexical Expression Lists and for communications between Peer Gateways. 86.188.240.24 213.106.99.208 46.236.38.70
443	TCP	In/Out	HTTPS Key Server Queries.
445	TCP	Out	User Authentication using NTLM when using PMM in Full Mode.
514	TCP	Out	Central SYSLOG Server (log export).
636	TCP	In/Out	Secure LDAP/S directory access.
990	FTPS	In/Out	Backup & Restore and Transaction Logging. Also used to connect the Gateway with your server containing lexical data for import.
11371	TCP	In/Out	HTTP Key Server Queries.
3268	TCP	Out	LDAP connection to an active directory global catalog port, if you use LDAP servers beyond the firewall.
3269	TCP	In/Out	LDAP and SSL connection to an active directory global catalog port, if you use LDAP servers beyond the firewall.

Port

Protocol

Direction

Required for

FTP

In/Out

Backup & Restore, if using an FTP server located beyond the firewall.

FTP

In/Out

Backup & Restore and Transaction Logging, if using an FTP server located beyond the firewall.

FTPS (explicit)

In/Out

Backup & Restore and Transaction Logging.

SFTP

In/Out

Backup & Restore and Transaction Logging. Also used to connect the Gateway with your Server containing lexical data for import.

TCP

Inbound SMTP.

25*

TCP

Out

Outbound SMTP.

UDP/TCP

In/Out

TRUSTmanager LiveFeed checks

TCP

Out

DNS requests, if using DNS servers beyond the firewall. Only allow outbound requests to the specified DNS servers, and responses from those servers.

UDP

Out

TCP

HTTP access to the PMM interface, if you are using PMM.

TCP

Out

HTTP access to the online help (clearswifthelp.clearswift.com)

TCP

Out

Access to product updates from repo.clearswift.net and rh.repo.clearswift.net

TCP

Out

HTTP access to the Kaspersky and/or Sophos Update Servers for fetching anti-virus updates. Update servers:

kav-update-8-1.clearswift.net, kav-update-8-2.clearswift.net, kav-update-8-3.clearswift.net, kav-update-8-4.clearswift.net, kav-update-8-5.clearswift.net. kav-update-8-6.clearswift.net, sav-update-1.clearswift.net, sav-update-2.clearswift.net,sav-update-3.clearswift.net, sav-update-4.clearswift.net, sav-update-5.clearswift.net, sav-update-6.clearswift.net,

TCP

Out

HTTP access to the Clearswift Update Server repo.clearswift.net for fetching software upgrades.

TCP

Out

HTTP access to the ClearswiftJunk Email and Malware Detection Servers, bulkmail1.clearswift.net, bulkmail2.clearswift.net, bulkmail3.clearswift.net, bulkmail4.clearswift.net and bulkmail5.clearswift.net for the classification of messages.

TCP

Out

HTTP access to policy rule/engine and spam update servers:

http://sn12.mailshell.net

http://sn60.mailshell.net

http://db11spamcatcher.net

http://verio.mailshell.net

http://tisdk.mailshell.net

http://ruledownloads.com

http://rules-mailshell.co.uk

http://rulesdownload.mailshell.net

http://spamcatcher.net

TCP

Out

Clearswift Spam Detection stats from Clearswiftstat.mailshell.net

TCP

Out

Access to the RSS Feed from www.clearswift.com

TCP

Out

Access to the service availability list

123

UDP

Out

Access to NTP services, if configured. The following servers are configured by default: 0.rhel.pool.ntp.org, 1.rhel.pool.ntp.org, 2.rhel.pool.ntp.org, 3.rhel.pool.ntp.org.

135

TCP

Out

User Authentication using NTLM when using PMM in Full Mode.

137

UDP

Out

User Authentication using NTLM when using PMM in Full Mode.

139

TCP

Out

User Authentication using NTLM when using PMM in Full Mode.

162

UDP

SNMP alerts

389

TCP

In/Out

LDAP directory access, if you use LDAP servers beyond the firewall.

389

TCP

In/Out

LDAP Key Server Queries.

443

TCP

In/Out

Kaspersky KSN lookup (While this is using port 443, the traffic is not standard HTTP/S. Do not try to route through an SSL proxy)

443

TCP

HTTPS access to the Clearswift SECURE Exchange Gateway Web Interface and for communications between Peer Gateways.

443

TCP

Out

HTTPS access to the Clearswift Update Server applianceupdate.clearswift.com for license management, handling Managed Lexical Expression Lists and for communications between Peer Gateways.

86.188.240.24

213.106.99.208

46.236.38.70

443

TCP

In/Out

HTTPS Key Server Queries.

445

TCP

Out

User Authentication using NTLM when using PMM in Full Mode.

514

TCP

Out

Central SYSLOG Server (log export).

636

TCP

In/Out

Secure LDAP/S directory access.

990

FTPS

In/Out

Backup & Restore and Transaction Logging. Also used to connect the Gateway with your server containing lexical data for import.

11371

TCP

In/Out

HTTP Key Server Queries.

3268

TCP

Out

LDAP connection to an active directory global catalog port, if you use LDAP servers beyond the firewall.

3269

TCP

In/Out

LDAP and SSL connection to an active directory global catalog port, if you use LDAP servers beyond the firewall.

Exchange Server Firewall Ports

The following table lists the ports you might need to open in Windows Firewall on your Exchange Server:

Port	Protocol	Direction	Required for
10443	TCP	Out	HTTPS access to the Clearswift SECURE Exchange Gateway web service.
23953	TCP	In/Out	Communication with other SXG Interceptors.
23955	TCP	In/Out	LDAP access to SXG configuration store.