Firewall Information

The following table lists the possible ports that may need to be opened for proper operation of Cisco Secure Email Gateway (these are the default values).

Firewall Ports
Default Port	Protocol	In/Out	Hostname	Purpose
20/21	TCP	In or out	AsyncOS IPs, FTP server	FTP for aggregation of log files. Data ports TCP 1024 and higher must also all be open. For more information, search for FTP port information in the Knowledge Base. See Knowledge Base Articles (TechNotes) .
22	SSH	Out	AsyncOS IPs	Centralized configuration manager configuration push. Also used for backups.
22	TCP	In	AsyncOS IPs	SSH access to the CLI, aggregation of log files.
22	TCP	Out	SCP server	SCP push to log server.
23	Telnet	In	AsyncOS IPs	Telnet access to the CLI.
23	Telnet	Out	Telnet Server	Telnet upgrades
25	TCP	Out	Any	SMTP to send email.
25	TCP	In	AsyncOS IPs	SMTP to receive bounced email or if injecting email from outside firewall.
53	UDP/TCP	Out	DNS servers	DNS if configured to use Internet root servers or other DNS servers outside the firewall. Also for SenderBase queries.
80	HTTP	In	AsyncOS IPs	HTTP access to the GUI for system monitoring.
80	HTTP	Out	downloads.ironport.com	Service updates, except for AsyncOS upgrades .
80	HTTP	Out	upgrades.ironport.com	AsyncOS upgrades.
801	HTTP	In and Out	AsyncOS IPs	HTTP access to the GUI using `trailblazerconfig` CLI command.
82	HTTP	In	AsyncOS IPs	Used for viewing the spam quarantine.
83	HTTPS	In	AsyncOS IPs	Used for viewing the spam quarantine.
110	TCP	Out	POP server	POP authentication for end users for spam quarantine.
123	UDP	In & Out	NTP server	NTP if time servers are outside firewall.
143	TCP	Out	IMAP server	IMAP authentication for end users for spam quarantine.
161	UDP	In	AsyncOS IPs	SNMP Queries.
162	UDP	Out	Management station	SNMP Traps.
389 or 3268	LDAP	Out	LDAP servers	LDAP if LDAP directory servers are outside firewall. LDAP authentication for Cisco Spam Quarantine.
636 or 3269	LDAPS	Out	LDAPS	LDAPS — ActiveDirectory’s global catalog server (uses SSL).
443	TCP	In	AsyncOS IPs	Secure HTTP ( https ) access to the GUI for system monitoring.
443	TCP	Out	update-static.ironport.com	Verify the latest files for the update server.
443	TCP	Out	update-manifests.ironport.com	Obtain the list of the latest files from the update server (for physical hardware email gateways.)
443	TCP	Out	update-manifests.sco.cisco.com	Obtain the list of the latest files from the update server (for virtual email gateways.)
443	TCP	Out	phonehome.senderbase.org	Receive/send Outbreak Filters.
443	TCP	Out	File Analysis server URL as configured on your Web Security appliance on the Security Services > Anti-Malware and Reputation page, in the Advanced section > Advanced Settings for File Analysis. File Analysis server URL as configured on your Email Security appliance on the Security Services > File Reputation and Analysis page, in the Advanced Settings for File Analysis section.	Display detailed file analysis results on the File Analysis server. Web security reporting: (Cloud File Analysis) Ensure That the Management Appliance Can Reach the File Analysis Server
443	HTTPS	In and Out	api-sse.cisco.com	Used to register your email gateway with Cisco XDR.
443	HTTPS	In and Out	api.eu.sse.itd.cisco.com	Used to register your email gateway with Cisco Cloud Services Portal.
443	HTTPS	In and Out	est.sco.cisco.com	Used to download a certificate to verify whether your email gateway is accessing a verified site when registering to Cisco Cloud Services Portal.
443	HTTPS	In and Out	AsyncOS IPs	HTTPS access to the GUI using `trailblazerconfig` CLI command.
514	UDP/TCP	Out	Syslog server	Syslog logging.
1024 and higher	—	—	—	See information above for Port 21 (FTP.)
7025	TCP	In and out	AsyncOS IPs	Pass policy, virus, and outbreak quarantine data between Cisco Secure Email Gateways and Cisco Secure Manager Email and Web Gateways when this feature is centralized.
32137	TCP
6080	HTTP	In or Out		Access to API ports for HTTP Server
6443	HTTPS	In or Out		Access to API ports for HTTPS Server