Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Download Servers and Open Ports Needed for Updating Secure Web Gateway

Secure Web Gateway needs to access several download servers to retrieve files with updated information used for filtering web traffic and maintaining the appliance system. If you are running a firewall in your configuration, particular ports must be open to allow communication with the download servers.

The data that is retrieved from the download servers includes: 

  • Categories and reputation scores for URL filtering with Trusted Source
  • Signatures for the anti-malware filtering engines
  • Signatures for Application Control
  • Data Loss Protection (DLP) information
  • New product versions
  • Operating system upgrades

In the following, more information is provided about the download servers that Secure Web Gateway needs to access and the ports that must be open to allow communication through a firewall.

Download Servers

The download server infrastructure for Secure Web Gateway is a worldwide cluster with multiple servers. This ensures that there is normally a download server available for Secure Web Gateway to retrieve updated information from.

The table below shows the host names and IP addresses of the download servers that Secure Web Gateway should be able to connect to.

NOTE: The IP addresses of the download servers are subject to change.

Host name IP address or addresses,, (US) (Germany) (Japan) multiple IP addresses (Content Delivery Network) (AWS, Europe) (AWS, US) (AWS, APAC)

Open Ports

The table below shows the ports that should be open to allow communication through a firewall. Only default ports are included, but you can configure additional ports. Depending on your configuration, not all inbound ports need to be open by default.

The meaning of the terms in the Direction column is as follows:

  • Inbound — Remote system initiates connection
  • Outbound — Local system initiates connection
  • Bidirectional — Connection can be initiated from either side
Port Direction Transport
Destination Use Note
22 Inbound TCP SSH Local Secure shell for the administrator  
161 Inbound TCP/UDP SNMP Local SNMP  
1080 Inbound TCP SOCKS Local SOCKS proxy  
1344 Inbound TCP ICAP Local ICAP  
2000 - 20000 Inbound TCP FTP Local Passive FTP data connection From FTP client to Secure Web Gateway
2121 Inbound TCP FTP Local FTP control port  
4005 Inbound TCP IFP Local IFP  
4711 Inbound TCP HTTP Local User interface for the administrator Also REST if enabled
4712 Inbound TCP HTTPS Local User interface for the administrator Also REST if enabled
4713 Inbound TCP HTTP Local File server  
4714 Inbound TCP HTTPS Local File server  
5050 Inbound TCP Yahoo Local Yahoo proxy  
5190 Inbound TCP ICQ Local ICQ proxy  
5222 Inbound TCP XMPP Local XMPP (Jabber) proxy  
9090 Inbound TCP HTTP Local HTTP(S) proxy  
9393 Inbound TCP HTTPS Local Intel Active System Console  
16000 - 17000 Inbound UDP   Local SOCKS UDP relay  
20001–40000 Inbound TCP FTP Local Active FTP data connection From FTP server to Secure Web Gateway
520 Bidirectional UDP RIP Your RIP routers IP routing  
12346 Bidirectional TCP Proprietary Your Secure Web Gateway appliances Secure Web Gateway cluster communication  
  Bidirectional IP GRE Your Secure Web Gateway appliances or WCCP routers WCCP and traffic tunneling between Secure Web Gateway nodes  
  Bidirectional IP OSPF Your OSPF routers IP routing  
  Bidirectional IP VRRP Your Secure Web Gateway appliances VIP failover  
  Bidirectional IP Proprietary Your Secure Web Gateway appliances Network driver cluster communication  
21 Outbound TCP FTP Arbitrary FTP servers File transfer protocol Active and passive
25 Outbound TCP SMTP Your email server Email notifications  
53 Outbound TCP/UDP DNS Your DNS server Domain Name System  
443 Outbound TCP HTTPS Your Secure Web Gateway appliances System update  
80, 443 Outbound TCP HTTP(S) Arbitrary HTTP(S) servers HTTP(S) user traffic Other ports depending on configuration
80, 443 Outbound TCP HTTP(S) Update servers, CRL download servers, OCSP requests, telemetry Centralized updater  
80, 443 Outbound TCP HTTP(S) Your customer-maintained subscribed list servers Subscribed lists manager  
80, 443 Outbound TCP HTTP(S) Your scheduled job servers (upload, download) Scheduled jobs manager  
123 Outbound TCP/UDP NTP Your NTP servers Time synchronization  
162 Outbound TCP/UDP SNMP Your SNMP trap sink SNMP traps  
389 Outbound TCP LDAP Your directory servers Directory service or Active Directory  
443 Outbound TCP HTTPS Your Trusted Source server GTI cloud lookups (reputation, categories, geolocation, file reputation)  
443 Outbound TCP HTTPS Your Trusted Source server GTI telemetry (malicious URL feedback)  
445 Outbound TCP SMB Your NTLM server NTLM authentication  
514 Outbound TCP/UDP syslog Your syslog servers syslog  
636 Outbound TCP LDAP Your directory servers Secure directory or Active Directory  
1344 Outbound TCP ICAP Your ICAP servers ICAP  
2020 (Source) Outbound TCP FTP Local Active FTP data connection From Secure Web Gateway to FTP client
8883 Outbound TCP DXL Connection to the DXl broker Communication between Secure Web Gateway and DXL broker installed on ePO  
Your proxy ports Outbound TCP HTTP Your parent proxies HTTP proxy For user traffic and several internal connections, configured individually


  • Was this article helpful?