Required Ports Reference
This reference lists the network paths used by an Audit Service. Unless stated otherwise, connections are initiated by the Audit Service host.
AlloyScan connectivity
| Source | Destination | Protocol | Port | Purpose |
|---|---|---|---|---|
| Audit Service host | AlloyScan instance | TCP | 443 | Service registration, task communication, and audit data upload over HTTPS. |
| Audit Service host | AWS, Azure, or Google Cloud API endpoints | TCP | 443 | Cloud resource scan and audit over provider APIs. |
Windows computers
Windows audit uses PowerShell Remoting over WinRM. When PowerShell Remoting is already enabled on the target, TCP 5985 is the only target port required for scan and audit.
| Required when | Destination | Protocol | Port | Purpose |
|---|---|---|---|---|
| PowerShell Remoting is enabled | Windows target | TCP | 5985 | WinRM over HTTP for Windows recognition, device identification, and audit. |
| Domain credentials are used | Domain controller | TCP | 88 | Kerberos authentication. Domain authentication fails if this port is unavailable. |
| Current-user information is collected from Active Directory | Domain controller | TCP | 389 | LDAP queries. Audit can continue without this port, but current-user information is not collected. |
Enabling PowerShell Remoting remotely
The following ports are needed only when PowerShell Remoting is not enabled and the Audit Service must recognize the Windows target and enable remoting remotely.
| Purpose | Protocol | Port |
|---|---|---|
| RPC endpoint mapping | TCP | 135 |
| Windows recognition | TCP | 139 |
| SMB communication | TCP | 445 |
| Enable PowerShell Remoting remotely | UDP | 135 |
| Detect a remote Audit Agent | UDP | 139 |
The firewall must also allow RPC traffic used for Windows recognition, device identification, and remote PowerShell Remoting setup.
For Windows domain constraints, see Supported Targets.
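The following PowerShell preflight is an added example, not part of the Audit Service product or this reference. Run from the Audit Service host, it checks the Windows-target ports in the tables above and reports each failure in the terms the tables give (TCP 88 required, TCP 389 optional, the TCP 135/139/445 paths needed only when remoting must be enabled remotely); the host names are placeholders.

```powershell
# Added preflight check (assumed names: replace the two placeholders with real hosts).
$target = 'win-target.example.local'   # placeholder Windows target
$dc     = 'dc01.example.local'         # placeholder domain controller

function Test-Port {
    param([string]$ComputerName, [int]$Port)
    # Test-NetConnection reports TcpTestSucceeded for a completed TCP handshake on the port
    $r = Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue
    return [bool]$r.TcpTestSucceeded
}

$results = [ordered]@{}

# 1. WinRM over HTTP: the only target port needed when PowerShell Remoting is already enabled
$results['WinRM 5985'] = Test-Port $target 5985
if ($results['WinRM 5985']) {
    # An open TCP port is not proof of a working listener; Test-WSMan sends a WS-Man Identify request
    $results['WinRM listener'] = [bool](Test-WSMan -ComputerName $target -ErrorAction SilentlyContinue)
}

# 2. Domain-credential dependencies on the domain controller
$results['Kerberos 88'] = Test-Port $dc 88    # required: domain authentication fails without it
$results['LDAP 389']    = Test-Port $dc 389   # optional: only current-user information is lost

# 3. TCP paths needed only when remoting must be enabled remotely. Test-NetConnection
#    probes TCP only, so the UDP 135/139 rows in the table are not covered here.
if (-not $results['WinRM 5985']) {
    foreach ($p in 135, 139, 445) { $results["Remote-enable TCP $p"] = Test-Port $target $p }
}

# Report every probe, then translate failures into the consequences the port tables state
foreach ($k in $results.Keys) {
    $status = if ($results[$k]) { 'open' } else { 'BLOCKED' }
    '{0,-22} {1}' -f $k, $status
}
if (-not $results['Kerberos 88']) { Write-Warning 'TCP 88 blocked: domain authentication will fail.' }
if (-not $results['LDAP 389'])    { Write-Warning 'TCP 389 blocked: audit continues, current-user info not collected.' }
$fallbackBlocked = @($results.Keys | Where-Object { $_ -like 'Remote-enable*' -and -not $results[$_] })
if (-not $results['WinRM 5985'] -and $fallbackBlocked.Count -gt 0) {
    Write-Warning "WinRM 5985 blocked and remote-enable path incomplete ($($fallbackBlocked -join ', '))."
}
```

Run it under the same account the Audit Service uses, since Test-WSMan and the later audit share that identity's network access.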
Linux and macOS computers
| Source | Destination | Protocol | Port | Purpose |
|---|---|---|---|---|
| Audit Service host | Linux or macOS target | TCP | 22 by default | SSH access for agentless audit. Use the port configured in the Linux and macOS credential if the target uses a non-standard SSH port. |
Hypervisors
| Target | Protocol | Port | Purpose |
|---|---|---|---|
| Microsoft Hyper-V host | TCP | 5985 | WinRM for Hyper-V host management and audit. |
| VMware ESXi host | TCP | 80 | HTTP communication. |
| VMware ESXi host | TCP | 443 | HTTPS communication. |
| VMware ESXi host | TCP | 902 | ESXi recognition. |
| Xen or Citrix Hypervisor host | TCP | 22 by default | SSH access. Use the port configured in the Hypervisor credential if the host uses a non-standard SSH port. |
Network devices
| Target | Protocol | Port | Purpose |
|---|---|---|---|
| SNMP device | UDP | 161 | SNMPv1, SNMPv2c, or SNMPv3 data collection. |
| Printer | TCP | 9100 | Printer recognition in environments where SNMP alone does not identify the device. |
| NAS device | TCP | 139 | NAS recognition. |
Printer audit data is collected through SNMP on UDP 161. TCP 9100 is used only for printer recognition when required.
Network scanning
| Protocol | Port | Purpose |
|---|---|---|
| UDP | 53 | DNS resolution. |
| UDP | 137 | NetBIOS name resolution. |
| UDP | 138 | NetBIOS communication. |
| ICMPv4 | Not applicable | Reachability checks such as ping. Recommended for optimal discovery. |