Required ports for agentless audit
Preview
To ensure smooth performance and optimal functionality of the agentless audit using the Alloy Audit Service, certain TCP and UDP ports need to be open within your secure network, whether it is a domain or LAN. This page provides an overview of the required port settings for various operating systems, network devices, and services.
NOTE: These requirements do not apply to the agent-based audit process, where computers are audited by agents installed on them.
Windows
For successful agentless auditing on Windows systems, certain ports need to be open. The required ports depend on whether PowerShell Remoting is enabled and available.
- If PowerShell Remoting is properly configured and access is allowed from the audit service host to the remote machine, only the ports listed under "Required Ports" must be opened.
- If PowerShell Remoting is disabled or unavailable, additional ports must be opened to maintain the auditing functionality. These additional ports are listed under the section "Ports required if PowerShell Remoting is unavailable."
NOTE: The ports listed under "Ports recommended if PowerShell Remoting is unavailable" may be important in certain environments. Consider opening them, if necessary.
Port Number | Protocol | Purpose | Notes |
---|---|---|---|
Required ports | | | |
88 | TCP | Login and password verification, specifically for Kerberos authentication | |
389 | TCP | Information retrieval from Active Directory through LDAP (Lightweight Directory Access Protocol) | Failure to open this port will impact the audit’s ability to gather user information from Active Directory. |
5985 | TCP | Remote execution of PowerShell commands | |
Ports required if PowerShell Remoting is unavailable | | | |
135 | TCP | Windows recognition and communication | If ports 135 and 139 are not open, the node type may not be recognized as Windows or could be incorrectly identified as another type. |
139 | TCP | Windows recognition | |
445 | TCP | SMB (Server Message Block) communication, primarily for file sharing | |
Ports recommended if PowerShell Remoting is unavailable | | | |
135 | UDP | RPC (Remote Procedure Call) communication | If this port is closed, the Device ID may not be collected from the computer during the discovery phase. If auditing fails, the error messages may not accurately reflect the reason. |
139 | UDP | Named pipes communication | This port may be important in certain environments. Consider opening it, if required. |
In addition, the following protocols and services may require attention on your firewall:
- Pipes: Verify that pipes are functional and not blocked by the firewall. If they are not functional or are blocked, the Device ID may not be collected from the computer during the discovery phase. If auditing fails, the error messages may not accurately reflect the reason.
- RPC: Ensure that your firewall allows RPC traffic for services like WMI (Windows Management Instrumentation). If RPC traffic is not allowed, the Device ID may not be collected from the computer during the discovery phase. If auditing fails, the error messages may not accurately reflect the reason.
Linux and macOS
When implementing agentless auditing for Linux or macOS systems within your secure network, make sure to have the following port available:
Port Number | Protocol | Purpose |
---|---|---|
22 (SSH) | TCP | For secure remote access |
VMware ESXi
To enable smooth agentless auditing on ESXi systems, the following ports must be open:
Port Number | Protocol | Purpose |
---|---|---|
80 | TCP | Communication via HTTP |
443 | TCP | Secure communication via HTTPS |
902 | TCP | ESXi recognition |
NAS (Network-Attached Storage) devices
To facilitate agentless auditing for NAS devices, make sure to keep the following port open:
Port Number | Protocol | Purpose |
---|---|---|
139 | TCP | NAS devices recognition |
SNMP (Simple Network Management Protocol)
Enabling agentless auditing using SNMP requires the following ports to be open:
Port Number | Protocol | Purpose |
---|---|---|
161 | UDP | Network monitoring and management |
The following UDP port may be important in certain environments. Consider opening it if required:
Port Number | Protocol | Purpose |
---|---|---|
162 | UDP | SNMP trap notifications |
Printers
For effective agentless auditing of printers, ensure that the following port is accessible:
Port Number | Protocol | Purpose |
---|---|---|
9100 | TCP | Printer recognition, particularly printer discovery |
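A pre-flight reachability check for the TCP ports in the tables above (Windows through printers), written as an added example rather than Alloy's own tooling. It applies the Windows rule from this page (the 135/139/445 set only matters when PowerShell Remoting on 5985 is unreachable); the UDP ports and ICMP cannot be verified with a plain TCP connect and are left out. The host names, the `simulated_connect` stand-in and its port sets are constructed for offline use.

```python
"""Pre-flight check of the TCP audit ports listed on this page (added example, not
Alloy's tooling). UDP 135/139, SNMP 161/162 and ICMP cannot be probed this way."""
import socket

# Port tables transcribed from this page. In a domain, 88 (Kerberos) and
# 389 (LDAP) are answered by a domain controller rather than the audited node.
PORTS = {
    "windows_required": {88: "Kerberos authentication", 389: "LDAP (Active Directory)",
                         5985: "PowerShell Remoting"},
    "windows_no_remoting": {135: "Windows recognition (RPC)",
                            139: "Windows recognition (NetBIOS)", 445: "SMB"},
    "linux_macos": {22: "SSH"},
    "esxi": {80: "HTTP", 443: "HTTPS", 902: "ESXi recognition"},
    "nas": {139: "NAS recognition"},
    "printer": {9100: "Printer discovery"},
}

def tcp_open(host, port, timeout=2.0, connect=socket.create_connection):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        sock = connect((host, port), timeout=timeout)
    except OSError:  # refused, filtered (timeout) or unresolvable
        return False
    sock.close()
    return True

def check_host(host, platform, timeout=2.0, connect=socket.create_connection):
    """Probe the ports listed for `platform`; return {port: (purpose, open)}.
    Windows rule from the page: 135/139/445 are probed only when 5985 is closed."""
    table = PORTS["windows_required"] if platform == "windows" else PORTS[platform]
    results = {p: (why, tcp_open(host, p, timeout, connect)) for p, why in table.items()}
    if platform == "windows" and not results[5985][1]:
        for p, why in PORTS["windows_no_remoting"].items():
            results[p] = (why, tcp_open(host, p, timeout, connect))
    return results

def blocked_ports(results):
    """Ports from a check_host() result that did not answer, lowest first."""
    return sorted(p for p, (_, ok) in results.items() if not ok)

def simulated_connect(open_ports):
    """Constructed stand-in for socket.create_connection (offline runs and tests)."""
    def connect(address, timeout=None):
        if address[1] not in open_ports:
            raise OSError("connection refused")
        return socket.socket()  # unconnected socket; the caller only closes it
    return connect
```

From the audit service host, `blocked_ports(check_host("audited-node.example", "windows"))` (hypothetical host name) lists what the firewall still needs to allow before the audit runs.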
Network scanning
The following ports are used by the network scanning process.
This process detects and identifies active devices on the network and collects only a limited set of data, including such basic attributes as device name, type, etc. For more information on scanning, refer to Network scanning and auditing.
Port Number | Protocol | Purpose |
---|---|---|
389 | TCP | Information retrieval from Active Directory through LDAP (Lightweight Directory Access Protocol) |
53 | UDP | DNS (Domain Name System) resolution |
137 | UDP | NetBIOS (Network Basic Input/Output System) name resolution and related services |
138 | UDP | NetBIOS communication |
In addition, the following protocol may require attention on your firewall:
- ICMPv4: ICMP (Internet Control Message Protocol) does not use ports directly but is essential for functions like ping. Ensure ICMPv4 is enabled for AlloyScan to operate optimally.