Port requirements for agentless audit in local networks
To perform an agentless audit using the Alloy Audit Service, specific TCP and UDP ports must be open within your local trusted network (domain or LAN). These ports enable communication between the audit service and target systems during the discovery and audit process.
TIP: You may consider using the agent-based method as a simpler and more reliable alternative, as audit agents collect data locally and require only outbound communication to AlloyScan. For details, see Using the Audit Agent and Audit methods.
This page outlines the required port settings for supported operating systems and network devices. The table below shows which contexts the port requirements on this page apply to and which they do not.
| Context | Apply | Notes / Exceptions |
|---|---|---|
| Agentless audit within local network | ✅ Yes | Port requirements on this page apply to communication between Alloy Audit Service and target systems. |
| Agent-based audit | ❌ No | Port requirements on this page do not apply. Data is collected locally by audit agents and sent to AlloyScan over the Internet. |
| Outbound communication to AlloyScan cloud service | ❌ No | Port requirements on this page do not apply. Only TCP 443 outbound is needed for data transmission. |
Windows
Agentless audit of Windows systems is performed using PowerShell Remoting over Windows Remote Management (WinRM).
All audit commands and data collection use TCP port 5985 (WinRM over HTTP). Although 5985 carries plain HTTP, WinRM encrypts the message payload with the negotiated authentication protocol (Kerberos or NTLM) unless unencrypted traffic is explicitly allowed on the target, so credentials and audit data do not cross the LAN in clear text.
For auditing to work, the following conditions must be met:
- Valid administrative credentials must be provided. See Windows credentials for details.
- TCP port 5985 must be reachable from the audit service host.
- PowerShell Remoting must be enabled on the target machine, either locally or remotely:

| Scenario | Additional ports required |
|---|---|
| PowerShell Remoting is enabled locally on the target machine | No additional ports beyond TCP 5985 are required. |
| PowerShell Remoting is enabled remotely using administrative credentials | Additional ports are required temporarily. See Ports required only when enabling PowerShell Remoting remotely below. |
If these conditions are met, no additional Windows ports are required for auditing and scanning. PowerShell Remoting alone is sufficient to:
- Recognize the node as a Windows system
- Retrieve the Device ID, which is required for proper node identification
- Perform the audit
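The "enabled locally" scenario above is the one that keeps the inbound footprint to TCP 5985 alone. The following PowerShell script is an added example (not part of this page and not Alloy's own tooling): run elevated on the Windows target, it enables PowerShell Remoting, scopes the built-in WinRM firewall rules to the audit service host, and keeps WinRM's message-level encryption mandatory. The address 192.0.2.10 is an assumed placeholder for the audit service host.

```powershell
# Added example (not Alloy's code): run this elevated on the Windows target to
# enable PowerShell Remoting locally, so the audit needs only inbound TCP 5985,
# and then limit that port to the audit service host.
# $AuditHost is an assumed placeholder address, not a value from this page.
param(
    [string]$AuditHost = '192.0.2.10'
)

# Creates the WinRM listener on TCP 5985, sets the WinRM service to start
# automatically and enables the "Windows Remote Management" firewall rules.
# Add -SkipNetworkProfileCheck if a connection on this machine is on the
# Public profile; otherwise the cmdlet refuses to open the port there.
Enable-PSRemoting -Force

# Least privilege: the default rules accept 5985 from any address on the
# Domain/Private profiles. Scope every rule in that group to the audit host.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
    Set-NetFirewallRule -RemoteAddress $AuditHost

# Keep message-level encryption mandatory (Kerberos/NTLM wrap the SOAP body
# even on plain HTTP) and disable Basic authentication, which would only work
# together with AllowUnencrypted=true.
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false
Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $false

# Show the listener the audit service will connect to (expect Transport=HTTP,
# Port=5985) and confirm the firewall rules now carry the narrowed RemoteAddress.
winrm enumerate winrm/config/listener
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
    Get-NetFirewallAddressFilter |
    Select-Object -Property RemoteAddress

# From the audit service host, an unauthenticated identify request confirms
# the endpoint answers before any credentials are entered in AlloyScan:
#   Test-WSMan -ComputerName <target>
```

Scoping the rule to the audit host is the check that matters most: Enable-PSRemoting by itself opens 5985 to the whole Domain/Private profile, which is wider than the audit needs.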
Domain environments
If domain credentials are used, the audited computers must be joined to the domain.
In domain environments, the following ports must be accessible on the Domain Controller:
| Port Number | Protocol | Purpose | Notes |
|---|---|---|---|
| 88 | TCP | Login and password verification for Kerberos authentication | Without TCP 88, domain authentication will fail and auditing cannot proceed. |
| 389 | TCP | Information retrieval from Active Directory through LDAP (Lightweight Directory Access Protocol) | Without TCP 389, auditing can run, but information about the current user cannot be retrieved. |
These ports support authentication and directory queries.
Ports required only when enabling PowerShell Remoting remotely
If PowerShell Remoting is not enabled and must be enabled remotely, the process is:
1. Recognize the node as a Windows system
2. Enable PowerShell Remoting remotely
3. Perform the audit through TCP port 5985
The ports below are required only for steps 1 and 2.
Ports required to recognize the node as Windows:
| Port Number | Protocol | Purpose |
|---|---|---|
| 135 | TCP | RPC endpoint mapping |
| 139 | TCP | Windows recognition |
| 445 | TCP | SMB (Server Message Block) communication |
NOTE: If these ports are blocked and PowerShell Remoting is not yet enabled, the system may fail to recognize the device as a Windows host.
Port required to enable PowerShell Remoting remotely:
| Port Number | Protocol | Purpose |
|---|---|---|
| 135 | UDP | RPC (Remote Procedure Call) communication |
Port required to detect a remote audit agent:
| Port Number | Protocol | Purpose |
|---|---|---|
| 139 | UDP | Remote agent detection only |
In addition, the following service may require attention on your firewall:
- RPC traffic (including WMI-related RPC): When PowerShell Remoting is not available, this service is used to:
  - Recognize the node as a Windows system
  - Retrieve the Device ID, which is required for proper node identification
  - Enable PowerShell Remoting remotely
Linux and macOS
When implementing agentless auditing for Linux or macOS systems within your secure network, make sure to have the following port available:
| Port Number | Protocol | Purpose |
|---|---|---|
| 22 (SSH) | TCP | For secure remote access |
In addition to the port requirement, valid administrative credentials must be provided. See Linux and macOS credentials for details.
VMware ESXi
To enable smooth agentless auditing on ESXi systems, the following ports must be open:
| Port Number | Protocol | Purpose |
|---|---|---|
| 80 | TCP | Communication via HTTP |
| 443 | TCP | Secure communication via HTTPS |
| 902 | TCP | ESXi recognition |
In addition to the port requirements, valid administrative credentials must be provided. See Hypervisor credentials for details.
NAS (Network-Attached Storage) devices
To facilitate agentless auditing for NAS devices, make sure to keep the following port open:
| Port Number | Protocol | Purpose |
|---|---|---|
| 139 | TCP | NAS devices recognition |
In addition to the port requirement, valid credentials must be provided. See SNMP credentials for details.
SNMP (Simple Network Management Protocol)
Enabling agentless auditing using SNMP requires the following port to be open:
| Port Number | Protocol | Purpose |
|---|---|---|
| 161 | UDP | Network monitoring and management |
In addition to the port requirement, valid credentials must be provided. See SNMP credentials for details.
Printers
Agentless auditing of printers relies primarily on SNMP.
For audit data collection, the following port must be open:
| Port Number | Protocol | Purpose |
|---|---|---|
| 161 | UDP | SNMP communication for printer audit data collection |
Without SNMP (UDP 161), printer audit data cannot be collected.
In addition, the following port may be required for printer recognition in certain environments:
| Port Number | Protocol | Purpose |
|---|---|---|
| 9100 | TCP | Printer recognition (device discovery in some cases) |
In addition to the port requirements, valid SNMP credentials must be provided. See SNMP credentials for details.
Network scanning
The network scanning process detects and identifies active devices on the network and collects a limited set of data, such as basic attributes like device name and type. For more information on scanning, refer to Network scanning and auditing.
The following ports are used by the network scanning process:
| Port Number | Protocol | Purpose |
|---|---|---|
| 53 | UDP | DNS (Domain Name System) resolution |
| 137 | UDP | NetBIOS (Network Basic Input/Output System) name resolution and related services. |
| 138 | UDP | NetBIOS communication |
In addition, the following protocol may require attention on your firewall:
- ICMPv4: ICMP (Internet Control Message Protocol) does not use ports directly but is essential for functions like ping. Ensure ICMPv4 is enabled for AlloyScan to operate optimally.
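Because the requirements above are spread over several target types, a practitioner normally wants one pre-flight check that runs from the audit service host before an audit is scheduled. The script below is an added example, not part of this page and not Alloy's tooling: it probes the TCP ports listed in the Windows, domain, Linux/macOS, ESXi, NAS and printer sections, falls back to the Windows recognition ports when TCP 5985 is closed, sends a real SNMPv1 GetRequest to verify UDP 161 (a plain socket test cannot confirm UDP), and checks ICMPv4 and DNS for network scanning. The target names, addresses and the "public" community string are constructed placeholders; UDP 135, 137, 138 and 139 are not probed.

```powershell
# Added example (not Alloy's code): pre-flight check run from the Alloy Audit
# Service host. It probes the ports this page lists for each target type so
# firewall gaps show up before an audit is scheduled. Target names/addresses
# are constructed (TEST-NET-2); replace them with your inventory.
$Targets = @(
    @{ Name = 'win-ws01';   Type = 'Windows'; Address = '198.51.100.11' }
    @{ Name = 'dc01';       Type = 'DC';      Address = '198.51.100.1'  }
    @{ Name = 'lnx-db01';   Type = 'Linux';   Address = '198.51.100.21' }
    @{ Name = 'esx01';      Type = 'ESXi';    Address = '198.51.100.31' }
    @{ Name = 'nas01';      Type = 'NAS';     Address = '198.51.100.41' }
    @{ Name = 'prn-floor2'; Type = 'Printer'; Address = '198.51.100.51' }
)
# TCP ports per target type, taken from the tables on this page.
$TcpPorts = @{
    Windows = @(5985);  DC = @(88, 389);  Linux = @(22)
    ESXi    = @(80, 443, 902);  NAS = @(139);  Printer = @(9100)
}

function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Address, $Port, $null, $null)
        if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected) {
            $client.EndConnect($ar); return $true
        }
        return $false
    } catch { return $false } finally { $client.Close() }
}

function Tlv([int]$Tag, [byte[]]$Body) {
    # BER tag-length-value with short-form length; every element here is < 128 bytes.
    ,[byte[]](@([byte]$Tag, [byte]$Body.Length) + $Body)
}

function Test-SnmpGet {
    # A TCP probe says nothing about UDP 161, and an open firewall still does not
    # prove the SNMP agent answers. The only reliable check is a real request:
    # an SNMPv1 GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0).
    param([string]$Address, [string]$Community = 'public', [int]$TimeoutMs = 2000)
    $zero    = Tlv 0x02 ([byte[]]@(0))                                          # INTEGER 0
    $oid     = Tlv 0x06 ([byte[]](0x2B,0x06,0x01,0x02,0x01,0x01,0x01,0x00))     # sysDescr.0
    $varBind = Tlv 0x30 ($oid + (Tlv 0x05 ([byte[]]@())))                       # OID + NULL
    $pdu     = Tlv 0xA0 ((Tlv 0x02 ([byte[]]@(0x2A))) + $zero + $zero + (Tlv 0x30 $varBind))
    $packet  = Tlv 0x30 ($zero + (Tlv 0x04 ([Text.Encoding]::ASCII.GetBytes($Community))) + $pdu)
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.Client.ReceiveTimeout = $TimeoutMs
        $udp.Connect($Address, 161)
        [void]$udp.Send($packet, $packet.Length)
        $from  = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0)
        $reply = $udp.Receive([ref]$from)
        # A valid answer is a SEQUENCE (0x30) carrying a GetResponse PDU (0xA2).
        return ($reply.Length -gt 2 -and $reply[0] -eq 0x30 -and $reply -contains 0xA2)
    } catch { return $false } finally { $udp.Close() }
}

$Results = foreach ($t in $Targets) {
    $checks = @{}
    foreach ($p in $TcpPorts[$t.Type]) { $checks["TCP $p"] = Test-TcpPort $t.Address $p }
    if ($t.Type -eq 'Windows' -and -not $checks['TCP 5985']) {
        # WinRM unreachable: these are the ports needed to recognize the host
        # and enable PowerShell Remoting remotely (UDP 135/139 are not probed).
        foreach ($p in 135, 139, 445) { $checks["TCP $p (fallback)"] = Test-TcpPort $t.Address $p }
    }
    # NAS devices and printers are audited with SNMP credentials.
    if ($t.Type -in 'Printer', 'NAS') { $checks['UDP 161 (SNMP)'] = Test-SnmpGet $t.Address }
    # Network scanning relies on ICMPv4 echo and DNS; UDP 137/138 NetBIOS are not probed.
    $checks['ICMPv4'] = Test-Connection -ComputerName $t.Address -Count 1 -Quiet
    $dnsOk = $false
    try { [void][System.Net.Dns]::GetHostAddresses($t.Name); $dnsOk = $true } catch {}
    $checks['DNS (UDP 53)'] = $dnsOk
    foreach ($k in $checks.Keys) {
        [pscustomobject]@{ Target = $t.Name; Type = $t.Type; Check = $k; Reachable = $checks[$k] }
    }
}
$Results | Sort-Object Target, Check | Format-Table -AutoSize
# Anything listed here needs a firewall change (or PSRemoting enabled locally) before the audit:
$Results | Where-Object { -not $_.Reachable }
```

The SNMP probe is deliberately an application-level request rather than a socket test: a UDP "connect" never fails on its own, so the only way to prove UDP 161 is usable is to get a GetResponse back. Run the script with the same service account and from the same host as Alloy Audit Service, since a firewall rule scoped to another source address will pass from one and fail from the other.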