In this topic
Data Security module of the Security Manager (administrator client) Forcepoint DLP Endpoint client Forcepoint DLP Endpoint server Web Security module of the Security Manager Crawler agent (discovery and fingerprinting) Exchange server File server SharePoint server	Database server Forcepoint management server Supplemental Forcepoint DLP server Web Content Gateway Forcepoint Email Security Protector ICAP client Cloud agent Mobile agent FCI agent Analytics engine

Important  Forcepoint DLP agents and machines with a policy engine, such as a Forcepoint DLP Server or Content Gateway machine, must have direct connection to the Forcepoint management server. When deployed in a DMZ or behind a firewall, the relevant ports must be allowed.

Outbound
To	Port	Purpose
Data Security module	19448	User interface browsing
Data Security module	9443	User interface browsing
Data Security module	3389	Remote desktop
Protector	22	SSH

Outbound
To	Port	Purpose
Forcepoint DLP Server	443	Connect to endpoint server (secure connection, default)
Forcepoint DLP Server	80	Connect to endpoint server (unsecured connection, if enabled)

Outbound
To	Port	Purpose
Forcepoint management server	443	Retrieve fingerprints and natural language processing scripts
Forcepoint management server	17443	Incidents
Inbound
From	Port	Purpose
Forcepoint management server	443	Retrieve fingerprints and natural language processing scripts
Forcepoint DLP Endpoint Client	80, 443	Incidents
Supplemental Forcepoint DLP Server	17444	Retrieve fingerprints and natural language processing scripts

Outbound
To	Port	Purpose
Forcepoint management server	56992	Linking Service
Inbound
From	Port	Purpose
Security Manager, Forcepoint DLP Server, Protector, Web Content Gateway	56992	Linking Service

Outbound
To	Port	Purpose
Forcepoint management server	443	Secure communication
Forcepoint DLP Server	17500-17515	Consecutive ports that allow communication with Forcepoint agents and machines The range is needed for load balancing.
Internet	443	Salesforce fingerprinting
Inbound
From	Port	Purpose
Forcepoint management server	9797	Crawler listening The port is used only for the standalone crawler agent.

Inbound
From	Port	Purpose
Forcepoint DLP Server, Crawler Agent (Discovery and Fingerprinting)	80	Exchange discovery
Forcepoint DLP Server, Crawler Agent (Discovery and Fingerprinting)	443	Exchange discovery

Inbound
From	Port	Purpose
Crawler Agent (Discovery and Fingerprinting)	139	File sharing access
Crawler Agent (Discovery and Fingerprinting)	445	File sharing access

Inbound
From	Port	Purpose
Crawler Agent (Discovery and Fingerprinting)	80	File sharing access
Crawler Agent (Discovery and Fingerprinting)	443	File sharing access

Outbound
To	Port	Purpose
Crawler Agent (Discovery and Fingerprinting)	Varies	The port that allows connection to the database (according to database type)
Inbound
From	Port	Purpose
Crawler Agent (Discovery and Fingerprinting)	Varies	The port that allows connection to the database (according to database type)

Outbound
Forcepoint DLP Server, Protector, Web Content Gateway, Forcepoint Email Security	17500-17515 and 17700-17715	Consecutive ports that allow communication with Forcepoint agents and machines. A range is necessary for load balancing. The second range is used when Web Content Gateway and Forcepoint Email Security are both installed.
Inbound
From	Port	Purpose
Forcepoint DLP Endpoint	80	Configuration
Forcepoint DLP Server, Protector, Web Content Gateway	17443	Incidents This port should be left open. It is not configurable.
Security Manager	17447	Processing batch jobs such as scheduled tasks
Security Manager	17446	Translating messages into sender/receiver protocols
Crawler	17514	Enabling emailed reports for discovery tasks
Forcepoint DLP Server, Protector, Web Content Gateway	139	File sharing
Forcepoint DLP Server, Protector, Web Content Gateway	443	Secure communication
Forcepoint DLP Server, Protector, Web Content Gateway	445	File sharing
Forcepoint DLP Server, Protector, Web Content Gateway	8453	User repository
Forcepoint DLP Server, Protector, Web Content Gateway	8005	Tomcat server
Forcepoint DLP Server, Protector, Web Content Gateway, Forcepoint Email Security	17500-17515 and 17700-17715	Consecutive ports that allow communication with Forcepoint agents and machines. A range is necessary for load balancing. The second range is used when Web Content Gateway and Forcepoint Email Security are both installed.
Forcepoint DLP Server, Protector, Web Content Gateway	9443	Access user interface This port should be left open. It is not configurable.
Forcepoint DLP Server, Protector, Web Content Gateway	19448	HTTP access to user interface This port should be left open. It is not configurable.

Outbound
To	Port	Purpose
Forcepoint management server	17443	Incidents
Forcepoint management server	17500-17515	Consecutive ports that allow communication with Forcepoint agents and machines. The range is needed for load balancing.
Inbound
From	Port	Purpose
Forcepoint management server	8892	Syslog
Forcepoint management server	139	File sharing
Forcepoint management server	445	File sharing
Forcepoint management server	17500-17515	Consecutive ports that allow communication with Forcepoint agents and machines. The range is needed for load balancing.

Outbound
To	Port	Purpose
Forcepoint management server	80	Fingerprint sync
Forcepoint management server	17443	Syslog, forensics, incidents, mobile status
Web protection components	56992	Linking Service
Forcepoint DLP Server	17500-17515	Consecutive ports that allow communication with Forcepoint agents and machines. The range is needed for load balancing.

Outbound
To	Port	Purpose
Forcepoint management server	17500-17515 and 17700-17715	Settings deployment, fingerprint repository A range is needed for load balancing. The second range is used when Web Content Gateway and Forcepoint Email Security are both installed.
Forcepoint management server	17443	Syslog, forensics, incidents
Forcepoint management server	17444	Used to pull configuration settings
Forcepoint management server	80	Fingerprint repository sync
Forcepoint DLP Server	17500-17515 and 17700-17715	MGMTD A range is needed for load balancing. The second range is used when Web Content Gateway and Forcepoint Email Security are both installed.

Outbound
To	Port	Purpose
Forcepoint DLP Server	17500-17515	Consecutive ports that allow communication with Forcepoint agents and machines. The range is needed for load balancing.
Forcepoint management server	80	Fingerprint sync
Forcepoint management server	17443	Syslog, forensics, incidents, mobile status
Next hop MTA	25	SMTP (explicit MTA)
Forcepoint Web Security	56992	Linking Service
Other	UDP 123	Inbound/ outbound NTPD (available on the appliance yet disabled by default)
Inbound
From	Port	Purpose
Forcepoint management server	17500-17515	Consecutive ports that allow communication with Forcepoint agents and machines. The range is needed for load balancing.
Anywhere (including Security Manager)	22	SSH access
Forcepoint DLP Server	17500-17515	Consecutive ports that allow communication with Forcepoint agents and machines. The range is needed for load balancing.
Explicit MTA	25	SMTP
Explicit MTA	10025	SMTP, mail analysis

Outbound
To	Port	Purpose
Cloud apps	443	Secure communication with cloud applications (OneDrive)
Forcepoint management server	17500-17515	Communication with all Forcepoint DLP components
Inbound
Cloud apps	8080, 443	Notifications from cloud applications (no sensitive data is passed on non-secure channels)
Forcepoint management server	17500-17515	Communication with all Forcepoint DLP components
Any service (including the cloud agent) that is not using logging on	22	Manage VM by SSH

Outbound
To	Port	Purpose
Protector	1344	Receiving ICAP traffic

Outbound
To	Port	Purpose
Forcepoint management server	17443	Syslog, forensics, incidents, mobile status
Forcepoint management server	80	Fingerprint sync
Forcepoint DLP Server	17500-17515	Consecutive ports that allow communication with Forcepoint agents and machines. The range is needed for load balancing.
Microsoft Exchange Server	80/443	ActiveSync
Forcepoint Web Security	56992	Linking Service
Other	UDP 123	Inbound/ outbound NTPD (available on the appliance yet disabled by default)
Inbound
From	Port	Purpose
Forcepoint management server	5820	Settings deployment
Mobile Devices	80/443	ActiveSync
Forcepoint management server	8892	Management
Forcepoint management server	17500-17515	Consecutive ports that allow communication with Forcepoint agents and machines. The range is needed for load balancing.
Anywhere (including the Mobile agent)	22	SSH access
Forcepoint DLP Server	5443	Release quarantined messages

Outbound
To	Port	Purpose
Forcepoint management server	443	Secure communications
Forcepoint management server	17500-17515	Consecutive ports that allow communication with Forcepoint agents and machines. The range is needed for load balancing.
Forcepoint DLP Server	17500-17515	Consecutive ports that allow communication with Forcepoint agents and machines. The range is needed for load balancing.
Inbound
Microsoft FSRM	5985	Microsoft File Server Resource Manager (FSRM)

Outbound
To	Port	Purpose
Forcepoint management server	17443	Syslog, forensics, incidents, analytics engine status
Forcepoint management server	17500-17515	Consecutive ports that allow communication with Forcepoint agents and machines. The range is needed for load balancing.
Forcepoint management server (local database) or remote SQL Server	1433	Database connection
Inbound
From	Port	Purpose
Forcepoint management server	17500-17515	Consecutive ports that allow communication with Forcepoint agents and machines. The range is needed for load balancing.