Deployment: Network Architecture and Ports

Document created by RSA Information Design and Development on Jul 27, 2016
Version 1Show Document
  • View in full screen mode

Security Analytics Network Architecture

The following diagram illustrates the Security Analytics network architecture with ports used for communications in Security Analytics 10.5.


Security Analytics Host and Service Ports

In versions prior to Security Analytics 10.4, an administrator was able to use the native protocol for fast non-SSL communications like aggregation and REST API for SSL between Security Analytics and the hosts. Because all communications from Security Analytics moved from the REST API to the native Security Analytics Core ports, a second native Security Analytics Core port per host service was added so that an administrator can enable secure (SSL) network communications while still being able to use non-secure (HTTP and Security Analytics Core (native)) connectivity methods for communication between services on the same system. Administrators can toggle the ports on and off to support only SSL, only non-SSL, or both.

The following table lists the Security Analytics hosts and their respective service ports:

From HostTo HostTo Ports (Protocol)Comments
Any hostSecurity Analytics Server

80 (TCP)


All SA hosts receive RPM package updates from Yum repository located in SA Server over HTTP.  This is a two-way communication from any host to the Security Analytics server.

Any hostSecurity Analytics Server

8140 (TCP)


All communication from any host to the Security Analytics server (Puppet master) is over HTTPS.

Any hostSecurity Analytics Server

61614 (STOMP/TCP)


All communication from any host to the Security Analytics server (rabbitmq-server) is over Mcollective/STOMP.

Any hostSecurity Analytics Server123 (NTP)Network Time Protocol (NTP): NTP is a protocol designed to synchronize host machine clocks over a network.
Security Analytics ServerAny host5671 (AMQPS/TCP)


All communication from Security Analytics  server (rabbitmq-server) to any host is over RabbitMQ/AMQPS.

Security Analytics ServerLog Decoder

56002 (SSL / TCP)

50002 (non-SSL / TCP)
50102 (REST / TCP) - For Security Analytics 10.3 and earlier only

Security Analytics ServerBroker56003 (SSL / TCP)50003 (non-SSL / TCP)
50103 (REST / TCP) - For Security Analytics 10.3 and earlier only
Security Analytics Server


Log Concentrator

56005 (SSL / TCP)50005 (non-SSL / TCP)
50105 (REST / TCP) - For Security Analytics 10.3 and earlier only
Security Analytics ServerPacket Decoder

Service: 56004 (SSL / TCP)

50004 (non-SSL / TCP)
50104 (REST / TCP)

Security Analytics ServerLog Collector (Local, Remote and Windows Legacy)56001 (SSL / TCP)

50001 (non-SSL / TCP)
50101 (REST / TCP) - For Security Analytics 10.3 and earlier only

Security Analytics ServerArchiver56008 (SSL / TCP)50008 (non-SSL / TCP)
50108 (REST / TCP)
Security Analytics ServerESA

50030 (SSL / TCP)

27017 (SSL / TCP) (Default)

27017 is for one ESA host only.
Security Analytics Server
Malware (Malware- standalone and colocated on Security Analytics Server)60007 (TCP)60008 - RMI/JMX port on MA.
Security Analytics ServerReporting Engine (rsa-re)51113 (SSL / TCP) 
Security Analytics ServerIncident Management (rsa-im)

50040 (TCP)

Security Analytics Server (IPDB Extractor)IPDB



Security Analytics ServerIPDB Extractor56025 (SSL / TCP)50025 (non-SSL / TCP)
50125 (REST / TCP)
Security Analytics ServerWarehouse Connector (on Packet Decoder/Log Decoder)

56020 (SSL)

50020 (non-SSL)
50120 (REST)
Security Analytics ServerECAT


Security Analytics ServerHost Service (Log Decoder, Packet Decoder, Concentrator, Broker, Warehouse Connector, Archiver, )

56006 (SSL / TCP)

50006 (non-SSL / TCP)
50106 (REST / TCP) - For Security Analytics 10.3 and earlier only

Security Analytics ServerWorkbench (Archiver)56007 (SSL / TCP)50007 (non-SSL / TCP)
50107 (REST / TCP)
Security Analytics Server

Audit Log Syslog Receiver

This can be a third-party syslog receiver or a Log  Decoder

514 (TCP / UDP)Required only if SA audit logs are sent to Log Decoder/third-party syslog receiver to be parsed.
ConcentratorPacket Decoder56004 
Log ConcentratorLog Decoder56002 
ArchiverLog Decoder56002 
ESA Concentrator / Log Concentrator56005 
Warehouse ConnectorWarehouseNFS (2049,111),
WebHDFS (50070)

In the Pull mode:

Log Collector (on Log Decoder)

Virtual Log Collector

Windows Legacy Collector


In the Push Mode:

Virtual Log Collector

Windows Legacy Collector

Log Collector (on Log Decoder)

enVision Local CollectorRemote Collector (VM)514 (TCP) 
enVision Local CollectorLog Decoder514 (TCP) 
ECATLog Decoder514 (TCP/UDP) 
ECATSA Server5671ECAT alerts are sent to SAIM on this port.
Security Analytics Server (RE alerts, ESA  and Business Context Live Feeds)Archer SecOps 1.1

Security Analytics Sever To RCF:514 (TCP)/ 5431 STCP
RCF to Archer Sec Ops : 80/ 443
Security Analytics Server to RCF:9090 HTTP / 8443 HTTPS (Business context live feeds)

Security Analytics Server

(IM alerts)

Archer SecOps 1.2

SAIM Integration Service to Security Analytics Server : 5671

SAIM Integration Service to Archer Sec Ops: 80/ 443

If you to use RCF to connect to Archer SecOps, you must ensure you have SecOps 1.1 Patch 1.

The RCF may be on a different Windows server after you upgrade from 32-bit system. The same ports as mentioned above may be opened. 

ESA (Alerts)

Archer SecOps 1.1514 (TCP) 
Security Analytics-Web BrowserSecurity Analytics Server UI443 (HTTPS) 
 ExternalAll hosts22 (TCP)

SSH provides shell access to the device, for emergency host management. On hosts with the LogCollector installed, ssh provides sftp and scp support for devices that upload log files for consumption by Security Analytics.

Note: In case of an upgrade, open firewall ports 8140 and 61614 from all non-Security Analytics Hosts to Security Analytics Server host so that the SA server can discover all your hosts and services.

You are here: Network Architecture and Ports