Skip navigation
All Places > Products > RSA NetWitness Platform > RSA NetWitness Platform Online Documentation > Documents
Log in to create and rate content, and to follow, bookmark, and share content with other members.

Deployment Guide: Network Architecture and Ports

Document created by RSA Information Design and Development Employee on Oct 17, 2017Last modified by RSA Information Design and Development Employee on Feb 11, 2021
Version 30Show Document
  • Comment0
  • View in full screen mode
 

Refer to the following diagrams and port tables to ensure that all the relevant ports are opened for components in your NetWitness Platform deployment to communicate with each other.

See NetWitness Endpoint Architecture at the end of this topic for individual Endpoint Architectural diagrams.

NetWitness Platform Network Architecture Diagram

The following diagram illustrates the NetWitness Platform network architecture including all of its component products.

Note: NetWitness Platform core hosts must be able to communicate with the NetWitness Server (Primary Server in a multiple server deployment) through UDP port 123 for Network Time Protocol (NTP) time synchronization.

 

 

NetWitness Network (Packets) Architecture Diagram with Ports

NetWitness Logs Architecture Diagram with Ports

Event Stream Analysis Network (Packets) Architecture Diagram with Ports

The following diagram illustrates the Event Stream Analysis network architecture with packet capture.

Event Stream Analysis (Logs) Architecture Diagram with Ports

The following diagram illustrates the Event Stream Analysis network architecture with log collection.

NetWitness Platform Firewall Requirements Summary

The following table lists all the ports that need to be open in your firewall by host.

Note: The "NW Server" host ports apply to both the Primary and Warm Standby NW Server. Synchronization between the Primary and Warm Stanby is done through TCP Port 22.

                                                                                                                                                                                                         

Source Host

Destination Host

Ports

NW ServerESA PrimaryTCP: 22, 80, 443, 5671, 7005
UDP:123
NW ServerESA

TCP: 22, 80, 443, 5671
UDP: 123

NW ServerNetwork Decoder

TCP: 22, 5671, 50004 (Non-SSL), 50006 (Non-SSL), 50104 (REST), 50106 (REST), 56004 (SSL), 56006 (SSL)
UDP: 123

NW ServerBroker

TCP: 5671, 50003 (Non-SSL), 50006 (Non-SSL), 50103 (REST), 50106 (REST) 56003 (SSL), 56006 (SSL)
UDP: 123

NW ServerConcentrator (Network & Logs)

TCP: 22, 5671, 50005 (Non-SSL), 50006 (Non-SSL), 50105 (REST), 50106 (REST), 56005 (SSL), 56006 (SSL)

UDP: 123

NW ServerNetwork Hybrid

TCP: 22, 5671, 50004 (Non-SSL), 50005 (Non-SSL), 50006 (Non-SSL), 50104 (REST), 50105 (REST), 50106 (REST), 56004 (SSL), 56005 (SSL), 56006 (SSL)

UDP: 123

NW ServerLog Decoder

TCP: 22, 5671, 50001 (Non-SSL), 50002 (Non-SSL), 50006 (Non-SSL), 50101 (REST), 50102 (REST), 50106 (REST), 56001 (SSL), 56002 (SSL), 56006 (SSL)

UDP: 123

NW ServerLog Hybrid

TCP: 22, 5671, 50001 (Non-SSL), 50002 (Non-SSL), 50005 (Non-SSL), 50006 (Non-SSL), 50101 (REST), 50102 (REST), 50105 (REST), 50106 (REST), 56001 (SSL), 56002 (SSL), 56005 (SSL), 56006 (SSL)

UDP: 123

NW ServerLog Hybrid - Retention

TCP: 22, 5671, 50001 (Non-SSL), 50002 (Non-SSL), 50006 (Non-SSL), 50101 (REST), 50102 (REST), 50105 (REST), 50106 (REST), 56001 (SSL), 56002 (SSL), 56006 (SSL)

UDP: 123

NW Server

Endpoint Log Hybrid

TCP: 22, 5671, 7050, 7054, 50001 (Non-SSL), 50002 (Non-SSL), 50005 (Non-SSL), 50006 (Non-SSL), 50101 (REST), 50102 (REST), 50105 (REST), 50106 (REST), 56001 (SSL), 56002 (SSL), 56005 (SSL), 56006 (SSL), 56202 (Endpoint)

UDP: 123

NW ServerVLC

TCP: 22, 5671, 50001 (Non-SSL), 50006 (Non-SSL), 50101 (REST), 50106 (REST), 56001 (SSL), 56006 (SSL)

UDP: 123

NW ServerArchiver

TCP: 22, 514, 5671, 6514, 50006(Non-SSL), 50007 (Non-SSL), 50008 (Non-SSL), 50106 (REST), 50107 (REST), 50108 (REST), 56006 (SSL), 56007 (SSL), 56008 (SSL)

UDP: 123, 514

NW ServerMalware

TCP: 22, 5671, 5432, 50003 (Non-SSL), 50006 (Non-SSL), 50103 (REST), 50106 (REST), 56003 (SSL), 56006 (SSL), 60007
UDP: 123

NW Server

UEBA

TCP: 22, 15671, 5671, 443
UDP: 123

ESA

NW Server

TCP: 53, 80, 443, 4505, 4506, 5671, 15671, 27017

UDP: 123, 53

ESAActive DirectoryTCP: 389 (Non-SSL), 636 (SSL)

ESA

Archer

TCP: 80 (Non-SSL), 443 (SSL),

ESA SecondaryESA PrimaryTCP: 27017

ESA Primary or Secondary

Concentrator

TCP: 50005 (Non-SSL), 56005 (SSL)

Network DecoderNW Server

TCP: 53, 80, 443, 4505, 4506, 5671, 15671, 27017,

UDP: 53, 123

Concentrator (Network & Logs)NW Server

TCP: 53, 80, 443, 4505, 4506, 5671, 15671, 27017

UDP: 53, 123

Network HybridNW ServerTCP: 53, 80, 443, 4505, 4506, 5671, 15671, 27017)
UDP: 53, 123
Log DecoderNW Server

TCP: 53, 80, 443, 4505, 4506, 5671, 15671, 27017

UDP: 53, 123

Log Hybrid

NW Server

TCP: 53, 80, 443, 4505, 4506, 5671,15671, 27017

UDP: 53, 123

Log Hybrid - RetentionNW ServerTCP: 53, 80, 443, 4505, 4506, 5671,15671, 27017

UDP: 53, 123

VLC NW ServerTCP: 53, 80, 443, 4505, 4506, 5671,15671, 27017
UDP: 53, 123
VLCLog CollectorTCP: 5671

Log Collector

VLC

TCP: 5671

Endpoint Log HybridNW Server

TCP: 53, 80, 443, 5671, 4505, 4506, 15671, 27017

UDP: 53, 123

Endpoint Log Hybrid

Log Decoder

TCP: 50202 (Non-SSL), 50102 (REST), 56202 (SSL)

UDP: 514

Endpoint AgentLog Decoder

TCP: 514, 6514

UDP: 514

Endpoint Agent

Endpoint Log Hybrid

TCP: 443

UDP: 444

UEBA

NW Server

TCP: 53, 80, 443, 4505, 4506, 5671, 15671, 27017, 50003 (Broker-Non-SSL), 50103 (Broker/REST), 56003 (Broker/SSL)

UDP: 53, 123

UEBAConcentratorTCP: 50005 (Non-SSL), 50105 (REST), 56005 (SSL)

www connections

NW Servercloud.netwitness.com
cms.netwitness.com
download.rsasecurity.com
panacea.threatgrid.com
quantum.subscribenet.com
rsasecurity.subscribenet.com
smcupdate.emc.com		TCP: 80, 443

ESA (Primary & Secondary)

cloud.netwitness.com
cms.netwitness.com

download.rsasecurity.com

panacea.threatgrid.com

quantum.subscribenet.com

rsasecurity.subscribenet.com

smcupdate.emc.com

TCP: 80, 443

Malware

panacea.threatgrid.com
cloud.netwitness.com

TCP: 443

Comprehensive List of NetWitness Platform Host, Service, and iDRAC Ports

Note: For ports used in event collection through the NetWitness Logs, see the Log Collection Configuration Guide for RSA NetWitness Platform. Go to the Master Table of Contents to find all RSA NetWitness Platform 11.x documents.

This section contains the port specifications for the following hosts.

                                         
NW Server Host iDRAC Ports
Analyst UI Host Log Collector Host
Archiver Host Log Decoder Host
Broker Host Log Hybrid Host
Concentrator Host Log Hybrid - Retention
Endpoint Log Hybrid Host Malware Host

Endpoint Relay Server

Network Decoder Host
Event Stream Analysis Host

Network Hybrid Host

Health & Wellness Beta

UEBA Host

NW Server Host (Primary and Warm Standby NW Server Host)

Note: Primary or Secondary Server is a type of appliance, while Active or Standby refers to an appliance's state, whether active or standby.

                                                                                                                           

Source Host

Destination Host

Destination Ports

Comments

Admin Workstation NW ServerTCP 443, 80nginx - NetWitness UI

Admin Workstation

NW ServerTCP 15671RabbitMQ Management UI
Admin WorkstationNW ServerTCP 22

SSH

Primary to Standby NW Server
synchronization port.

Admin WorkstationNW ServerTCP 22

SSH
Active to Standby NW Server
synchronization port.

NW Hosts

NW Server

TCP 53
UDP 53

DNS

NW Hosts

NW Server

TCP 15671

RabbitMQ Management UI

NW HostsNW ServerTCP 4505, 4506 Salt Master Ports
NW HostsNW ServerTCP 443RSA Update Repository

NW Hosts

NW Server

TCP 5671

RabbitMQ-amqp

NW HostsNW ServerUDP 123 NTP

NW Hosts

NW ServerTCP 27017 MongoDB

NW Server

cloud.netwitness.com

TCP 443

Live

NW Server

cms.netwitness.comTCP 443

Live

NW Serversmcupdate.emc.comTCP 443

Live

NW Server

NFS Server

TCP 111, 2049,
UDP 111, 2049

iDRAC Installations

NW ServerNW HostsUDP 123 NTP

NW Server

NW Endpoint

TCP 443, 9443

For NW Endpoint 4.x integrations

NW Server

Active Directory

TCP 3268, TLS 3269

For NW User Authentication

Analyst UI Host

                                                         
Source HostDestination HostDestination PortsComments

Analyst UI

NW Server

TCP 7006

The Content Server is listening on this port.

Analyst UI

NW Server

TCP 7009

The Admin Server is listening on this port.

Analyst UI

NW Server

TCP 7012

The Integration Server is listening on this port.

Analyst UI

NW Server

TCP 7015

The Source Server is listening on this port.

Analyst UI

NW Server

TCP 7016

The License Server is listening on this port.

NW Hosts

Analyst UI

TCP 5671

RabbitMQ-amqp

Analyst UINW ServerUDP 123 NTP

Archiver Host

                                                                           

Source Host

Destination Host

Destination Ports

Comments

Admin WorkstationArchiverTCP 15671RabbitMQ Management UI
ArchiverLog DecoderTCP 50002 (Non-SSL), 56002 (SSL)Log Decoder Application Ports

Archiver

NW Server

TCP 15671

RabbitMQ Management UI

Archiver

NW Server

TCP 443

RSA Update Repository

Admin WorkstationArchiver TCP 22 SSH
NW ServerArchiver TCP 50008 (Non-SSL), 56008 (SSL), 50108 (REST) Archiver Application Ports
NW ServerArchiver TCP 56006 (SSL), 50106 (REST) NetWitness Appliance Ports
NW ServerArchiver TCP 5671 RabbitMQ (AMQPS) message bus for all NW hosts.
NW ServerArchiverTCP 50007 (Non-SSL), 56007 (SSL), 50107 (REST) Workbench Application Ports

Archiver

NFS Server

TCP 111 2049
UDP 111 2049

iDRAC Installations

Broker Host

                                                                                 

Source Host

Destination Host

Destination Ports

Comments

Admin WorkstationBroker TCP 15671 RabbitMQ Management UI
BrokerConcentratorTCP 50005 (Non-SSL), 56005 Concentrator Application Port

Broker

Archiver

TCP 50008 (Non-SSL), 56008 (SSL)

Archiver Application Ports

Broker

NW Server

TCP 15671

RabbitMQ Management UI

Broker

NW Server

TCP 443

RSA Update Repository

Admin WorkstationBroker TCP 22SSH
NW ServerBroker TCP 50003 (Non-SSL), 56003 (SSL), 50103 (REST) Broker Application Ports
NW ServerBroker TCP 56006 (SSL), 50106 (REST)NetWitness Appliance Ports
NW ServerBroker TCP 5671 RabbitMQ (AMQPS) message bus for all NW hosts.
BrokerNW Server TCP 111 2049
UDP 111 2049		 iDRAC Installations

Endpoint Broker

NW Server

TCP 443

RSA Update Repository

Concentrator Host

                                                                                 

Source Host

Destination Host

Destination Ports

Comments

Admin WorkstationConcentratorTCP 15671RabbitMQ Management UI
ConcentratorLog DecoderTCP 50002 (Non-SSL), 56002 (SSL)Log Decoder Application Port
ConcentratorNetwork DecoderTCP 56004, 50004 (Non-SSL)Network Application Port

Concentrator

NW Server

TCP 15671

RabbitMQ Management UI

Concentrator

NW Server

TCP 443

RSA Update Repository

Admin WorkstationConcentrator TCP 22 SSH
NW Server Concentrator TCP 50005 (Non-SSL), 56005 (SSL), 50105 (REST) Concentrator Application Ports
MalwareConcentrator TCP TCP 50005 (Non-SSL), 56005 (SSL)Malware
NW Server Concentrator TCP 56006 (SSL), 50106 (REST) NetWitness Appliance Ports
NW Server Concentrator TCP 5671 RabbitMQ (AMQPS) message bus for all NW hosts.

Concentrator

NFS Server

TCP 111 2049
UDP 111 2049

iDRAC Installations

Endpoint Log Hybrid

                                                                                             
Source HostDestination HostDestination Ports Comments
Endpoint Agent Endpoint Log Hybrid

TCP 443

UDP 444

NGINX HTTPS

NGINX UDP. If UDP port 444 is not acceptable in your environment, see How to Change UDP Port for Endpoint Log Hybrid.

Endpoint AgentLog Decoder or Virtual Log Collector

TCP 514 (Syslog)

UDP 514 (Syslog)

TLS 6514

Windows Log Collection

Endpoint Log HybridLog Decoder (External)

TCP 50102 (REST)

56202 (Protobuf SSL)

50202 (Protobuf)

To forward meta to an external Log Decoder

Endpoint Log Hybrid

NW Server

TCP 443

RSA Update Repository

NW Server Endpoint Log Hybrid TCP 7050UI web traffic

Endpoint Log Hybrid

NW Server

TCP 5671

Message Bus

Endpoint Log HybridNW ServerTCP 27017MongoDB
NW ServerEndpoint Log HybridTCP 7054UI web traffic

NW Server

NFS Server

TCP 111, 2049
UDP 111, 2049

iDRAC Installations

NW Server Endpoint Log HybridTCP 50001 (Non-SSL), 56001 (SSL), 50101(REST)Log Collector application ports
NW ServerEndpoint Log HybridTCP 50002 (Non-SSL), 56002 (SSL), 56202 (Endpoint), 50102 (REST)Log Decoder application ports
Admin WorkstationEndpoint Log HybridTCP 15671RabbitMQ Management UI
Endpoint Log HybridNW ServerTCP 15671RabbitMQ Management UI

Endpoint Relay Server

                           
Source Host

Destination Host

Destination Ports

Comments

Endpoint Agent Relay ServerTCP 443To forward host data to the Relay Server

Endpoint Log Hybrid

Relay Server

TCP 443

Pull host data from the Relay Server

Event Stream Analysis (ESA) Host

Note: The ports in this table are for the ESA Primary an ESA Secondary hosts. The Content Hub, Correlation and ESA Analytics services are co-located on the ESA Primary host. The Correlation and ESA Analytics services are co-located on the ESA Secondary host.

                                                                                             

Source Host

Destination Host

Destination Ports

Comments

Admin WorkstationESA TCP 15671 RabbitMQ Management UI

ESA Primary and Secondary

NW Server

TCP 15671

RabbitMQ Management UI

ESA Primary and Secondary

NW Server

TCP 443

RSA Update Repository

Admin WorkstationESATCP 22 SSH
NW Server,
ESA Secondary		 ESA Primary TCP 27017MongoDB
NW Server ESA Primary TCP 7005 Context Hub Launch Port - (ESA Primary)
NW ServerESATCP 5671 RabbitMQ (AMQPS) message bus for all NW hosts.
ESA Primary and Secondarycms.netwitness.comTCP 443Live

ESA Primary and Secondary

NFS Server

TCP 111 2049
UDP 111 2049

iDRAC Installations

ESA Primary and Secondary

Active Directory

636 (SSL)/389 (Non-SSL)

 

NW Server

ESA

80 (HTTP)/ 443 (HTTPS)(REST)

 

ESA Primary

Archer

443 (SSL)/80 (Non-SSL)

 

ESA Primary ESA Primary TCP 7007 Launch Port

New Health and Wellness

                                                         
Source Host

Destination Host

Destination Ports

Comments

Admin Workstation

Standalone Health & Wellness Host

TCP 22

SSH

Admin WorkstationStandalone Health & Wellness HostTCP 5601Kibana UI

NW Hosts

Standalone Health & Wellness Host

TCP 9200

Elasticsearch REST API Port

NW ServerStandalone Health & Wellness HostTCP 5671RabbitMQ (AMQPS) message bus for all NW hosts.

NW Server

Standalone Health & Wellness Host

TCP 15671

RabbitMQ Management UI

NW ServerStandalone Health & Wellness HostTCP 7018Metrics Server Launch Port

NW Server

Standalone Health & Wellness Host

TCP 7020

Node Infra Server Launch Port

iDRAC Ports

                                      
PortFunctionComments
22*SSH

Default, configurable port through which iDRAC listens for connections

443*HTTPDefault, configurable port through which iDRAC listens for connections
5900*Virtual Console keyboard and mouse redirection,
Virtual Media, Virtual Folders, and Remote File Share.

Default, configurable port through which iDRAC listens for connections

111, 2049TCP

NetWitness Platform hosts to NFS Server

111, 2049UDP NetWitness Platform hosts to NFS Server

Log Collector Host

                                                                                             

Source Host

Destination Host

Destination Ports

Comments

Admin WorkstationLog Collector TCP 15671 RabbitMQ Management UI

Log Collector

NW Server

TCP 15671

RabbitMQ Management UI

Log Collector

NW Server

TCP 443

RSA Update Repository

Admin WorkstationLog CollectorTCP 22SSH
Log Collector Log Event Sources See Log Collection Configuration Guide. Go to the Master Table of Contents to find all RSA NetWitness Platform 11.x documents.
Log Event Sources Log Collector TCP 514 (Syslog)
UDP 162 (SNMP), 514 (Syslog), 2055 (NetFlow),
4739 (NetFlow), 6343 (NetFlow), 9995 (NetFlow)" 		Log Collection Ports
Log Event Sources Log Collector

TCP 21, 64000, 64001, 64002, 64003, 64004,
64005, 64006, 64007, 64008,64009

Log Collection FTP/S Ports
NW Server Log Collector

TCP 50001 (Non-SSL), 56001 (SSL), 50101 (REST)

Log Collector Application Ports
NW ServerLog Collector

TCP 56006 (SSL), 50106 (REST)

 NetWitness Appliance Ports
NW ServerLog Collector TCP 5671RabbitMQ (AMQPS) message bus for all NW hosts.

Log Collector

NFS Server

TCP 111 2049
UDP 111 2049

iDRAC installations

Log CollectorVirtual Log CollectorTCP 5671In Pull Mode

Virtual Log Collector

Log Collector

TCP 5671

In Push Mode

Log Decoder Host

                                                                                             

Source Host

Destination Host

Destination Ports

Comments

Admin WorkstationLog Decoder TCP 15671RabbitMQ Management UI

Log Decoder

NW Server

TCP 443

RSA Update Repository

Admin WorkstationLog Decoder TCP 22SSH
Log Decoder Log Event Sources See Log Collection Configuration Guide. Go to the Master Table of Contents to find all RSA NetWitness Platform 11.x documents. 
Log Event SourcesLog Decoder TCP 514 (Syslog), UDP 162 (SNMP), 514 (Syslog), 2055 (NetFlow), 4739 (NetFlow), 6343 (NetFlow), 9995 (NetFlow) Log Collection P