Network Architecture and Ports

Document created by RSA Information Design and Development on Oct 17, 2017Last modified by David O'Malley on Apr 16, 2018
Version 9Show Document
  • Comment0
  • View in full screen mode
 

Refer to the following diagram and port table to ensure that all the relevant ports are opened for components in your NetWitness Suite deployment to communicate with each other.

See NetWitness Endpoint Insights Architecture at the end of this topic for individual Endpoint Architectural diagrams.

NetWitness Suite Network Architecture Diagram

The following diagram illustrates the NetWitness Suite network architecture including all of its component products.

Note: NetWitness Suite core hosts must be able to communicate with the NetWitness Server (Primary Server in a multiple server deployment) through UDP port 123 for Network Time Protocol (NTP) time synchronization.

 

 

Comprehensive List of NetWitness Suite Host and Service Ports

Note: 1.) For ports used in event collection through the NetWitness Logs, see the "The Basics" in the RSA NetWitness Suite Log Collection Deployment Guide. Go to the Master Table of Contents for NetWitness Logs & Packets 11.x to find all NetWitness Suite 11.x documents.

This section contains the port specifications for the following hosts.

                             
NW Server HostLog Collector Host
Archiver HostLog Decoder Host
Broker HostLog Hybrid Host
Concentrator HostMalware Host
Endpoint Hybrid/Endpoint Log Hybrid HostPacket Decoder Host
Event Stream Analysis HostPacket Hybrid Host

NW Server Host

                                                                                                         

Source Host

Destination Host

Destination Ports

Comments

Admin WorkstationNW ServerTCP 443, 80nginx - NetWitness UI

Admin Workstation

NW ServerTCP 15671RabbitMQ Management UI

NW Hosts

NW Server

TCP 15671

RabbitMQ Management UI

Admin WorkstationNW ServerTCP 22SSH
NW HostsNW ServerTCP 4505, 4506Salt Master Ports

NW Server

NW Server

TCP 50003, 50103, 56003

Broker Ports

NW ServerNW ServerTCP 5671RabbitMQ-amqp
NW ServerNW ServerUDP 50514Audit Ports
NW ServerNW ServerTCP 7000, 7003, 7009, 7010Launch Ports

NW Server

NW Server

TCP 50006, 50106, 56006

NetWitness Appliance Ports

NW HostsNW ServerUDP 123NTP

NW Hosts

NW ServerTCP 27017MongoDB

NW Server

NW ServerUDP 123NTP

NW Server

NFS Server

TCP 111 2049
UDP 111 204

iDRAC Installations

NW Server

NW Endpoint

TCP 443, 9443

For NW Endpoint 4.x integrations

Archiver Host

                                                                     

Source Host

Destination Host

Destination Ports

Comments

Admin WorkstationArchiverTCP 15671RabbitMQ Management UI
ArchiverNW ServerTCP 15671RabbitMQ Management UI
Admin WorkstationArchiverTCP 22SSH
NW ServerArchiverTCP 56008 (SSL), 50008 (Non-SSL), 50108 (REST)Archiver Application Ports
NW ServerArchiverTCP 56006 (SSL), 50006 (Non-SSL), 50106 (REST)NetWitness Appliance Ports
NW ServerArchiverTCP 5671RabbitMQ (AMQPS) message bus for all NW hosts.
NW ServerArchiverTCP 514, 6514, 56007 (SSL), 50007 (Non-SSL), 50107 (REST), UDP 514Workbench Application Ports

Archiver

Archiver

UDP 50514Audit Data
ArchiverArchiverUDP 123NTP

Archiver

NFS Server

TCP 111 2049
UDP 111 204

iDRAC Installations

Broker Host

                                                               

Source Host

Destination Host

Destination Ports

Comments

Admin WorkstationBrokerTCP 15671RabbitMQ Management UI
BrokerNW ServerTCP 15671RabbitMQ Management UI
Admin WorkstationBrokerTCP 22SSH
NW ServerBrokerTCP 56003 (SSL), 50003 (Non-SSL), 50103 (REST)Broker Application Ports
NW ServerBrokerTCP 56006 (SSL), 50006 (Non-SSL), 50106 (REST)NetWitness Appliance Ports
NW ServerBrokerTCP 5671RabbitMQ (AMQPS) message bus for all NW hosts.

Broker

BrokerUDP 50514Audit Data

Broker

BrokerUDP 123NTP
BrokerNW ServerTCP 111 2049
UDP 111 2049		iDRAC Installations

Concentrator Host

                                                                     

Source Host

Destination Host

Destination Ports

Comments

Admin WorkstationConcentratorTCP 15671RabbitMQ Management UI
ConcentratorNW ServerTCP 15671RabbitMQ Management UI
Admin WorkstationConcentratorTCP 22SSH
NW ServerConcentratorTCP 56005 (SSL), 50005 (Non-SSL), 50105 (REST)Concentrator Application Ports
MalwareConcentratorTCP 56005 (SSL)Malware
NW ServerConcentratorTCP 56006 (SSL), 50006 (Non-SSL), 50106 (REST)NetWitness Appliance Ports
NW ServerConcentratorTCP 5671RabbitMQ (AMQPS) message bus for all NW hosts.

Concentrator

NFS Server

TCP 111 2049
UDP 111 204

iDRAC Installations

Concentrator

ConcentratorUDP 50514Audit Data

Concentrator

ConcentratorUDP 123NTP

Endpoint Hybrid or Endpoint Log Hybrid

                                                   
Source HostDestination HostDestination PortsComments
Endpoint 11.1 AgentEndpoint Hybrid or Endpoint Log Hybrid

TCP 443

NGINX HTTPS

Endpoint 11.1 AgentLog Decoder or Virtual Log Collector

TCP 514 (Syslog)

UDP 514 (Syslog)

TLS 6514

Windows Log Collection

Endpoint ServerLog Decoder (External)

TCP 50102, 56202, 50202

To forward meta to an external Log Decoder

NW ServerEndpoint Hybrid or Endpoint Log HybridTCP 7050UI web traffic

Endpoint Hybrid or Endpoint Log Hybrid

NW Server

TCP 5672

Message Bus

Endpoint ServerNW ServerTCP 27017MongoDB

 

Endpoint Hybrid or Endpoint Log Hybrid with NetWitness Endpoint 4.4

                           
Source HostDestination HostDestination PortsComments
NW Console Server (4.4.0.2 or later)Endpoint HybridTCP 443

NGINX HTTPS

Meta ServiceLog DecoderTCP 50102, 56202, 50202

NGINX HTTPS

To forward meta to a Log Decoder

Endpoint Hybrid or Endpoint Log Hybrid with NWE 4.4

Event Stream Analysis (ESA) Host

                                                                                                               

Source Host

Destination Host

Destination Ports

Comments

Admin WorkstationESATCP 15671RabbitMQ Management UI
ESANW ServerTCP 15671RabbitMQ Management UI
Admin WorkstationESATCP 22SSH
NW Server,
ESA Secondary		ESA PrimaryTCP 27017MongoDB
NW ServerESA PrimaryTCP 7005Context Hub Launch Port - (ESA Primary)
NW ServerESATCP 50030 (SSL)ESA Application Port
NW ServerESATCP 50035 (SSL)ESA Application Port
NW ServerESATCP 50036 (SSL)ESA Application Port
NW ServerESATCP 5671RabbitMQ (AMQPS) message bus for all NW hosts.
ESAcms.netwitness.comTCP 443Live

ESA

NFS Server

TCP 111 2049
UDP 111 2049

NTP

ESA

Active Directory

636 (SSL)/389 (Non-SSL)

 

NW Server

ESA

80 (HTTP)/ 443 (HTTPS)(REST)

 

ESA Primary

Archer

443 (SSL)/80 (Non-SSL)

 

ESA PrimaryESA PrimaryTCP 7007Launch Port
ESA PrimaryESA PrimaryUDP 50514Audit Data

ESA Primary

ESA Primary

UDP 123NTP

Log Collector Host

                                                                                 

Source Host

Destination Host

Destination Ports

Comments

Admin WorkstationLog CollectorTCP 15671RabbitMQ Management UI
Log CollectorNW ServerTCP 15671RabbitMQ Management UI
Admin WorkstationLog CollectorTCP 22SSH
Log CollectorLog Event SourcesSee Log Collection Configuration Guide. Go to the Master Table of Contents for NetWitness Logs & Packets 11.x to find all NetWitness Suite 11.x documents.
Log Event SourcesLog CollectorTCP 514 (Syslog)
UDP 162 (SNMP), 514 (Syslog), 2055 (NetFlow),
4739 (NetFlow), 6343 (NetFlow), 9995 (NetFlow)"		Log Collection Ports
Log Event SourcesLog Collector

TCP 21, 64000, 64001, 64002, 64003, 64004,
64005, 64006, 64007, 64008,64009

Log Collection FTP/S Ports
NW ServerLog Collector

TCP 56001 (SSL), 50001 (Non-SSL), 50101 (REST)

Log Collector Application Ports
NW ServerLog Collector

TCP 56006 (SSL), 50006 (Non-SSL), 50106 (REST)

NetWitness Appliance Ports
NW ServerLog CollectorTCP 5671RabbitMQ (AMQPS) message bus for all NW hosts.

Log Collector

Log CollectorUDP 50514Audit Data

Log Collector

Log CollectorUDP 123NTP

Log Collector

NFS Server

TCP 111 2049
UDP 111 2049

iDRAC installations

Log Decoder Host

                                                                                             

Source Host

Destination Host

Destination Ports

Comments

Admin WorkstationLog DecoderTCP 15671RabbitMQ Management UI
Log DecoderNW ServerTCP 15671RabbitMQ Management UI
Admin WorkstationLog DecoderTCP 22SSH
Log DecoderLog Event SourcesSee Log Collection Configuration Guide. Go to the Master Table of Contents for NetWitness Logs & Packets 11.x to find all NetWitness Suite 11.x documents. 
Log Event SourcesLog DecoderTCP 514 (Syslog), UDP 162 (SNMP), 514 (Syslog), 2055 (NetFlow), 4739 (NetFlow), 6343 (NetFlow), 9995 (NetFlow)Log Collection Ports
Log Event SourcesLog DecoderTCP 21, 64000, 64001, 64002, 64003, 64004, 64005, 64006, 64007, 64008, 64009Log Collection FTP/S Ports
NW ServerLog DecoderTCP 56001 (SSL), 50001 (Non-SSL), 50101 (REST)Log Collector Application Ports
NW ServerLog DecoderTCP 56002 (SSL), 50002 (Non-SSL), 56202 (Endpoint), 50102 (REST)Log Decoder Application Ports

NW Server

Log Decoder

TCP 56006 (SSL), 50006 (Non-SSL), 50106 (REST)

NetWitness Appliance Ports

NW ServerLog DecoderTCP 5671RabbitMQ (AMQPS) message bus for all NW hosts.

Log Decoder

Log DecoderUDP 50514Audit Data

Log Decoder

Log DecoderUDP 123NTP
Log DecoderLog CollectorTCP 6514 

Log Decoder

NFS Server

TCP 111 2049
UDP 111 204

iDRAC Installations

Log Hybrid Host

                                                                                 

Source Host

Destination Host

Destination Ports

Comments

Admin WorkstationLog HybridTCP 15671RabbitMQ Management UI
Log HybridNW ServerTCP 15671RabbitMQ Management UI
Admin WorkstationLog HybridTCP 22SSH
Log CollectorLog Event SourcesSee Log Collection Configuration Guide. Go to the Master Table of Contents for NetWitness Logs & Packets 11.x to find all NetWitness Suite 11.x documents. 
Log Event SourcesLog HybridTCP 514 (Syslog), UDP 162 (SNMP), 514 (Syslog), 2055 (NetFlow), 4739 (NetFlow), 6343 (NetFlow), 9995 (NetFlow)Log Collection Ports
Log Event SourcesLog HybridTCP 21, 64000, 64001, 64002, 64003, 64004, 64005, 64006, 64007, 64008, 64009Log Collection FTP/S Ports
NW ServerLog HybridTCP 56001 (SSL), 50001 (Non-SSL), 50101 (REST)Log Collector Application Ports
NW ServerLog HybridTCP 56002 (SSL), 50002 (Non-SSL), 56202 (Endpoint), 50102 (REST)Log Decoder Application Ports
NW ServerLog HybridTCP 56005 (SSL), 50005 (Non-SSL), 50105 (REST)Concentrator Application Ports

NW Server

Log Hybrid

TCP 56006 (SSL), 50006 (Non-SSL), 50106 (REST)

NetWitness Appliance Ports

NW ServerLog HybridTCP 5671RabbitMQ (AMQPS) message bus for all NW hosts.

Log Hybrid

NFS Server

TCP 111 2049
UDP 111 204

iDRAC Installations

Malware Host

                                                                                       

Source Host

Destination Host

Destination Ports

Comments

Admin WorkstationMalwareTCP 15671RabbitMQ Management UI
MalwareNW ServerTCP 15671RabbitMQ Management UI
Admin WorkstationMalwareTCP 22SSH
NW ServerMalwareTCP 60007Malware Application Ports
NW ServerMalwareTCP 56006 (SSL), 50006 (Non-SSL), 50106 (REST)NetWitness Appliance Ports

NW Server

MalwareTCP 5671RabbitMQ (AMQPS) message bus for all NW hosts.
NW ServerMalwareTCP 5432Postgresql
NW ServerMalwareTCP 56003 (SSL), 50003 (Non-SSL), 50103 (REST)Broker Application Ports
Malwarepanacea.threatgrid.comTCP 443Threatgrid
Malwarecloud.netwitness.comTCP 443Community evaluation / Opswat

Malware

MalwareUDP 50514Audit Data

Malware

MalwareUDP 123NTP

Malware

NFS Server

TCP 111 2049
UDP 111 204

iDRAC Installations

Packet Decoder Host

                                                               

Source Host

Destination Host

Destination Ports

Comments

Admin WorkstationPacket DecoderTCP 15671RabbitMQ Management UI
Packet DecoderNW ServerTCP 15671RabbitMQ Management UI
Admin WorkstationPacket DecoderTCP 22SSH
NW ServerPacket DecoderTCP 56004 (SSL), 50004 (Non-SSL), 50104 (REST)Packet Decoder Application Ports

NW Server

Packet Decoder

TCP 56006 (SSL), 50006 (Non-SSL), 50106 (REST)

NetWitness Appliance Ports
NW ServerPacket DecoderTCP 5671

RabbitMQ (AMQPS) message bus for all NW hosts.

Packet DecoderPacket DecoderUDP 50514Audit Data
Packet DecoderPacket DecoderUDP 123NTP

Packet Decoder

NFS Server

TCP 111 2049
UDP 111 204

iDRAC Installations

Packet Hybrid Host

                                                         

Source Host

Destination Host

Destination Ports

Comments

Admin WorkstationPacket HybridTCP 15671RabbitMQ Management UI
Packet HybridNW ServerTCP 15671RabbitMQ Management UI
Admin WorkstationPacket HybridTCP 22SSH
NW ServerPacket HybridTCP 56004 (SSL), 50004 (Non-SSL), 50104 (REST)Packet Decoder Application Ports
NW ServerPacket HybridTCP 56005 (SSL), 50005 (Non-SSL), 50105 (REST)Concentrator Application Ports

NW Server

Packet Hybrid

TCP 56006 (SSL), 50006 (Non-SSL), 50106 (REST)

NetWitness Appliance Ports
NW ServerPacket HybridTCP 5671

RabbitMQ (AMQPS) message bus for all NW hosts.

Packet Hybrid

NFS Server

TCP 111 2049
UDP 111 204

iDRAC Installations

 

NetWitness Endpoint Insights Architecture

The following diagrams illustrate the NetWitness Endpoint Insights network architecture.

NetWitness Endpoint Insights 11.1

NetWitness Endpoint Insights 11.1 with Log Decoder

NetWitness Endpoint 4.4 Integration with NetWitness Endpoint Insights 11.1

For more information on the services running on Endpoint Hybrid, see RSA NetWitness Endpoint Insights Configuration Guide. Go to the Master Table of Contents for NetWitness Logs & Packets 11.x to find all NetWitness Suite 11.x documents.

 

 

Previous Topic:Deployment: The Basics
You are here

Table of Contents > Deployment: Network Architecture and Ports

Attachments

    Outcomes