Deployment: Network Architecture and Ports

Document created by RSA Information Design and Development on Oct 17, 2017. Last modified by RSA Information Design and Development on Sep 12, 2018.
Version 15
  

Refer to the following diagram and port table to ensure that all the relevant ports are opened for components in your NetWitness Platform deployment to communicate with each other.

See NetWitness Endpoint Insights Architecture at the end of this topic for individual Endpoint Architectural diagrams.

NetWitness Platform Network Architecture Diagram

The following diagram illustrates the NetWitness Platform network architecture including all of its component products.

Note: NetWitness Platform core hosts must be able to communicate with the NetWitness Server (Primary Server in a multiple server deployment) through UDP port 123 for Network Time Protocol (NTP) time synchronization.

 

 

Comprehensive List of NetWitness Platform Host and Service Ports

Note: For ports used in event collection through NetWitness Logs, see "The Basics" in the RSA NetWitness Suite Log Collection Deployment Guide. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.

This section contains the port specifications for the following hosts.

                                 

NW Server Host

                                                                                             

| Source Host | Destination Host | Destination Ports | Comments |
|---|---|---|---|
| Admin Workstation | NW Server | TCP 443, 80 | nginx - NetWitness UI |
| NW Hosts | NW Server | TCP 443 | RSA Update Repository |
| Admin Workstation | NW Server | TCP 15671 | RabbitMQ Management UI |
| NW Hosts | NW Server | TCP 15671 | RabbitMQ Management UI |
| Admin Workstation | NW Server | TCP 22 | SSH |
| NW Hosts | NW Server | TCP 4505, 4506 | Salt Master Ports |
| NW Hosts | NW Server | TCP 5671 | RabbitMQ-amqp |
| NW Server | NW Server | UDP 50514 | Audit Ports |
| NW Hosts | NW Server | UDP 123 | NTP |
| NW Hosts | NW Server | TCP 27017 | MongoDB |
| NW Server | NW Server | UDP 123 | NTP |
| NW Server | NFS Server | TCP 111, 2049; UDP 111, 2049 | iDRAC Installations |
| NW Server | NW Endpoint | TCP 443, 9443 | For NW Endpoint 4.x integrations |

Archiver Host

                                                                                 

| Source Host | Destination Host | Destination Ports | Comments |
|---|---|---|---|
| Admin Workstation | Archiver | TCP 15671 | RabbitMQ Management UI |
| Archiver | NW Server | TCP 15671 | RabbitMQ Management UI |
| Archiver | NW Server | TCP 443 | RSA Update Repository |
| Admin Workstation | Archiver | TCP 22 | SSH |
| NW Server | Archiver | TCP 56008 (SSL), 50008 (Non-SSL), 50108 (REST) | Archiver Application Ports |
| NW Server | Archiver | TCP 56006 (SSL), 50006 (Non-SSL), 50106 (REST) | NetWitness Appliance Ports |
| NW Server | Archiver | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts. |
| NW Server | Archiver | TCP 514, 6514, 56007 (SSL), 50007 (Non-SSL), 50107 (REST), UDP 514 | Workbench Application Ports |
| Archiver | Archiver | UDP 50514 | Audit Data |
| Archiver | Archiver | UDP 123 | NTP |
| Archiver | NFS Server | TCP 111, 2049; UDP 111, 2049 | iDRAC Installations |

Broker Host

                                                                           

| Source Host | Destination Host | Destination Ports | Comments |
|---|---|---|---|
| Admin Workstation | Broker | TCP 15671 | RabbitMQ Management UI |
| Broker | NW Server | TCP 15671 | RabbitMQ Management UI |
| Broker | NW Server | TCP 443 | RSA Update Repository |
| Admin Workstation | Broker | TCP 22 | SSH |
| NW Server | Broker | TCP 56003 (SSL), 50003 (Non-SSL), 50103 (REST) | Broker Application Ports |
| NW Server | Broker | TCP 56006 (SSL), 50006 (Non-SSL), 50106 (REST) | NetWitness Appliance Ports |
| NW Server | Broker | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts. |
| Broker | Broker | UDP 50514 | Audit Data |
| Broker | Broker | UDP 123 | NTP |
| Broker | NW Server | TCP 111, 2049; UDP 111, 2049 | iDRAC Installations |

Concentrator Host

                                                                                 

| Source Host | Destination Host | Destination Ports | Comments |
|---|---|---|---|
| Admin Workstation | Concentrator | TCP 15671 | RabbitMQ Management UI |
| Concentrator | NW Server | TCP 15671 | RabbitMQ Management UI |
| Concentrator | NW Server | TCP 443 | RSA Update Repository |
| Admin Workstation | Concentrator | TCP 22 | SSH |
| NW Server | Concentrator | TCP 56005 (SSL), 50005 (Non-SSL), 50105 (REST) | Concentrator Application Ports |
| Malware | Concentrator | TCP 56005 (SSL) | Malware |
| NW Server | Concentrator | TCP 56006 (SSL), 50006 (Non-SSL), 50106 (REST) | NetWitness Appliance Ports |
| NW Server | Concentrator | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts. |
| Concentrator | NFS Server | TCP 111, 2049; UDP 111, 2049 | iDRAC Installations |
| Concentrator | Concentrator | UDP 50514 | Audit Data |
| Concentrator | Concentrator | UDP 123 | NTP |

Endpoint Hybrid or Endpoint Log Hybrid

                                                         
| Source Host | Destination Host | Destination Ports | Comments |
|---|---|---|---|
| Endpoint 11.2 Agent | Endpoint Hybrid or Endpoint Log Hybrid | TCP 443 | NGINX HTTPS |
| Endpoint 11.2 Agent | Log Decoder or Virtual Log Collector | TCP 514 (Syslog); UDP 514 (Syslog); TLS 6514 | Windows Log Collection |
| Endpoint Server | Log Decoder (External) | TCP 50102, 56202, 50202 | To forward meta to an external Log Decoder |
| Endpoint Server | NW Server | TCP 443 | RSA Update Repository |
| NW Server | Endpoint Hybrid or Endpoint Log Hybrid | TCP 7050 | UI web traffic |
| Endpoint Hybrid or Endpoint Log Hybrid | NW Server | TCP 5671 | Message Bus |
| Endpoint Server | NW Server | TCP 27017 | MongoDB |

Endpoint Hybrid or Endpoint Log Hybrid with NetWitness Endpoint 4.4

                           
| Source Host | Destination Host | Destination Ports | Comments |
|---|---|---|---|
| NW Console Server (4.4.0.2 or later) | Endpoint Hybrid | TCP 443 | NGINX HTTPS |
| Meta Service | Log Decoder | TCP 50102, 56202, 50202 | NGINX HTTPS. To forward meta to a Log Decoder |

Endpoint Hybrid or Endpoint Log Hybrid with NWE 4.4

Event Stream Analysis (ESA) Host

                                                                                                                           

| Source Host | Destination Host | Destination Ports | Comments |
|---|---|---|---|
| Admin Workstation | ESA | TCP 15671 | RabbitMQ Management UI |
| ESA Primary and Secondary | NW Server | TCP 15671 | RabbitMQ Management UI |
| ESA Primary and Secondary | NW Server | TCP 443 | RSA Update Repository |
| Admin Workstation | ESA | TCP 22 | SSH |
| NW Server, ESA Secondary | ESA Primary | TCP 27017 | MongoDB |
| NW Server | ESA Primary | TCP 7005 | Context Hub Launch Port - (ESA Primary) |
| NW Server | ESA | TCP 50030 (SSL) | ESA Application Port |
| NW Server | ESA | TCP 50035 (SSL) | ESA Application Port |
| NW Server | ESA | TCP 50036 (SSL) | ESA Application Port |
| NW Server | ESA | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts. |
| ESA Primary and Secondary | cms.netwitness.com | TCP 443 | Live |
| ESA Primary and Secondary | NFS Server | TCP 111, 2049; UDP 111, 2049 | iDRAC Installations |
| ESA Primary and Secondary | Active Directory | 636 (SSL)/389 (Non-SSL) | |
| NW Server | ESA | 80 (HTTP)/443 (HTTPS) (REST) | |
| ESA Primary | Archer | 443 (SSL)/80 (Non-SSL) | |
| ESA Primary | ESA Primary | TCP 7007 | Launch Port |
| ESA Primary | ESA Primary | UDP 50514 | Audit Data |
| ESA Primary | ESA Primary | UDP 123 | NTP |

Log Collector Host

                                                                                                         

| Source Host | Destination Host | Destination Ports | Comments |
|---|---|---|---|
| Admin Workstation | Log Collector | TCP 15671 | RabbitMQ Management UI |
| Log Collector | NW Server | TCP 15671 | RabbitMQ Management UI |
| Log Collector | NW Server | TCP 443 | RSA Update Repository |
| Admin Workstation | Log Collector | TCP 22 | SSH |
| Log Collector | Log Event Sources | See Log Collection Configuration Guide. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents. | |
| Log Event Sources | Log Collector | TCP 514 (Syslog); UDP 162 (SNMP), 514 (Syslog), 2055 (NetFlow), 4739 (NetFlow), 6343 (NetFlow), 9995 (NetFlow) | Log Collection Ports |
| Log Event Sources | Log Collector | TCP 21, 64000, 64001, 64002, 64003, 64004, 64005, 64006, 64007, 64008, 64009 | Log Collection FTP/S Ports |
| NW Server | Log Collector | TCP 56001 (SSL), 50001 (Non-SSL), 50101 (REST) | Log Collector Application Ports |
| NW Server | Log Collector | TCP 56006 (SSL), 50006 (Non-SSL), 50106 (REST) | NetWitness Appliance Ports |
| NW Server | Log Collector | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts. |
| Log Collector | Log Collector | UDP 50514 | Audit Data |
| Log Collector | Log Collector | UDP 123 | NTP |
| Log Collector | NFS Server | TCP 111, 2049; UDP 111, 2049 | iDRAC installations |
| Log Collector | Virtual Log Collector | TCP 5671 | In Pull Mode |
| Virtual Log Collector | Log Collector | TCP 5671 | In Push Mode |

Log Decoder Host

                                                                                                         

| Source Host | Destination Host | Destination Ports | Comments |
|---|---|---|---|
| Admin Workstation | Log Decoder | TCP 15671 | RabbitMQ Management UI |
| Log Decoder | NW Server | TCP 15671 | RabbitMQ Management UI |
| Log Decoder | NW Server | TCP 443 | RSA Update Repository |
| Admin Workstation | Log Decoder | TCP 22 | SSH |
| Log Decoder | Log Event Sources | See Log Collection Configuration Guide. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents. | |
| Log Event Sources | Log Decoder | TCP 514 (Syslog), UDP 162 (SNMP), 514 (Syslog), 2055 (NetFlow), 4739 (NetFlow), 6343 (NetFlow), 9995 (NetFlow) | Log Collection Ports |
| Log Event Sources | Log Decoder | TCP 21, 64000, 64001, 64002, 64003, 64004, 64005, 64006, 64007, 64008, 64009 | Log Collection FTP/S Ports |
| NW Server | Log Decoder | TCP 56001 (SSL), 50001 (Non-SSL), 50101 (REST) | Log Collector Application Ports |
| NW Server | Log Decoder | TCP 56002 (SSL), 50002 (Non-SSL), 56202 (Endpoint), 50102 (REST) | Log Decoder Application Ports |
| NW Server | Log Decoder | TCP 56006 (SSL), 50006 (Non-SSL), 50106 (REST) | NetWitness Appliance Ports |
| NW Server | Log Decoder | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts. |
| Log Decoder | Log Decoder | UDP 50514 | Audit Data |
| Log Decoder | Log Decoder | UDP 123 | NTP |
| Log Decoder | Log Collector | TCP 6514 | |
| Log Decoder | NFS Server | TCP 111, 2049; UDP 111, 2049 | iDRAC Installations |

Log Hybrid Host

                                                                                             

| Source Host | Destination Host | Destination Ports | Comments |
|---|---|---|---|
| Admin Workstation | Log Hybrid | TCP 15671 | RabbitMQ Management UI |
| Log Hybrid | NW Server | TCP 15671 | RabbitMQ Management UI |
| Log Hybrid | NW Server | TCP 443 | RSA Update Repository |
| Admin Workstation | Log Hybrid | TCP 22 | SSH |
| Log Collector | Log Event Sources | See Log Collection Configuration Guide. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents. | |
| Log Event Sources | Log Hybrid | TCP 514 (Syslog), UDP 162 (SNMP), 514 (Syslog), 2055 (NetFlow), 4739 (NetFlow), 6343 (NetFlow), 9995 (NetFlow) | Log Collection Ports |
| Log Event Sources | Log Hybrid | TCP 21, 64000, 64001, 64002, 64003, 64004, 64005, 64006, 64007, 64008, 64009 | Log Collection FTP/S Ports |
| NW Server | Log Hybrid | TCP 56001 (SSL), 50001 (Non-SSL), 50101 (REST) | Log Collector Application Ports |
| NW Server | Log Hybrid | TCP 56002 (SSL), 50002 (Non-SSL), 56202 (Endpoint), 50102 (REST) | Log Decoder Application Ports |
| NW Server | Log Hybrid | TCP 56005 (SSL), 50005 (Non-SSL), 50105 (REST) | Concentrator Application Ports |
| NW Server | Log Hybrid | TCP 56006 (SSL), 50006 (Non-SSL), 50106 (REST) | NetWitness Appliance Ports |
| NW Server | Log Hybrid | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts. |
| Log Hybrid | NFS Server | TCP 111, 2049; UDP 111, 2049 | iDRAC Installations |

Malware Host

                                                                                                   

| Source Host | Destination Host | Destination Ports | Comments |
|---|---|---|---|
| Admin Workstation | Malware | TCP 15671 | RabbitMQ Management UI |
| Malware | NW Server | TCP 15671 | RabbitMQ Management UI |
| Malware | NW Server | TCP 443 | RSA Update Repository |
| Admin Workstation | Malware | TCP 22 | SSH |
| NW Server | Malware | TCP 60007 | Malware Application Ports |
| NW Server | Malware | TCP 56006 (SSL), 50006 (Non-SSL), 50106 (REST) | NetWitness Appliance Ports |
| NW Server | Malware | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts. |
| NW Server | Malware | TCP 5432 | Postgresql |
| NW Server | Malware | TCP 56003 (SSL), 50003 (Non-SSL), 50103 (REST) | Broker Application Ports |
| Malware | panacea.threatgrid.com | TCP 443 | Threatgrid |
| Malware | cloud.netwitness.com | TCP 443 | Community evaluation / Opswat |
| Malware | Malware | UDP 50514 | Audit Data |
| Malware | Malware | UDP 123 | NTP |
| Malware | NFS Server | TCP 111, 2049; UDP 111, 2049 | iDRAC Installations |

Network Decoder Host

                                                                           

| Source Host | Destination Host | Destination Ports | Comments |
|---|---|---|---|
| Admin Workstation | Network Decoder | TCP 15671 | RabbitMQ Management UI |
| Network Decoder | NW Server | TCP 15671 | RabbitMQ Management UI |
| Network Decoder | NW Server | TCP 443 | RSA Update Repository |
| Admin Workstation | Network Decoder | TCP 22 | SSH |
| NW Server | Network Decoder | TCP 56004 (SSL), 50004 (Non-SSL), 50104 (REST) | Network Decoder Application Ports |
| NW Server | Network Decoder | TCP 56006 (SSL), 50006 (Non-SSL), 50106 (REST) | NetWitness Appliance Ports |
| NW Server | Network Decoder | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts. |
| Network Decoder | Network Decoder | UDP 50514 | Audit Data |
| Network Decoder | Network Decoder | UDP 123 | NTP |
| Network Decoder | NFS Server | TCP 111, 2049; UDP 111, 2049 | iDRAC Installations |

Network Hybrid Host

                                                                     

| Source Host | Destination Host | Destination Ports | Comments |
|---|---|---|---|
| Admin Workstation | Network Hybrid | TCP 15671 | RabbitMQ Management UI |
| Network Hybrid | NW Server | TCP 15671 | RabbitMQ Management UI |
| Network Hybrid | NW Server | TCP 443 | RSA Update Repository |
| Admin Workstation | Network Hybrid | TCP 22 | SSH |
| NW Server | Network Hybrid | TCP 56004 (SSL), 50004 (Non-SSL), 50104 (REST) | Network Decoder Application Ports |
| NW Server | Network Hybrid | TCP 56005 (SSL), 50005 (Non-SSL), 50105 (REST) | Concentrator Application Ports |
| NW Server | Network Hybrid | TCP 56006 (SSL), 50006 (Non-SSL), 50106 (REST) | NetWitness Appliance Ports |
| NW Server | Network Hybrid | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts. |
| Network Hybrid | NFS Server | TCP 111, 2049; UDP 111, 2049 | iDRAC Installations |

UEBA Host

                                                   

| Source Host | Destination Host | Destination Ports | Comments |
|---|---|---|---|
| UEBA Server | NW Server | TCP 443 | RSA Update Repository |
| UEBA Server | NW Server | TCP 56003 (SSL), 50003 (Non-SSL), 50103 (REST) | Broker Application Ports |
| UEBA Server | NW Server | TCP 56005 (SSL), 50005 (Non-SSL), 50105 (REST) | Concentrator Application Ports |
| Admin Workstation | UEBA Server | 443 | UEBA Monitoring |
| Admin Workstation | UEBA Server | 22 | SSH |
| UEBA Server | NW Server | 15671 | UEBA Alerts forwarding to Respond |
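
Added example (not part of RSA's documentation): the port tables above can serve as a baseline allow-list against which observed flows are compared. The code parses the Destination Ports cell format used on this page, using a subset of the Archiver Host rows; the function names and the sample flows are constructed for illustration.

```python
import re

# Subset of rows copied from the page's Archiver Host table:
# (source host, destination host, "Destination Ports" cell).
ARCHIVER_ROWS = [
    ("Admin Workstation", "Archiver", "TCP 15671"),
    ("Admin Workstation", "Archiver", "TCP 22"),
    ("NW Server", "Archiver", "TCP 56008 (SSL), 50008 (Non-SSL), 50108 (REST)"),
    ("NW Server", "Archiver", "TCP 5671"),
    ("NW Server", "Archiver",
     "TCP 514, 6514, 56007 (SSL), 50007 (Non-SSL), 50107 (REST), UDP 514"),
]

# One entry: optional protocol keyword, port number, optional "(label)".
TOKEN = re.compile(r"(?:(TCP|UDP)\s+)?(\d+)(?:\s*\(([^)]+)\))?")

def parse_port_cell(cell):
    """Expand a port cell into (proto, port, label) tuples.
    A protocol keyword applies to every following port until the next keyword."""
    proto, out = None, []
    for part in re.split(r"[,;]", cell):
        m = TOKEN.fullmatch(part.strip())
        if not m or not (m.group(1) or proto):
            raise ValueError(f"cannot parse port entry: {part!r}")
        proto = m.group(1) or proto
        out.append((proto, int(m.group(2)), m.group(3)))
    return out

def build_allowlist(rows):
    """Map (source, destination, proto, port) -> label for every table row."""
    return {(src, dst, proto, port): label
            for src, dst, cell in rows
            for proto, port, label in parse_port_cell(cell)}

def audit_flows(flows, allowlist):
    """Return (flows absent from the table, flows on ports labelled Non-SSL)."""
    undocumented = [f for f in flows if f not in allowlist]
    non_ssl = [f for f in flows if allowlist.get(f) == "Non-SSL"]
    return undocumented, non_ssl

# Constructed sample flows (not real captures): (source, destination, proto, port).
SAMPLE_FLOWS = [
    ("NW Server", "Archiver", "TCP", 56008),
    ("NW Server", "Archiver", "TCP", 50008),
    ("NW Server", "Archiver", "UDP", 514),
    ("Admin Workstation", "Archiver", "TCP", 50108),  # right port, wrong source
    ("NW Server", "Archiver", "TCP", 3389),           # port not in the table
]

if __name__ == "__main__":
    print(audit_flows(SAMPLE_FLOWS, build_allowlist(ARCHIVER_ROWS)))
```

Because the allow-list is keyed on source and destination as well as port, a connection to a documented port from a host role the table does not list is still reported.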

 

NetWitness Endpoint Insights Architecture

The following diagrams illustrate the NetWitness Endpoint Insights network architecture.

NetWitness Endpoint Insights 11.2

NetWitness Endpoint Insights 11.2 with Log Decoder

NetWitness Endpoint 4.4 Integration with NetWitness Endpoint Insights 11.2

For more information on the services running on Endpoint Hybrid, see RSA NetWitness Endpoint Insights Configuration Guide. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.

 
