Network Environment Requirements

Service

Protocol

Port

Outbound/Inbound

Function

Web console

TCP

8001

Inbound (to UserGate NGFW Web Console)

Access to the management web interface of a device.

CLI over SSH

TCP

2200

Inbound (to CLI over SSH)

Access to the UserGate command line interface (CLI) over SSH.

XML-RPC

TCP

4040

Inbound (to UserGate via API)

UserGate device management via API.

Remote assistance

TCP

22

Outbound (to technical support servers)

Remote access to technical support servers.

Access to servers:

  • 93.91.171.46;

  • 178.154.221.222;

  • ra.entensys.com.

NTP

UDP

123

Outbound (to a precision time server)/Inbound (from clients to the UserGate server, if it is used as a precision time server)

Time synchronization.

DNS

TCP/UDP

53

Inbound (from clients to the UserGate server, if it is acting as a DNS server)

The service that resolves domain names into IP addresses.

UDP

53

Outbound (to DNS servers)

UserGate server registration

TCP

443

Outbound (to the registration server)

UserGate product registration: access to reg2.usergate.com.

Update software and libraries

TCP

443

Outbound (to update servers)

Update software and library items: access to updates.usergate.com.

Replicate settings

TCP

4369

Inbound (from the first cluster node to the second and subsequent nodes)

This service is required for the configuration cluster to work.

Set up a control connection.

9000-9100

Inbound (receive configuration from the first cluster node)

Transmit information about cluster configuration changes (replicate settings).

Communication with UserGate Management Center

TCP

9712

Outbound (from UG NGFW to UGMC)

Initial communication and encryption key exchange with the UserGate Management Center server.

2022

Outbound (from UG NGFW to UGMC)

Build an SSH tunnel to exchange data using the received keys.

Communication with UserGate Log Analyzer

TCP

9713

Inbound (from LogAn to UG NGFW)

Initial communication and exchange of encryption keys with the UserGate Log Analyzer server.

2023

Inbound (from LogAn to UG NGFW)

Build an SSH tunnel to exchange data using the received keys.

TCP

For versions 6.1.х: 1269 (transmit data to LogAn 6.1.x), 22699 (transmit data to LogAn 7.x.x)

For versions 7.0.х: 22699 (transmit data to LogAn 6.1.x), 22711 (transmit data to LogAn 7.x.x using SSL)

Outbound (from UG NGFW to LogAn)

Transmit logs and telemetry to LogAn server.

Connection of endpoints with UserGate Client software installed (available starting from version 7.1.0)

TCP

4045

Inbound (from an endpoint to UG NGFW)

Connecting endpoints and receiving telemetry to check compliance.

LDAP

TCP

389, 636

Outbound (to LDAP connector)

Execute LDAP requests (389 for LDAP and 636 for LDAP over SSL).

Captive portal and block pages

TCP

80, 443, 8002

Inbound (from a client browser to UG NGFW)

Display a Captive portal authentication page and block pages.

8043

When the "HTTPS for auth page" option is activated.

Kerberos

TCP/UDP

88

Outbound (to a Kerberos authentication server)

Authenticate users via the Kerberos protocol.

NTLM

TCP

445

Outbound (to an NTLM authentication server)

Authenticate users via the NTLM protocol.

RADIUS

UDP

1812

Outbound (to a RADIUS authentication server)

User authentication via the RADIUS protocol.

TACACS+

TCP

49

Outbound (to a TACACS+ authentication server)

User authentication via the TACACS+ protocol.

Terminal service agent

UDP

1812, 1813

Inbound (from the agent to UG NGFW)

Access to the UserGate server required for the terminal agent to work.

Windows Authentication Agent

UDP

1812, 1813

Inbound (from the agent to UG NGFW)

Access to the UserGate server required for the authentication agent to work for Windows OS domain users.

Proxy agent

UDP

8090

Inbound (from the agent to UG NGFW)

Access to the UserGate server required for the proxy agent to provide Internet access to Windows OS users.

SNMP

UDP

161

Inbound (to UserGate)

Access to the UserGate server via SNMP.

SMTP

TCP

25

Outbound (to the mail server)

Send alerts to email.

ICAP

TCP

1344

Outbound (to ICAP servers)

Service to work with ICAP servers.

DHCP

UDP

67, 68

Outbound (requesting an address from UserGate to a DHCP server)/Inbound (UserGate acts as a DHCP server)

DHCP service.

BGP

TCP

179

Outbound (send information to neighbor BGP routers)/Inbound (receive information from neighbor BGP routers)

BGP dynamic routing service.

OSPF

89/OSPF

Outbound (send information to neighbor OSPF routers)/Inbound (receive information from neighbor OSPF routers)

OSPF dynamic routing service.

RIP

UDP

520

Outbound (distribute RIP routes to neighbor routers)/Inbound (receive RIP routes from neighbor routers)

RIP dynamic routing service.

FTP (logs export)

TCP

21

Outbound (to an FTP server)

Export logs to an FTP server.

SSH (logs export)

TCP

22

Outbound (to an SSH server)

Export logs to an SSH server.

Syslog (logs export)

TCP/UDP

514

Outbound (to the Syslog server)

Export logs to a Syslog server.