Info: What ports do I need open to successfully operate Venafi product?

Applies to:

All versions of Trust Protection Platform


Here is a list of ports that you need to successfully operate the Venafi environment.


More info:

For Trust Protection Platform 23.3 or higher

MQTT/Message Bus Service

  • Built-in MQTT Service (Uses Mesh Topography): Port 1883 for unencrypted or Port 8883 for TLS between all Venafi Servers
  • Using External Customer managed MQTT Service (Uses Hub and Spoke Topography):  Port 1883 for unencrypted or Port 8883 between Venafi Server and the corporate MQTT service


For ALL versions of Trust Protection Platform

For successful startup and login of the Venafi application these ports need to be open:

  • To login through the Web Console (Aperture and WebAdmin), you need  to open port 80 for HTTP and 443 for HTTPS.  
  • For successful discovery of certificates via any of Venafi agents you need port 443 open.
  • To connect to a MS SQL Database ( version 2008 or 2012) user 1433.
  • Active Directory connector port information can be found here
Operational port assignment: 
  • The port at which the Venafi agents check in with the Venafi server, using REST API, is 443.
  • To communicate to Microsoft Certificate Authority service, and IIS, we use the Microsoft Distributed Component Object mode DCOM, which uses port 135. 
  • Microsoft RPC ports must be open to the target system (135, 49152-65535/tcp by default, these can be constrained per Microsoft KB154596). 
    Note: TPP connection to Microsoft CA leverages both DCOM and Microsoft RPC.
  • SSH is frequently used to communicate to and manage applications via port 22.
  • SCP- used to send reports- uses SSH on port 22. 
  • FTP - used to send reports- uses port 21. 
  • SNMP and SMTP services are employed when needed, using port 161 and 25 respectively. 
NOTE: To login to Venafi you will need browse to the Venafi Server where the Web Console component is installed, such as:
  • https://<IP address of the host>/Aperture
Note on IIS7 or higher starting it's default web site:  

IIS 7 and higher starts its default web site before any other sites on the server, but IIS 6 started the default web site last. Consequently, due to the way IIS starts, you must disable the default web site or change its port assignment. Otherwise, when restarting IIS after installing Venafi Trust Protection Platform Certificate Manager product, the Venafi web server cannot start.

TIP: Finding out what port is being used for what:

You can  use one of the below commands to determine what ports are open.   The Certificate Manager service is called vplatform.exe and the loging service is called logservice.exe 

1: netstat - a  ( simple results sent to the command line screen output)

2: netstat -nabo > netstat.txt ( names the service running on the port, and outputs the output to a text file)

3: TCPVIEW, from sys internals, is also a good Windows tool to use to view ports that are active. It also allows you to sort by PID ( process) thereby enabling you to kill all connections from say, Vplatfom.exe, for example.


This information is a summary of what is found in the in the product documentation found at
Was this article helpful?
5 out of 6 found this helpful