Info: What ports do I need open to successfully operate Venafi products?

Applies to:

All versions of Venafi Director, TrustAuthority & TrustForce

Summary:

Here is a list of ports that you need to successfully operate the Venafi environment.

 

More info:

For successful startup and login of the Venafi application these ports need to be open:

  • To log in through the web-based administration (WEBADMIN) console, you need to open either port 80 for HTTP or port 443 for HTTPS.
  • For the Director (up to version 15.2) logging server, you need port 689 open.
  • For successful discovery of certificates via any of the Venafi agents, you need port 443 open.
  • To connect to an Oracle Database, use port 1521.
  • To connect to an MS SQL Database (version 2008 or 2012), use port 1433.
  • Active Directory connector port information can be found here
 
Operational port assignment: 
  • The port at which the Venafi agents check in with the Venafi server, using REST API, is 443.
  • To communicate with the Microsoft Certificate Authority service and IIS, we use the Microsoft Distributed Component Object Model (DCOM), which uses port 135.
  • Microsoft RPC ports must be open to the target system (135, 49152-65535/tcp by default; these can be constrained per Microsoft KB154596). Note: IIS6 Driver leverages Microsoft RPC.
  • SSH is frequently used to communicate with and manage applications via port 22.
  • SCP (used to send reports) uses SSH on port 22.
  • FTP (used to send reports) uses port 21.
  • SNMP and SMTP services are employed when needed, using ports 161 and 25 respectively.
NOTE: To log in to Venafi you will need to run the Webadmin tool on the Windows server where the Venafi websites are installed, or point your browser to this URL:
  • http://<IP address of the host>/VEDAdmin/Login.aspx
 
Note on IIS7 starting its default web site:

IIS 7 starts its default web site before any other sites on the server, but IIS 6 started the default web site last. Consequently, due to the way IIS 7 starts, you must disable the default web site or change its port assignment. Otherwise, when restarting IIS 7 after installing the Venafi Trust Protection Platform Certificate Manager product, the Venafi web server cannot start.

TIP: Finding out what port is being used for what:

You can use one of the commands below to determine what ports are open. The Certificate Manager service is called vplatform.exe and the logging service is called logservice.exe.

1: netstat -a (simple results sent to the command line screen output)

2: netstat -nabo > netstat.txt (names the service running on the port, and writes the output to a text file)

3: TCPView, from Sysinternals, is also a good Windows tool for viewing active ports. It also allows you to sort by PID (process), thereby enabling you to kill all connections from, say, vplatform.exe.
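
As an added example (not from the Venafi documentation), this Python script parses the netstat.txt file written by command 2 and reports which executable is listening on ports 80, 443 and 689. The sample output, PIDs and addresses are constructed, and the function names are illustrative.

```python
import re
import sys

ARTICLE_PORTS = (80, 443, 689)  # web console and Director logging ports from this article
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
ANY_ROW = re.compile(r"^\s*(TCP|UDP)\s")   # any connection row, listening or not
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")    # "[name.exe]" line that follows a row

# Constructed sample in the layout "netstat -nabo" prints; all values are made up.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       832
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:689            0.0.0.0:0              LISTENING       2216
 [logservice.exe]
  TCP    10.0.0.5:49731         10.0.0.9:1433          ESTABLISHED     3120
 [vplatform.exe]
"""

def parse_listeners(text):
    """Return one dict (address, port, pid, exe) per TCP LISTENING row."""
    listeners, current = [], None
    for line in text.splitlines():
        row = ROW.match(line)
        if row:
            current = {"address": row.group(1), "port": int(row.group(2)),
                       "pid": int(row.group(3)), "exe": "unknown"}
            listeners.append(current)
        elif ANY_ROW.match(line):
            current = None  # non-listening row: its owner line must not attach
        elif current is not None and OWNER.match(line):
            current["exe"] = OWNER.match(line).group(1).lower()
    return listeners

def owners_of(listeners, ports=ARTICLE_PORTS):
    """Map each port of interest to the executables listening on it."""
    return {p: sorted({l["exe"] for l in listeners if l["port"] == p}) for p in ports}

if __name__ == "__main__":
    # Pass the path to netstat.txt; without an argument the sample is used.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    for port, exes in owners_of(parse_listeners(text)).items():
        print(port, ", ".join(exes) or "no listener")
```

An empty result for a port means nothing is listening on it, and "unknown" means netstat could not name the owning executable for that row.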

 

 

This information is a summary of what is found in the product documentation at https://docs.venafi.com/.