Which firewall ports are used in Security Center 5.8?

Answer: There are many ports used Security Center. Because Security Center is a unified platform that integrates all of Genetec™ products, the list of ports is quite extensive. As a result, it is recommended to familiarize yourself with the ports used by the various core systems and modules of Security Center.

During the Security Center installation, you are given the option of allowing Security Center to create firewall rules for its applications. If you select this option, all Security Center applications are added as exceptions to the internal Windows firewall. However, you still must ensure that all the ports used by Security Center are open on your network.

IMPORTANT: Exposing Security Center to the Internet is strongly discouraged without hardening your system first. Before exposing your system, implement the advanced security level described in the Security Center Hardening Guide to help protect your system from Internet threats. Alternatively, use a trusted VPN for remote connections.

You can configure different port numbers than the ones that are used by default.

Firewall ports used by core applications in Security Center

For Security Center to work properly, you need to create firewall rules to allow proper communication between the various services.

The following table lists the default network ports used by core applications in Security Center. To view the network diagram, click here.

Application	Inbound	Outbound	Port usage
Directory	TCP 5500		Client connections
Client applications (Security Desk, Config Tool, SDK)		TCP 5500	Genetec™ Server/Directory communication
Client applications (Security Desk, Config Tool, SDK)		TCP 8012	Map download requests to Map Manager (HTTPS)
Client applications (Config Tool)		TCP 443	Communication with GTAP for Genetec™ Advantage validation and feedback (HTTPS)
Client applications (Security Desk, Config Tool)		TCP 443	Secured communication with the portal of the mobile credential provider (HTTPS)
All roles (new installation)	TCP 5500	TCP 5500	Genetec™ Server/Directory communication
	TCP 4502	TCP 4502	Genetec™ Server communication (backward compatibility with Security Center 5.3 and earlier)
	TCP 80	TCP 80	REST/Server Admin communication (HTTP)
	TCP 443	TCP 443	Secured REST/Server Admin communication (HTTPS)
All roles (upgraded from 5.3 and earlier)	TCP 4502	TCP 4502	If 4502 was the server port before the upgrade, then 4502 remains the server port after the upgrade, and 4503 is used for backward compatibility. If another port was used as server port before the upgrade, then that same port is kept as server port after the upgrade. 4502 is then used for backward compatibility, and 4503 is not necessary.
All roles (upgraded from 5.3 and earlier)	TCP 4503	TCP 4503
Intrusion Manager	TCP 3001	TCP 3001	Communication with Bosch intrusion panels
Map Manager	TCP 8012		Map download requests from client application (HTTPS)
Mobile Server	TCP 443		Communication from mobile clients.
Genetec™ Update Service (GUS)	TCP 4595	TCP 4595	Communication with other GUS servers
Genetec™ Update Service (GUS)	TCP 443	TCP 443	Communication with Azure and Genetec Inc. (HTTPS)
System Availability Monitor Agent (SAMA)	TCP 4592		Connection from Security Center servers
System Availability Monitor Agent (SAMA)		TCP 443	Connection to the Health Service in the Cloud (HTTPS)

Firewall ports used by AutoVu™ applications in Security Center

When AutoVu™ is enabled in your system, you need to create additional firewall rules to allow proper communication between Security Center and external AutoVu™ components.

The following table lists the default network ports used by AutoVu™ applications in Security Center. To view the network diagram, click here.

Application	Inbound	Outbound	Port usage
LPR Manager		UDP 5000	Fixed Sharp unit discovery
	TCP 8731		Fixed Sharp units and Genetec Patroller™ installations
	TCP 8787		Pay-by-Plate (plugin installed separately)
	TCP 8832		Updater service
	TCP 9001		LPM protocol listening port
		TCP 8001	Sharp control port (used for Live connections, not LPM protocol connections).
		TCP 2323	Sharp unit configuration (HTTP)
Flexreader™ (Sharp unit)	TCP 80		Video port (Security Center extension HTTP)
	TCP 443		Video port (Security Center extension HTTPS)
	TCP 2323		Extension configuration service (HTTP)
	TCP 4502-4534		Silverlight ports and image feed service (for Sharp models earlier than SharpV)
	TCP 4545		Control port (Mobile installation)
	UDP 5000		Discovery port
	TCP 8001		Control port (Fixed installation)
		TCP 21	FTP file upload
		TCP 8666	Communication with Updater Service
Portal Server (Sharp unit)	TCP 80		Communication port (HTTP)
Portal Server (Sharp unit)	TCP 443		Secure communication port (HTTPS)
Updater service (Sharp unit and in-vehicle computer)	TCP 8666		Communication with Flexreader™ (greetings only)
	TCP 8889	TCP 8899	Communication with Genetec Patroller™ Updater
		TCP 8832	Communication with LPR Manager
Genetec Patroller™ (in-vehicle computer)	TCP 4546		Communication with Time server
	TCP 8001		Communication with Simple Host
		UDP 5000	Sharp camera discovery
		TCP 8666	Communication with Updater Service (greetings only)
		TCP 8731	LPR Manager connection

Firewall ports used by Omnicast™ applications in Security Center

When Omnicast™ is enabled in your system, you need to create additional firewall rules to allow proper communication between Security Center and external IP video devices.

The following table lists the default network ports used by Omnicast™ applications in Security Center. To view the network diagram, click here.

Application	Inbound	Outbound	Port usage
Archiver	TCP 555¹		Live and playback stream requests
	TCP 605¹		Edge playback stream requests
	TCP 5602¹		Telnet console connection requests
	UDP 6000-6500		Audio from client applications
	UDP 15000–19999²		Live unicast streaming from IP cameras
	UDP 47806, 47807	UDP 47806, 47807	Live video and audio multicast streaming
	TCP & UDP		Vendor specific ports for events and IP camera discovery
		TCP 80	HTTP port
		TCP 443	HTTPS port
		TCP 554	RTSP port
Redirector	TCP 560, 960³		Live and playback stream requests
		TCP 554	Communication with Media Router (Security Center Federation™)
		TCP 555	Communication with Archiver
		TCP 558	Communication with Auxiliary Archiver
		TCP 560, 960³	Stream requests to other redirectors
		UDP 6000-6500	Media transmission to client applications
	UDP 8000–12000	UDP 8000–12000	Media transmission to other redirectors
	UDP 47806, 47807	UDP 47806, 47807	Live video and audio multicast streaming
	UDP 65246	UDP 65246	Live video multicast streaming (Security Center Federation™)
Auxiliary Archiver	TCP 558		Live and playback stream requests
	UDP 6000-6500		Unicast media streams
	UDP 47806, 47807		Live video and audio multicast streaming
	UDP 65246		Live video multicast streaming (Security Center Federation™)
		TCP 554, 560, 960³	Playback stream requests
Media Router	TCP 554		Live and playback stream requests
Media Router		TCP 554	Federated Media Router stream requests
Media Gateway	TCP 654		Live and playback stream requests
	TCP 80, 443		Incoming stream requests from mobile and web clients
	UDP 6000-6500		Live video unicast streams
	UDP 47806, 47807	UDP 51914	Live video and audio multicast streaming
		TCP 554, 560, 960³	Live and playback video requests
Media processing applications (Privacy Protector™ and Camera integrity monitor)	TCP 754		Live video requests
	UDP 7000-7500		Live video unicast streams
	UDP 47806		Live video multicast streaming
	UDP 65246		Live video multicast streaming (Security Center Federation™)
		TCP 554, 560, 960³	Live and playback video requests
Omnicast™ Federation™		TCP 5001-5002	Connection to remote Omnicast™ 4.x systems.
Client applications (Security Desk and Config Tool)	UDP 6000–6200		Unicast media streams
	UDP 47806, 47807		Live video and audio multicast streaming
	UDP 65246		Live video multicast streaming (Security Center Federation™)
		TCP 554, 560, 960³	Live and playback video and audio requests
Client application (Config Tool)		Vendor-specific TCP and UDP ports	Unit discovery with the Unit enrollment tool

¹ Applies to servers hosting one Archiver role. If multiple Archiver roles are hosted on the same server, each additional role uses the next free port.

² You can have multiple Archiver agents on the same server. Each Archiver agent assigns a unique UDP port to each video unit it controls. To ensure that the UDP port assignment on a server is unique, each additional Archiver agent on the same server adds 5000 to its starting UDP port number. For example, the first Archiver agent uses ports 15000-19999, the second one uses ports 20000-24999, the third one uses ports 25000-29999, and so on.

NOTE: You can manually assign live streaming reception UDP ports from the Resource tab of the Archiver role.

³ TCP port 960 applies to new installations of Security Center 5.8, and upgrades from Security Center 5.5 to 5.8. Systems upgraded from Security Center 5.6 and Security Center 5.7 will continue to use TCP port 5004.

Firewall ports used by Synergis™ applications in Security Center

When Synergis™ is enabled in your system, you need to create additional firewall rules to allow proper communication between Security Center and external IP access control devices.

The following table lists the default network ports used by Synergis™ applications in Security Center. To view the network diagram, click here.

Application	Inbound	Outbound	Port usage
Access Manager		UDP 2000	Synergis™ extension - discovery
		TCP 443	Secure communication with Synergis™ units and HID units (HTTPS)
	TCP 20	TCP 21	HID extension - FTP data and command¹
		TCP 22	HID extension - SSH¹
		TCP 23	HID extension - Telnet¹
		TCP 80	HID extension - HTTP communication
		TCP 4050/4433²	HID extension - VertX OPIN protocol
	TCP/UDP 4070	TCP/UDP 4070	HID extension - VertX discovery³
	TCP/UDP		Vendor-specific ports for events and discovery from IP access control device
Synergis™ Softwire (Synergis™ unit)	TCP 80	TCP 80	Communication port (HTTP)
	TCP 443	TCP 443	Secure communication port (HTTPS)
	TCP 443	TCP 443	AutoVu™ SharpV integration (HTTPS)
	UDP 2000	UDP 2000	Discovery and P2P communication
	UDP 137		NetBIOS Name Service (enabled by default)
	TCP 3389		RDP connection (disabled by default)
		TCP 9999	Assa Abloy Aperio IP
	TCP 2571	TCP 2571	Assa Abloy IP lock (R3 protocol)
		UDP 5353	Axis controller discovery (mDNS)
	TCP 3001	TCP 3001	Mercury or Honeywell communication
	TCP 1234	TCP 1234	Salto Sallis lock communication
HID VertX/Edge Legacy and EVO controllers	TCP 21		FTP command¹
	TCP 22		SSH port (EVO only)¹
	TCP 23		Telnet¹
	TCP 4050/4433²		VertX OPIN protocol
	UDP 4070	UDP 4070	VertX discovery

¹ Not required if HID units are configured with Secure mode.

² Legacy HID units or EVO units running a firmware version earlier than 3.7 use port 4050. HID EVO units running in secure mode with firmware 3.7 and later user port 4433.

³ The discovery port of an HID unit is fixed at 4070. After it is discovered, the unit is assigned to an Access Manager that uses the ports shown in the previous table to control it.

For more information about initial HID hardware setup, download the documentation from http://www.HIDglobal.com.