Which firewall ports are used in Security Center 5.9? - Security Center 5.9

Applies to: Security Center 5.9
Last updated: 2021-12-01
Content type: FAQs
Language: English
Product: Security Center
Version: 5.9

Which firewall ports are used in Security Center 5.9?

Answer: There are many ports used by Security Center. Because Security Center is a unified platform that integrates all Genetec™ products, the list of ports is quite extensive. As a result, it is recommended that you familiarize yourself with the ports used by the various core systems and modules of Security Center.

During the Security Center installation, you are given the option of allowing Security Center to create firewall rules for its applications. If you select this option, all Security Center applications are added as exceptions to the internal Windows firewall. However, you still must ensure that all the ports used by Security Center are open on your network.
IMPORTANT: Exposing Security Center to the Internet is strongly discouraged without hardening your system first. Before exposing your system, implement the advanced security level described in the Security Center Hardening Guide to help protect your system from Internet threats. Alternatively, use a trusted VPN for remote connections.
You can configure different port numbers than the ones that are used by default.

Firewall ports used by core applications in Security Center

For Security Center to work properly, you need to create firewall rules to allow proper communication between the various services.

The following table lists the default network ports used by core applications in Security Center, and their associated executable files. To view the network diagram, click here.

| Application | Inbound | Outbound | Port usage | Executable |
|---|---|---|---|---|
| Directory | TCP 5500 | TCP 5500 | Client and server connections | GenetecServer.exe |
| Client applications (Security Desk, Config Tool, SDK) | | TCP 5500 | Genetec™ Server/Directory communication | SecurityDesk.exe, ConfigTool.exe |
| | | TCP 8012 | Map download requests to Map Manager (HTTPS) | GenetecMapManager.exe |
| Client applications (Config Tool) | | TCP 443 | Communication with GTAP for Genetec™ Advantage validation and feedback (HTTPS) | ConfigTool.exe |
| Client applications (Security Desk, Config Tool) | | TCP 443 | Authentication role communication/Secured communication with the portal of the mobile credential provider (HTTPS) | SecurityDesk.exe, ConfigTool.exe |
| Wearable Camera Manager role | | TCP 48830 | Configurable in the UI | GenetecBwcManagerRole.exe |
| | | TCP 48831, 48832, 48833 | Configurable in a config file | GenetecBwcAgentService.exe |
| All roles (new installation) | TCP 5500 | TCP 5500 | Genetec™ Server/Directory communication | GenetecServer.exe |
| | TCP 80 | TCP 80 | REST/Server Admin communication (HTTP) [1] | |
| | TCP 443 | TCP 443 | Secured REST/Server Admin/Authentication role communication (HTTPS) [1] | |
| | | TCP 1433 [2] | Outgoing connections to the SQL Database Engine hosted on another server. | |
| All roles (upgraded from 5.3 or earlier) | TCP 4502 | TCP 4502 | Genetec™ Server/Directory communication. If 4502 was the server port before an upgrade, then 4502 remains the server port after the upgrade. | GenetecServer.exe |
| Map Manager | TCP 8012 | | Requests for map download from client applications (HTTPS) [1] | GenetecMapManager.exe |
| Mobile Server | TCP 443 | | Communication from mobile clients. | GenetecMobileRole.exe, GenetecMobileAgent.exe |
| | | TCP 9000-10000 | Adding mobile devices to an Archiver for video streaming and storage. | |
| Genetec™ Update Service (GUS) | TCP 4595 | TCP 4595 | Communication with other GUS servers [1] | GenetecUpdateService.exe |
| | TCP 443 | TCP 443 | Communication with Azure and Genetec Inc. (HTTPS) [1] | |
| SQL Server | 1433 | | Incoming connections to the SQL Database Engine from roles on other servers. | sqlservr.exe |
| System Availability Monitor Agent (SAMA) | | TCP 4592 | Legacy port for communication with Security Center servers [1] | Genetec.HealthMonitor.Agent.exe |
| | | TCP 443 | Communication with Security Center servers [1] | |
| | | TCP 443 | Connection to the Health Service in the Cloud (HTTPS) [1] | |
| Unit Assistant | TCP 5500 | TCP 5500 | Communication with Archiver roles | GenetecUnitAssistantRole.exe |

[1] These ports use Windows System components to handle HTTP requests. Microsoft components using http.sys require the following rule: dir="in" protocol="6" lport="<SPECIFY PORT USED HERE: CAN BE 80, 443, or CUSTOM>" binary="System".

[2] Applies to roles that must connect to a database on another server. This port is unnecessary if SQL Server is running on the same machine or the role does not have a database.

Firewall ports used by AutoVu™ applications in Security Center

When AutoVu™ is enabled in your system, you need to create additional firewall rules to allow proper communication between Security Center and external AutoVu™ components.

The following table lists the default network ports used by AutoVu™ applications in Security Center. To view the network diagram, click here.

| Application | Inbound | Outbound | Port usage | Executable |
|---|---|---|---|---|
| ALPR Manager | | UDP 5000 | Fixed Sharp unit discovery | GenetecLicensePlateManager.exe |
| | TCP 8731 | | Fixed Sharp units and Genetec Patroller™ installations | |
| | TCP 8787 | | Pay-by-Plate (plugin installed separately) | |
| | TCP 10001 | | LPM protocol listening port | |
| | | TCP 8001 | Sharp control port (used for Live connections, not LPM protocol connections). | |
| | | TCP 2323 | Sharp unit configuration (HTTP) | |
| Flexreader™ (Sharp unit) | TCP 80 | | Video port (Security Center extension HTTP) | GenetecPlugin.exe |
| | TCP 443 | | Video port (Security Center extension HTTPS) | |
| | TCP 2323 | | Extension configuration service (HTTP) | |
| | TCP 4502-4534 | | Silverlight ports and image feed service (for Sharp models earlier than SharpV) | |
| | TCP 4545 | | Control port (Mobile installation) | |
| | UDP 5000 | | Discovery port | |
| | TCP 8001 | | Control port (Fixed installation) | |
| | | TCP 21 | FTP file upload | |
| Portal Server (Sharp unit) | TCP 80 | | Communication port (HTTP) | GenetecPlugin.exe |
| | TCP 443 | | Secure communication port (HTTPS) | |
| Genetec Patroller™ (in-vehicle computer) | TCP 4546 | | Communication with Time server | Patroller.exe |
| | TCP 8001 | | Communication with Simple Host | |
| | | UDP 5000 | Sharp camera discovery | Patroller.exe, PatrollerConfigTool.exe |
| | | TCP 8731 | ALPR Manager connection | Patroller.exe |

Firewall ports used by Omnicast™ applications in Security Center

When Omnicast™ is enabled in your system, you need to create additional firewall rules to allow proper communication between Security Center and external IP video devices.

The following table lists the default network ports used by Omnicast™ applications in Security Center. To view the network diagram, click here.

| Application | Inbound | Outbound | Port usage | Executable |
|---|---|---|---|---|
| Archiver | | TCP 554 | Communication between the Archiver and the Media Router to announce content. | GenetecArchiverAgent32.exe |
| | TCP 555 [1] | | Live and playback stream requests | |
| | TCP 605 [1] | | Edge playback stream requests | GenetecVideoUnitControl32.exe |
| | TCP 5500 | TCP 5500 | Communication between the primary Archiver and failover servers. | GenetecArchiver.exe, GenetecArchiverAgent32.exe, GenetecVideoUnitControl32.exe |
| | TCP 5602 [1] | | Telnet console connection requests | GenetecArchiverAgent32.exe |
| | UDP 6000-6500 | | Audio from client applications | GenetecVideoUnitControl32.exe |
| | UDP 15000–19999 [2] | | Live unicast streaming from IP cameras | |
| | UDP 47806, 47807 | UDP 47806, 47807 | Live video and audio multicast streaming | GenetecArchiverAgent32.exe, GenetecVideoUnitControl32.exe |
| | TCP & UDP | TCP (common ports include: TCP 80 - HTTP, TCP 443 - HTTPS, TCP 554 - RTSP, TCP 322 - RTSPS) | Vendor-specific ports for cameras | GenetecVideoUnitControl32.exe |
| Redirector | TCP 560, 960 [3] | | Live and playback stream requests | GenetecRedirector.exe |
| | | TCP 554 | Communication with Media Router (Security Center Federation™) | |
| | | TCP 555 | Communication with Archiver | |
| | | TCP 558 | Communication with Auxiliary Archiver | |
| | | TCP 560, 960 [3] | Stream requests to other redirectors | |
| | | UDP 6000-6500 | Media transmission to client applications | |
| | UDP 8000–12000 | UDP 8000–12000 | Media transmission to other redirectors | |
| | UDP 47806, 47807 | UDP 47806, 47807 | Live video and audio multicast streaming | |
| | UDP 65246 | UDP 65246 | Live video multicast streaming (Security Center Federation™) | |
| Auxiliary Archiver | TCP 558 | | Live and playback stream requests | GenetecAuxiliaryArchiver.exe |
| | UDP 6000-6500 | | Unicast media streams | |
| | UDP 47806, 47807 | | Live video and audio multicast streaming | |
| | UDP 65246 | | Live video multicast streaming (Security Center Federation™) | |
| | | TCP 554, 560, 960 [3] | Playback stream requests | |
| Media Router | TCP 554 | | Live and playback stream requests, and announce requests | GenetecMediaRouter.exe |
| | | TCP 554 | Federated Media Router stream requests | |
| Media Gateway | TCP 654 | | Live and playback stream requests from RTSP clients | Genetec.MediaGateway.exe |
| | TCP 80, 443 | | Incoming stream requests from mobile and web clients | |
| | TCP 5500 | TCP 5500 | Communication between the Media Gateway agents and the Media Gateway role. | |
| | UDP 6000-6500 | | Live video unicast streams | Genetec.MediaComponent32.exe |
| | UDP 47806, 47807 | UDP 51914 | Live video and audio multicast streaming | |
| | | TCP 554, 560, 960 [3] | Live and playback video requests | |
| Omnicast™ Federation™ | | TCP 5001-5002 | Connection to remote Omnicast™ 4.x systems. | GenetecOmnicastFederation32.exe |
| Security Center Federation™ | | TCP 5500 | Connection to remote Security Center systems. | GenetecSecurityCenterFederation.exe |
| Client applications (Security Desk and Config Tool) | UDP 6000–6200 | | Unicast media streams | SecurityDesk.exe, ConfigTool.exe, Genetec.MediaComponent32.exe |
| | UDP 47806, 47807 | | Live video and audio multicast streaming | |
| | UDP 65246 | | Live video multicast streaming (Security Center Federation™) | |
| | | TCP 554, 560, 960 [3] | Live and playback video and audio requests | |
| Client application (Config Tool) | | Vendor-specific TCP and UDP ports | Unit discovery with the Unit enrollment tool | ConfigTool.exe, Genetec.MediaComponent32.exe |

[1] Applies to servers hosting one Archiver role. If multiple Archiver roles are hosted on the same server, each additional role uses the next free port.

[2] You can have multiple Archiver agents on the same server. Each Archiver agent assigns a unique UDP port to each video unit it controls. To ensure that the UDP port assignment on a server is unique, each additional Archiver agent on the same server adds 5000 to its starting UDP port number. For example, the first Archiver agent uses ports 15000-19999, the second one uses ports 20000-24999, the third one uses ports 25000-29999, and so on.
NOTE: You can manually assign live streaming reception UDP ports from the Resource tab of the Archiver role.

[3] TCP port 960 applies to new installations of Security Center 5.8 and later. Note that in Security Center 5.6 and 5.7, TCP port 5004 was used instead of TCP port 960. Therefore, any system upgraded to 5.9 through 5.6 or 5.7 will continue to use TCP port 5004.
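
The http.sys rule from the core applications footnote and the per-agent Archiver UDP ranges described above, combined into inbound Windows Firewall rules scoped by program and port. This is an added PowerShell example, not Genetec tooling; `$InstallDir`, the rule names and the group name are assumptions, and the page's default ports are used.

```powershell
# Added example (not from the Genetec documentation).
# Previews the rules by default; run elevated with -Apply to create them.
param(
    [Parameter(Mandatory)][string]$InstallDir,  # assumption: folder holding the Genetec executables
    [int]$ArchiverAgents = 1,                   # Archiver agents hosted on this server
    [int[]]$HttpSysPorts = @(443),              # 80, 443 or a custom port, per the http.sys footnote
    [switch]$Apply
)

function Get-ArchiverUdpRange {
    param([int]$AgentIndex)                     # 0 = first agent on the server
    # Each additional agent adds 5000 to the starting port: 15000-19999, 20000-24999, ...
    $start = 15000 + (5000 * $AgentIndex)
    '{0}-{1}' -f $start, ($start + 4999)
}

$rules = @()

# http.sys listens in the kernel, so the rule is bound to "System" (binary="System" in the footnote).
foreach ($port in $HttpSysPorts) {
    $rules += @{ DisplayName = "SC http.sys TCP $port"; Protocol = 'TCP'
                 LocalPort = "$port"; Program = 'System' }
}

# Genetec Server/Directory communication on the default port of a new installation.
$rules += @{ DisplayName = 'SC Genetec Server TCP 5500'; Protocol = 'TCP'
             LocalPort = '5500'; Program = "$InstallDir\GenetecServer.exe" }

# One block of 5000 UDP ports per Archiver agent for live unicast streams from cameras.
# Assumption: the executable is the one listed for the surrounding Archiver rows.
for ($i = 0; $i -lt $ArchiverAgents; $i++) {
    $range = Get-ArchiverUdpRange -AgentIndex $i
    $rules += @{ DisplayName = "SC Archiver agent $($i + 1) UDP $range"; Protocol = 'UDP'
                 LocalPort = $range; Program = "$InstallDir\GenetecVideoUnitControl32.exe" }
}

foreach ($rule in $rules) {
    # Splat the per-rule values and add the settings common to every rule.
    New-NetFirewallRule @rule -Direction Inbound -Action Allow `
        -Group 'Security Center (example)' -WhatIf:(-not $Apply) | Out-Null
}
```

If the ports were changed from their defaults, or the server was upgraded from a version that used different ports, adjust the values before applying.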

Firewall ports used by KiwiVision™ applications in Security Center

When KiwiVision™ modules are enabled in your system, you need to create additional firewall rules to allow proper communication between Security Center and external IP video devices.

The following table lists the default network ports used by KiwiVision™ modules in Security Center and their associated executable files. To view the network diagram, click here.

| Application | Inbound | Outbound | Port usage | Executable |
|---|---|---|---|---|
| Ports for the KiwiVision™ Privacy Protector™ and KiwiVision™ Camera Integrity Monitor modules | | | | |
| Media processing applications (Privacy Protector™ and Camera Integrity Monitor) | TCP 754 | | Live video requests | Genetec.MediaProcessor.exe |
| | UDP 7000-7500 | | Live video unicast streams | |
| | UDP 47806 | | Live video multicast streaming | |
| | UDP 65246 | | Live video multicast streaming (Security Center Federation™) | |
| | | TCP 554, 560, 960 [1] | Live and playback video requests | |
| Ports for the KiwiVision™ Security video analytics and KiwiVision™ People Counter modules | | | | |
| KiwiVision™ Manager | | TCP 1433, 1434 | Communication with KiwiVision™ Manager database | GenetecPlugin.exe |
| KiwiVision™ Analyzer | UDP 6000–6500 | | Live video unicast streams | GenetecPlugin.exe |
| | UDP 47806 | | Live video multicast streaming | |
| | UDP 65246 | | Live video multicast streaming (Security Center Federation™) | |
| | | TCP 554, 560, 960 [1] | Live and playback video requests | |
| | | TCP 1433, 1434 | Communication with KiwiVision™ Manager database | |

[1] TCP port 960 applies to new installations of Security Center 5.8 and later. Note that in Security Center 5.6 and 5.7, TCP port 5004 was used instead of TCP port 960. Therefore, any system upgraded to 5.9 through 5.6 or 5.7 will continue to use TCP port 5004.

Firewall ports used by Synergis™ applications in Security Center

When Synergis™ is enabled in your system, you need to create additional firewall rules to allow proper communication between Security Center and external IP access control devices.

The following table lists the default network ports used by Synergis™ applications in Security Center. To view the network diagram, click here.

| Application | Inbound | Outbound | Port usage | Executable |
|---|---|---|---|---|
| Access Manager | | UDP 2000 | Synergis™ extension - discovery | GenetecAccessManager.exe |
| | | TCP 443 | Secure communication with Synergis™ units and HID units (HTTPS) | |
| | TCP 20 | TCP 21 | HID extension - FTP data and command [1] | |
| | | TCP 22 | HID extension - SSH [1] | |
| | | TCP 23 | HID extension - Telnet [1] | |
| | | TCP 80 | HID extension - HTTP communication | |
| | | TCP 4050/4433 [2] | HID extension - VertX OPIN protocol | |
| | TCP/UDP 4070 | TCP/UDP 4070 | HID extension - VertX discovery [3] | |
| | TCP/UDP | | Vendor-specific ports for events and discovery from IP access control device | |
| | UDP 514 | | Remote syslog server | |
| Global Cardholder Synchronizer | TCP 4502 | TCP 4502 | Genetec™ Server communication | GenetecGlobalCardholderManagement.exe |
| | TCP 80 | TCP 80 | REST Server communication | |
| | | TCP 5500 | Directory & federated Directory connection | |

[1] Not required if HID units are configured with Secure mode.

[2] Legacy HID units or EVO units running a firmware version earlier than 3.7 use port 4050. HID EVO units running in secure mode with firmware 3.7 and later use port 4433.

[3] The discovery port of an HID unit is fixed at 4070. After it is discovered, the unit is assigned to an Access Manager that uses the ports shown in the previous table to control it.

For more information about initial HID hardware setup, download the documentation from http://www.HIDglobal.com.