Default ports used by Security Center 5.10 - Security Center 5.10

Series: Security Center 5.10
Revised: 2021-03-31

Default ports used by Security Center 5.10

Familiarize yourself with the default network ports that must be opened to allow proper communication between the core systems and modules of Security Center.

Information about firewalls

During the Security Center installation, you are given the option of allowing Security Center to create firewall rules for its applications. If you select this option, all Security Center applications are added as exceptions to the internal Windows firewall. However, you still must ensure that all the ports used by Security Center are open on your network.
IMPORTANT: Exposing Security Center to the Internet is strongly discouraged without hardening your system first. Before exposing your system, implement the advanced security level described in the Security Center Hardening Guide to help protect your system from Internet threats. Alternatively, use a trusted VPN for remote connections.

Ports used by core applications in Security Center

The following table lists the default network ports that must be opened to allow proper communication between the core applications and services in Security Center.

For a visual representation of the ports, see the Security Center Network Diagram - Platform.

| Component | Port usage | Inbound port | Outbound port | Protocol | Executable file |
|---|---|---|---|---|---|
| Directory | Client and server connections | TCP 5500 | TCP 5500 | TLS 1.2 | GenetecServer.exe |
| Config Tool | Genetec™ Server/Directory communication | | TCP 5500 | TLS 1.2 | GenetecServer.exe |
| | Map download requests to Map Manager | | TCP 8012 | HTTPS | GenetecMapManager.exe |
| | Authentication role communication; secured communication with the portal of the mobile credential provider; communication with GTAP for Genetec™ Advantage validation and feedback | | TCP 443 | HTTPS, TLS 1.2 | ConfigTool.exe |
| Security Desk | Genetec™ Server/Directory communication | | TCP 5500 | TLS 1.2 | GenetecServer.exe |
| | Map download requests to Map Manager | | TCP 8012 | HTTPS | GenetecMapManager.exe |
| | Authentication role communication; secured communication with the portal of the mobile credential provider | | TCP 443 | HTTPS, TLS 1.2 | SecurityDesk.exe |
| SDK | Genetec™ Server/Directory communication | | TCP 5500 | TLS 1.2 | GenetecServer.exe |
| | Map download requests to Map Manager | | TCP 8012 | HTTPS | GenetecMapManager.exe |
| All roles | Genetec™ Server/Directory communication. NOTE: Previously port 4502. If port 4502 was the server port before upgrading from 5.3 or earlier, 4502 remains the server port after the upgrade. | TCP 5500 | TCP 5500 | Genetec Inc. proprietary protocol | GenetecServer.exe |
| | REST/Server Admin communication¹ | TCP 80 | TCP 80 | HTTP | GenetecInterface.exe |
| | Secured REST/Server Admin/Authentication role communication¹ | TCP 443 | TCP 443 | HTTPS | GenetecInterface.exe |
| | Outgoing connections to the SQL Database Engine hosted on another server. Only required for roles that must connect to a database on another server. Not required if SQL Server is running on the same machine or if the role has no database. | | TCP 1433 | Microsoft Tabular Data Stream Protocol (TDS) | Role-dependent |
| | Outgoing connections to the SQL Server Browser service for SQL Server connection information. Only required for roles that must connect to a named database instance on another server. Not required for roles configured to connect to their database using a specific port. | | UDP 1434 | Microsoft SQL Server Resolution Protocol (SSRP) | Role-dependent |
| Map Manager | Requests for map download from client applications¹ | TCP 8012 | | HTTPS | GenetecMapManager.exe |
| Mobile Server | Communication from mobile clients | TCP 443 | | HTTPS | GenetecMobileRole.exe, GenetecMobileAgent.exe |
| | Communication from Archiver for video streaming and storage | TCP 9000-10000 | | HTTP | GenetecMobileRole.exe, GenetecMobileAgent.exe |
| Record Caching Service | REST/Server Admin communication¹ | TCP 80 | TCP 80 | HTTP | GenetecIngestion.exe |
| | Secured REST/Server Admin/Authentication role communication¹ | TCP 443 | TCP 443 | HTTPS | GenetecIngestion.exe |
| Unit Assistant | Communication with Archiver roles | TCP 5500 | TCP 5500 | Genetec Inc. proprietary protocol | GenetecUnitAssistantRole.exe |
| Wearable Camera Manager | Configurable in the UI | | TCP 48830 | Genetec Clearance™ protocol | GenetecBwcManagerRole.exe |
| | Configurable in a config file | | TCP 48831, 48832, 48833 | Genetec Clearance™ protocol | GenetecBwcAgentService.exe |
| Web Server | Initial connection between server hosting Web Server role and browser used for Web Client. NOTE: Redirected to HTTPS port after initial connection. | TCP 80 | TCP 80 | HTTP | GenetecWebClient.exe |
| | Secured REST/Server Admin/Authentication role communication¹; connection between server hosting Web Server role and browser used for Web Client | TCP 443 | TCP 443 | HTTPS | GenetecWebClient.exe |
| | Video requests to Media Gateway | | TCP 443 | HTTPS | GenetecWebClient.exe |
| Genetec™ Update Service (GUS) | Deprecated. Formerly used to access the GUS web page. Redirects to TCP 4595 in the latest GUS version¹ | TCP 4594 | | N/A | GenetecUpdateService.exe |
| | Secure communication with the GUS web page, and other GUS servers¹ | TCP 4595 | TCP 4595 | HTTPS | GenetecUpdateService.exe |
| | Communication with Azure and Genetec Inc.¹ | TCP 443 | TCP 443 | HTTPS | GenetecUpdateService.exe |
| SQL Server | Incoming connections to the SQL Database Engine from roles on other servers | TCP 1433 | | Microsoft Tabular Data Stream Protocol (TDS) | sqlservr.exe |
| | Incoming connections to the SQL Server Browser service for SQL Server connection information | UDP 1434 | | Microsoft SQL Server Resolution Protocol (SSRP) | sqlbrowser.exe |
| System Availability Monitor Agent (SAMA) | Legacy port for communication with Security Center servers¹ | | TCP 4592 | HTTP | Genetec.HealthMonitor.Agent.exe |
| | Communication with Security Center servers¹ | | TCP 443 | HTTPS | Genetec.HealthMonitor.Agent.exe |
| | Connection to the Health Service in the Cloud¹ | | TCP 443 | HTTPS | Genetec.HealthMonitor.Agent.exe |

1 These ports use Windows System components to handle HTTP requests. Microsoft components using http.sys require the following rule: dir="in" protocol="6" lport="<SPECIFY PORT USED HERE: CAN BE 80, 443, or CUSTOM>" binary="System".

Ports used by AutoVu™ applications in Security Center

The following table lists the default network ports that must be opened to allow proper communication between Security Center and external AutoVu™ components when AutoVu™ is enabled in your system.

For a visual representation of the ports, see the Security Center Network Diagram - ALPR.

| Component | Port usage | Inbound port | Outbound port | Protocol | Executable file |
|---|---|---|---|---|---|
| ALPR Manager | Secure communication port for DataExporter | | TCP 443 | HTTPS | GenetecLicensePlateManager.exe |
| | Fixed Sharp unit discovery | | UDP 5000 | N/A | GenetecLicensePlateManager.exe |
| | Sharp control port (used for Live connections, not LPM protocol connections) | | TCP 8001 | HTTP | GenetecLicensePlateManager.exe |
| | Genetec Patroller™ communication and fixed Sharp units (not used for LPM protocol connections) | TCP 8731 | | HTTP | GenetecLicensePlateManager.exe |
| | LPM protocol listening port | TCP 10001 | | HTTPS | GenetecLicensePlateManager.exe |
| | Communication with Pay-by-Plate Sync plugin | | TCP 8787 | HTTP | GenetecLicensePlateManager.exe |
| | | | TCP 8788 | HTTPS | GenetecLicensePlateManager.exe |
| Sharp unit (Plate Reader and Portal Server) | Communication port (HTTP for SharpOS 12.7 and earlier) | TCP 80 | | HTTP | Sharp unit |
| | Secure communication port for Web Portal, Sharp unit API, and MJPEG video streaming | TCP 443 | | HTTPS | Sharp unit |
| | H.264 video streaming | TCP 554, UDP 554 | | RTSP | Sharp unit |
| | Silverlight ports and image feed service (for Sharp models earlier than SharpV) | TCP 4502-4534 | | HTTP | Sharp unit |
| | Control port (Mobile installation) | TCP 4545 | | HTTP | Sharp unit |
| | Discovery port | UDP 5000 | | UDP | Sharp unit |
| | Control port (Fixed installation) | TCP 8001 | | HTTP | Sharp unit |
| | Sharp read events | | TCP 8731 | HTTP | Sharp unit |
| | LPM protocol communication port | | TCP 10001 | HTTPS | Sharp unit |
| | FTP file upload. Only used when FTP extension is configured | | TCP 21 | FTP | Sharp unit |
| Genetec Patroller™ (in-vehicle computer) | Communication with AutoVu™ cloud services | | TCP 443 | HTTPS | Patroller.exe |
| | Communication with mobile Sharp units | TCP 4545 | TCP 4545 | HTTP | Patroller.exe |
| | Time synchronization service for Sharp units | TCP 4546 | | SNTP | Patroller.exe |
| | Sharp camera discovery | | UDP 5000 | UDP | Patroller.exe, PatrollerConfigTool.exe |
| | Communication with Simple Host | TCP 8001 | | HTTP | Patroller.exe |
| | Communication with Pay-by-Plate Sync plugin | TCP 8787 | | HTTP | Patroller.exe |
| | ALPR Manager connection | | TCP 8731 | HTTP and message-level encryption | Patroller.exe |
| Pay-by-Plate Sync | Communication with AutoVu™ Free-Flow and Genetec Patroller™ | TCP 8787 | | HTTP | GenetecPlugin.exe for Pay-by-Plate Sync |
| | Secure communication with AutoVu™ Free-Flow | TCP 8788 | | HTTPS | GenetecPlugin.exe for Pay-by-Plate Sync |

Ports used by Omnicast™ applications in Security Center

The following table lists the default network ports that must be opened to allow proper communication between Security Center and external IP video devices when Omnicast™ is enabled in your system.

For a visual representation of the ports, see the Security Center Network Diagram - Video.

| Component | Port usage | Inbound port | Outbound port | Protocol | Executable file |
|---|---|---|---|---|---|
| Archiver | Communication with Cloud storage | | TCP 80⁴, 443⁴ | HTTPS, TLS 1.2 | GenetecArchiverAgent32.exe |
| | Communication between the Archiver and the Media Router to announce content | | TCP 554 | RTSP over TLS when secure communication enabled | GenetecArchiverAgent32.exe |
| | Live and playback stream requests | TCP 555¹ | | RTSP over TLS when secure communication enabled | GenetecArchiverAgent32.exe |
| | Edge playback stream requests | TCP 605¹ | | RTSP | GenetecVideoUnitControl32.exe |
| | Mobile device streaming through the Mobile Server | | TCP 9000-10000 | HTTP | GenetecVideoUnitControl32.exe |
| | Communication between the primary Archiver and failover servers | TCP 5500 | TCP 5500 | TLS 1.2 | GenetecArchiver.exe, GenetecArchiverAgent32.exe, GenetecVideoUnitControl32.exe |
| | Telnet console connection requests | TCP 5602¹ | | Telnet | GenetecArchiverAgent32.exe |
| | Audio from client applications | UDP 6000-6500 | | RTP | GenetecVideoUnitControl32.exe |
| | Live unicast streaming from IP cameras | UDP 15000–19999² | | SRTP when using encryption in transit from Archiver or in transit and at rest | GenetecVideoUnitControl32.exe |
| | Live video and audio multicast streaming | UDP 47806, 47807 | UDP 47806, 47807 | SRTP when using encryption in transit from Archiver or in transit and at rest | GenetecArchiverAgent32.exe, GenetecVideoUnitControl32.exe |
| | Vendor-specific ports for cameras | TCP & UDP | TCP. Common ports include: TCP 80, TCP 443, TCP 554, TCP 322 | TCP 80: HTTP; TCP 443: HTTPS; TCP 554: RTSP; TCP 322: RTSP over TLS when secure communication enabled | GenetecVideoUnitControl32.exe |
| Redirector | Live and playback stream requests | TCP 560 | | RTSP over TLS when secure communication enabled | GenetecRedirector.exe |
| | Communication with Media Router (Security Center Federation™) | | TCP 554 | RTSP over TLS when secure communication enabled | GenetecRedirector.exe |
| | Communication with Archiver | | TCP 555 | RTSP over TLS when secure communication enabled | GenetecRedirector.exe |
| | Communication with Auxiliary Archiver | | TCP 558 | RTSP over TLS when secure communication enabled | GenetecRedirector.exe |
| | Cloud playback requests | | TCP 570⁴ | RTSP over TLS when secure communication enabled | GenetecRedirector.exe |
| | Edge playback stream requests | | TCP 605 | RTSP over TLS when secure communication enabled | GenetecRedirector.exe |
| | Communication with Privacy Protector™ | | TCP 754 | RTSP over TLS when secure communication enabled | GenetecRedirector.exe |
| | Stream requests to other redirectors | | TCP 560 | RTSP over TLS when secure communication enabled | GenetecRedirector.exe |
| | Media transmission to client applications | TCP 960³ | UDP 6000-6500, TCP 960³ | SRTP when using encryption in transit from Archiver or in transit and at rest | GenetecRedirector.exe |
| | Media transmission to other redirectors | UDP 8000–12000 | UDP 8000–12000 | SRTP when using encryption in transit from Archiver or in transit and at rest | GenetecRedirector.exe |
| | Live video and audio multicast streaming | UDP 47806, 47807 | UDP 47806, 47807 | SRTP when using encryption in transit from Archiver or in transit and at rest | GenetecRedirector.exe |
| | Live video multicast streaming (Security Center Federation™) | UDP 65246 | UDP 65246 | SRTP when using encryption in transit from Archiver or in transit and at rest | GenetecRedirector.exe |
| Auxiliary Archiver | Live and playback stream requests | TCP 558 | | RTSP over TLS when secure communication enabled | GenetecAuxiliaryArchiver.exe |
| | Unicast media streams | UDP 6000-6500 | | SRTP when using encryption in transit from Archiver or in transit and at rest | GenetecAuxiliaryArchiver.exe |
| | Live video and audio multicast streaming | UDP 47806, 47807 | | SRTP when using encryption in transit from Archiver or in transit and at rest | GenetecAuxiliaryArchiver.exe |
| | Live video multicast streaming (Security Center Federation™) | UDP 65246 | | SRTP when using encryption in transit from Archiver or in transit and at rest | GenetecAuxiliaryArchiver.exe |
| | Live stream requests | | TCP 554, 555, 560 | RTSP over TLS when secure communication enabled | GenetecAuxiliaryArchiver.exe |
| | Media transmission | | TCP 960³ | SRTP when using encryption in transit from Archiver or in transit and at rest | GenetecAuxiliaryArchiver.exe |
| Cloud Playback | Cloud playback requests | TCP 570 | | RTSP over TLS when secure communication enabled | GenetecCloudPlaybackRole.exe, GenetecCloudPlaybackAgent.exe |
| | Communication with Cloud storage | | TCP 80, 443 | TLS 1.2 | GenetecCloudPlaybackRole.exe, GenetecCloudPlaybackAgent.exe |
| Media Router | Live and playback stream requests, and announce requests | TCP 554 | | RTSP over TLS when secure communication enabled | GenetecMediaRouter.exe |
| | Federated Media Router stream requests | | TCP 554 | RTSP over TLS when secure communication enabled | GenetecMediaRouter.exe |
| Media Gateway | Live and playback stream requests from RTSP clients | TCP 654 | | RTSP over TLS when secure communication enabled | Genetec.MediaGateway.exe |
| | Incoming stream requests from mobile and web clients | TCP 80, 443 | | TCP 80: HTTP; TCP 443: HTTPS | Genetec.MediaGateway.exe |
| | Communication between the Media Gateway agents and the Media Gateway role | TCP 5500 | TCP 5500 | TLS 1.2 | Genetec.MediaGateway.exe |
| | Live video unicast streams | UDP 6000-6500 | | SRTP when using encryption in transit and at rest | Genetec.MediaComponent32.exe |
| | Live video and audio multicast streaming | UDP 47806, 47807 | UDP 51914 | SRTP when using encryption in transit from Archiver or in transit and at rest | Genetec.MediaComponent32.exe |
| | Live video multicast streaming (Security Center Federation™) | UDP 65246 | | SRTP when using encryption in transit from Archiver or in transit and at rest | Genetec.MediaComponent32.exe |
| | Live and playback video requests | | TCP 554, 555, 558, 560, 605 | RTSP over TLS when secure communication enabled | Genetec.MediaComponent32.exe |
| | Media transmission | | TCP 960³ | SRTP when using encryption in transit from Archiver or in transit and at rest | GenetecAuxiliaryArchiver.exe |
| | Cloud playback requests | | TCP 570⁴ | RTSP over TLS when secure communication enabled | Genetec.MediaComponent32.exe |
| Omnicast™ Federation™ | Connection to remote Omnicast™ 4.x systems | | TCP 5001-5002 | TCP | GenetecOmnicastFederation32.exe |
| Security Center Federation™ | Connection to remote Security Center systems | | TCP 5500 | TLS 1.2 | GenetecSecurityCenterFederation.exe |
| Security Desk | Unicast media streams | UDP 6000–6200 | | SRTP when using encryption in transit from Archiver or in transit and at rest | SecurityDesk.exe, Genetec.MediaComponent32.exe |
| | Live video and audio multicast streaming | UDP 47806, 47807 | | SRTP when using encryption in transit from Archiver or in transit and at rest | SecurityDesk.exe, Genetec.MediaComponent32.exe |
| | Live video multicast streaming (Security Center Federation™) | UDP 65246 | | SRTP when using encryption in transit from Archiver or in transit and at rest | SecurityDesk.exe, Genetec.MediaComponent32.exe |
| | Live and playback video and audio requests | | TCP 554, 555, 558, 560, 605 | RTSP over TLS when secure communication enabled | SecurityDesk.exe, Genetec.MediaComponent32.exe |
| | Media transmission | | TCP 960³ | SRTP when using encryption in transit from Archiver or in transit and at rest | SecurityDesk.exe, Genetec.MediaComponent32.exe |
| | Cloud playback requests | | TCP 570⁴ | RTSP over TLS when secure communication enabled | SecurityDesk.exe, Genetec.MediaComponent32.exe |
| Config Tool | Unicast media streams | UDP 6000–6200 | | SRTP when using encryption in transit from Archiver or in transit and at rest | ConfigTool.exe, Genetec.MediaComponent32.exe |
| | Live video and audio multicast streaming | UDP 47806, 47807 | | SRTP when using encryption in transit from Archiver or in transit and at rest | ConfigTool.exe, Genetec.MediaComponent32.exe |
| | Live video multicast streaming (Security Center Federation™) | UDP 65246 | | SRTP when using encryption in transit from Archiver or in transit and at rest | ConfigTool.exe, Genetec.MediaComponent32.exe |
| | Live video and audio requests | | TCP 554, 555, 560 | RTSP over TLS when secure communication enabled | ConfigTool.exe, Genetec.MediaComponent32.exe |
| | Media transmission | | TCP 960³ | SRTP when using encryption in transit from Archiver or in transit and at rest | ConfigTool.exe, Genetec.MediaComponent32.exe |
| | Unit discovery with the Unit enrollment tool | | Vendor-specific TCP and UDP ports | Vendor-specific | ConfigTool.exe, Genetec.MediaComponent32.exe |
| | Cloud storage reporting and configuration | | TCP 80⁴, 443⁴ | HTTP | ConfigTool.exe |

1 Applies to servers hosting one Archiver role. If multiple Archiver roles are hosted on the same server, each additional role uses the next free port.

2 You can have multiple Archiver agents on the same server. Each Archiver agent assigns a unique UDP port to each video unit it controls. To ensure that the UDP port assignment on a server is unique, each additional Archiver agent on the same server adds 5000 to its starting UDP port number. For example, the first Archiver agent uses ports 15000-19999, the second one uses ports 20000-24999, the third one uses ports 25000-29999, and so on.
NOTE: You can manually assign live streaming reception UDP ports from the Resource tab of the Archiver role.

3 TCP port 960 applies to new installations of Security Center 5.8 and later. In Security Center 5.6 and 5.7, TCP port 5004 was used instead of TCP port 960. Therefore, any system upgraded to 5.10 through 5.6 or 5.7 continues to use TCP port 5004.

4 In the context of Cloud storage, ports TCP 80, 443, and 570 are only used when Cloud storage is enabled.
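The footnotes above make part of the port list deployment-dependent: the Archiver agent count shifts the UDP reception range, and the upgrade path decides between TCP 960 and TCP 5004. The following added example (not Genetec code) audits a server's listening sockets against a baseline built from those rules. The baseline is a hand-copied subset of the inbound rows for a server hosting Archiver and Redirector, the listener inventory is constructed sample data, and the executable names assume that the spaces inside file names on this page are line-wrap artifacts.

```python
# Added example: baseline audit of listening sockets on an Archiver/Redirector
# server. BASE_ROWS is a hand-copied subset of the inbound rows in the tables
# above; SAMPLE_LISTENERS is constructed data, not output from a real system.

# (protocol, first port, last port, executables the table lists for the row)
BASE_ROWS = [
    ("tcp", 5500, 5500, {"GenetecServer.exe", "GenetecArchiver.exe",
                         "GenetecArchiverAgent32.exe",
                         "GenetecVideoUnitControl32.exe"}),
    ("tcp", 555, 555, {"GenetecArchiverAgent32.exe"}),     # first Archiver role
    ("tcp", 605, 605, {"GenetecVideoUnitControl32.exe"}),  # first Archiver role
    ("tcp", 560, 560, {"GenetecRedirector.exe"}),
    ("udp", 6000, 6500, {"GenetecVideoUnitControl32.exe"}),
    ("udp", 8000, 12000, {"GenetecRedirector.exe"}),
    ("udp", 47806, 47807, {"GenetecArchiverAgent32.exe",
                           "GenetecVideoUnitControl32.exe",
                           "GenetecRedirector.exe"}),
]


def archiver_udp_range(agent_index):
    """UDP reception range of the Nth Archiver agent (0-based), footnote 2."""
    start = 15000 + 5000 * agent_index
    return start, start + 4999


def build_baseline(archiver_agents=1, upgraded_via_56_57=False):
    """Expand the static rows with the deployment-dependent ports."""
    rows = list(BASE_ROWS)
    # Footnote 3: systems upgraded through 5.6/5.7 keep TCP 5004 instead of 960.
    media_tcp = 5004 if upgraded_via_56_57 else 960
    rows.append(("tcp", media_tcp, media_tcp, {"GenetecRedirector.exe"}))
    for i in range(archiver_agents):
        low, high = archiver_udp_range(i)
        rows.append(("udp", low, high, {"GenetecVideoUnitControl32.exe"}))
    return rows


def audit(listeners, baseline):
    """Return (finding, listener) for every listener outside the baseline."""
    findings = []
    for proto, port, exe in listeners:
        owners = [exes for p, low, high, exes in baseline
                  if p == proto and low <= port <= high]
        if not owners:
            findings.append(("unexpected-port", (proto, port, exe)))
        elif not any(exe in exes for exes in owners):
            # Documented port, but bound by a binary the table does not list.
            findings.append(("unexpected-owner", (proto, port, exe)))
    return findings


SAMPLE_LISTENERS = [  # constructed
    ("tcp", 5500, "GenetecServer.exe"),
    ("tcp", 555, "GenetecArchiverAgent32.exe"),
    ("udp", 15012, "GenetecVideoUnitControl32.exe"),
    ("udp", 20444, "GenetecVideoUnitControl32.exe"),
    ("tcp", 960, "svchost.exe"),
    ("tcp", 5004, "GenetecRedirector.exe"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LISTENERS, build_baseline()):
        print(finding)
```

Build the baseline with the real agent count and upgrade history of the server being audited; a baseline built with the wrong parameters reports legitimate listeners as findings and can hide a foreign process on the port the system no longer uses.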

Ports used by KiwiVision™ modules in Security Center

The following tables list the default network ports that must be opened to allow proper communication between Security Center and external IP video devices when KiwiVision™ is enabled in your system.

For a visual representation of the ports, see the Security Center Network Diagram - KiwiVision™.

KiwiVision™ Privacy Protector™ and KiwiVision™ Camera Integrity Monitor modules

| Port usage | Inbound port | Outbound port | Protocol | Executable file |
|---|---|---|---|---|
| Live video requests | TCP 754 | | RTSP over TLS when using Secure communication | Genetec.MediaProcessor.exe |
| Live video unicast streams | UDP 7000-7500 | | SRTP when using encryption in transit from Archiver or in transit and at rest | Genetec.MediaProcessor.exe |
| Live video multicast streaming | UDP 47806 | UDP 47806 | SRTP when using encryption in transit from Archiver or in transit and at rest | Genetec.MediaProcessor.exe |
| Live video multicast streaming (Security Center Federation™) | UDP 65246 | UDP 65246 | SRTP when using encryption in transit from Archiver or in transit and at rest | Genetec.MediaProcessor.exe |
| Live video requests | | TCP 554, 555, 560 | RTSP over TLS when using Secure communication | Genetec.MediaProcessor.exe |
| Media transmission | | TCP 960¹ | SRTP when using encryption in transit from Archiver or in transit and at rest | Genetec.MediaProcessor.exe |

KiwiVision™ Security video analytics and KiwiVision™ People Counter modules

| Component | Port usage | Inbound port | Outbound port | Protocol | Executable file |
|---|---|---|---|---|---|
| KiwiVision™ Manager | Communication with KiwiVision™ Manager database | | TCP 1433 | Microsoft Tabular Data Stream Protocol (TDS) | GenetecPlugin.exe |
| | | | UDP 1434 | Microsoft SQL Server Resolution Protocol (SSRP) | GenetecPlugin.exe |
| KiwiVision™ Analyzer | Live video unicast streams | UDP 6000–6500 | | SRTP when using encryption in transit from Archiver or in transit and at rest | GenetecPlugin.exe |
| | Live video multicast streaming | UDP 47806 | UDP 47806 | SRTP when using encryption in transit from Archiver or in transit and at rest | GenetecPlugin.exe |
| | Live video multicast streaming (Security Center Federation™) | UDP 65246 | UDP 65246 | SRTP when using encryption in transit from Archiver or in transit and at rest | GenetecPlugin.exe |
| | Live and playback video requests | | TCP 554, 560, 960¹ | RTSP over TLS when using Secure communication | GenetecPlugin.exe |
| | Communication with KiwiVision™ Manager database | | TCP 1433 | Microsoft Tabular Data Stream Protocol (TDS) | GenetecPlugin.exe |
| | | | UDP 1434 | Microsoft SQL Server Resolution Protocol (SSRP) | GenetecPlugin.exe |

1 TCP port 960 applies to new installations of Security Center 5.8 and later. In Security Center 5.6 and 5.7, TCP port 5004 was used instead of TCP port 960. Therefore, any system upgraded to 5.10 through 5.6 or 5.7 continues to use TCP port 5004.

Ports used by Synergis™ applications in Security Center

The following table lists the default network ports that must be opened to allow proper communication between Security Center and external IP access control devices when Synergis™ is enabled in your system.

For a visual representation of the ports, see the Security Center Network Diagram - Access control.

| Component | Port usage | Inbound port | Outbound port | Protocol | Executable file |
|---|---|---|---|---|---|
| Access Manager | Synergis™ extension - discovery | | UDP 2000 | Genetec Inc. proprietary protocol | GenetecAccessManager.exe |
| | Secure communication with Synergis™ units and HID units | | TCP 443 | HTTPS, TLS 1.2 | GenetecAccessManager.exe |
| | HID extension - FTP data and command¹ | TCP 20 | TCP 21 | FTP | GenetecAccessManager.exe |
| | HID extension - SSH¹ | | TCP 22 | SSH | GenetecAccessManager.exe |
| | HID extension - Telnet¹ | | TCP 23 | Telnet | GenetecAccessManager.exe |
| | HID extension - HTTP communication | | TCP 80 | HTTP | GenetecAccessManager.exe |
| | HID extension - VertX OPIN protocol | | TCP 4050/4433² | TCP 4050: Proprietary; TCP 4433: HTTPS, TLS 1.2 | GenetecAccessManager.exe |
| | HID extension - VertX discovery³ | UDP 4070 | UDP 4070 | N/A | GenetecAccessManager.exe |
| | Remote syslog server | UDP 514 | | N/A | GenetecAccessManager.exe |
| Security Desk and Config Tool | Secured communication with the portal of the mobile credential provider. Client needs access to the following URLs: https://api.origo.hidglobal.com and https://portal.origo.hidglobal.com/ | | TCP 443 | HTTPS, TLS 1.2 | SecurityDesk.exe, ConfigTool.exe |
| Global Cardholder Synchronizer | Connection to sharing host | | TCP 5500 | TLS 1.2 | GenetecGlobalCardholderManagement.exe |
| Mobile Credential Manager | Secured communication with the portal of the mobile credential provider. Mobile Credential Manager role needs access to the following URLs: https://api.origo.hidglobal.com and https://portal.origo.hidglobal.com/ | | TCP 443 | HTTPS, TLS 1.2 | GenetecMobileCredentialManager.exe |

1 Not used if HID units are configured with Secure mode. As a best practice, enable secure mode on all HID units.

2 Legacy HID units or EVO units running a firmware version earlier than 3.7 use port 4050. HID EVO units running in secure mode with firmware 3.7 and later use port 4433.

3 The discovery port of an HID unit is fixed at 4070. After it is discovered, the unit is assigned to an Access Manager that uses the ports shown in the previous table to control it.

For more information about initial HID hardware setup, download the documentation from http://www.HIDglobal.com.