Which firewall ports are used in Security Center 5.8? - Security Center 5.8

Series: Security Center 5.8
Revised: 2019-11-29

Which firewall ports are used in Security Center 5.8?

Answer: Security Center uses many ports. Because Security Center is a unified platform that integrates all Genetec™ products, the list of ports is quite extensive. As a result, it is recommended that you familiarize yourself with the ports used by the various core systems and modules of Security Center.

During the Security Center installation, you are given the option of allowing Security Center to create firewall rules for its applications. If you select this option, all Security Center applications are added as exceptions to the internal Windows firewall. However, you still must ensure that all the ports used by Security Center are open on your network.
IMPORTANT: Exposing Security Center to the Internet is strongly discouraged without hardening your system first. Before exposing your system, implement the advanced security level described in the Security Center Hardening Guide to help protect your system from Internet threats. Alternatively, use a trusted VPN for remote connections.
You can configure different port numbers than the ones that are used by default.

Firewall ports used by core applications in Security Center

For Security Center to work properly, you need to create firewall rules to allow proper communication between the various services.

The following table lists the default network ports used by core applications in Security Center. To view the network diagram, click here.

| Application | Inbound | Outbound | Port usage |
| --- | --- | --- | --- |
| Directory | TCP 5500 | | Client connections |
| Client applications (Security Desk, Config Tool, SDK) | | TCP 5500 | Genetec™ Server/Directory communication |
| | | TCP 8012 | Map download requests to Map Manager (HTTPS) |
| Client applications (Config Tool) | | TCP 443 | Communication with GTAP for Genetec™ Advantage validation and feedback (HTTPS) |
| Client applications (Security Desk, Config Tool) | | TCP 443 | Secured communication with the portal of the mobile credential provider (HTTPS) |
| All roles (new installation) | TCP 5500 | TCP 5500 | Genetec™ Server/Directory communication |
| | TCP 4502 | TCP 4502 | Genetec™ Server communication (backward compatibility with Security Center 5.3 and earlier) |
| | TCP 80 | TCP 80 | REST/Server Admin communication (HTTP) |
| | TCP 443 | TCP 443 | Secured REST/Server Admin communication (HTTPS) |
| All roles (upgraded from 5.3 and earlier) | TCP 4502 | TCP 4502 | If 4502 was the server port before the upgrade, then 4502 remains the server port after the upgrade, and 4503 is used for backward compatibility. If another port was used as server port before the upgrade, then that same port is kept as server port after the upgrade. 4502 is then used for backward compatibility, and 4503 is not necessary. |
| | TCP 4503 | TCP 4503 | |
| Intrusion Manager | TCP 3001 | TCP 3001 | Communication with Bosch intrusion panels |
| Map Manager | TCP 8012 | | Map download requests from client application (HTTPS) |
| Mobile Server | TCP 443 | | Communication from mobile clients |
| Genetec™ Update Service (GUS) | TCP 4595 | TCP 4595 | Communication with other GUS servers |
| | TCP 443 | TCP 443 | Communication with Azure and Genetec Inc. (HTTPS) |
| System Availability Monitor Agent (SAMA) | TCP 4592 | | Connection from Security Center servers |
| | | TCP 443 | Connection to the Health Service in the Cloud (HTTPS) |

Firewall ports used by AutoVu™ applications in Security Center

When AutoVu™ is enabled in your system, you need to create additional firewall rules to allow proper communication between Security Center and external AutoVu™ components.

The following table lists the default network ports used by AutoVu™ applications in Security Center. To view the network diagram, click here.

| Application | Inbound | Outbound | Port usage |
| --- | --- | --- | --- |
| LPR Manager | | UDP 5000 | Fixed Sharp unit discovery |
| | TCP 8731 | | Fixed Sharp units and Genetec Patroller™ installations |
| | TCP 8787 | | Pay-by-Plate (plugin installed separately) |
| | TCP 8832 | | Updater service |
| | TCP 9001 | | LPM protocol listening port |
| | | TCP 8001 | Sharp control port (used for Live connections, not LPM protocol connections) |
| | | TCP 2323 | Sharp unit configuration (HTTP) |
| Flexreader™ (Sharp unit) | TCP 80 | | Video port (Security Center extension HTTP) |
| | TCP 443 | | Video port (Security Center extension HTTPS) |
| | TCP 2323 | | Extension configuration service (HTTP) |
| | TCP 4502-4534 | | Silverlight ports and image feed service (for Sharp models earlier than SharpV) |
| | TCP 4545 | | Control port (Mobile installation) |
| | UDP 5000 | | Discovery port |
| | TCP 8001 | | Control port (Fixed installation) |
| | | TCP 21 | FTP file upload |
| | | TCP 8666 | Communication with Updater Service |
| Portal Server (Sharp unit) | TCP 80 | | Communication port (HTTP) |
| | TCP 443 | | Secure communication port (HTTPS) |
| Updater service (Sharp unit and in-vehicle computer) | TCP 8666 | | Communication with Flexreader™ (greetings only) |
| | TCP 8889 | TCP 8899 | Communication with Genetec Patroller™ Updater |
| | | TCP 8832 | Communication with LPR Manager |
| Genetec Patroller™ (in-vehicle computer) | TCP 4546 | | Communication with Time server |
| | TCP 8001 | | Communication with Simple Host |
| | | UDP 5000 | Sharp camera discovery |
| | | TCP 8666 | Communication with Updater Service (greetings only) |
| | | TCP 8731 | LPR Manager connection |

Firewall ports used by Omnicast™ applications in Security Center

When Omnicast™ is enabled in your system, you need to create additional firewall rules to allow proper communication between Security Center and external IP video devices.

The following table lists the default network ports used by Omnicast™ applications in Security Center. To view the network diagram, click here.

| Application | Inbound | Outbound | Port usage |
| --- | --- | --- | --- |
| Archiver | TCP 555¹ | | Live and playback stream requests |
| | TCP 605¹ | | Edge playback stream requests |
| | TCP 5602¹ | | Telnet console connection requests |
| | UDP 6000-6500 | | Audio from client applications |
| | UDP 15000–19999² | | Live unicast streaming from IP cameras |
| | UDP 47806, 47807 | UDP 47806, 47807 | Live video and audio multicast streaming |
| | TCP & UDP | | Vendor specific ports for events and IP camera discovery |
| | | TCP 80 | HTTP port |
| | | TCP 443 | HTTPS port |
| | | TCP 554 | RTSP port |
| Redirector | TCP 560, 960³ | | Live and playback stream requests |
| | | TCP 554 | Communication with Media Router (Security Center Federation™) |
| | | TCP 555 | Communication with Archiver |
| | | TCP 558 | Communication with Auxiliary Archiver |
| | | TCP 560, 960³ | Stream requests to other redirectors |
| | | UDP 6000-6500 | Media transmission to client applications |
| | UDP 8000–12000 | UDP 8000–12000 | Media transmission to other redirectors |
| | UDP 47806, 47807 | UDP 47806, 47807 | Live video and audio multicast streaming |
| | UDP 65246 | UDP 65246 | Live video multicast streaming (Security Center Federation™) |
| Auxiliary Archiver | TCP 558 | | Live and playback stream requests |
| | UDP 6000-6500 | | Unicast media streams |
| | UDP 47806, 47807 | | Live video and audio multicast streaming |
| | UDP 65246 | | Live video multicast streaming (Security Center Federation™) |
| | | TCP 554, 560, 960³ | Playback stream requests |
| Media Router | TCP 554 | | Live and playback stream requests |
| | | TCP 554 | Federated Media Router stream requests |
| Media Gateway | TCP 654 | | Live and playback stream requests |
| | TCP 80, 443 | | Incoming stream requests from mobile and web clients |
| | UDP 6000-6500 | | Live video unicast streams |
| | UDP 47806, 47807 | UDP 51914 | Live video and audio multicast streaming |
| | | TCP 554, 560, 960³ | Live and playback video requests |
| Media processing applications (Privacy Protector™ and Camera integrity monitor) | TCP 754 | | Live video requests |
| | UDP 7000-7500 | | Live video unicast streams |
| | UDP 47806 | | Live video multicast streaming |
| | UDP 65246 | | Live video multicast streaming (Security Center Federation™) |
| | | TCP 554, 560, 960³ | Live and playback video requests |
| Omnicast™ Federation™ | | TCP 5001-5002 | Connection to remote Omnicast™ 4.x systems |
| Client applications (Security Desk and Config Tool) | UDP 6000–6200 | | Unicast media streams |
| | UDP 47806, 47807 | | Live video and audio multicast streaming |
| | UDP 65246 | | Live video multicast streaming (Security Center Federation™) |
| | | TCP 554, 560, 960³ | Live and playback video and audio requests |
| Client application (Config Tool) | | Vendor-specific TCP and UDP ports | Unit discovery with the Unit enrollment tool |

1 Applies to servers hosting one Archiver role. If multiple Archiver roles are hosted on the same server, each additional role uses the next free port.

2 You can have multiple Archiver agents on the same server. Each Archiver agent assigns a unique UDP port to each video unit it controls. To ensure that the UDP port assignment on a server is unique, each additional Archiver agent on the same server adds 5000 to its starting UDP port number. For example, the first Archiver agent uses ports 15000-19999, the second one uses ports 20000-24999, the third one uses ports 25000-29999, and so on.
NOTE: You can manually assign live streaming reception UDP ports from the Resource tab of the Archiver role.

3 TCP port 960 applies to new installations of Security Center 5.8, and upgrades from Security Center 5.5 to 5.8. Systems upgraded from Security Center 5.6 and Security Center 5.7 will continue to use TCP port 5004.

Firewall ports used by Synergis™ applications in Security Center

When Synergis™ is enabled in your system, you need to create additional firewall rules to allow proper communication between Security Center and external IP access control devices.

The following table lists the default network ports used by Synergis™ applications in Security Center. To view the network diagram, click here.

| Application | Inbound | Outbound | Port usage |
| --- | --- | --- | --- |
| Access Manager | | UDP 2000 | Synergis™ extension - discovery |
| | | TCP 443 | Secure communication with Synergis™ units and HID units (HTTPS) |
| | TCP 20 | TCP 21 | HID extension - FTP data and command¹ |
| | | TCP 22 | HID extension - SSH¹ |
| | | TCP 23 | HID extension - Telnet¹ |
| | | TCP 80 | HID extension - HTTP communication |
| | | TCP 4050/4433² | HID extension - VertX OPIN protocol |
| | TCP/UDP 4070 | TCP/UDP 4070 | HID extension - VertX discovery³ |
| | TCP/UDP | | Vendor-specific ports for events and discovery from IP access control device |
| Synergis™ Softwire (Synergis™ unit) | TCP 80 | TCP 80 | Communication port (HTTP) |
| | TCP 443 | TCP 443 | Secure communication port (HTTPS); AutoVu™ SharpV integration (HTTPS) |
| | UDP 2000 | UDP 2000 | Discovery and P2P communication |
| | UDP 137 | | NetBIOS Name Service (enabled by default) |
| | TCP 3389 | | RDP connection (disabled by default) |
| | | TCP 9999 | Assa Abloy Aperio IP |
| | TCP 2571 | TCP 2571 | Assa Abloy IP lock (R3 protocol) |
| | | UDP 5353 | Axis controller discovery (mDNS) |
| | TCP 3001 | TCP 3001 | Mercury or Honeywell communication |
| | TCP 1234 | TCP 1234 | Salto Sallis lock communication |
| HID VertX/Edge Legacy and EVO controllers | TCP 21 | | FTP command¹ |
| | TCP 22 | | SSH port (EVO only)¹ |
| | TCP 23 | | Telnet¹ |
| | TCP 4050/4433² | | VertX OPIN protocol |
| | UDP 4070 | UDP 4070 | VertX discovery |

1 Not required if HID units are configured with Secure mode.

2 Legacy HID units or EVO units running a firmware version earlier than 3.7 use port 4050. HID EVO units running in secure mode with firmware 3.7 and later use port 4433.

3 The discovery port of an HID unit is fixed at 4070. After it is discovered, the unit is assigned to an Access Manager that uses the ports shown in the previous table to control it.

For more information about initial HID hardware setup, download the documentation from http://www.HIDglobal.com.
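
The HID footnotes above determine which Access Manager rules can be closed once units run in Secure mode. The following is an added example, not Genetec code, that derives the rule set for a unit from the table and footnotes and diffs it against an existing allow-list. The function names, the rule tuples and the sample units are assumptions made for illustration, as is treating every unit that does not meet the port 4433 condition as using port 4050.

```python
# Added example (not Genetec code). Rules are (direction, protocol, port)
# as seen from the Access Manager server; values come from the Synergis table.

def hid_rules(secure_mode, evo, firmware):
    """Rules Access Manager needs for one HID unit, per footnotes 1-3."""
    rules = {
        ("out", "tcp", 443),  # secure communication with HID units (HTTPS)
        ("out", "tcp", 80),   # HID extension - HTTP communication
        # VertX discovery: fixed at 4070, TCP and UDP, both directions
        ("in", "tcp", 4070), ("out", "tcp", 4070),
        ("in", "udp", 4070), ("out", "udp", 4070),
    }
    # Footnote 2: 4433 for EVO units in secure mode on firmware 3.7 or later.
    # Assumption: every other combination is treated as using 4050.
    if evo and secure_mode and firmware >= (3, 7):
        rules.add(("out", "tcp", 4433))
    else:
        rules.add(("out", "tcp", 4050))
    # Footnote 1: FTP, SSH and Telnet are not required in Secure mode.
    if not secure_mode:
        rules |= {("in", "tcp", 20), ("out", "tcp", 21),
                  ("out", "tcp", 22), ("out", "tcp", 23)}
    return rules


def audit(allowed, units):
    """Return (missing, removable): rules the units need but the allow-list
    lacks, and allow-list entries that no unit needs."""
    required = set()
    for unit in units:
        required |= hid_rules(**unit)
    return sorted(required - allowed), sorted(allowed - required)


# Constructed sample: the allow-list was written for a legacy unit, and the
# site has since moved to one EVO unit in secure mode on firmware 3.7.
LEGACY = {"secure_mode": False, "evo": False, "firmware": (2, 2)}
EVO_SECURE = {"secure_mode": True, "evo": True, "firmware": (3, 7)}
ALLOWED = hid_rules(**LEGACY)

if __name__ == "__main__":
    missing, removable = audit(ALLOWED, [EVO_SECURE])
    print("add:   ", missing)
    print("remove:", removable)
```

With the constructed sample, the audit reports that TCP 4433 must be added and that the FTP, SSH, Telnet and TCP 4050 rules are no longer needed.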