Protocols and Ports Required
To ensure successful data collection and activity monitoring, Auditor has to communicate through the firewall and requires some ports to be opened for inbound and outbound connections.
RECOMMENDED: Netwrix recommends reviewing your current port configuration after every re-installation or upgrade.
| If you use... | Do the following... |
|---|---|
| Windows Firewall | If you are running Windows Firewall on the computer where you will install Auditor Server, Auditor automatically opens ports 135, 9004, 9699, 9011, and one dynamic port for inbound connections during installation. For outbound rules, create or enable predefined Windows Firewall rules. Before installing Auditor, ensure that the Windows Firewall service is running. |
| Third-party Firewall | If you use a third-party firewall, you must create rules manually. |
Create Firewall rules manually
The following example applies to Windows Firewall and explains how to create a rule for inbound connections.
Step 1 – Start the Windows Firewall service.
Step 2 – Navigate to Start > Control Panel and select Windows Firewall.
Step 3 – In the Help Protect your computer with Windows Firewall page, click Advanced settings on the left.
Step 4 – In the Windows Firewall with Advanced Security dialog, select Inbound Rules on the left.
Step 5 – Click New Rule. In the New Inbound Rule wizard, complete the following steps:
- On the Rule Type step, select Port.
- On the Protocol and Ports step, select TCP or UDP. In the Specific local ports field specify the port number.
- On the Action step, select the Allow the connection action.
- On the Profile step, ensure that the rule applies to all profiles (Domain, Private, Public).
- On the Name step, specify the rule's name, for example Netwrix Auditor TCP port_number Access.
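The same inbound rules can be created from an elevated PowerShell session. The script below is an added example, not Netwrix code: it follows the wizard choices from Steps 1 to 5 for the Auditor Server ports this page lists (135, 9004, 9011, 9699) and adds a program-scoped rule for the dynamic range. The `Add-InboundRule` helper and the name of the dynamic-range rule are assumptions made for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example (not from Netwrix). Ports and the NwCoreSvc.exe path come from
# this page; Add-InboundRule and the dynamic rule's name are hypothetical.

$ports   = 135, 9004, 9011, 9699
$coreSvc = 'C:\Program Files (x86)\Netwrix Auditor\Audit Core\NwCoreSvc.exe'

# Step 1: the Windows Firewall service (MpsSvc) must be running.
if ((Get-Service -Name MpsSvc).Status -ne 'Running') {
    Start-Service -Name MpsSvc
}

function Add-InboundRule {
    param([string]$Name, [hashtable]$Filter)
    # Skip rules that already exist so the script can be re-run after an
    # upgrade or re-installation without creating duplicates.
    if (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue) {
        Write-Host "Exists:  $Name"
        return
    }
    # Step 5: TCP port rule, Allow the connection, all three profiles.
    New-NetFirewallRule -DisplayName $Name -Direction Inbound -Protocol TCP `
        -Action Allow -Profile Domain, Private, Public @Filter | Out-Null
    Write-Host "Created: $Name"
}

# One rule per fixed port, named as suggested in the Name step.
foreach ($port in $ports) {
    Add-InboundRule -Name "Netwrix Auditor TCP $port Access" `
        -Filter @{ LocalPort = $port }
}

# Dynamic range: bind the rule to NwCoreSvc.exe so that the range is not
# opened for every process on the server.
Add-InboundRule -Name 'Netwrix Auditor TCP Dynamic Access NwCoreSvc' -Filter @{
    LocalPort = '49152-65535'
    Program   = $coreSvc
}

# List what is now in place, for the review recommended after each upgrade.
Get-NetFirewallRule -DisplayName 'Netwrix Auditor TCP*' | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule = $_.DisplayName; Enabled = $_.Enabled
        Profile = $_.Profile;  LocalPort = $pf.LocalPort -join ','
    }
} | Format-Table -AutoSize
```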
In most cases, this configuration is enough to ensure successful data collection and processing. If your organization policy requires you to provide a justification for each particular port, review the following for a full list of ports to open on the computer where you will install Auditor Server and on your target servers.
- Active Directory Ports
- AD FS Ports
- Microsoft Entra ID Ports
- Dell Data Storage Ports
- Exchange Ports
- Exchange Online Ports
- Group Policy Ports
- Integration API Ports
- Logon Activity Ports
- Nutanix Ports
- Oracle Database Ports
- Qumulo Ports
- SharePoint Ports
- SharePoint Online Ports
- SQL Server Ports
- Synology Ports
- Teams Ports
- User Activity Ports
- VMware Ports
- Windows File Server Ports
- Windows Server Ports
Netwrix Auditor Server
During installation, Netwrix Auditor automatically creates inbound Windows Firewall rules for the essential ports required for the product to function properly. If you use a third-party firewall, make sure to allow inbound connections to local ports on the target and outbound connections to remote ports on the source.
Tip for reading the table: For example, on the computer where Netwrix Auditor client is installed (source), allow outbound connections to remote TCP port 135. On the computer where Netwrix Auditor Server resides (target), allow inbound connections to local TCP port 135.
| Port | Protocol | Source | Target | Purpose |
|---|---|---|---|---|
| 135 | TCP | Computer where Netwrix Auditor client is installed | Netwrix Auditor Server | Netwrix Auditor remote client console |
| 9004 | TCP | Monitored computers | Netwrix Auditor Server | Network Traffic Compression Services responsible for user activity monitoring |
| 9011 | TCP | Computers where Netwrix Auditor for Windows Server Compression Services reside | Netwrix Auditor Server | Network traffic compression and interaction with hubs and services |
| 9699 | TCP | Script / query host | Netwrix Auditor Server | Netwrix Auditor Integration API |
| Dynamic: 49152-65535 | TCP | Computers where Netwrix Auditor Server and Netwrix Auditor client are installed | Netwrix Auditor Server | Netwrix Auditor internal components interaction. Allow C:\Program Files (x86)\Netwrix Auditor\Audit Core\NwCoreSvc.exe to use the port. |
| For Managed Service Providers: 443 | TCP | Netwrix Auditor Server | Netwrix Partner Portal | Reporting on active MSP licenses |
| 80 for HTTP, 443 for HTTPS | TCP | SSRS | Netwrix Auditor Server | Reports. If your environment is configured differently, check with your DBA or review the SSRS settings through the Configuration Manager. |
In most environments, Auditor creates the rules automatically and you don't need to open more ports to ensure successful data collection.
In rare cases, for example if your security policies require you to provide a justification for opening each particular port, you might need a more detailed overview.