Critical System Protection

Hi,

I'm setting up SCSP for our client and I need to know what ports are being used. I've already checked the manual. Which port does it use for LiveUpdates?
There are also some ports that is found in the xml file that is not in the manual.

Thanks

Anyone?

Management console
Console.exe Communicates with the management
server using remote TCP ports 4443, 8006,
and 8081.


Management server
SISManager.exe Communicates with the management
console using local TCP ports 4443, 8006,
and 8081.

Communicates with the agents using local
TCP port 443.

Communicates with remote production SQL
servers using the remote TCP port that the
SQL server uses for the server instance.


Agent SISIPSService.exe
sisipsdaemon
Communicates with the management
server using local TCP port 2222, and
remote TCP port 443.

The management server uses UDP port 1434 to query the MS SQL Server
system and find the port used by the Symantec Critical System Protection
instance.

The bulk log transfer feature of the Symantec Critical System Protection
agent is implemented by the bulklogger.exe. If you have a host-based
firewall that allows specific programs to access the Internet, you must allow
bulklogger.exe as well as SISPISService.exe to access the Internet. The
bulklogger.exe program uses the same ports as SISIPSService.exe.

Liveupdate is same for Symantec Products so it uses the same ports and same web links as all the live update servers are akamaized.

References:
The Install guide description (page 43, 57 and 79), the doc doesn't clearly spell out which side starts the communication.

Keep in mind that many of these ports can be changed during installation as well.  For example, the management ports, the console port and the agent communication ports can all be modified during the installation of the product.

I agree, but for fear of forgetting the settings if ever a firewall appliance breaks. I guess most of us - my client included - use the default.
The next question would be the ports that Symantec LiveUpdate would allow assuming that there is no port re-routing being done.

It would be safe to assume that the clients side would be the one initiating the communication. It would be a terrible waste of Internet bandwidth and database for IP tables if all software made by every legitimate company broadcasts its update to every now and then. ;)

As I mentioned earlier all symantec products works on same liveupdate site and ports so
it is
<IdsHttpConnectionMsg2><liveupdate.symantecliveupdate.com><80><HTTP>

if that fails it goes to FTP on port 21
<IdsFtpConnectionAttempt><update.symantec.com>


URLs

hosts/0/url=http://liveupdate.symantecliveupdate.com:80
hosts/1/url=http://liveupdate.symantec.com:80
hosts/2/url=ftp://update.symantec.com/opt/content/onramp

Hi Vikram, this is one of those days when I feel the need to question everything. Like touching a park bench to see if the 'Wet Paint' sign really means what is written.
I did a test using a scanner and this is what I got:

1st host
22/tcp - ssh
80/tcp - http
[decided not to share]
443/tcp - ssl/http
445/tcp - ssh
9000/tcp - http
9001/tcp - ssl/http
9050/tcp - tor-socks?

2nd and 3rd host (one of these reerts to the other)
21/tcp - ftp
22/tcp - ssh
[decided not to share]
80/tcp - http
139/tcp - netbios-ssn
443/tcp - ssl/http
500/tcp - ssh
9000/tcp - http
9001/tcp - ssl/http
9050/tcp - tor-socks?
60443/tcp - unknown?

Hey Guys,

Which ports are used specifically for live update and does anyone know what ip addresses are used? I need to lock down an access list at a remote site.

Thanks,
Eric

Hi Eric,
for the ports, refer to Vikram's reply.
As for the IP, you can check and ping the liveupdate site of Symantec or just add the Symantec webiste to your firewall. Depending on your location - it would show the IP of the server nearest or fastest to you.