Default port numbers
By default, each component of the SafeLinx Server is configured to listen on certain ports. For each component, you can modify the port that the SafeLinx Server listens on.
The access manager component, which is installed on the same computer as the SafeLinx Server, communicates with the SafeLinx Administrator application to manage configuration changes. By default, the access manager listens on the following ports:
- 9555: Communication between SafeLinx Administrator and access manager.
- 9559: Communication between SafeLinx Administrator and access manager that uses TLS.
On Linux hosts, the access manager port number assignments are defined in the /etc/services file. If you want to modify the default access manager port assignments, edit the file to specify the new ports.
On Linux hosts, you must then refresh the configuration. To refresh the configuration on a Linux host, use one of the following methods:
- Linux: Type `systemctl restart wgmgrd.socket`.
To support access to various resources, the SafeLinx Server listens on a number of other
default ports. To change the default ports for the SafeLinx Server, HTTP access services, mobile
access services, or messaging services, use the SafeLinx Administrator to edit the properties for those
resources. The following table lists the default ports and protocols for a range of Connection
Manager resources:
Port number and protocol | Component that uses the port | Direction | Comment |
---|---|---|---|
80 - TCP | | Internet side of SafeLinx Server from HTTP clients and SafeLinx Clients. Intranet side to HTTP application servers | Depends on location of HTTP proxy, web, or application server |
443 - TCP | | Internet side of SafeLinx Server from HTTP clients and SafeLinx Clients. Intranet side to HTTP application servers | Depends on location of HTTP proxy, web, or application server |
1645 or 1812 - UDP | RADIUS authentication messages | Bidirectional - intranet side of SafeLinx Server | Used with the device resolver or with third-party RADIUS authentication servers |
1646 or 1813 - UDP | RADIUS accounting messages | Bidirectional - Internet side of SafeLinx Server | Used with the device resolver or with third-party RADIUS authentication servers |
9557 - TCP | SafeLinx Server | No firewall implication | Used between the SafeLinx Server and the wg_monitor utility. |
14356 - TCP | SafeLinx Server | Depends on location of subordinate nodes. If the nodes are inside the DMZ, there is no firewall implication, otherwise it is the intranet side of SafeLinx Server | Subordinate node in a VPN cluster listens to receive incoming requests from a principal node - inactive by default |
8888 - TCP and UDP | Mobile access services | Bidirectional | Used between SafeLinx Client and SafeLinx Server to change client password. Note: This port is only accessed through the VPN tunnel and does not need to be externalized by firewalls. |
8889 - TCP and UDP | Mobile access services | Bidirectional - Internet and intranet side of SafeLinx Server, unless set to bind to an IP address on one side or the other | IP-based receive |
9551 - TCP | SafeLinx Server | Bidirectional | The SafeLinx Server listens for dynamic configuration requests by using the TCP protocol. |
9553 - TCP | SafeLinx Server | Bidirectional | The SafeLinx Server listens for dynamic configuration requests by using the TCP protocol. |
9610 - TCP | Mobile access services | Bidirectional | Listener for third-party RADIUS authentication requests from SafeLinx Clients |
13131 - TCP | Messaging services | Bidirectional - intranet side of SafeLinx Server | Send/receive port for messaging services API traffic |
13132 - TCP | Messaging services | Bidirectional - intranet side of SafeLinx Server | Secure send/receive port for messaging services API traffic |
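
The following is an added example, not part of the SafeLinx documentation: a shell function that reads `ss -H -tuln` output and reports listeners on the access manager ports and on the ports that the table says need no firewall opening or are inactive by default. The REVIEW flag for wildcard binds and the sample socket list are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit listeners against the default ports documented above.
# Input format is that of `ss -H -tuln` (Linux iproute2).

# Notes paraphrase the page. Treating a wildcard bind as something to
# review is an assumption of this example, not a statement from the page.
audit_listeners() {
  awk '
    BEGIN {
      note["tcp/9555"]  = "access manager, non-TLS Administrator port"
      note["tcp/9559"]  = "access manager, TLS Administrator port"
      note["tcp/9557"]  = "wg_monitor utility, no firewall implication"
      note["tcp/14356"] = "cluster subordinate listener, inactive by default"
      note["tcp/8888"]  = "client password change, VPN tunnel only"
      note["udp/8888"]  = "client password change, VPN tunnel only"
    }
    {
      proto = $1; local = $5
      port = local; sub(/^.*:/, "", port)        # text after the last colon
      addr = substr(local, 1, length(local) - length(port) - 1)
      key = proto "/" port
      if (!(key in note)) next                   # not a port audited here
      # Assumption: a wildcard bind is reachable on every interface, so the
      # firewall rules for that port deserve a look.
      status = (addr == "0.0.0.0" || addr == "*" || addr == "[::]") ? "REVIEW" : "ok"
      printf "%s %s %s # %s\n", status, key, addr, note[key]
    }'
}

# Constructed sample of `ss -H -tuln` output, not captured from a real host.
sample_ss_output() {
  cat <<'EOF'
tcp   LISTEN 0 128 0.0.0.0:9555    0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:9559  0.0.0.0:*
tcp   LISTEN 0 128 [::]:443        [::]:*
udp   UNCONN 0 0   10.0.0.5:8888   0.0.0.0:*
tcp   LISTEN 0 128 *:14356         *:*
EOF
}

# Demo on the sample; on a live host run: ss -H -tuln | audit_listeners
sample_ss_output | audit_listeners
```

If the access manager ports were changed in /etc/services, update the keys in the `note` table to match before running the audit.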