Ports Used by Retain

  • 7019168
  • 21-Apr-2015
  • 07-Aug-2017

Environment


Retain 3.x

Situation


I use firewalls on my servers (required for security policies within my organization), so I need to know what ports Retain uses so that I can ensure that they are open.

Resolution


These ports are all listed in different areas within the Retain documentation, but this article compiles them into one single page.  We will break out everything by Retain component since various components can either be run on the same server or on different servers. 

NOTE:  Some modules require open ports on the Retain Server, the Retain Worker, and may even have their own Retain component (e.g., the Message Router for the Retain for Mobile module).  Thus, you should check each Retain component to see if your particular module has port specifications under those areas.

RETAIN SYSTEM

Retain Server

The Retain Server is the key component in the Retain system.  Other Retain processes communicate with the Server through port 48080 by default.  In fact, the Server is always listening on that port regardless of how other components might be configured to communicate with it (e.g., SSL port 443).

48080 (TCP)

  • Requires incoming access if any Retain processes are running on a server external to the server hosting the Retain Server. 
  • Requires outgoing access if the Reporting & Monitoring Server component has been installed on a server external to the server hosting the Retain Server. See also the Reporting & Monitoring component in this article.

48009 (TCP) 
The AJP (Apache JServ Protocol) port is used for communication between the web server and Tomcat.  Since both should reside on the same server, there are no external port access requirements.

80 / 443 (TCP - HTTP / HTTPS)
Requires incoming access to reach the Server web interface.

25 (TCP)
Requires outgoing access so that the Retain Server can send email notifications on server errors, job statuses, and job errors.

10000 (TCP)
If using the standard Lucene indexer, which ships with Retain, then nothing needs to be done here; however, if using Exalead, then outgoing is required. See the "Indexer" component in this article as well. *See Note at the end.

Requires outgoing access to the Database Management System (DBMS) port.  This depends on the database system you are using.  See the "Database Management Systems" section of this article (at the bottom).

Other ports will also need to be opened on the server hosting the Retain Server depending on the modules being used:

Blackberry
BES Web Services (SOAP) only supports the secure ports via TLS.  Retain will initiate contact with BES Web Services if you are syncing the Address Book with the BES.  Outgoing access is required for the Retain Server and incoming access for the BES server for the following ports:

  • BES 12:  18084 (TCP)
  • BES 10:  38443 (TCP)
  • BES 5:  443 (TCP)

Exchange

3268 or 3269 (TCP)
Requires outgoing access.  It uses these ports for LDAP lookups to the global catalog host, which is the primary database server for Active Directory.  Port 3268 for non-SSL and 3269 for SSL (recommended).

Google Apps Module

993 (TCP)
Requires outgoing access.  Retain connects to Google Apps via IMAP over SSL to download the Address Book.

GroupWise

7191 (TCP)
Requires outgoing access so that the Retain Server can download the Address Book.  This is the default SOAP port the GroupWise POAs use, but this is configurable and is dependent upon the POA agent setting in GroupWise.

Mobile

80 / 443 (TCP)
Requires both incoming and outgoing access so that the Retain Server and the Message Router can communicate device configuration information with each other.  See also the Retain Message Router component in this article as well as the Mobile subsection under Retain Worker.

O365

443 (TCP)
Requires outgoing access. Retain uses SSL to connect with Office 365 in order to authenticate users logging in to Retain.

Retain Worker

The Retain Worker is the component that pulls the data from the messaging source, whether that be an email system, social media application, or mobile device.

48080 (TCP)
Requires outgoing access if on a server external to the Retain Server. 

80 or 443 (TCP HTTP or HTTPS)
Requires incoming access to reach the Worker web interface.

Other ports will also need to be opened on the server hosting the Retain Worker depending on the modules being used; and, in some cases, on servers hosting the messaging system Retain will be archiving:

Blackberry

111/2049 (UDP / TCP) on the Blackberry Enterprise Server (BES) for NFS Server services.

CellTrust Secureline

111/2049 (UDP / TCP) on the CellTrust Secureline server for NFS Server services.

Exchange

  • 80 / 443 (TCP HTTP / HTTPS) on the Worker server.  Requires outgoing access. The autodiscover process will attempt HTTPS to the CAS server(s) for connecting to Exchange mailboxes.  If that fails, it will use port 80 as a last resort.  If Exchange / autodiscover / EWS are set up properly, only port 443 should be necessary.
  • 3268 or 3269 (TCP).  Requires outgoing access.  It uses one of these ports for LDAP lookups to the global catalog host, which is the primary database server for Active Directory.  Port 3268 for non-SSL and 3269 for SSL (recommended).
  • 53 (UDP).  Requires outgoing access.  It's the port used by DNS.  Retain will do DNS lookups during its autodiscover process.

Google Apps Module

443 (TCP)
Requires outgoing access for the Server (address book sync) and the Worker (it attempts to use the Gmail API for archiving; if that fails, it reverts to IMAP, thus the need for port 993 as described below).

993 (TCP).
Requires outgoing access for the Worker(s) only.  Under certain circumstances, the Worker may switch to using IMAP over SSL when requesting email from Gmail.

GroupWise

7191 (TCP)
Requires outgoing access.  This is the default SOAP port the GroupWise POAs use, but this is configurable and is dependent upon the POA agent setting in GroupWise.

Mobile

See also the Retain Message Router component in this article.

111/2049 (UDP / TCP) for NFS Server services

O365

443 (TCP)
Requires outgoing access.  Retain uses SSL to connect with Office 365 for archiving the mailboxes.

Social Media

80/443 (TCP)
Requires outgoing access to the Retain for Social Media proxy server appliance.  Retain will make an HTTP connection and request the "bundles".  See also the Retain for Social Media (RSM) Proxy Server component in this article.

Indexer

If using the standard Lucene indexer, which ships with Retain, then nothing needs to be done here; however, if using Exalead, it runs on a separate server: *See Note at the end.

10000 (TCP)
Requires incoming access on the Exalead server in order for Retain to communicate with it.

Retain Message Router

New to Retain v3.4, the Message Router is for customers of the Retain for Mobile module.  The Message Router connects with mobile devices to handle device configuration and SMS message log forwarding.  It typically would sit inside a DMZ.

443 (TCP)
Requires incoming access from and outgoing access to the Internet, as well as incoming access from and outgoing access to the Retain Server.

111/2049 (UDP / TCP) for NFS Client services.

Retain Reporting & Monitoring Server

New to Retain v3.4, this process provides archive job and server reporting and monitoring services.  It is not installed by default unless specifically selected during the installation process.

48080 (TCP)
Requires both incoming and outgoing access if on a server external to the Retain Server.

80 / 443 (TCP)
Requires incoming access to reach the R&M Server's web interface.

25 (TCP)
If running on a server external to the Retain Server, then it requires outgoing access.

Retain Stubbing Server

The Retain Stubbing Server is the component that provides stubbing services to the Retain Server.  It is rarely used or installed by customers.  See the Administration and Users Guide for a listing of its advantages and disadvantages.

48080 (TCP)
Requires outgoing access if on a server external to the Retain Server.

80 / 443 (TCP)
Requires incoming access to reach the Stubbing Server web interface.

Retain for Social Media (RSM) Proxy Server

This is a VM appliance running as a proxy server for social media traffic going out to and coming in from the Internet.  It logs this traffic so that Retain can archive that data.

  • From RSM WAN IP to Untrusted, all TCP/UDP ports.
  • If the RSM WAN IP is a private IP, it needs to be NATed to an appropriate routable IP address.  The LAN IP address does not need a corresponding inbound NAT rule.

DATABASE MANAGEMENT SYSTEMS

The following are the default ports these database management systems use, but they are configurable within those systems.  Requires incoming access for the database server and outgoing access on the Retain Server.

  • MySQL:  3306
  • MS SQL:   1433
  • Oracle:  1521
  • Postgres: 5432

*Note: Exalead will no longer be supported with Retain 4.0.  This article will be updated upon 4.0 release with the ports needed for the High Performance Indexer that will be replacing it for the external indexing.
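
Added example (not part of the original article or of Retain itself): the Python code below turns the Retain Server rules above into a least-privilege rule set for a given deployment and compares it with the rules already in place, so ports such as AJP 48009 that need no external access show up as excess. The function names, the (direction, port, protocol) tuple layout and the sample deployment are assumptions of this example; only a subset of modules is covered, and the port numbers are the defaults listed in this article.

```python
DBMS_PORTS = {"mysql": 3306, "mssql": 1433, "oracle": 1521, "postgres": 5432}

# Outgoing TCP ports the Retain Server needs per module (defaults from the article).
SERVER_MODULE_OUT = {
    "exchange": [3269],    # global catalog LDAP over SSL; 3268 if non-SSL
    "google": [443, 993],  # address book sync
    "groupwise": [7191],   # default POA SOAP port, configurable in GroupWise
    "o365": [443],         # user authentication
}


def server_rules(modules, dbms=None, external_components=False,
                 external_rm=False, allow_http=False):
    """Return the (direction, port, proto) rules the Retain Server host needs.

    dbms=None means the database runs on the same host as the Retain Server.
    """
    rules = {("in", 443, "tcp"), ("out", 25, "tcp")}  # web UI, email notifications
    if allow_http:
        rules.add(("in", 80, "tcp"))
    if external_components or external_rm:  # a Retain process on another host
        rules.add(("in", 48080, "tcp"))
    if external_rm:                         # Reporting & Monitoring on another host
        rules.add(("out", 48080, "tcp"))
    if dbms is not None:
        rules.add(("out", DBMS_PORTS[dbms], "tcp"))
    for module in modules:
        rules |= {("out", port, "tcp") for port in SERVER_MODULE_OUT[module]}
    return rules  # AJP 48009 is never added: web server and Tomcat share a host


def audit(current, required):
    """Compare the rules in place with the required set."""
    return {"missing": sorted(required - current),
            "excess": sorted(current - required)}


if __name__ == "__main__":
    # Constructed deployment: Exchange module, remote MS SQL, Worker on the same host.
    required = server_rules(["exchange"], dbms="mssql")
    # Constructed "current" rule set, as it might look before review.
    current = {("in", 443, "tcp"), ("in", 48080, "tcp"), ("in", 48009, "tcp"),
               ("out", 25, "tcp"), ("out", 1433, "tcp")}
    for kind, rules in audit(current, required).items():
        for direction, port, proto in rules:
            print(f"{kind}: {direction} {port}/{proto}")
```
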

Additional Information

This article was originally published in the GWAVA knowledgebase as article ID 2524.