Environment
Retain 3.x
Situation
I use firewalls on my servers (required for security policies within my organization), so I need to know what ports Retain uses so that I can ensure that they are open.
Resolution
These ports are all listed in different areas within the Retain documentation, but this article compiles them into one single page. We will break out everything by Retain component since various components can either be run on the same server or on different servers.
NOTE: Some modules require open ports on the Retain Server and the Retain Worker, and may even have their own Retain component (e.g., the Message Router for the Retain for Mobile module). Thus, you should check each Retain component to see if your particular module has port specifications under those areas.
RETAIN SYSTEM
Retain Server
The Retain Server is the key component in the Retain system. Other Retain processes communicate with the Server through port 48080 by default. In fact, the Server is always listening on that port regardless of how other components might be configured to communicate with it (e.g., SSL port 443).
48080 (TCP)
- Requires incoming access if any Retain processes are running on a server external to the server hosting the Retain Server.
- Requires outgoing access if the Reporting & Monitoring Server component has been installed on a server external to the server hosting the Retain Server. See also the Reporting & Monitoring component in this article.
48009 (TCP)
The AJP (Apache JServ Protocol) port is used for communication between the web server and Tomcat. Since both should reside on the same server, there are no external port access requirements.
80 / 443 (TCP - HTTP / HTTPS)
Requires incoming access to reach the Server web interface.
25 (TCP)
Requires outgoing access so that the Retain Server can send email notifications on server errors, job statuses, and job errors.
10000 (TCP)
If using the standard Lucene indexer, which ships with Retain, then nothing needs to be done here; however, if using Exalead, then outgoing access is required. See the "Indexer" component in this article as well. *See Note at the end.
Outgoing access to Database Management System (DBMS) port. This depends on the database system you are using. See the "Database Management Systems" section of this article (at the bottom).
Other ports will also need to be opened on the server hosting the Retain Server depending on the modules being used:
Blackberry
BES Web Services (SOAP) only supports the secure ports via TLS. Retain will initiate contact with BES Web Services if you are syncing the Address Book with the BES. Outgoing access is required for the Retain Server and incoming access for the BES server for the following ports:
- BES 12: 18084 (TCP)
- BES 10: 38443 (TCP)
- BES 5: 443 (TCP)
Exchange
3268 or 3269 (TCP)
Requires outgoing access. It uses these ports for LDAP lookups to the global catalog host, which is the primary database server for Active Directory. Port 3268 is for non-SSL and 3269 for SSL (recommended).
Google Apps Module
993 (TCP)
Requires outgoing access. Retain connects to Google Apps via IMAP over SSL to download the Address Book.
GroupWise
7191 (TCP)
Requires outgoing access so that the Retain Server can download the Address Book. This is the default SOAP port the GroupWise POAs use, but this is configurable and is dependent upon the POA agent setting in GroupWise.
Mobile
80 / 443 (TCP)
Requires both incoming and outgoing access so that the Retain Server and the Message Router can communicate device configuration information with each other. See also the Retain Message Router component in this article as well as the Mobile subsection under Retain Worker.
O365
443 (TCP)
Requires outgoing access. Retain uses SSL to connect with Office 365 in order to authenticate users logging in to Retain.
Retain Worker
The Retain Worker is the component that pulls the data from the messaging source, whether that be an email system, social media application, or mobile device.
48080 (TCP)
Requires outgoing access if on a server external to the Retain Server.
80 or 443 (TCP HTTP or HTTPS)
Requires incoming access to reach the Worker web interface.
Other ports will also need to be opened on the server hosting the Retain Worker depending on the modules being used; and, in some cases, on servers hosting the messaging system Retain will be archiving:
Blackberry
111/2049 (UDP / TCP) on the Blackberry Enterprise Server (BES) for NFS Server services.
- Requires incoming access if the Worker is not on the BES server so that it can retrieve the BES logs. Samba can be used, but NFS seems to be more reliable.
- Per this Internet post, you may need to consider other ports: http://serverfault.com/questions/377170/which-ports-do-i-need-to-open-in-the-firewall-to-use-nfs. It is up to the customer to do this research in order to get NFS services to work properly.
CellTrust Secureline
111/2049 (UDP / TCP) on the CellTrust Secureline server for NFS Server services.
- Requires incoming access if the Worker is not on the CellTrust Secureline server so that it can retrieve the CSV logs. Samba can be used, but NFS seems to be more reliable.
- Per this Internet post, you may need to consider other ports: http://serverfault.com/questions/377170/which-ports-do-i-need-to-open-in-the-firewall-to-use-nfs. It is up to the customer to do this research in order to get NFS services to work properly.
Exchange
- 80 / 443 (TCP HTTP / HTTPS) on the Worker server. Requires outgoing access. The autodiscover process will attempt HTTPS to the CAS server(s) for connecting to Exchange mailboxes. If that fails, it will use port 80 as a last resort. If Exchange / autodiscover / EWS are set up properly, only port 443 should be necessary.
- 3268 or 3269 (TCP). Requires outgoing access. It uses one of these ports for LDAP lookups to the global catalog host, which is the primary database server for Active Directory. Port 3268 is for non-SSL and 3269 for SSL (recommended).
- 53 (UDP). Requires outgoing access. It is the port used by DNS. Retain will do DNS lookups during its autodiscover process.
Google Apps Module
443 (TCP)
Requires outgoing access for the Server (address book sync) and the Worker (it attempts to use the Gmail API for archiving; if that fails, it reverts to IMAP, thus the need for port 993 as described below).
993 (TCP)
Requires outgoing access for the Worker(s) only. Under certain circumstances, the Worker may switch to using IMAP over SSL when requesting email from Gmail.
GroupWise
7191 (TCP)
Requires outgoing access. This is the default SOAP port the GroupWise POAs use, but this is configurable and is dependent upon the POA agent setting in GroupWise.
Mobile
See also the Retain Message Router component in this article.
111/2049 (UDP / TCP) for NFS Server services
- Requires incoming access if the Worker is not on the Message Router server so that the Message Router can place the logs on the Worker's server. Samba can be used, but NFS seems to be more reliable.
- Per this Internet post, you may need to consider other ports: http://serverfault.com/questions/377170/which-ports-do-i-need-to-open-in-the-firewall-to-use-nfs. It is up to the customer to do this research in order to get NFS services to work properly.
O365
443 (TCP)
Requires outgoing access. Retain uses SSL to connect with Office 365 for archiving the mailboxes.
Social Media
80/443 (TCP)
Requires outgoing access to the Retain for Social Media proxy server appliance. Retain will make an HTTP connection and request the "bundles". See also the Retain for Social Media (RSM) Proxy Server component in this article.
Indexer
If using the standard Lucene indexer, which ships with Retain, then nothing needs to be done here; however, if using Exalead, it runs on a separate server: *See Note at the end.
10000 (TCP)
Requires incoming access on the Exalead server in order for Retain to communicate with it.
Retain Message Router
New to Retain v3.4, the Message Router is for customers of the Retain for Mobile module. The Message Router connects with mobile devices to handle device configuration and SMS message log forwarding. It typically would sit inside a DMZ.
443 (TCP)
Requires both incoming and outgoing access to the Internet, as well as incoming and outgoing access to the Retain Server.
111/2049 (UDP / TCP) for NFS Client services.
- Requires outgoing access if the Worker is not on the Message Router server so that it can place the logs on the Worker's server. Samba can be used, but NFS seems to be more reliable.
- Per this Internet post, you may need to consider other ports: http://serverfault.com/questions/377170/which-ports-do-i-need-to-open-in-the-firewall-to-use-nfs. It is up to the customer to do this research in order to get NFS services to work properly.
Retain Reporting & Monitoring Server
New to Retain v3.4, this process provides archive job and server reporting and monitoring services. It is not installed by default unless specifically selected during the installation process.
48080 (TCP)
Requires both incoming and outgoing access if on a server external to the Retain Server.
80 / 443 (TCP)
Requires incoming access to reach the R&M Server's web interface.
25 (TCP)
If running on a server external to the Retain Server, then it requires outgoing access.
Retain Stubbing Server
The Retain Stubbing Server is the component that provides stubbing services to the Retain Server. It is rarely used or installed by customers. See the Administration and Users Guide for a listing of its advantages and disadvantages.
48080 (TCP)
Requires outgoing access if on a server external to the Retain Server.
80 / 443 (TCP)
Requires incoming access to reach the Stubbing Server web interface.
Retain for Social Media (RSM) Proxy Server
This is a VM appliance running as a proxy server for social media traffic going out to and coming in from the Internet. It logs this traffic so that Retain can archive that data.
- From RSM WAN IP to Untrusted, all TCP/UDP ports.
- If the RSM WAN IP is a private IP, it needs to be NATed to an appropriate routable IP address. The LAN IP address does not need a corresponding inbound NAT rule.
DATABASE MANAGEMENT SYSTEMS
The following are the default ports these database management systems use, but they are configurable within those systems. Requires incoming access for the database server and outgoing access on the Retain Server.
- MySQL: 3306
- MS SQL: 1433
- Oracle: 1521
- Postgres: 5432
*Note: Exalead will no longer be supported with Retain 4.0. This article will be updated upon 4.0 release with the ports needed for the High Performance Indexer that will be replacing it for the external indexing.
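As an added example (not part of the original article or of the Retain product), the following Python derives the per-host inbound/outbound rule set that the conditions above imply for a given placement of the Retain Server, Worker, Reporting & Monitoring server and database, so the "same server or different servers" question in this article can be answered per deployment. Component keys, host names and the https_only option are assumptions of the example; module-specific ports (Exchange, GroupWise, NFS, etc.) and the local-only AJP port 48009 are deliberately left out.

```python
"""Derive per-host firewall rules for a Retain deployment from this article's table
(Retain Server 48080, web interfaces 80/443, SMTP 25, DBMS default ports).
Component keys and host names are caller-supplied; the sample deployment is constructed."""
from collections import namedtuple

Rule = namedtuple("Rule", "host direction port proto reason")

DBMS_PORTS = {"mysql": 3306, "mssql": 1433, "oracle": 1521, "postgres": 5432}
WEB_UI = ("server", "worker", "rm", "stubbing")  # components that expose a web interface


def derive_rules(placement, dbms, https_only=True):
    """placement maps component -> host, e.g. {"server": "ret1", "worker": "wrk1",
    "db": "db1"}; optional keys "rm" (Reporting & Monitoring) and "stubbing".
    Returns the set of firewall rules the article's conditions imply."""
    server = placement["server"]
    rules = set()
    web_ports = (443,) if https_only else (80, 443)
    for comp, host in placement.items():
        if comp in WEB_UI:  # admin web interface needs inbound access on its host
            for p in web_ports:
                rules.add(Rule(host, "in", p, "tcp", f"{comp} web interface"))
        # any Retain process on another host reaches the Server on 48080
        if comp in ("worker", "rm", "stubbing") and host != server:
            rules.add(Rule(host, "out", 48080, "tcp", f"{comp} -> Retain Server"))
            rules.add(Rule(server, "in", 48080, "tcp", f"{comp} on {host}"))
    # the Server sends notification mail; an external R&M server does too,
    # and the Server additionally needs outgoing 48080 towards it
    rules.add(Rule(server, "out", 25, "tcp", "error/job notifications"))
    rm = placement.get("rm")
    if rm and rm != server:
        rules.add(Rule(rm, "out", 25, "tcp", "R&M notifications"))
        rules.add(Rule(server, "out", 48080, "tcp", "Retain Server -> R&M"))
        rules.add(Rule(rm, "in", 48080, "tcp", "from Retain Server"))
    # DBMS: inbound on the database host, outbound on the Retain Server
    port = DBMS_PORTS[dbms]
    rules.add(Rule(placement["db"], "in", port, "tcp", f"{dbms} from Retain Server"))
    rules.add(Rule(server, "out", port, "tcp", f"{dbms} on {placement['db']}"))
    return rules


def rules_for_host(rules, host):
    """Sorted (direction, port) pairs that a given host's firewall must allow."""
    return sorted({(r.direction, r.port) for r in rules if r.host == host})


if __name__ == "__main__":
    # constructed sample: Server, Worker and R&M on separate hosts, MySQL on its own box
    sample = {"server": "retain-srv", "worker": "retain-wrk", "rm": "retain-rm", "db": "db01"}
    for h in sorted(set(sample.values())):
        print(h, rules_for_host(derive_rules(sample, "mysql"), h))
```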