Configuring the firewall
SES Evolution 2.7.1 now uses the standard HTTPS port (443) between agents and agent handlers to facilitate deployment. You must prepare your new firewall configuration before installing SES Evolution 2.7.1.
Warning
You must maintain both the old and the new firewall configuration throughout the backoffice migration phase.
Only permanently delete the old firewall configuration once the migration is complete on all backoffice components: agent managers, backends, and administration consoles.
Updating the firewall configuration
SES Evolution version 2.7.1 brings the following changes to the communication ports:
- Port 443 is now used for agent communication with agent handlers,
- Port 8443 is now used by backends to communicate with administration consoles and agent handlers.
You should thus change your firewall rules using the table below. It details the ports used by components and the differences between SES Evolution versions 2.6 and 2.7.1. New features are shown in bold.
If you only have Windows Defender Firewall, some port changes are applied automatically by SES Evolution. For further information, see the Case of Windows Defender Firewall section.
| Component | Direction | Port 2.6 | Port 2.7 if backend and agent handler are installed on the same machine | Port 2.7 if backend and agent handler are installed on different machines | Purpose |
|---|---|---|---|---|---|
| Backend | incoming | TCP 443 | TCP 8443 | TCP 443 | Communication with the administration console and the agent handler. |
| Backend | incoming | TCP 10443 | TCP 10443 | TCP 10443 | Public API. |
| Backend | outgoing | TCP 443 | TCP 443 | TCP 443 | Access to the Stormshield public policy update server. |
| Backend | outgoing | TCP 1433 (SQL), TCP 1434 (SQL), UDP 1434 (SQL) | TCP 1433 (SQL), TCP 1434 (SQL), UDP 1434 (SQL) | TCP 1433 (SQL), TCP 1434 (SQL), UDP 1434 (SQL) | Communication with the SQL Server database. These are the default ports, they can be modified when creating the instance. |
| Administration console | outgoing | TCP 443 | TCP 8443 | TCP 443 | Communication with the backend. |
| Agent handler | outgoing | TCP 443 | TCP 8443 | TCP 443 | Communication with the backend. |
| Agent handler | outgoing | TCP 1468, UDP 514, TCP 5614 | TCP 1468, UDP 514, TCP 5614 | TCP 1468, UDP 514, TCP 5614 | Communication with the Syslog server. The ports used depend on the configuration of the agent handler groups in the administration console. |
| Agent handler | incoming | TCP 17000 | TCP 17000 | TCP 17000 | Communication with agents whose version is lower than 2.7.1 over MSRPC. |
| Agent handler | incoming | N/A | TCP 443 | TCP 443 | Communication with agents whose version is 2.7.1 or higher over HTTPS. |
| Agent lower than 2.7.1 | outgoing | TCP 17000 | TCP 17000 | TCP 17000 | Communication with agent handlers. |
| Agent greater than or equal to 2.7.1 | outgoing | N/A | TCP 443 | TCP 443 | Communication with agent handlers. |
Case of Windows Defender Firewall
When installing backoffice components, SES Evolution automatically creates Windows Defender Firewall rules, regardless of whether it is enabled or not.
The rules created for version 2.7.1 are as follows:
If backend and agent handler are installed on different machines
Incoming rules
- On the machine hosting the agent handler:
  - Stormshield Endpoint Security Evolution Agent Handler (TCP-In) on port 17000 for communication with agents with a version lower than 2.7.1 via EsServer over MSRPC.
  - Stormshield Endpoint Security Evolution Agent Handler (TCP-In) on port 443 for communication with agents with version 2.7.1 or higher via EsServer over HTTPS.
- On the machine hosting the backend:
  - Stormshield Endpoint Security Evolution Backend (TCP-In) on port 443 for communication with consoles, and agent handlers as system users.
  - Stormshield Endpoint Security Evolution Public API (TCP-In) on port 10443 for communication with SIEM/SOAR as system user.

Outgoing rules
Installing SES Evolution does not create any outgoing Windows Defender Firewall rules.
If you filter outgoing connections, you must change your rules manually so that admin consoles and agent handlers can connect to backends on TCP port 8443.
If backend and agent handler are installed on the same machine
Incoming rules
- On the machine hosting the agent handler:
  - Stormshield Endpoint Security Evolution Agent Handler (TCP-In) on port 17000 for communication with agents with a version lower than 2.7.1 via EsServer over MSRPC.
  - Stormshield Endpoint Security Evolution Agent Handler (TCP-In) on port 443 for communication with agents with version 2.7.1 or higher via EsServer over HTTPS.
- On the machine hosting the backend:
  - Stormshield Endpoint Security Evolution Backend (TCP-In) on port 8443 for communication with consoles, and agent handlers as system users.
  - Stormshield Endpoint Security Evolution Public API (TCP-In) on port 10443 for communication with SIEM/SOAR as system user.
Outgoing rules
Installing SES Evolution does not create any outgoing Windows Defender Firewall rules.
If you filter outgoing connections, you must change your rules manually so that admin consoles and agent handlers can connect to backends on TCP port 8443.
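The manual outgoing-rule change described above can be scripted with the built-in NetSecurity cmdlets. The following is an added example, not Stormshield code: the backend address and the outbound rule names are placeholders, and port 443 is kept next to 8443 because the old configuration must stay in place during the migration.

```powershell
# Added example (not from the SES Evolution documentation).
# Run elevated on an administration console or agent handler host
# whose Windows Defender Firewall filters outgoing connections.

# Placeholder: replace with the address of your backend.
$Backend = '192.0.2.10'   # constructed documentation address (RFC 5737)

# 443  = backend port used by version 2.6, kept until the migration is complete.
# 8443 = backend port named above for version 2.7.1.
$Ports = 443, 8443

foreach ($port in $Ports) {
    # Hypothetical rule name; the installer creates no outgoing rules itself.
    $name = "SES Evolution backend (TCP-Out $port)"

    # Create the rule only if it is missing, so the script can be re-run safely.
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Allow `
            -Protocol TCP -RemoteAddress $Backend -RemotePort $port | Out-Null
    }
}

# Check that the backend answers on each port from this host.
foreach ($port in $Ports) {
    $result = Test-NetConnection -ComputerName $Backend -Port $port `
        -WarningAction SilentlyContinue
    '{0}:{1} reachable={2}' -f $Backend, $port, $result.TcpTestSucceeded
}

# On a backoffice machine: list the incoming rules created by the installer
# with their local ports, to compare against the lists above.
Get-NetFirewallRule -DisplayName 'Stormshield Endpoint Security*' -Direction Inbound `
    -ErrorAction SilentlyContinue |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Enabled   = $_.Enabled
            Protocol  = $filter.Protocol
            LocalPort = $filter.LocalPort
        }
    }
```

A port reported as `reachable=False` points to a rule still missing on this host, on the backend, or on a network firewall in between.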