Configuring Ports
To ensure the functionality of the Sophos™ Email Appliance, configure your network to allow access on the ports listed below.
Some ports are required only for specific situations, such as when you enable directory services, or when the appliance is part of a cluster.
External Connections
These services are typically used for connections between your Email Appliance(s) and locations outside of your organization’s network.
Port | Function | Service | Protocol | Connection |
---|---|---|---|---|
22 | Remote assistance | SSH | TCP | [Required] Outbound from appliance to esa-ssh.sophos.com |
25 | Mail transfer | SMTP | TCP | [Required] Inbound/outbound between appliance and intranet/internet |
443 | Software downloads | HTTP | TCP | [Required] Outbound from appliance to internet |
123 | Network time synchronization | NTP | UDP | [Required] Outbound from appliance to NTP server (e.g. pool.ntp.org) |
443 | Registration | HTTPS | TCP | [Required] Outbound from appliance to esa-reg.sophos.com |
444 | Feedback | HTTP | TCP | Outbound from appliance to sophos.com |
10443/443 | SPX Secure Email Portal | HTTPS | TCP | Inbound from internet to appliance (selectable) |
32224 | Time-of-Click (ToC) Protection | HTTP | TCP | Inbound from internet to appliance |
443 | Sandstorm | HTTPS | TCP | Outbound from appliance to sandbox.sophos.com |
Internal Connections
These services are typically used for connections between your Email Appliance(s) and hosts within your organization’s network, or between the appliances themselves if you have multiple appliances.
Port | Function | Service | Protocol | Connection |
---|---|---|---|---|
20, 21 | FTP backup | FTP | TCP | Outbound from appliance to FTP server |
24 | Clustering | SSH | TCP/UDP | Inbound/outbound between clustered appliances |
25 | Mail transfer | SMTP | TCP | [Required] Inbound/outbound between appliance and intranet |
53 | DNS services | DNS | UDP | Outbound from appliance to DNS server |
161 | SNMP monitoring | SNMP | TCP/UDP | Inbound from SNMP monitoring server(s) to appliance |
162 | SNMP traps | SNMP | TCP/UDP | Outbound from appliance to SNMP monitoring server(s) |
389, 3268, (636, 3269) | Directory services synchronization | LDAP(S) | TCP | Outbound from appliance to directory server |
443/10443 (redirect from 80) | Secure PDF Exchange | HTTPS | TCP | Inbound from intranet to appliance (selectable) |
5432 | Database functions | Encrypted SQL | TCP/UDP | Inbound/outbound between clustered appliances |
18080 | Administration user interface and clustered UI functions | HTTPS | TCP | [Required] Inbound/outbound between appliance and intranet |
8888 | Delay Queue | DB Sync | TCP | Inbound/outbound Delay Queue database sync between clustered appliances |
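The following is an added example, not Sophos code: it parses the External Connections rows above and audits a perimeter allow-list against them, reporting required flows that are blocked and open ports that the external table does not list. The `(direction, protocol, port)` rule form and `SAMPLE_RULES` are constructed for illustration, and the check compares ports only, not destination hosts.

```python
import re

# Rows copied from the "External Connections" table on this page.
EXTERNAL = """\
22 | Remote assistance | SSH | TCP | [Required] Outbound from appliance to esa-ssh.sophos.com |
25 | Mail transfer | SMTP | TCP | [Required] Inbound/outbound between appliance and intranet/internet |
443 | Software downloads | HTTP | TCP | [Required] Outbound from appliance to internet |
123 | Network time synchronization | NTP | UDP | [Required] Outbound from appliance to NTP server (e.g. pool.ntp.org) |
443 | Registration | HTTPS | TCP | [Required] Outbound from appliance to esa-reg.sophos.com |
444 | Feedback | HTTP | TCP | Outbound from appliance to sophos.com |
10443/443 | SPX Secure Email Portal | HTTPS | TCP | Inbound from internet to appliance (selectable) |
32224 | Time-of-Click (ToC) Protection | HTTP | TCP | Inbound from internet to appliance |
443 | Sandstorm | HTTPS | TCP | Outbound from appliance to sandbox.sophos.com |
"""

def parse_flows(table):
    """Map (direction, protocol, port) -> True if any row marks it [Required]."""
    flows = {}
    for line in table.strip().splitlines():
        ports, _function, _service, protos, conn = [c.strip() for c in line.split("|")[:5]]
        required = conn.startswith("[Required]")
        dirs = re.search(r"inbound/outbound|inbound|outbound", conn, re.I).group(0).lower().split("/")
        for port in re.findall(r"\d+", ports):
            for proto in protos.lower().split("/"):
                for direction in dirs:
                    key = (direction, proto, int(port))
                    flows[key] = flows.get(key, False) or required
    return flows

def audit(allowed, flows):
    """Return (required flows not allowed, allowed flows the table does not list)."""
    missing = sorted(k for k, req in flows.items() if req and k not in allowed)
    unexpected = sorted(set(allowed) - flows.keys())
    return missing, unexpected

# Constructed perimeter allow-list in a hypothetical (direction, protocol, port) form.
SAMPLE_RULES = {
    ("outbound", "tcp", 22), ("outbound", "tcp", 25), ("inbound", "tcp", 25),
    ("outbound", "tcp", 443),
    ("inbound", "tcp", 18080),   # admin UI: listed under Internal Connections only
}

if __name__ == "__main__":
    missing, unexpected = audit(SAMPLE_RULES, parse_flows(EXTERNAL))
    print("required but blocked:", missing)
    print("open but not in external table:", unexpected)
```

With the sample rules, the audit flags outbound NTP (UDP 123) as a required flow that is blocked and inbound TCP 18080 as exposed at the perimeter even though the page lists it only for intranet use.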