The following table describes expected KACE Systems Management Appliance (SMA) traffic (inbound, outbound, bidirectional) at the NIC. This is meant to describe internal network behavior. Any outbound ports that require access out to the internet are labeled as 'NAT' in the Direction column. Some unique configurations, such as allowing SMTP inbound directly to the SMA will require slight deviation and custom configuration outside the confines of this list. When in doubt, contact KACE Support for clarification.
Quest’s patching and updating process for KACE® System Management Appliances (SMA) includes several security features. For example, Quest’s transmissions of patch and update metadata for SMA are encrypted. Checksums are used to validate the integrity of SMA patch payloads. And, the directory where SMA patch payloads reside is permission-controlled to prevent user tampering.
As with any web-server based application, security best practices include limiting access to the KACE Systems Management Appliance (SMA) from the Internet. Careful consideration and review of the environment are necessary to ensure security.
It is strongly recommended to consider firewalls, encryption, port access, roles, antivirus, SSL, access control list, disaster recovery, and review Best Practices for Securing your SMA prior to configuring the SMA on the Internet. At a minimum, if the SMA is configured as internet/public facing, only port 443 (HTTPS) traffic should be allowed inbound through a firewall to the SMA for UI access and agent communication traffic.
Port | Purpose | Configuration Location | Optional / Required | Direction | Protocol |
---|---|---|---|---|---|
20/21 | FTP to Backup Share | Security Settings | Optional | Inbound | FTP |
22 | SSH for KACE Support Tether | Security Settings | Optional | Outbound/NAT | SSH |
25 | SMTP | Queue Configuration / Network Settings | Optional | Bidirectional | TCP |
80 | User/Admin/System UI (non-SSL); Agent/Replication Share Downloads (non-SSL) | Security Settings | Required for UI/Agent traffic if SSL not enabled; Strongly recommend using SSL instead; Still required outbound/NAT for SMA itself |
Inbound (non-SSL); Outbound/NAT (SMA requires HTTP for patch feed sync) | HTTP |
161 | SNMP Monitoring of SMA | Security Settings | Optional | Inbound | UDP |
199 | SNMP Read Access (SMUX) | Security Settings | Optional | Inbound | TCP |
443 | SSL User/Admin/System UI; Agent/Replication Share Downloads | Security Settings | Required if SSL is enabled |
Inbound (Agent/Replication Share Traffic); Outbound/NAT (several services, including patching, rely on the ability to download to the SMA from the internet via HTTPS) | HTTPS |
587 | SMTPS Outbound Mail Relay | Queue Configuration / Network Settings | Required for email sending via SMTPS |
Outbound; NAT (if using a cloud service) | TCP |
110/995 | POP3/SPOP Inbound Mail | Queue Configuration / Network Settings | Required for email retrieval via POP/SPOP |
Outbound; NAT (if using a cloud service) | TCP |
139/445 | Access to Samba Shares/SMB (Replication Shares, Agent Provisioning (non-WinRM method)) | Security Settings | Both Ports Required for Provisioning (non-WinRM) | Bidirectional | SMB |
389/636 | LDAP/LDAPS | LDAP Filters / LDAP Authentication | Optional |
Outbound; NAT (if using a cloud service) | LDAP |
3306 | Remote Read-Only Database Access (ODBC) | Security Settings | Optional | Inbound | TCP |
5985 | WinRM (HTTP/HTTPS) used for Agent Provisioning | Agent Provisioning | Optional | Outbound | HTTP/HTTPS |
52231 | Upgrade Status Page (temporary web server during upgrade) | Not Configurable | Optional | Inbound | HTTP/HTTPS |
Below are the URLs used to update SMA software updates, OVAL, SCAP, Dell warranty, and Dell updates. Please whitelist these in your firewall for ports 80 and 443 (HTTP/HTTPS):
Purpose | URL |
---|---|
Basic Functionality / UI Links |
service.kace.com servicecdn.kace.com www.kace.com quest.com |
KACE Tether | tether.kace.com |
KACE GO App Notifications | notify.kace.com |
Dell Updates Feed / Packages |
ftp.dell.com downloads.dell.com |
Dell Warranty |
*.dell.com *.us.dell.com |
Lenovo Warranty | SupportAPI.lenovo.com |
KACE Support chat | livehelpnow.net |
Office365 OAuth |
* Microsoft 365 GCC environment - * Microsoft 365 GCC High environment - |
Time sync | time.kace.com (if used as ntp server) Paris Observatory IERS Centers |
Remote Control |
*.splashtop.com Also see: Splashtop Cloud Secuity |
Below are the URLs used to update patch listings. Please whitelist these in your firewall for ports 80 and 443 (HTTP/HTTPS):
Publisher | URL(s) |
---|---|
KACE Patch Catalog | cdn01.catalog.kace.com |
KacePatch Binaries |
These binaries are distributed in a zip file from cdn01.catalog.kace.com. See Error: KacePatch version check failed (326055) for more information. The files inside the current Windows zip file are as follows: DismApi.dll dismcore.dll dismcoreps.dll dismprov.dll folderprovider.dll KacePatch.exe KUserAlert.exe KUserAlertLang_de-DE.dll KUserAlertLang_es-ES.dll KUserAlertLang_es-LA.dll KUserAlertLang_fr-FR.dll KUserAlertLang_it-IT.dll KUserAlertLang_ja-jp.dll KUserAlertLang_pt-BR.dll KUserAlertLang_zh-CN.dll KUserAlertLang_zh-TW.dll The files inside the current Mac zip file are as follows: KacePatch KUserAlert.app (this is a directory with many files inside) munki\install_munki_kace.sh munki\munkitools.pkg munki\uninstall_munki_kace.sh start-asus-ws.sh stop-asus-ws.sh |
Adobe Systems, Inc. |
ardownload.adobe.com armdl.adobe.com |
Altova, Inc. | cdn.sw.altova.com |
Atlassian Software Systems Ltd | s3.amazonaws.com |
Autodesk, Inc. |
download.autodesk.com knowledge.autodesk.com up.autodesk.com |
Canneverbe Limited | download.cdburnerxp.se |
Don HO | download.notepad-plus-plus.org |
EverNote Corporation | cdn1.evernote.com |
Foxit Software | cdn01.foxitsoftware.com |
GlavSoft LLC. | www.tightvnc.com |
inkscape.org | media.inkscape.org |
LIGHTNING UK! | download.imgburn.com |
Microsoft Corporation |
b1.download.windowsupdate.com dl.delivery.mp.microsoft.com download.microsoft.com download.windowsupdate.com endpoint920510.azureedge.net officecdn.microsoft.com officecdn-microsoft-com.akamaized.net |
Mozilla | ftp.mozilla.org |
Mysql | cdn.mysql.com |
Opera Software ASA | ftp.opera.com |
Piriform Ltd | download.ccleaner.com |
Python Software Foundation | www.python.org |
RealVNC Ltd. | www.realvnc.com |
Simon Tatham | the.earth.li |
The GIMP developer community | download.gimp.org |
VideoLAN Team | download.videolan.org |
VMWare, Inc. | download3.vmware.com |
win.rar GmbH | www.rarlab.com |
Wireshark Foundation |
ftp.uni-kl.de www.wireshark.org |
In some cases, load balancers, content filterers, or other network devices may block certain behaviors, make sure that extensions such as .exe, .msi are allowed, no download size restrictions, and other settings that may intervene and were covered on this article.
© ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center