-
Title
Which network ports and URLs are required for the KACE SMA appliance to function? -
Description
The following table describes expected KACE Systems Management Appliance (SMA) traffic (inbound, outbound, bidirectional) at the NIC. This is meant to describe internal network behavior. Any outbound ports that require access out to the internet are labeled as 'NAT' in the Direction column. Some unique configurations, such as allowing SMTP inbound directly to the SMA will require slight deviation and custom configuration outside the confines of this list. When in doubt, contact KACE Support for clarification.
-
Resolution
Quest’s patching and updating process for KACE® System Management Appliances (SMA) includes several security features. For example, Quest’s transmissions of patch and update metadata for SMA are encrypted. Checksums are used to validate the integrity of SMA patch payloads. And, the directory where SMA patch payloads reside is permission-controlled to prevent user tampering.
As with any web-server based application, security best practices include limiting access to the KACE Systems Management Appliance (SMA) from the Internet. Careful consideration and review of the environment are necessary to ensure security.
It is strongly recommended to consider firewalls, encryption, port access, roles, antivirus, SSL, access control list, disaster recovery, and review Best Practices for Securing your SMA prior to configuring the SMA on the Internet. At a minimum, if the SMA is configured as internet/public facing, only port 443 (HTTPS) traffic should be allowed inbound through a firewall to the SMA for UI access and agent communication traffic.
Port Purpose Configuration Location Optional / Required Direction Protocol 20/21 FTP to Backup Share Security Settings Optional Inbound FTP 22 SSH for KACE Support Tether Security Settings Optional Outbound/NAT SSH 25 SMTP Queue Configuration / Network Settings Optional Bidirectional TCP 80 User/Admin/System UI (non-SSL); Agent/Replication Share Downloads (non-SSL) Security Settings Required for UI/Agent traffic if SSL not enabled; Strongly recommend using SSL instead; Still required outbound/NAT for SMA itself Inbound (non-SSL);
Outbound/NAT (SMA requires HTTP for patch feed sync)
HTTP 161 SNMP Monitoring of SMA Security Settings Optional Inbound UDP 199 SNMP Read Access (SMUX) Security Settings Optional Inbound TCP 443 SSL User/Admin/System UI; Agent/Replication Share Downloads Security Settings Required if SSL is enabled Inbound (Agent/Replication Share Traffic);
Outbound/NAT (several services, including patching, rely on the ability to download to the SMA from the internet via HTTPS)
HTTPS 587 SMTPS Outbound Mail Relay Queue Configuration / Network Settings Required for email sending via SMTPS Outbound;
NAT (if using a cloud service)
TCP 110/995 POP3/SPOP Inbound Mail Queue Configuration / Network Settings Required for email retrieval via POP/SPOP Outbound;
NAT (if using a cloud service)
TCP 139/445 Access to Samba Shares/SMB (Replication Shares, Agent Provisioning (non-WinRM method)) Security Settings Both Ports Required for Provisioning (non-WinRM) Bidirectional SMB 389/636 LDAP/LDAPS LDAP Filters / LDAP Authentication Optional Outbound;
NAT (if using a cloud service)
LDAP 3306 Remote Read-Only Database Access (ODBC) Security Settings Optional Inbound TCP 5985 WinRM (HTTP/HTTPS) used for Agent Provisioning Agent Provisioning Optional Outbound HTTP/HTTPS 52231 Upgrade Status Page (temporary web server during upgrade) Not Configurable Optional Inbound HTTP/HTTPS URLs Required for Proper SMA Functionality
Below are the URLs used to update SMA software updates, OVAL, SCAP, Dell warranty, and Dell updates. Please whitelist these in your firewall for ports 80 and 443 (HTTP/HTTPS):
Purpose URL Basic Functionality / UI Links service.kace.com
servicecdn.kace.com
www.kace.com
quest.com
KACE Tether tether.kace.com KACE GO App Notifications notify.kace.com Dell Updates Feed / Packages ftp.dell.com
downloads.dell.com
Dell Warranty *.dell.com
*.us.dell.com
Lenovo Warranty SupportAPI.lenovo.com KACE Support chat livehelpnow.net Office365 OAuth * Microsoft 365 GCC environment -
graph.microsoft.com* Microsoft 365 GCC High environment -
graph.microsoft.usTime sync time.kace.com (if used as ntp server)
https://hpiers.obspm.fr/
Remote Control *.splashtop.com
Also see: https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services
URLs Required for Patching Functionality
Below are the URLs used to update patch listings. Please whitelist these in your firewall for ports 80 and 443 (HTTP/HTTPS):
Publisher URL(s) KACE Patch Catalog cdn01.catalog.kace.com KacePatch Binaries These binaries are distributed in a zip file from cdn01.catalog.kace.com.
See Error: KacePatch version check failed (326055) for more information.
The files inside the current Windows zip file are as follows:
DismApi.dll
dismcore.dll
dismcoreps.dll
dismprov.dll
folderprovider.dll
KacePatch.exe
KUserAlert.exe
KUserAlertLang_de-DE.dll
KUserAlertLang_es-ES.dll
KUserAlertLang_es-LA.dll
KUserAlertLang_fr-FR.dll
KUserAlertLang_it-IT.dll
KUserAlertLang_ja-jp.dll
KUserAlertLang_pt-BR.dll
KUserAlertLang_zh-CN.dll
KUserAlertLang_zh-TW.dll
The files inside the current Mac zip file are as follows:
KacePatch
KUserAlert.app (this is a directory with many files inside)
munki\install_munki_kace.sh
munki\munkitools.pkg
munki\uninstall_munki_kace.sh
start-asus-ws.sh
stop-asus-ws.sh
Adobe Systems, Inc. ardownload.adobe.com
armdl.adobe.com
Altova, Inc. cdn.sw.altova.com Atlassian Software Systems Ltd s3.amazonaws.com Autodesk, Inc. download.autodesk.com
knowledge.autodesk.com
up.autodesk.com
Canneverbe Limited download.cdburnerxp.se Don HO download.notepad-plus-plus.org EverNote Corporation cdn1.evernote.com Foxit Software cdn01.foxitsoftware.com GlavSoft LLC. www.tightvnc.com inkscape.org media.inkscape.org LIGHTNING UK! download.imgburn.com Microsoft Corporation b1.download.windowsupdate.com
dl.delivery.mp.microsoft.com
download.microsoft.com
download.windowsupdate.com
endpoint920510.azureedge.net
officecdn.microsoft.com
officecdn-microsoft-com.akamaized.net
Mozilla ftp.mozilla.org Mysql cdn.mysql.com Opera Software ASA ftp.opera.com Piriform Ltd download.ccleaner.com Python Software Foundation www.python.org RealVNC Ltd. www.realvnc.com Simon Tatham the.earth.li The GIMP developer community download.gimp.org VideoLAN Team download.videolan.org VMWare, Inc. download3.vmware.com win.rar GmbH www.rarlab.com Wireshark Foundation ftp.uni-kl.de
www.wireshark.org
In some cases, load balancers, content filterers, or other network devices may block certain behaviors, make sure that extensions such as .exe, .msi are allowed, no download size restrictions, and other settings that may intervene and were covered on this article.