-
Title
SMA External Listening Port and Zones Explained -
Description
An external agent listening port has been added in SMA 11.0 to more securely allow customers to expose only agent traffic publicly. This feature is always on and not configurable. It allows customers to perform re-routing of agent traffic from port 443 on a public interface to port 52230 on the SMA. This article describes the feature in more detail and explains caveats.
For more details about properly securing an SMA deployment, see Best Practices for Securing your SMA.
-
Resolution
Key notes about the external agent port:
- Port 52230 is used as the external agent listening port on the SMA. It is always on and not configurable. If desired, this port can be blocked at the network level to avoid exposure. NOTE: The external agent listening port is expected to be made configurable in a future release.
- The SMA agent can only communicate via port 443. This means the network configuration required to properly forward traffic is transparent to the agents. This feature relies on third-party firewall configuration only.
- Since utilizing the external agent listening port requires redirecting port 443 traffic, this means the external listening port cannot be used alongside public UI access (port 80 should never be exposed publicly). If public UI access is required, this feature should not be used.
When the external listening port is utilized, agents are distinguishable in the user interface as External or Internal. This field can be used for searching and smart labels, and it can be displayed by adding the Zone column on the device inventory list page in the Administrative User Interface.
The following diagram illustrates agent traffic movement using the external listening port with a properly configured firewall:
