Default port numbers

By default, each component of the SafeLinx Server is configured to listen on certain ports. For each component, you can modify the port that the SafeLinx Server listens on.

The access manager component, which is installed on the same computer as the SafeLinx Server, communicates with the SafeLinx Administrator application to manage configuration changes. By default, the access manager listens on the following ports:

9555
Communication between SafeLinx Administrator and access manager.
9559
Communication between SafeLinx Administrator and access manager that uses TLS.

On Linux hosts, the access manager port number assignments are defined in the /etc/services file. If you want to modify the default access manager port assignments, edit the file to specify the new ports.

On Linux hosts, you must then refresh the configuration. To refresh the configuration on a Linux host, use one of the following methods:
Linux
Type systemctl restart wgmgrd.socket.
To support access to various resources, the SafeLinx Server listens on a number of other default ports. To change the default ports for the SafeLinx Server, HTTP access services, mobile access services, or messaging services, use the SafeLinx Administrator to edit the properties for those resources. The following table lists the default ports and protocols for a range of Connection Manager resources:
Table 1. Ports on which the SafeLinx Server listens

Ports on which the SafeLinx Server listens

Port number and protocol Component that uses the port Direction Comment
80 - TCP
  • HTTP access services
  • SafeLinx Clients (client-less model)
  • Mobile access services
Internet side of SafeLinx Server from HTTP clients and SafeLinx Clients. Intranet side to HTTP application servers Depends on location of HTTP proxy, web, or application server
443 - TCP
  • HTTP access services
  • SafeLinx Clients (client-less model)
  • Mobile access services
Internet side of SafeLinx Server from HTTP clients and SafeLinx Clients. Intranet side to HTTP application servers Depends on location of HTTP proxy, web, or application server
1645 or 1812 - UDP RADIUS authentication messages Bidirectional - intranet side of SafeLinx Server Used with the device resolver or with third-party RADIUS authentication servers
1646 or 1813 - UDP RADIUS accounting messages Bidirectional - Internet side of SafeLinx Server Used with the device resolver or with third-party RADIUS authentication servers
9557 - TCP SafeLinx Server No firewall implication Used between the SafeLinx Server and the wg_monitor utility.
14356 - TCP SafeLinx Server Depends on location of subordinate nodes. If the nodes are inside the DMZ, there is no firewall implication, otherwise it is the intranet side of SafeLinx Server Subordinate node in a VPN cluster listens to receive incoming requests from a principal node - inactive by default
8888 - TCP and UDP Mobile access services Bidirectional Used between SafeLinx Client and SafeLinx Server to change client password.
Note: This port is only accessed through the VPN tunnel and does not need to be externalized by firewalls.
8889 - TCP and UDP Mobile access services Bidirectional - Internet and intranet side of SafeLinx Server, unless set to bind to an IP address on one side or the other IP-based receive
9551 - TCP SafeLinx Server Bidirectional The SafeLinx Server listens for dynamic configuration requests by using the TCP protocol.
9553 - TCP SafeLinx Server Bidirectional The SafeLinx Server listens for dynamic configuration requests by using the TCP protocol.
9610 - TCP Mobile access services Bidirectional Listener for third-party RADIUS authentication requests from SafeLinx Clients
13131 - TCP Messaging services Bidirectional - intranet side of SafeLinx Server Send/receive port for messaging services API traffic
13132 - TCP Messaging services Bidirectional - intranet side of SafeLinx Server Secure send/receive port for messaging services API traffic