Every time a UTM feature is enabled, a port is opened on one or more addresses or interfaces. Sometimes, the port may be opened for more interfaces than the system administrator would wish. Unfortunately, UTM does not provide a simple way to understand which ports are open on which addresses or interfaces. This document is a compilation of how I believe UTM behaves. I am hoping that Sophos partners or other knowledgeable people will confirm or correct the information presented here, so that a complete and correct master list can be available to everyone.
Some UTM services listen on one or more IP Addresses. Examples are User Portal and Webserver Protection/WAF. Some UTM services listen to traffic as it arrives at one or more interfaces, intercepting traffic for certain destination ports, such as Transparent Web. If a particular service does not have a configuration option in WebAdmin, the administrator should assume that the service will be active everywhere – either all UTM Addresses for an address-dependent service, or all Interfaces for an interface-dependent service.
Many services also have an Allowed Networks list which filters incoming traffic based on source IP. Any packet with a source address outside the Allowed Networks list will be ignored by that service, and traffic which is not processed by other services will be processed by the Firewall Rules. In the absence of source address spoofing, an Allowed Networks list can have the effect of limiting incoming traffic to specific interfaces for purposes of that service. Firewall Rules have an option for spoof protection for packets that hit that layer.
The recommended way to globally block unwanted traffic is to use a DNAT rule to direct traffic to a dead-end destination. This KB article explains how to ensure that port 3400 is only available to known RED device IP Addresses.
Rule #2 in this how-to document is also helpful for configuring DNAT rules.
This is my compendium of UTM services and the ports that they use. Please reply with your feedback. Some of the information comes from the WebAdmin interface, some from the WebAdmin help, some from web searches to identify the industry-standard behavior that UTM implements, and some from conversations with Sophos Support. Perhaps someday, Sophos will provide a GUI tool to display and manipulate which ports are enabled on which entry points, so that the system administrator will not need to guess from a user-developed document like this one. I hope other users find this helpful.
An Interface Group object can be used to group multiple Interface Addresses into one object, and can probably be used anywhere that an Interface Address is requested. An Interface Group, or a Network Group of Interface and Additional Addresses, may be usable wherever a Target Address is requested. Consequently, in the table below I use the term "One Interface Object" to represent an Interface Address or Interface Group. Similarly, I use the term "One Address Object" to represent an Additional Address, Interface Address, Interface Group, or Network Group.
User Portal and SSL VPN documentation indicate that the default is "Any". I have not used this setting, so I am unclear whether this should be configured by leaving the address blank or by configuring the "Any" object into the GUI; most likely, either will work. I expect that "Any" will include both Additional Addresses and Interface Addresses. The documentation notes that using Any may create port conflicts with WAF. To avoid ambiguity, I suggest using an Interface Group or Network Group, instead of blank or Any, to choose a list of interfaces for those services.
Address-dependent services and Standard Mode proxies
Allowed Networks Filter
Cisco VPN Client
All Interface Addresses
Remote Access L2TP over IPSEC
Use Firewall Rules or DNAT
Remote Access PPTP
Remote Access SSL
One Interface Object
Site-To-Site Amazon VPC
One Interface Object (each)
SMTP (Authenticated Outbound)
Use DNAT to prevent specific source addresses from connecting to UTM on this port. Recommend disabling authenticated relay completely, as your mail server should be used for this purpose instead of UTM.
SMTP (Outbound Relay)
Use Trusted Relay list to limit which internal hosts can send through UTM. Use Firewall Rules to control whether internal hosts can bypass UTM to send mail.
SMTP (Inbound Relay)
Use DNAT to block non-MX addresses from receiving traffic
One Address Object
WAF Virtual Server
One TCP port or 80+443
One Address Object (each)
Configured on Site Path Routing object, with Access Control checkbox enabled.
Fake address 184.108.40.206
Wireless Access Point Management
Reserved to SUM
Interface Groups are a way of representing multiple interfaces with one object. In the list below, most services are not configurable to an interface. For the ones that are configurable, I don't think an Interface Group would make sense, but their use may be possible.
Interface-dependent services and Transparent Mode Proxies
Advanced Threat Protection
Source IP skip list
Public IP Destinations only
One Interface (each)
TCP/UDP Configured Port
IDENT Reverse Proxy
Intrusion Protection System
Internal network, less exceptions
I don't think this applies in Transparent Mode. If you enable authenticated relay, it probably behaves like the Standard Mode Proxy if you use a UTM destination address, and uses Firewall Rules if you use any other address. Not tested.
Use the Transparent Mode Skiplist to exclude hosts from using the SMTP Proxy to send mail, then use firewall rules to block them from using port 25 at all. I do not think the Trusted Relay List applies for Transparent Mode, but this needs to be tested.
Yes, less exclude list
Transparent SSO/NTLM Authentication
TCP 80, 443
TCP 1720 + secondary channel
Client & Server networks
Client & Gatekeeper networks
Web Filter Block/Warn Pages
DNS fw.passthru-notify.net or fw.passthrough-notify.net
Sophos Cloud-Dependent Services
All Public IP interface addresses
Correction #1 -- Edited the original post to indicate that Allowed Networks Filter for WAF is implemented using the Site Path Routing object.
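As an added illustration of the two ideas in the post above (how an address object expands into concrete listeners, and how a dead-end DNAT rule plus a service's Allowed Networks list decide whether a packet ever reaches a service), here is a small Python model. It is example code written for this thread, not Sophos code and not anything taken from WebAdmin. Interface names, the RFC 5737 documentation addresses, the "known RED" source range and the black-hole address are all constructed; the evaluation order it assumes (DNAT first, then the service's Allowed Networks, then Firewall Rules with spoof protection) is an assumption read from the post, not a documented UTM pipeline.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed inventory: assumed interface names and RFC 5737 documentation addresses.
INTERFACES = {"eth0_wan": "198.51.100.10", "eth1_lan": "192.168.10.1", "eth2_dmz": "10.20.0.1"}
ADDITIONAL_ADDRESSES = {"wan_alias": "198.51.100.11"}
INTERNAL_NETWORKS = ["192.168.10.0/24", "10.20.0.0/16"]   # used by the spoof check


def expand_address_object(obj):
    """Resolve an address object as the post describes them: "Any" covers every
    interface and additional address; a list behaves like an Interface/Network
    Group; a single name is one Interface Address or Additional Address."""
    if obj == "Any":
        return sorted(set(INTERFACES.values()) | set(ADDITIONAL_ADDRESSES.values()))
    names = list(obj) if isinstance(obj, (list, tuple)) else [obj]
    resolved = set()
    for name in names:
        if name in INTERFACES:
            resolved.add(INTERFACES[name])
        elif name in ADDITIONAL_ADDRESSES:
            resolved.add(ADDITIONAL_ADDRESSES[name])
        else:
            raise KeyError(f"unknown address object {name!r}")
    return sorted(resolved)


@dataclass
class Service:
    name: str
    proto: str
    port: int
    listen: object                                   # address object, see expand_address_object
    allowed_networks: list = field(default_factory=lambda: ["0.0.0.0/0"])


@dataclass
class DnatRule:
    """Dead-end DNAT: traffic to proto/port is redirected to a sink address
    unless the source is in exempt_sources (e.g. the known RED device addresses)."""
    proto: str
    port: int
    exempt_sources: list
    dead_end: str = "192.0.2.254"                    # constructed TEST-NET-2 sink address


def in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def exposure_matrix(services):
    """Build the (address, proto, port) -> service map the post wishes WebAdmin showed.
    Also returns port conflicts: two services bound to the same triple, which is the
    WAF/"Any" clash the documentation warns about."""
    matrix, conflicts = {}, []
    for svc in services:
        for addr in expand_address_object(svc.listen):
            key = (addr, svc.proto, svc.port)
            if key in matrix:
                conflicts.append((key, matrix[key], svc.name))
            else:
                matrix[key] = svc.name
    return matrix, conflicts


def classify(packet, services, dnat_rules):
    """Decide what handles an inbound packet {src, dst, proto, dport, iface}.
    Assumed order: DNAT, then the service's Allowed Networks, then Firewall Rules."""
    src, dst, proto, dport = packet["src"], packet["dst"], packet["proto"], packet["dport"]
    for rule in dnat_rules:
        if rule.proto == proto and rule.port == dport and not in_any(src, rule.exempt_sources):
            return ("dnat-dead-end", rule.dead_end)
    matrix, _ = exposure_matrix(services)
    name = matrix.get((dst, proto, dport))
    if name is not None:
        svc = next(s for s in services if s.name == name)
        if in_any(src, svc.allowed_networks):
            return ("service", name)
        # Source outside Allowed Networks: the service ignores it; it falls to Firewall Rules.
    # Firewall layer: spoof protection drops internal source addresses arriving on the WAN.
    if packet["iface"] == "eth0_wan" and in_any(src, INTERNAL_NETWORKS):
        return ("dropped-spoofed", None)
    return ("firewall-rules", None)


# Constructed configuration modelling the post's RED/port-3400 advice.
SERVICES = [
    Service("RED management", "tcp", 3400, "eth0_wan"),
    Service("User Portal", "tcp", 443, "eth0_wan", ["192.168.10.0/24"]),
    Service("WAF vhost", "tcp", 443, "wan_alias"),
]
DNAT_RULES = [DnatRule("tcp", 3400, exempt_sources=["203.0.113.0/24"])]   # constructed RED IPs

if __name__ == "__main__":
    matrix, conflicts = exposure_matrix(SERVICES)
    for (addr, proto, port), name in sorted(matrix.items()):
        print(f"{addr}:{port}/{proto}  {name}")
    print("conflicts:", conflicts)
    for src in ("203.0.113.7", "198.51.100.99"):
        pkt = {"src": src, "dst": "198.51.100.10", "proto": "tcp", "dport": 3400, "iface": "eth0_wan"}
        print(src, "->", classify(pkt, SERVICES, DNAT_RULES))
```

Running it prints the listener matrix for the constructed configuration and shows that a packet to port 3400 from the exempt RED range reaches the service while one from any other source is sunk by the DNAT rule before the listener sees it. Swapping the two port-443 services to listen on "Any" makes `exposure_matrix` report the conflicts, which is the practical reason the post recommends an explicit Interface Group or Network Group rather than blank or "Any".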
Thanks for this, Doug!
The SSL VPN (S2S & RA share the same settings) can function either on one interface address or it can function on "Any" of them.
The S2S IPsec Connection can also be defined with an Interface Group, but only the active interface should have open ports (my guess).
Like the SSL VPN, the User Portal can be a single address or "Any" interface address.
The SUM GUI can indeed be reached on 4422, but SUM and UTM communicate on 4433.
Masquerading can be one interface address, the primary addresses of an Interface Group or the primary addresses of "Uplink Interfaces."
Intrusion Prevention protects all networks in 'Local Networks'.
Cheers - Bob
I mentioned port 4422 only because of a help page that says it is reserved for something related to UTM. Do we need to add an entry that 4433 is reserved as well? I don't have SUM so I have not read that documentation.
I have revised the original to integrate your helpful comments. Perhaps when this is stable it could be moved to the Wiki.
Yes, from the Help in 'UTM Manager' in WebAdmin: "Note – The communication between the gateway and SUM takes place on port 4433, whereas the Sophos UTM Manager can be accessed through a browser via the HTTPS protocol on port 4444 for the WebAdmin and on port 4422 for the Gateway Manager interface."
7/1/2018 - Edited the original draft to add detail about the SMTP proxy, both Standard and Transparent.