The following ports need to have TCP opened on the FW (UDP not necessary): 

  • 122 (outbound) for technical support tunnel
    The tunnel uses SSH on port 122 to, which currently resolves to
    Firewalls must be configured to allow outbound TCP port 122, at least from the appliance's IP address.
    No other special firewall rules, including rules to allow inbound traffic, are required.
  • 22 for ssh access 
  • 9102, 9103 for basic appliance communication (between agent and appliance) 
  • 9202 for Exchange 2007-2010 configuration (or if special configurations require an end machine to have two agents running on it) 
  • 443 for the Support Tab, and license and billing check ins
  • 80 and 443 for WebGUI Interface
  • 443 and 902 for VMware Backups
  • 2300 replication. 

Note:  Make sure you have a default gateway set up under System > Settings > Devices to ensure your appliance has connection outside of your network for the support tunnel/support tab updates.  (A good test is to try to ping to verify you have internet connectivity.  This is a DNS server on the internet and if it is unreachable, there is likely something on your routes on your network that needs to be adjusted.)  If there is no default gateway and you have to add one, a reboot will be required to allow the appliance to communicate over this gateway.  

This should not be needed for internal communication between the appliance and agents.