Port Usage

This topic is only applicable to Archer on-premises installations.

Configure your firewall rules and access control lists to expose only the ports and protocols necessary for operation of Archer.

The Job Engine and Configuration Service can run on multiple servers simultaneously. You should account for each server running those services when planning firewall rules. For each item, you can omit the rule if the source and destination components run on the same server.

Archer services and supporting services on the web server use specific ports to communicate with each other and with interfaces and applications external to Archer.

You can modify the ports used for the following:

  • SQL in SQL Server.
  • HTTPS in Microsoft IIS.

The following table lists ports used by Archer. Rows in bold text identify the minimum set of ports that must be open for the application to work. Brackets around items in the Destination column indicate supporting hosts and servers that communicate with Archer.

| Purpose | Source | Destination | Protocol | Port (Default) | Mandatory or Optional | Notes |
|---|---|---|---|---|---|---|
| Client Web Connectivity | Platform Web UI | Web Server (IIS) or Load Balancer | HTTP(S) | 80/TCP, 443/TCP | Mandatory | See Web Server Communication. The destination is a Load Balancer if the Platform is deployed with a web server cluster or farm. It is recommended that you rely only on HTTPS. |
| | Platform Web API | Web Server (IIS) or Load Balancer | HTTP(S) | 80/TCP, 443/TCP | Optional | See Web Server Communication. The destination is a Load Balancer if the Platform is deployed with a web server cluster or farm. It is recommended that you rely only on HTTPS. You can change the default port for use by your application. |
| RSS Feeds | Web Server (IIS) or Load Balancer | [Remote Host] | HTTP(S) | 80/TCP, 443/TCP | Optional | |
| Threat Feeds | Job Engine Service | [Remote Host] | HTTPS | 443/TCP | Optional | See Web Server Communication. Only required if using Threat Management to pull in a threat intelligence feed from Symantec DeepSight, Verisign iDefense, or other supported feeds. |
| SQL Queries | Configuration Service, Job Engine Service, Queuing Service, Web Server (IIS) | [Database Server (SQL Server) running Archer database] | SQL | 1433/TCP | Mandatory | See SQL Server Communication. You can change the default port for use by your application. |
| | LDAP Synchronization Service | [Database Server (SQL Server) running Archer database] | SQL | 1433/TCP | Optional | See SQL Server Communication. Only required if using LDAP synchronization. |
| | Configuration Service, LDAP Synchronization Service, Job Engine Service, Queuing Service, Web Server (IIS) | [Database Server (SQL Server) running Archer database] | SQL | 1434/UDP | Optional | If using a named instance, SQL Browser is also required. |
| Microsoft File Sharing | Job Engine Service, Web Server (IIS) | [File Server for document repository] | SMB/CIFS | 445/TCP | Optional | Only required if the document repository is not contained on a single web server. |
| | Web Server (IIS) | [File Server for company_files] | SMB/CIFS | 445/TCP | Optional | Only required if the appearance files are not all contained in a single web server. |
| | Queuing Service | [File Server for keyword indexes] | SMB/CIFS | 445/TCP | Optional | Only required if the keyword search indexes are not all contained on a single web server. |
| LDAP Queries | LDAP Synchronization Service | [LDAP Server] | LDAP(S) | 389/TCP (LDAP), 636/TCP (LDAPS over SSL), 3268/TCP (LDAP), 3269/TCP (LDAP to GC over SSL) | Optional | Only required if performing LDAP synchronization. You can change the default port for use by your application. Note: If you have more than 1000 users, it is recommended that you use a Global Catalog (GC) connection. |
| Audit Logging | Web Server (IIS) | [Remote Host] | TCP/UDP | Varies | Optional | Only required if Audit Logging is enabled. |
| Email Notifications | Job Engine Service | [SMTP Server] | SMTP(S) | 25/TCP (SMTP), 465 (SMTPS) | Optional | Only required if using email notifications. You can change the default port for use by your application. |
| Mail Monitor | Job Engine Service | [POP3 or IMAP Server] | POP3(S), IMAP(S) | 110/TCP (POP3), 995/TCP (POP3S), 143 (IMAP), 993/TCP (IMAPS) | Optional | Only required if leveraging Mail Monitor functionality. |
| Read Receipts | Job Engine Service | [POP3 or IMAP Server] | POP3, IMAP | 110/TCP (POP3), 143 (IMAP) | Optional | Only required if leveraging Read Receipt functionality. |
| Configuration Data | All clients of the Configuration Service | Configuration Service REST API | | 13200/TCP | Mandatory | Required for communication between clients and the Configuration Service using REST API. |
| | All clients of the Configuration Service | Configuration Service | WCF | 13201/TCP | Mandatory | Required for communication between clients and the Configuration Service using WCF. In a multiple server Archer deployment, the Configuration Data Retrieval ports do not need to be open between servers. Configure each server to have its Web Service communicate with the Configuration Service on the same server. |
| | LDAP Synchronization Service | Configuration Service | WCF | 13201/TCP | Optional | Only required if using LDAP synchronization. |
| | Configuration Service | Web Server (IIS) | WCF | 13202, 13300-13304/TCP | Mandatory | Required to push configuration data updates to the web servers. In a multiple server Archer deployment, configure any Configuration Service to communicate with any Web Servers using the Configuration Data ports. |
| | Configuration Service | Job Engine Service, Queuing Service | WCF | 13305-13350/TCP | Mandatory | Required to push configuration data updates to Archer services. In a multiple server Archer deployment, configure any Configuration Service to communicate with any destination service that runs on other servers, using the Configuration Data ports. |
| | Configuration Service | LDAP Synchronization Service | WCF | 13305-13350/TCP | Optional | Only required if using LDAP synchronization. In a multiple server Archer deployment, configure any Configuration Service to communicate with the LDAP Synchronization Service on any server using the Configuration Data ports. |
| | Configuration Service | Content API | WCF | 13351-13355/TCP | Optional | Only required if using the Content API. In a multiple server Archer deployment, configure any Configuration Service to communicate with the Content API on any server using the Configuration Data ports. |
| SSO Authentication | Web Server (IIS) | [Remote Host] | Varies | Varies | Optional | Only required if using SSO, in which case additional traffic may need to be allowed. The destinations, ports, and protocols would vary based on the SSO provider and your specific implementation. You can change the default port for use by your application. |
| Data Publication | Job Engine Service | [Remote Host] | Varies | Varies | Optional | Only required if using the Data Publication feature, in which data can be extracted and written to a relational database system. The destinations, ports, and protocols vary based on the destination system. You can change the default port for use by your application. |
| Client Web Connectivity | Web Server | Advanced Workflow REST URL or through a Load Balancer | HTTP(S) | Any unused port (defaults: 8000 for HTTP and 8443 for HTTPS) | Mandatory | Only required if using the Advanced Workflow feature. You can change the default port for use by your application. Be sure that the support port number is available for use. The web server communicates with the advanced workflow job troubleshooting page when records are enrolled. The Advanced Workflow service requires a dedicated port on the configured servers to communicate with Archer. |
| Client Web Connectivity | Services Server | Advanced Workflow REST URL or through a Load Balancer | HTTP(S) | Any unused port (defaults: 8000 for HTTP and 8443 for HTTPS) | Mandatory | Only required if using the Advanced Workflow feature. You can change the default port for use by your application. Be sure that the support port number is available for use. The services server communicates when a new record is enrolled in an advanced workflow. The Advanced Workflow service requires a dedicated port on the configured servers to communicate with Archer. |
| Other Data Feeds | Job Engine Service | [Remote Host(s)] | Varies | Varies | Optional | Only required if using Archer to pull data from other systems using transfer protocols, for example, FTP, SMB, and SQL. The destinations, ports, and protocols vary based on your implementation. You can change the default port for use by your application. |
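
The planning rule stated before the table (account for every server that runs a service, and omit a rule when source and destination share a server) can be applied mechanically. The following is an added example, not Archer's own tooling: it expands a subset of the table's mandatory rows into host-to-host allow rules and flags ACL entries the table does not call for. The role labels, host names, and topology are constructed for illustration.

```python
from itertools import product

# Rows taken from the port table above, limited to fixed default ports between
# Archer components and the SQL Server host. Role names are labels made up for
# this example. 13200/13201 are left out: the page says each server should use
# the Configuration Service on the same server, so they stay closed between hosts.
PORT_TABLE = [
    # (source role, destination role, protocol, ports)
    ("web",       "sql",       "tcp", "1433"),
    ("config",    "sql",       "tcp", "1433"),
    ("jobengine", "sql",       "tcp", "1433"),
    ("queuing",   "sql",       "tcp", "1433"),
    ("config",    "web",       "tcp", "13202,13300-13304"),
    ("config",    "jobengine", "tcp", "13305-13350"),
    ("config",    "queuing",   "tcp", "13305-13350"),
]

# Constructed sample topology: host name -> roles running on it.
TOPOLOGY = {
    "web01": {"web", "config"},
    "web02": {"web", "config"},
    "svc01": {"jobengine", "queuing", "config"},
    "db01":  {"sql"},
}

def hosts_with(topology, role):
    """Hosts in the topology that run the given role."""
    return sorted(h for h, roles in topology.items() if role in roles)

def required_rules(topology, table=PORT_TABLE):
    """Expand role-level rows into host-to-host allow rules, de-duplicated."""
    rules = set()
    for src_role, dst_role, proto, ports in table:
        for src, dst in product(hosts_with(topology, src_role),
                                hosts_with(topology, dst_role)):
            if src != dst:  # same server: no firewall rule needed
                rules.add((src, dst, proto, ports))
    return sorted(rules)

def unexpected(acl, topology):
    """Return ACL entries the table does not call for (candidates to close)."""
    return sorted(set(acl) - set(required_rules(topology)))

if __name__ == "__main__":
    for src, dst, proto, ports in required_rules(TOPOLOGY):
        print(f"allow {proto} {src} -> {dst} ports {ports}")
```

Extend `PORT_TABLE` with the optional rows (SMB, LDAP, SMTP, and so on) only for features that are actually enabled, using whatever non-default ports your deployment has configured.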