KB24280 - What ports are open on the PCS and PPS appliances?

Information

 
Last Modified Date: 5/2/2017 6:14 PM
Synopsis
This article lists the ports that may be open on PCS (Pulse Connect Secure) and PPS (Pulse Policy Secure) devices.
Problem or Goal
The network security team wants to lock down the network as much as possible. A scan of the PCS or PPS reports more open ports than just 443.
Cause
Solution

The following ports may be open on the PCS and PPS devices (a '*' indicates this is an optional configuration; it is closed if the feature is not enabled):

  • 22 DMI Inbound (R7.1 and earlier)*
  • 830 DMI Inbound (R7.2 and later)*
  • 25 SMTP (TCP)*
  • 80 HTTP (TCP) <- this is open to provide a redirect (HTTP 302) to SSL
  • 161 SNMP (UDP)
  • 443 SSL (TCP)
  • 465 Secure SMTP (TCP)*
  • 500 IKEV2 (UDP) - Internet key exchange port*
  • 514 Syslog (UDP)
  • 830 DMI Inbound (TCP)*
  • 993 IMAPS (TCP)*
  • 995 Secure POP (TCP)*
  • 1645 RADIUS authentication (UDP)*
  • 1646 RADIUS accounting (UDP)*
  • 1812 RADIUS authentication (UDP)*
  • 1813 RADIUS accounting (UDP)*
  • 3799 RADIUS COA (UDP)*
  • 4500 ESP (UDP) - IKEV2 NATT (NAT Traversal)* (this port may be changed on the VPN Connection profile)
  • 4803,4804 Cluster (UDP)*
  • 4808,4809 Cluster (TCP) (Non-secure/Secure point to point server)*
  • 4900-4911 Cluster (TCP)*
  • 12000-12001 Cluster (UDP)*
  • 5576 CBox (Pulse Secure Collaboration) series (TCP)*
  • 5577 CBox (Pulse Secure Collaboration) meeting series secure channel (TCP)*
  • 6576 IPC (TCP)
  • 7101 IDP sensor (TCP)*
  • 8009-8010 Session Data for Clustering (TCP) [Applicable to 8.2+ and above]*
  • 11000-11099 PTP (TCP)*
  • 11122 NACN (Network Address Change Notification) is used for communicating between the Pulse Access Control Service and an Infranet Enforcer (firewall) (TCP)*
  • 11123 JUNOS connections (TCP)*
  • 17425 Bookmark sync server feature (TCP)*
  • 28000-28005 RADIUS Proxy (UDP)*
  • 5432 (PostgreSQL) is used for Adaptive Authentication (TCP)
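
The list above can serve as a baseline when reviewing scan results. The following is an added example, not code from Pulse Secure or from the original article: it reads nmap grepable (-oG) output and sorts each open port into documented, optional-feature, or undocumented, matching on both port and protocol. The scan line is constructed sample data, and 22/tcp is an assumption because the article gives no protocol for that entry.

```python
import re

# Baseline transcribed from the list above; a trailing '*' marks an optional
# feature. Assumption: 22 is TCP (the article states no protocol for it).
BASELINE = """
22/tcp* 830/tcp* 25/tcp* 80/tcp 161/udp 443/tcp 465/tcp* 500/udp* 514/udp
993/tcp* 995/tcp* 1645/udp* 1646/udp* 1812/udp* 1813/udp* 3799/udp* 4500/udp*
4803-4804/udp* 4808-4809/tcp* 4900-4911/tcp* 12000-12001/udp* 5576/tcp*
5577/tcp* 6576/tcp 7101/tcp* 8009-8010/tcp* 11000-11099/tcp* 11122/tcp*
11123/tcp* 17425/tcp* 28000-28005/udp* 5432/tcp
"""

def load_baseline(spec=BASELINE):
    """Return [(low, high, proto, optional)] parsed from the compact spec."""
    rules = []
    for token in spec.split():
        m = re.fullmatch(r"(\d+)(?:-(\d+))?/(tcp|udp)(\*?)", token)
        low, high = int(m.group(1)), int(m.group(2) or m.group(1))
        rules.append((low, high, m.group(3), m.group(4) == "*"))
    return rules

def open_ports(grepable):
    """Yield (port, proto) for every entry whose state is exactly 'open'."""
    for line in grepable.splitlines():
        if "Ports:" not in line:
            continue
        for entry in line.split("Ports:", 1)[1].split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open":
                yield int(fields[0]), fields[2]

def classify(grepable, rules=None):
    """Sort open ports into documented, optional-feature, and undocumented."""
    rules = rules or load_baseline()
    result = {"documented": [], "optional": [], "undocumented": []}
    for port, proto in open_ports(grepable):
        hit = next((r for r in rules if r[0] <= port <= r[1] and r[2] == proto), None)
        key = "undocumented" if hit is None else "optional" if hit[3] else "documented"
        result[key].append(f"{port}/{proto}")
    return result

# Constructed sample scan line (not from the article).
SAMPLE = ("Host: 192.0.2.10 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, "
          "4500/open/udp//nat-t-ike///, 4900/open/tcp/////, 8443/open/tcp//https-alt///, "
          "161/open|filtered/udp//snmp///, 514/open/tcp//shell///")

if __name__ == "__main__":
    for status, ports in classify(SAMPLE).items():
        print(f"{status:13} {', '.join(ports) or '-'}")
```

Ports reported as optional should map to a feature that is actually enabled on the appliance; 514/tcp lands in undocumented because the list documents 514 for UDP only.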
Created By: Data Deployment
