Which ports are needed to run Virus Scan / FPolicy through a firewall?
Applies to
- Data ONTAP 7 and earlier
Answer
| Warning: Consider the motivation in regards to the firewall under the following aspect: |
Per definition, the Vscan service needs to be part of the Backup Operator group. That makes the SCAN-host the only system that has unfiltered and unchecked access to ALL files stored on the attached filers. If you put your Vscan server behind a firewall due to a potential threat (e.g. a service sharing the same hardware/OS is connected to the Internet), you might consider splitting the Vscan host off to a separate system to prevent extensive damage after a security breach.
It is not recommended to run Vscan or FPolicy through a firewall as this might add additional latency to the service causing the client access to slow down.
For FPolicy or Vscan to function properly, the following ports need to be open on the firewall for Data ONTAP 7-Mode releases:
| Filer | Direction | Vscan / FPolicy Server |
| ANY | -> |
NETBIOS Name Service (TCP:137) NETBIOS Datagram Service (TCP:138) NETBIOS Session Service (TCP:139) SMB over IP (TCP:445) HTTP (TCP:80) HTTPS (TCP:443) |
|
NETBIOS Name Service (TCP:137) NETBIOS Datagram Service (TCP:138) NETBIOS Session Service (TCP:139) SMB over IP (TCP:445) HTTP (TCP:80) HTTPS (TCP:443) |
<- | ANY |
Additional ports may need to be opened from the filer to its Active Directory domain controller for the purpose of authenticating the Windows service account running the Vscan or FPolicy software.