PARTNERS

GravityZone (cloud) communication ports

GravityZone is a distributed solution, meaning that its components communicate with each other through the use of the local network or the Internet. Each component uses a series of ports to communicate with the others.

The following table provides information on the ports used by Bitdefender GravityZone (cloud console) components.

You need to have these ports open and exclude all addresses mentioned in this table from any gateway security solution or network packet inspection so that GravityZone functions flawlessly.

Note

It is recommended that you do not use solutions for inspecting or scanning the traffic between endpoints, relays, and Bitdefender servers, because they may change the checksum and therefore damage the downloads.

Component

Direction

Port

Source / Destination

Description

Web Console  (Control Center)

Inbound

80 (HTTP)

Any

Access to the Control Center web console, redirect to 443

443 (HTTPS)

Any

Access to the Control Center web console

Security Agent (BEST, BEST Legacy, Endpoint Security, Endpoint Security for Mac)

Outbound

80

upgrade.bitdefender.com

update.cloud.2d585.cdn.bitdefender.net

Downloading updates from the online Bitdefender Update Servers (the official repository)

lv2.bitdefender.com

License validation

389 (LDAP)

Active Directory Domain Controller

Integration with Active Directory (only for the endpoint which has the role of Active Directory Integrator)

636 (LDAPS)

3268

Domain Controller Global Catalog

3269

7074

Relay agent (if available)

Downloading installation packages in the deployment phase from the Relay agent

Communication messages received from endpoints linked to the Relay agent

7076

Bitdefender Global Protective Network: nimbus.bitdefender.net/elam/blob

Encrypted communication messages (when the Relay agent is used as a proxy)

443

cloud.gravityzone.bitdefender.com cloudgz.gravityzone.bitdefender.com

Downloading installation packages during deployment  (Setup Downloader)

cloud-ecs.gravityzone.bitdefender.com cloudgz-ecs.gravityzone.bitdefender.com

Link between the security agents and Communication Server

nimbus.bitdefender.net/elam/blob

Early Launch Anti-Malware (ELAM) cloud server

upgrade.bitdefender.com

Downloading updates from the online Bitdefender Update Servers (the official repository) over an encrypted channel

nimbus.bitdefender.net

Antimalware, antiphishing and content control scanning with Bitdefender Global Protective Network

Relay agent

Inbound

7074

Security agent

Communication messages (such as settings and events) received from endpoints linked to the Relay agent

7076

Bitdefender Global Protective Network: nimbus.bitdefender.net/elam/blob

Encrypted communication messages proxied from connected endpoints to Bitdefender Global Protective Network:

Outbound

80

upgrade.bitdefender.com

update.cloud.2d585.cdn.bitdefender.net

Downloading updates from the online Bitdefender Update Servers (the official repository)

lv2.bitdefender.com

License validation

389

Active Directory Domain Controller

Integration with Active Directory (only for the endpoint which has the role of Active Directory Integrator)

7074

Relay agent(*) (if available)

Downloading installation packages in the deployment phase from another Relay Agent

Communication messages received from endpoints linked to the Relay agent

7076

Bitdefender Global Protective Network nimbus.bitdefender.net/elam/blob

Encrypted communication messages received from endpoints linked to the Relay agent

443

cloud.gravityzone.bitdefender.com

cloudgz.gravityzone.bitdefender.com

Downloading installation packages during deployment  (Setup Downloader)

cloud-ecs.gravityzone.bitdefender.com

cloudgz-ecs.gravityzone.bitdefender.com

Link between the Relay agent and Communication Server

nimbus.bitdefender.net/elam/blob

Early Launch Anti-Malware (ELAM) cloud server, a component of Bitdefender Global Protective Network

upgrade.bitdefender.com

Downloading updates from the online Bitdefender Update Servers (the official repository) over an encrypted channel

nimbus.bitdefender.net

Antimalware, antiphishing, and content control scanning with Bitdefender Global Protective Network

download.bitdefender.com

Downloading installation packages before deployment from the GravityZone Cloud Control Center

Security Server (Multi-Platform)

Inbound

1344

Any

Used by Security for Storage protection layer for communication between NAS devices compliant with ICAP and Security Server

6379

Security Server

Allows traffic between Security Servers

7081

Any

Antimalware traffic scanning sent by the Security Agent

7083

Any

Antimalware traffic scanning sent by the Security Agent over SSL

Outbound

443

nimbus.bitdefender.net

Periodical verification of antimalware detections with Bitdefender Global Protective Network

upgrade.bitdefender.com

Downloading updates from the online Bitdefender Update Servers (the official repository) over an encrypted channel

*.cdn.bitdefender.net:443

Downloading updates from the online Bitdefender Update Servers (the official repository) over an encrypted channel

cloud-ecs.gravityzone.bitdefender.com

cloudgz-ecs.gravityzone.bitdefender.com

Link between Security Server and Communication Server

download.bitdefender.com

Downloading updates

80

upgrade.bitdefender.com

Fallback for downloading updates from the Bitdefender Update Servers (the official repository)

download.bitdefender.com

Downloading installation kits

*.cdn.bitdefender.net:80

Downloading updates from the online Bitdefender Update Servers (the official repository)

443

Sandbox Analyzer Portal

Sandbox Analyzer

Both

Allows communication between the endpoint and the Sandbox Analyzer Portal. Handles file submission to sandbox-portal.gravityzone.bitdefender.com.

(*) Since the relay is an update server that needs to listen all the time on a port, Bitdefender provides a mechanism able to automatically open a random port on localhost (127.0.0.1), so that the update server can receive proper configuration details. The update server tries to open the 7075 port to listen on localhost. If 7075 port is unavailable, the update server will search for another port that is free (in the range of 1025 to 65535) and successfully bind to listen on localhost.

Port 7074 must be open for deployment through Bitdefender Endpoint Security Tools Relay to work.

For the GravityZone (on-premises) communication ports, refer to this section.