Proofpoint Product Family

Pre-Installation Requirements
This document summarizes the pre-installation requirements for Proofpoint appliance-based and virtual appliance-
based products. To easily integrate an appliance into your network, ensure the ports listed in each table are open for
the master and each agent (if you have a cluster of master and agents). IP addresses and other installation
requirements are listed where applicable.

Proofpoint Messaging Security Gateway™ and Proofpoint

Messaging Security Gateway™ Virtual Edition – Release 8.X
This section describes the hardware specifications, IP address requirements, and port requirements for the appliance
and virtual appliance.

Requirements
 A static IP address and hostname for each appliance.
 The IP addresses of at least two DNS servers. DNS servers must be accessible by each system in the
cluster: master and every agent.
 The hostname, MX record or IP address of the internal system that will receive filtered mail from the
appliance.
 The list of domains for which you receive email.

Hardware Specifications for the P-Series Appliance

P-380 P-670 P-870 P-870M

Form Factor: 1 U
Form Factor: 1 U Rack Form Factor: 1 U Rack Form Factor: 1 U Rack
Rack
Height: 42.8 mm Height: 42.8 mm Height: 42.8 mm
Height: 42.4 mm
Chassis Width: 482.4 mm Width: 482.4 mm Width: 482.4 mm
Width: 434.0 mm
Depth: 647.7 mm Depth: 701.3 mm Depth: 701.3 mm
Depth: 394.3 mm
Weight: 10.9 kg (max) Weight: 18.6 kg (max) Weight: 18.6 kg (max)
Weight: 10.1 kg
Dual 550 Watt Power Dual 550 Watt Power
Single 250 Watt Power Supplies (Energy Supplies (Energy Dual 550 Watt Power
Power Supply Auto switching Smart) Smart) Supplies Auto switching
100/240V Auto switching Auto switching 110/220V
110/220V 110/220V
Single 8-Core Intel Dual 6-Core Intel Xeon Dual 6-Core Intel Xeon
Intel(R) Xeon(R) CPU
Processors Xeon E5-2630 v3 2.4 E5-2640 E5-2640
E3-1220 v5, 3.0 GHz
GHz v3 2.6 GHz v3 2.6 GHz

Memory 16 GB 16 GB 32 GB 64 GB

RAID 1 Controller – Battery Backed RAID Battery Backed RAID Battery Backed RAID
RAID
PERC-H330 Controller - RAID 1 Controller - RAID 1 Controller - RAID 0 + 1

2 x 500 GB SATA
Disks 2 x 300 GB SAS Disks 2 x 300 GB SAS Disks 6 x 300GB SAS Disks
Disks

Network 2 x Gigabit BaseT 4 x Gigabit BaseT 4 x Gigabit BaseT 4 x Gigabit BaseT

1 of 3 Proofpoint Confidential and Proprietary © 2016 Revision G – November 2016

Virtual Appliance
Supported VMware ESX servers for the virtual appliance:
 ESXi 4.1 Update 3

 ESXi 5, ESXi 5.1, ESXi 5.1 Update 1, ESXi 5.5, ESXi 5.5 Update 2
See the Proofpoint Messaging Security Gateway Virtual Edition Installation Guide for system requirements and
download information.

Ports
Ensure the following ports are open for the master and each agent (if you have a cluster of master and agents).
Note: Please see https://support.proofpoint.com/article.cgi?article_id=132318 for information about the IP addresses
that need to be accessible from your Proofpoint master and agents.

Port Direction IP Addresses Explanation

25 (SMTP) Inbound and Outbound All Required to send and receive email.
53 Outbound All Required for DNS in all cases. Required
(UDP/TCP) for Proofpoint Dynamic Reputation if you
are using this feature.
443 (HTTPS) Outbound from master All Required for product upgrades and
Optional – for upgrades and updates. The IP addresses for
10020 updates. Proofpoint update servers will change
(HTTPS) as-needed in order to provide the most
Outbound from master reliable update service possible.
and all agents for
Proofpoint Encryption. Required for Proofpoint Encryption and
Inbound for Secure Secure Reader, if you have licensed this
Reader nodes. module.

Outbound from master To take advantage of the End User

to Secure Share Digest feature and Web Application, you
Services. will need to enable HTTP commands
and allow port 443 to access the server.

Optional - for backward compatibility,

you can choose port 10020 for these
purposes.

Required for Secure Share if you have

licensed Secure Share.

22 (SSH) Inbound 208.86.202.10 Required for Proofpoint support. (Access

10000 208.84.66.21 may be disabled when not in use.)
(HTTPS) 208.84.67.21

3306 (DB) Inbound Proofpoint agents to the Proofpoint Required for database synchronization
master, and if applicable, also the from agents to master.
Quarantine master.
10010 Required for message transfer from
(HTTPS) agents to master.
10000 Inbound All Internal IPs to the Proofpoint Required for web-based administrative
(HTTPS) master. access.
Every node in the cluster (filtering
agents, Quarantine node, Log node, Required for log consolidation and
Smart Search node) must have port configuration synchronization.
10000 open for communication to
the master.
10001 Inbound Proofpoint config master. Required for web-based administrative
(TCP) access when using SAML 2.0 for
federated authentication.

2 of 3 Proofpoint Confidential and Proprietary © 2016 Revision G – November 2016

 Port Direction IP Addresses Explanation
110 Outbound Internal POP3 downstream mail To set up a dedicated email address and POP3 account
(POP3) server (not on the appliance). on your existing mail system for the server to poll for end
user Digest commands.
If you choose to set up a POP3 mailbox, we recommend
calling it spamdigest or something similar. The POP3
username, password and server information will be
required during configuration.
1344 Inbound To the servers running the ICAP (Optional) Required to filter, block, and quarantine HTTP
(HTTP) - service from the HTTP proxy traffic and general web traffic and HTTP posts.
Optional servers.

161 Inbound SNMP management station to (Optional) Required to use Simple Network Management
UDP/TCP Proofpoint servers. Protocol (SNMP) to monitor and manage the appliance
(SNMPd) on your network. Inbound is required to have the
Proofpoint appliance listen for polling requests from your
162 Outbound Proofpoint servers to SNMP SNMP installation. Outbound is required to have the
UDP/TCP management station. Proofpoint appliance send traps to the SNMP monitoring
(SNMP) host.

389 Outbound Proofpoint master server to LDAP (Optional) Required for user import from LDAP or Active
(LDAP) server. Directory server.
636
(LDAPS)
123 (NTP) Outbound All Proofpoint servers to an internal Required for synchronization of system clocks.
NTP server or to
ntp.proofpoint.com.
10946 Inbound From the Config Master to the Required for searches, search results, and Smart
(TCP) Smart Search node. Search settings. Required only if Smart Search is
licensed.
10947 Inbound From the Log node to the Smart Required to transfer sendmail logs and filterd logs to
(TCP) Search node. If you do not have a Smart Search for indexing. Required only if Smart
Log node, it is from the Config Search is licensed.
Master to the Smart Search node.
If you do not have a dedicated
Smart Search node, but you do
have a Log node, this port is for
communication from the Config
Master to the Log node.
80 Inbound From RSS feed to Config Master. Required for RSS feed from Proofpoint.
(HTTP)

3 of 3 Proofpoint Confidential and Proprietary © 2016 Revision G – November 2016