Network Port KACE SMA Appliance To Function

Which network ports and URLs are required for the KACE SMA appliance to function?
(4211365)
Product(s):
KACE Asset Management Appliance 12.1, 12.0, 11.1
KACE Systems Management Appliance 12.1, 12.0, 11.1
KACE as a Service 12.1, 12.0, 11.1

Topic(s): Configuration

Article History:
Created on: 10/26/2022
Last Update on: 10/26/2022

Recommended Content
Best Practices for Securing your SMA (4209518)
How to make your System Management Appliance (SMA) publicly facing - SMA integrity test (4311962)
SMA External Listening Port and Zones Explained (4214233)
Network Ports needed for the KACE Systems Deployment Appliance (SDA) (4315017)

Description

The following table describes expected KACE Systems Management Appliance (SMA) traffic (inbound, outbound, bidirectional) at the NIC. This is meant to describe internal network behavior. Any outbound ports that require access out to the internet are labeled as 'NAT' in the Direction column. Some unique configurations, such as allowing SMTP inbound directly to the SMA will require slight deviation and custom configuration outside the confines of this list. When in doubt, contact KACE Support for clarification.

Resolution

Quest’s patching and updating process for KACE® System Management Appliances (SMA) includes several security features. For example, Quest’s transmissions of patch and update metadata for SMA are encrypted. Checksums are used to validate the integrity of SMA patch payloads. And, the directory where SMA patch payloads reside is permission-controlled to prevent user tampering.

As with any web-server based application, security best practices include limiting access to the KACE Systems Management Appliance (SMA) from the Internet. Careful consideration and review of the environment are necessary to ensure security. It is strongly recommended to consider firewalls, encryption, port access, roles, antivirus, SSL, access control list, disaster recovery, and review Best Practices for Securing your SMA prior to configuring the SMA on the Internet. At a minimum, if the SMA is configured as internet/public facing, only port 443 (HTTPS) traffic should be allowed inbound through a firewall to the SMA for UI access and agent communication traffic.

| Port | Purpose | Configuration Location | Optional / Required | Direction | Protocol |
|---|---|---|---|---|---|
| 20/21 | FTP to Backup Share | Security Settings | Optional | Inbound | FTP |
| 22 | SSH for KACE Support Tether | Security Settings | Optional | Outbound/NAT | SSH |
| 25 | SMTP | Queue Configuration / Network Settings | Optional | Bidirectional | TCP |
| 80 | User/Admin/System UI (non-SSL); Agent/Replication Share Downloads (non-SSL) | Security Settings | Required for UI/Agent traffic if SSL not enabled; Strongly recommend using SSL instead; Still required outbound/NAT for SMA itself | Inbound (non-SSL); Outbound/NAT (SMA requires HTTP for patch feed sync) | HTTP |
| 161 | SNMP Monitoring of SMA | Security Settings | Optional | Inbound | UDP |
| 199 | SNMP Read Access (SMUX) | Security Settings | Optional | Inbound | TCP |
| 443 | SSL User/Admin/System UI; Agent/Replication Share Downloads | Security Settings | Required if SSL is enabled | Inbound (Agent/Replication Share Traffic); Outbound/NAT (several services, including patching, rely on the ability to download to the SMA from the internet via HTTPS) | HTTPS |
| 587 | SMTPS Outbound Mail Relay | Queue Configuration / Network Settings | Required for email sending via SMTPS | Outbound; NAT (if using a cloud service) | TCP |
| 110/995 | POP3/SPOP Inbound Mail | Queue Configuration / Network Settings | Required for email retrieval via POP/SPOP | Outbound; NAT (if using a cloud service) | TCP |
| 139/445 | Access to Samba Shares/SMB (Replication Shares, Agent Provisioning (non-WinRM method)) | Security Settings | Both Ports Required for Provisioning (non-WinRM) | Bidirectional | SMB |
| 389/636 | LDAP/LDAPS | LDAP Filters / LDAP Authentication | Optional | Outbound; NAT (if using a cloud service) | LDAP |
| 3306 | Remote Read-Only Database Access (ODBC) | Security Settings | Optional | Inbound | TCP |
| 5985 | WinRM (HTTP/HTTPS) used for Agent Provisioning | Agent Provisioning | Optional | Outbound | HTTP/HTTPS |
| 52231 | Upgrade Status Page (temporary web server during upgrade) | Not Configurable | Optional | Inbound | HTTP/HTTPS |
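
An added example, not part of the Quest article: a Python check that audits inbound allow rules for an SMA against the port table above and the article's rule that a public-facing SMA should accept only 443 inbound. The Rule structure, the zone labels and the sample rules are constructed for illustration, and mapping FTP, HTTP, HTTPS and SMB to TCP is an assumption.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    zone: str   # "internet" or "internal" (hypothetical zone labels)
    proto: str  # "tcp" or "udp"
    port: int

# Ports the article lists as Inbound or Bidirectional at the SMA NIC.
# Transport for FTP/HTTP/HTTPS/SMB rows is assumed to be TCP.
LISTED_INBOUND = {
    ("tcp", 20): "FTP to Backup Share", ("tcp", 21): "FTP to Backup Share",
    ("tcp", 25): "SMTP",
    ("tcp", 80): "UI/agent traffic without SSL",
    ("tcp", 139): "Samba/SMB shares", ("tcp", 445): "Samba/SMB shares",
    ("udp", 161): "SNMP monitoring of SMA",
    ("tcp", 199): "SNMP read access (SMUX)",
    ("tcp", 443): "SSL UI and agent traffic",
    ("tcp", 3306): "remote read-only database access (ODBC)",
    ("tcp", 52231): "upgrade status page",
}
HTTPS = ("tcp", 443)

def audit(rules):
    """Return (severity, rule, reason) for each inbound allow that needs attention."""
    findings = []
    for r in rules:
        key = (r.proto, r.port)
        if key == HTTPS:
            continue  # the one inbound port the article accepts in every placement
        if r.zone == "internet":
            findings.append(("violation", r, "public-facing SMA should accept only 443/tcp inbound"))
        elif key not in LISTED_INBOUND:
            findings.append(("unlisted", r, "not in the article's inbound port list"))
        elif key == ("tcp", 80):
            findings.append(("review", r, "non-SSL UI/agent traffic; the article recommends SSL"))
        else:
            findings.append(("confirm", r, "optional or conditional: " + LISTED_INBOUND[key]))
    return findings

# Constructed sample rule set, not taken from any real firewall.
SAMPLE = [
    Rule("internet", "tcp", 443), Rule("internet", "tcp", 3306),
    Rule("internal", "tcp", 80), Rule("internal", "udp", 161),
    Rule("internal", "tcp", 161), Rule("internal", "tcp", 443),
]

if __name__ == "__main__":
    for sev, rule, reason in audit(SAMPLE):
        print(f"{sev:9} {rule.zone:8} {rule.port}/{rule.proto}: {reason}")
```

Rules tagged "confirm" are ports the table marks optional or conditional, so each one should map to a feature that is actually in use on the appliance.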

URLs Required for Proper SMA Functionality


Below are the URLs used for SMA software updates, OVAL, SCAP, Dell warranty, and Dell updates. Please whitelist these in your firewall for ports 80 and 443 (HTTP/HTTPS):

| Purpose | URL |
|---|---|
| Basic Functionality / UI Links | service.kace.com; servicecdn.kace.com; www.kace.com; quest.com |
| KACE Tether | tether.kace.com |
| KACE GO App Notifications | notify.kace.com |
| Dell Updates Feed / Packages | ftp.dell.com; downloads.dell.com |
| Dell Warranty | *.dell.com; *.us.dell.com |
| Lenovo Warranty | SupportAPI.lenovo.com |
| HP Warranty | css.api.hp.com |
| KACE Support chat | livehelpnow.net |

URLs Required for Patching Functionality


Below are the URLs used to update patch listings. Please whitelist these in your firewall for ports 80 and 443 (HTTP/HTTPS):

| Publisher | URL(s) |
|---|---|
| KACE Patch Catalog | cdn01.catalog.kace.com |
| KacePatch Binaries | These binaries are distributed in a zip file from cdn01.catalog.kace.com. See Error: KacePatch version check failed (326055) for more information. |

The files inside the current Windows zip file are as follows:
DismApi.dll
dismcore.dll
dismcoreps.dll
dismprov.dll
folderprovider.dll
KacePatch.exe
KUserAlert.exe
KUserAlertLang_de-DE.dll
KUserAlertLang_es-ES.dll
KUserAlertLang_es-LA.dll
KUserAlertLang_fr-FR.dll
KUserAlertLang_it-IT.dll
KUserAlertLang_ja-jp.dll
KUserAlertLang_pt-BR.dll
KUserAlertLang_zh-CN.dll
KUserAlertLang_zh-TW.dll

The files inside the current Mac zip file are as follows:
KacePatch
KUserAlert.app (this is a directory with many files inside)
munki\install_munki_kace.sh
munki\munkitools.pkg
munki\uninstall_munki_kace.sh
start-asus-ws.sh
stop-asus-ws.sh

| Publisher | URL(s) |
|---|---|
| Adobe Systems, Inc. | ardownload.adobe.com; armdl.adobe.com |
| Altova, Inc. | cdn.sw.altova.com |
| Atlassian Software Systems Ltd | s3.amazonaws.com |
| Autodesk, Inc. | download.autodesk.com; knowledge.autodesk.com; up.autodesk.com |
| Canneverbe Limited | download.cdburnerxp.se |
| Don HO | download.notepad-plus-plus.org |
| EverNote Corporation | cdn1.evernote.com |
| Foxit Software | cdn01.foxitsoftware.com |
| GlavSoft LLC. | www.tightvnc.com |
| inkscape.org | media.inkscape.org |
| LIGHTNING UK! | download.imgburn.com |
| Microsoft Corporation | b1.download.windowsupdate.com; dl.delivery.mp.microsoft.com; download.microsoft.com; download.windowsupdate.com; endpoint920510.azureedge.net; officecdn.microsoft.com; officecdn-microsoft-com.akamaized.net |
| Mozilla | ftp.mozilla.org |
| Opera Software ASA | ftp.opera.com |
| Piriform Ltd | download.ccleaner.com |
| Python Software Foundation | www.python.org |
| RealVNC Ltd. | www.realvnc.com |
| Simon Tatham | the.earth.li |
| The GIMP developer community | download.gimp.org |
| VideoLAN Team | download.videolan.org |
| VMWare, Inc. | download3.vmware.com |
| win.rar GmbH | www.rarlab.com |
| Wireshark Foundation | ftp.uni-kl.de; www.wireshark.org |

© 2022 Quest Software Inc. ALL RIGHTS RESERVED.