Determining Which Network Ports Need to Be Open
Overview
This article describes the network ports required for Netwrix Change Tracker to function properly. Use this information when configuring firewall rules for new deployments or troubleshooting connectivity issues.
NOTE: For the most current port requirements and network architecture details, refer to the official documentation: Change Tracker 8.0 - Agent and Device Ports
Agents can be configured to connect to Change Tracker on a custom port (for example, HTTPS on port 8443) by setting it in the agent's HubDetails.xml file. The ports listed below are the defaults and are the recommended ports for Change Tracker.
Instructions
Change Tracker Console
- Port: 443 (HTTPS) or Custom
- Direction: Inbound to Change Tracker Hub server
- Protocol: HTTPS
HTTPS communication to the Change Tracker Console is by default on port 443. This can be adjusted within IIS if other ports are deemed more suitable for your environment.
Change Tracker Agents (Windows & Linux)
- Port: 443 (HTTPS) or Custom
- Direction: Outbound from agent to Change Tracker Hub
- Protocol: HTTPS
HTTPS communication between Change Tracker and the agent is controlled by the agent's HUBURL, defined during installation. The HUBURL will resemble https://MY_CT_SERVER/api/. If a custom HTTPS port is in use, the HUBURL must include it, for example https://MY_CT_SERVER:PORT/api/.
Important: The agent always initiates the connection to the Hub server; connections are established in one direction only, from agent to Hub.
Agentless Monitoring - Linux Systems
- Port: 22 (SSH)
- Direction: Outbound from Change Tracker Proxy Agent to monitored Linux systems
- Protocol: TCP/SSH
The Change Tracker Proxy Agent initiates all communication to the monitored Linux systems. The proxy agent is typically collocated with Change Tracker but can be installed on a separate system if needed.
Agentless Monitoring - Windows Systems
- Port: 445 (SMB)
- Direction: Outbound from Change Tracker Proxy Agent to monitored Windows systems
- Protocol: SMB
The Change Tracker Proxy Agent initiates all communication to the Remote Registry Service on the monitored Windows devices.
Network Devices (Routers, Switches, Firewalls)
SSH-Based Monitoring
- Port: 22
- Direction: Outbound from Change Tracker Proxy Agent to network devices
- Protocol: TCP/SSH
Telnet-Based Monitoring (Legacy)
- Port: 23
- Direction: Outbound from Change Tracker Proxy Agent to network devices
- Protocol: TCP/Telnet
NOTE: SSH (port 22) is recommended over Telnet (port 23) for security reasons: Telnet sends credentials and session data unencrypted.
Firewall Configuration Summary
For a typical Change Tracker deployment, ensure the following firewall rules are in place:
Inbound to Change Tracker Hub:
- Port 443 (HTTPS) - for console access and agent communication
Outbound from Change Tracker Hub/Proxy Agent:
- Port 22 (SSH) - for agentless Linux and network device monitoring
- Port 23 (Telnet) - for legacy network device monitoring (if required)
- Port 445 (SMB) - for agentless Windows monitoring
Outbound from Agents:
- Port 443 (HTTPS) - to communicate with Change Tracker Hub
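A reachability check for the rules summarised above, as an added example that is not part of the original article or of any Netwrix tooling. It derives the Hub endpoint from an agent's HUBURL and probes the Proxy Agent's outbound ports. The function names, target-type keys and result labels are assumptions; the ports and HUBURL format are the ones given in this article.

```python
import socket
from urllib.parse import urlsplit

# Outbound ports the Proxy Agent needs per target type (defaults from this article).
PROXY_AGENT_PORTS = {
    "linux": [22],           # agentless Linux over SSH
    "windows": [445],        # agentless Windows over SMB
    "network-ssh": [22],     # network devices over SSH
    "network-telnet": [23],  # legacy network devices over Telnet
}

def hub_endpoint(huburl):
    """Return the (host, port) an agent connects to; urlsplit lowercases the host."""
    parts = urlsplit(huburl)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"HUBURL must be an https:// URL: {huburl!r}")
    return parts.hostname, parts.port or 443  # no explicit port means 443

def probe(host, port, timeout=3.0):
    """Attempt a TCP connect and classify the outcome.
    open     - handshake completed: the path is allowed and a service listens
    refused  - reset received: the host (or a rejecting firewall) answered
    filtered - no answer before the timeout: typically a firewall dropping packets
    error    - name resolution failure, no route, or another OS-level error
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "error"

def check_agent(huburl, timeout=3.0):
    """Run on an agent host: can it reach the Hub named in its HUBURL?"""
    host, port = hub_endpoint(huburl)
    return {(host, port): probe(host, port, timeout)}

def check_proxy_targets(targets, timeout=3.0):
    """Run on the Proxy Agent host; targets is an iterable of (host, target_type)."""
    return {(host, port): probe(host, port, timeout)
            for host, kind in targets for port in PROXY_AGENT_PORTS[kind]}

if __name__ == "__main__":
    # Constructed sample values; replace with your own Hub URL and device names.
    print(check_agent("https://MY_CT_SERVER/api/"))
    print(check_proxy_targets([("linux-host.example", "linux")]))
```

A "filtered" result points at a missing firewall rule, while "refused" usually means the path is open but the service (SSH, SMB, IIS) is not listening on that port.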