Skip to main content

Articles in this section

See more
Print

Planning and preparation: Required ports for Cayosoft Guardian

  • Updated

Required Ports for Cayosoft Guardian

Cayosoft Guardian service separated by a firewall from Active Directory

When the Cayosoft Guardian Service and Active Directory resources are separated by a firewall, the following ports must be opened:

System type Port Description Required when

Service, Domain Controller

TCP 389

LDAP (sealed)

Default. Not required if useLdaps = true.

Service, Domain Controller

TCP 3268

Global Catalog (sealed)

Default. Not required if useLdaps = true.

Service, Domain Controller

TCP 636

LDAPS (LDAP over TLS)

Required when useLdaps = true. Used as automatic fallback when port 389 is unreachable.

Service, Domain Controller

TCP 3269

Global Catalog over SSL (TLS)

Required when useLdaps = true. Used as automatic fallback when port 3268 is unreachable.

Service, Domain Controller

TCP 5985/5986

WinRM (Windows Remote Management)

Always required.

Service, Network file share

TCP 139/445

SMB

Always required.

Service

TCP 443

HTTPS connection

Always required.

NOTE: Each managed domain controller must be reachable on at least one of the LDAP port pairs — 389/3268 or 636/3269. If both pairs are blocked, Cayosoft Guardian cannot manage the DC. In default mode (useLdaps = false), Cayosoft Guardian tries 389 first and silently falls back to 636. In explicit LDAPS mode (useLdaps = true), only 636/3269 are used and no fallback occurs.

Cayosoft Guardian web portal

The following ports must be open to access the Cayosoft Guardian web portal:

System Type Port Description
Web portal TCP 80/443 HTTP/HTTPS connections

Cayosoft Guardian AD connector

The following ports must be open to access the Cayosoft Guardian AD connector:

System Type Port Description
Web portal TCP 80/443 HTTP/HTTPS connections

Cayosoft Guardian Forest Recovery Agent

The following ports must be open to access Forest Recovery Agent of Cayosoft Guardian:

System type Port Description Required when

Service, Agent

TCP 5985/5986

WinRM (Windows Remote Management)

Always required.

Service, Agent

TCP 443

HTTPS connection

Always required.

Network file share, Agent

TCP 139/445

SMB

Always required.

Agent, Domain Controller

TCP 389/3268

LDAP / Global Catalog (sealed)

Default Forest Recovery Agent configuration.

Agent, Domain Controller

TCP 636/3269

LDAPS / Global Catalog over SSL

Required when Forest Recovery Agent Use LDAPS is enabled, or used as automatic fallback when LDAP or Global Catalog ports are unreachable.

Microsoft Office 365 Verification/Authentication

For detailed information about Microsoft Office 365 ports and addresses, see Office 365 URLs and IP address ranges article.

Azure SQL Database

For consistent connectivity to SQL Database or dedicated SQL pools in Azure Synapse, allow network traffic to and from ALL Gateway IP addresses and Gateway IP address subnets for the region. Periodically, Microsoft retires Gateways using old hardware and migrates the traffic to new Gateways following the process outlined in Azure SQL Database traffic migration to newer Gateways.

Find the list of Gateway IP addresses and Gateway IP address subnets in Gateway IP addresses.

Ports and endpoints required for Cayosoft cloud services

If Cayosoft Guardian uses online licensing or automatic product updates, allow outbound HTTPS traffic to the required Cayosoft cloud service endpoints.

Required/Optional Service Endpoint Port Purpose
Required License Service api.telemetry.cayosoft.com TCP 443 Online license activation, validation, and subscription synchronization.
Optional Telemetry api.telemetry.cayosoft.com TCP 443 Optional telemetry data.
Optional Cayosoft Guardian Product update downloads


cayotelemetryprod.azurewebsites.net

cdn-cayotelemetryprod.azureedge.net

TCP 443 Download product update packages from Cayosoft cloud services.
Optional Cayosoft Guardian Threat Detection Product update downloads


cayotelemetryprod.azurewebsites.net

TCP 443 Download product update packages from Cayosoft cloud services.

Diagrams

Ports used by Cayosoft Guardian

  1. Cayosoft Guardian connects to a single domain controller to collect changes from a managed AD domain.
  2. Cayosoft Guardian connects to all domain controllers to collect additional data from a managed AD domain.
  3. Cayosoft Guardian connects to select an agent on domain controller to create backup or connects to a machine in a recovery site to recover this machine as a domain controller.
  4. Forest Recovery agent connects to all DCs in the environment using WinRM to collect information about every DC.
  5. Microsoft 365 URLs and IP address ranges: Microsoft 365 URLs and IP address ranges.
  6. Azure IP Ranges and Service Tags - Public Cloud: Azure IP Ranges and Service Tags – Public Cloud.

Ports used by AD connector

  1. Cayosoft AD connector collects changes from preferred domain controller from a managed AD domain.
  2. Cayosoft AD connector collects events from any domain controller from a managed AD domain.
  3. Cayosoft AD connector tasks and collected data are delivered to Cayosoft Guardian Server.
  4. Microsoft 365 URLs and IP address ranges: Microsoft 365 URLs and IP address ranges.
  5. Azure IP ranges and service tags - Public Cloud: Azure IP Ranges and Service Tags – Public Cloud.
  6. AWS IP address and port requirements - IP address and port requirements

© Copyright 2013-2026 Cayosoft Inc. All rights reserved.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request
Return to top

Related articles

Comments

0 comments

Please sign in to leave a comment.