3.3 Ports in use

Retain utilizes many ports to facilitate communication between the different components and for communication with the different archived systems. By default, Retain will use the following ports for the following services:

3.3.1 Retain Server

The Retain Server is the key component in the Retain system. Other Retain processes communicate with the Server through port 48080 by default. The Server is always listening on that port regardless of how other components might be configured to communicate with it (i.e., SSL port 443).

  • 48080 (TCP) Requires incoming access if any Retain processes are running on a server external to the server hosting the Retain Server.

  • The Server requires outgoing access if the Reporting & Monitoring Server component has been installed on a server external to the server hosting the Retain Server. See also the Reporting & Monitoring component in this article.

  • 48009 (TCP) The AJP (Apache JServ Protocol) port is used for communication between the web server and Tomcat. Since both should reside on the same server, there are no external port access requirements.

  • 80 / 443 (TCP - HTTP / HTTPS) Requires incoming access to reach the Server web interface.

  • 25 (TCP) Requires outgoing access so that the Retain Server can send email notifications on server errors, job statuses, and job errors.

  • Database Management System (DBMS) port: Requires outgoing access. The port depends on the database system you are using. See the “Database Management Systems” section of this page.

Other ports will also need to be opened on the server hosting the Retain Server depending on the modules being used.
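The Retain Server port list above can be checked against what a host is actually listening on. The following is an added example, not part of the Retain documentation or product: it assumes a Linux host where `ss -tlnH` output is available, and the function names and the sample output are constructed for illustration.

```python
import ipaddress

# Inbound ports listed for the Retain Server in section 3.3.1 (defaults).
SERVER_INBOUND = {48080, 80, 443}
# AJP: web server and Tomcat share a host, so no external access is needed.
AJP_PORT = 48009

# Constructed sample of `ss -tlnH` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 100 0.0.0.0:48080 0.0.0.0:*
LISTEN 0 100 0.0.0.0:48009 0.0.0.0:*
LISTEN 0 128 [::]:443 [::]:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
"""

def parse_listeners(ss_output):
    """Yield (address, port) for each LISTEN line of `ss -tlnH` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        host = host.split("%")[0].strip("[]")   # drop zone id and IPv6 brackets
        if host == "*":
            host = "::"                         # ss prints * for a dual-stack wildcard
        yield ipaddress.ip_address(host), int(port)

def audit_server_listeners(ss_output):
    """Classify off-host-reachable listeners against the section 3.3.1 list."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        if addr.is_loopback:
            continue                            # not reachable from other hosts
        if port == AJP_PORT:
            findings.append((port, "AJP reachable off-host; bind to loopback"))
        elif port not in SERVER_INBOUND:
            findings.append((port, "not in Retain Server inbound list; review"))
    return sorted(findings)

if __name__ == "__main__":
    for port, note in audit_server_listeners(SAMPLE_SS):
        print(f"{port}/tcp: {note}")
```

A "review" finding is not necessarily a fault: administrative services and module-specific ports from the later sections will appear there and should be matched to a documented need.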

3.3.2 Retain Worker

The Retain Worker is the component that pulls the data from the messaging source, whether that be an email system, social media application, or mobile device.

  • 48080 (TCP) Requires outgoing access if on a server external to the Retain Server.

  • 80 or 443 (TCP HTTP or HTTPS) Requires incoming access to reach the Worker web interface.

Other ports will also need to be opened on the server hosting the Retain Worker depending on the modules being used; and, in some cases, on servers hosting the messaging system Retain will be archiving.

3.3.3 Retain Message Router

The Message Router is for customers of the Retain for Mobile module. The Message Router connects with mobile devices to handle SMS message log forwarding and BBMP device configuration. It typically would sit inside a DMZ.

  • 443 (TCP) Requires both incoming access from and outgoing access to the Internet, as well as incoming access from and outgoing access to the Retain Server.

  • 111/2049 (UDP / TCP) for NFS Client services (only required if not using REST). Requires outgoing access if the Worker is not on the Message Router server so that it can place the logs on the Worker's server. Samba can be used, but NFS seems to be more reliable.

Other ports may need to be considered for NFS to work properly.

It is up to the customer to do this research to get NFS services to work properly.

3.3.4 Retain Reporting & Monitoring Server

New to Retain v3.4, this process provides archive job and server reporting and monitoring services. It is not installed by default unless specifically selected during the installation process.

  • 48080 (TCP) Requires both incoming and outgoing access if on a server external to the Retain Server.

  • 80 / 443 (TCP) Requires incoming access to reach the R&M Server's web interface.

  • 25 (TCP) If running on a server external to the Retain Server, then it requires outgoing access.

3.3.5 Retain Stubbing Server

The Retain Stubbing Server is the component that provides stubbing services to the Retain Server. It is rarely used or installed by customers. See the Administration and Users Guide for a listing of its advantages and disadvantages.

  • 48080 (TCP) Requires outgoing access if on a server external to the Retain Server.

  • 80 / 443 (TCP) Requires incoming access to reach the Stubbing Server web interface.

3.3.6 Retain for Social Media (RSM) Proxy Server

This is a VM appliance running as a proxy server for social media traffic going out to and coming in from the Internet. It logs this traffic so that Retain can archive that data. Port use will differ depending on network setup and Internet access policies.

3.3.7 From RSM WAN IP to Untrusted, all TCP/UDP ports.

If the RSM WAN IP is a private IP, it needs to be NATed to an appropriate routable IP address. The LAN IP address does not need a corresponding inbound NAT rule.

3.3.8 Database Management Systems

The following are the default ports these database management systems use, but they are configurable within those systems. Requires incoming access for the database server and outgoing access on the Retain Server.

  • MySQL: 3306

  • MS SQL: 1433

  • Oracle: 1521

  • Postgres: 5432

3.3.9 Blackberry

BES Web Services (SOAP) only supports the secure ports via TLS. Retain will initiate contact with BES Web Services if you are syncing the Address Book with the BES. Outgoing access is required for the Retain Server and incoming access for the BES server for the following ports:

  • BES 12: 18084 (TCP)

  • BES 10: 38443 (TCP)

  • BES 5: 443 (TCP)

  • 111/2049 (UDP / TCP) on the Blackberry Enterprise Server (BES) for NFS Server services.

The Blackberry module requires incoming access if the Worker is not on the BES server so that it can retrieve the BES logs. Samba can be used, but NFS seems to be more reliable.

Other ports may need to be considered for NFS to work properly.

It is up to the customer to do this research to get NFS services to work properly.

3.3.10 Exchange

  • 80 / 443 (TCP HTTP / HTTPS) on the Worker server. Requires outgoing access. The autodiscover process will attempt HTTPS to the CAS server(s) for connecting to Exchange mailboxes. If that fails, it will use port 80 as a last resort. If Exchange / autodiscover / EWS are set up properly, only port 443 should be necessary.

  • 3268 or 3269 (TCP). Requires outgoing access. It uses one of these ports for LDAP lookups to the global catalog host, which is the primary database server for Active Directory.

  • Port 3268 for plaintext and 3269 for SSL (recommended).

  • 53 (UDP). Requires outgoing access. This is the port used by DNS. Retain will do DNS lookups during its autodiscover process.

3.3.11 Google Apps Module

  • 443 (TCP) Requires outgoing access for the Server (address book sync) and the Worker (it attempts to use the Gmail API for archiving; if that fails, it reverts to IMAP, thus the need for port 993 as described below).

  • 993 (TCP). Requires outgoing access for the Worker(s) only. Under certain circumstances, the Worker may switch to using IMAP over SSL when requesting email from Gmail.

3.3.12 GroupWise

  • 7191 (TCP) Requires outgoing access so that the Retain Server can download the Address Book. This is the default SOAP port the GroupWise POAs use, but this is configurable and is dependent upon the POA agent setting in GroupWise.

3.3.13 Mobile

  • 80 / 443 (TCP) Requires both incoming and outgoing access so that the Retain Server and the Message Router can communicate device configuration information with each other. See also the Retain Message Router component in this article as well as the Mobile subsection under Retain Worker.

  • 111/2049 (UDP / TCP) for NFS Server services. Requires incoming access if the Worker is not on the Message Router server so that the Message Router can place the logs on the Worker's server. Samba can be used, but NFS seems to be more reliable.

Other ports may need to be considered for NFS to work properly.

It is up to the customer to do this research to get NFS services to work properly.

3.3.14 Office 365

  • 443 (TCP) Requires outgoing access. Retain uses SSL to connect with Office 365 to authenticate users logging in to Retain.

  • 80/443 (TCP) Requires outgoing access to the Retain for Social Media proxy server appliance. Retain will make an HTTP connection and request the "bundles". See also the Retain for Social Media (RSM) Proxy Server component in this article.

3.3.15 CellTrust Secureline

  • 111/2049 (UDP / TCP) on the CellTrust Secureline server for NFS Server services.

Requires incoming access if the Worker is not on the CellTrust Secureline server so that it can retrieve the CSV logs. Samba can be used, but NFS seems to be more reliable.

Other ports may need to be considered for NFS to work properly.

It is up to the customer to do this research to get NFS services to work properly.