Kaseya Community

Outbound port 5721

  • I searched the forum but couldn't find a specific response, so...

    The agent uses an outbound port (5721 by default) to check in to the KServer. While it would be inappropriate to ask for detailed information on how it does it, I am curious as to how the agent is able to "talk" back and forth with the KServer through an outbound port.

    In other words, I can see that the agent sends a check-in request through the outbound port at the agent's local network. The KServer receives that request through the inbound port (5721 by default) at the local network of the KServer.

    Now, when the KServer responds to the request (or maybe initiates a remote control session, etc.), logically, wouldn't the KServer communicate back to the agent through the outbound port 5721 at the local network of the KServer? And then, doesn't the agent receive the response through the inbound port 5721 at the agent's local network?

    Or essentially, are the agent and KServer able to hold a back and forth conversation through that same "tunnel" that was created through outbound port 5721 (at the agent's network) and inbound port 5721 (at the KServer's network)?

    Again, not asking for the keys to the vault, but it would be good to have a good talk track when trying to explain to a customer who is paranoid about security how everything can be done through a single outbound port on their network.

    Thanks!


    Legacy Forum Name: Outbound port 5721,
    Legacy Posted By Username: vplaza
  • Think of it this way......when you open a connection to a web server, it does not need to open a connection back to you to return the information you requested (web page, graphics, files, etc.). Once the connection is made, the communications can flow both ways.

    Also, btw.....it does not connect 5721 to 5721. Like with a web page (port 80) the client selects a random high port to connect to 5721 on the server....responses come back to this high numbered port.

    HTH

    Ken


    Legacy Forum Name: Agents,
    Legacy Posted By Username: karode
  • Interesting, I thought that for proper web function, you have BOTH inbound and outbound port 80 open on your network.

    Also, one of the articles I read on the forum mentioned that for the agent to communicate properly, you have to have outbound port 5721 open at the agent network and inbound port 5721 open at the server network. So, the server responds with a different port number?


    Legacy Forum Name: Agents,
    Legacy Posted By Username: vplaza
  • Not trying to be preachy but you might want to look into a book on TCP/IP and/or firewalls if this really interests you.

    Yes, you need 5721 open out from the client and in to the server because the server is listening on port 5721. You do not need anything open inbound on the client side as all further communication from the server to the client is considered part of an existing connection by your firewall.

    If you have port 80 (or any port for that matter) open inbound through your firewall to the entire network, you are asking for trouble.


    Legacy Forum Name: Agents,
    Legacy Posted By Username: karode
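
The behaviour described in the two replies above, as an added example that is not part of the original posts and is not Kaseya code: one client-initiated TCP connection on loopback carries traffic both ways, and the client's source port is an OS-chosen ephemeral port rather than the server's port. The `CHECK-IN` and `TASKS-PENDING` strings are constructed placeholders, and the listener uses an OS-assigned port standing in for 5721 so the demo runs anywhere.

```python
import socket
import threading

def demo_single_outbound_connection():
    """Run one client-initiated TCP exchange on loopback and report the ports."""
    # Server side: the only listening socket in the demo. Port 0 asks the OS
    # for any free port; it stands in for the KServer's 5721 (assumption).
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    server_port = listener.getsockname()[1]
    seen = {}

    def serve():
        conn, peer = listener.accept()
        with conn:
            seen["peer_port"] = peer[1]        # client's source port as seen by the server
            seen["request"] = conn.recv(1024)
            # The reply is written to the accepted connection; the server
            # never calls connect() toward the client.
            conn.sendall(b"TASKS-PENDING")     # constructed placeholder message

    worker = threading.Thread(target=serve)
    worker.start()

    # Client ("agent") side: connect outward only; it never binds or listens.
    with socket.create_connection(("127.0.0.1", server_port), timeout=5) as agent:
        client_port = agent.getsockname()[1]   # ephemeral port picked by the OS
        agent.sendall(b"CHECK-IN")             # constructed placeholder message
        reply = agent.recv(1024)               # arrives on the same socket

    worker.join()
    listener.close()
    return {
        "server_port": server_port,
        "client_port": client_port,
        "peer_port_seen_by_server": seen["peer_port"],
        "request": seen["request"],
        "reply": reply,
    }

if __name__ == "__main__":
    print(demo_single_outbound_connection())
```

A stateful firewall tracks the same address and port pairs this returns, which is why the reply needs no inbound rule on the client side.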
  • Thanks.

    Legacy Forum Name: Agents,
    Legacy Posted By Username: vplaza
  • One thing I was keen to have was the secondary connection being to an IP address (rather than FQDN) on port 80.

    We've had a number of instances of customers with laptops in hotels or airports where only port 80/443 outbound (plus obviously things like DNS) were allowed.

    In this case, they couldn't VPN back to their office. However, if they'd had Kaseya (which they will now), they couldn't have got connected either.

    Unfortunately it seems the kserver service binds across all IP addresses on the server. We could maybe have gotten around this by putting the console access on HTTPS, but we have a couple of very small websites on this server which we can't easily move elsewhere.

    Hopefully Kaseya will come with a mechanism to specify which IP address the Kserver service should be allowed to bind to - then this becomes a useful backup access mechanism.

    gordon


    Legacy Forum Name: Agents,
    Legacy Posted By Username: gordonc
  • vplaza,

    Check out the netstat command line utility. It will show you established IP connections with source and destination ports. It can also list listening or open ports. You can use this to determine if a port is being used and what process is using the port. Use netstat /? to get a summary of options.


    Legacy Forum Name: Agents,
    Legacy Posted By Username: connectex
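
One way to apply the netstat suggestion above, as an added example that is not part of the original post: parse Windows `netstat -ano` output and report established connections to remote port 5721 alongside any local listener on that port. The sample output, addresses and PIDs are constructed, and `agent_port_report` is a hypothetical helper name.

```python
import re

# Constructed sample of `netstat -ano` output from a hypothetical agent machine.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:49712     203.0.113.10:5721      ESTABLISHED     2456
  TCP    192.168.1.20:49890     198.51.100.7:443       ESTABLISHED     3120
  TCP    [::]:135               [::]:0                 LISTENING       884
  UDP    0.0.0.0:5353           *:*                                    1780
"""

# Proto, local addr:port, foreign addr:port, state, owning PID (TCP rows only).
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def agent_port_report(netstat_text, port=5721):
    """Split TCP rows into outbound sessions to `port` and local listeners on it."""
    outbound, listeners = [], []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, blank lines, UDP rows
        laddr, lport, raddr, rport, state, pid = m.groups()
        lport, rport, pid = int(lport), int(rport), int(pid)
        if state == "LISTENING" and lport == port:
            # Something on this host accepts inbound connections on the port.
            listeners.append((laddr, pid))
        elif state == "ESTABLISHED" and rport == port:
            # Client-initiated session: local side is an ephemeral port.
            outbound.append({"local_port": lport, "remote": raddr, "pid": pid})
    return {"outbound": outbound, "listeners": listeners}

if __name__ == "__main__":
    print(agent_port_report(SAMPLE))
```

On an agent machine the expected picture is one outbound entry and an empty listener list; a listener on 5721 belongs on the server side only.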
  • connectex wrote:
    vplaza,

    Check out the netstat command line utility. It will show you established IP connections with source and destination ports. It can also list listening or open ports. You can use this to determine if a port is being used and what process is using the port. Use netstat /? to get a summary of options.

    Thanks.

    Legacy Forum Name: Agents,
    Legacy Posted By Username: vplaza