Kaseya Community

kaseya deafult port 5721

  • Hi team,


    Need you urgently help,  we have one kaseya Customer have some queries about port 5721 which don't wish to open port 5721 due to concern about privacy.


    now how to conveyance customer best.

  • Hi Jaibir.  You've got a couple of choices, you can tell the customer that they need to open 5721 outbound only for your system to work.  You could change to another port, but you'd have to do the same for all your customers so not a good idea.

  • First you can tel them that Kaseya works with encrypted information (rotating 24 bit key). The firewall exception should only be to one or two dedicated servers on the internet. This sound like a customer who want to protect the internet against his system. Shouldn't it just be the other way round?

  • From the Kaseya Admin Guide page 19: http://help.kaseya.com/WebHelp/EN/VSA/6020000/EN_VSAguide62.pdf


    System Security

    We designed the system with comprehensive security throughout. Our design team brings over 50 years of experience designing secure systems for government and commercial applications. We applied this experience to uniquely combine ease of use with high security.

    The platform’s architecture is central to providing maximum security. The agent initiates all communications back to the server. Since the agent will not accept any inbound connections, it is virtually impossible for a third party application to attack the agent from the network. The system does not need any input ports opened on the managed machines. This lets the agent do its job in virtually any network configuration without introducing any susceptibility to inbound port probes or new network attacks.

    The VSA protects against man-in-the-middle attacks by encrypting all communications between the agent and server with AES 256 using a key that rolls every time the server tasks the agent. Typically at least once per day. Since there are no plain-text data packets passing over the network, there is nothing available for an attacker to exploit.

    Users access the VSA through a web interface after a secure logon process. The system never sends passwords over the network and never stores them in the database. Only each user knows his or her password. The client side combines the password with a random challenge, issued by the VSA server for each session, and hashes it with SHA-256. The server side tests this result to grant access or not. The unique random challenge protects against a man-in-the-middle attack sniffing the network, capturing the random bits, and using them later to access the VSA.

    The web site itself is protected by running the Hotfix Checker tool on the VSA server every day. The VSA sends alerts to the Master role user when new IIS patches are available. This helps you keep the VSA web server up to the latest patch level with a minimum of effort. Finally, for maximum web security, the VSA web pages fully support operating as an SSL web site.



    Hopefully this will calm some of your clients concerns.

    Agent communication is outbound on port 5721 by default. (so in reality you shouldn't have to open any port on the firewall as long as you allow all outbound communication or at least port 5721)

    One caveat I know to this is when the patch scan and updating the client machines will need access to Microsoft's update sites. (Communication initiated outbound)

    We allow all outbound communication on SonicWalls, we limit inbound open ports by required services, for example creating a rule to allow mail (port 25) to a specific IP address.

    [edited by: Patrick at 12:47 PM (GMT -8) on 3-7-2012] Errors
  • The Kaseya agent is an OUTBOUND connection only.  The agent never listens and is not exposed to any man in the middle attacks.

  • @Patrick Many good quality business class Firewall solutions does block random ports such as Kaseya's Port 5721. The best option for this is to only allow outbound port 5721 traffic to your Kaseya servers external IP as mentioned above.

    Another thing to consider is to only allow port 5721 traffic to your Kaseya server this means you will have to use VPN access or be in the office to access the Kaseya portal and it will break many Kaseya modules and feature but at least it will be secure.  

  • Jaibir, it sounds like your customer is concerned from a very high-level perspective and perhaps isn't looking at this from a technical aspect.

    Perhaps they need to be explained a little better how ports work, what they are used for, and why opening an outbound port in this event is not too much of an issue.

    They can specifically allow traffic to only your external IP address (which will further allay their fears) and additionally your servers will not 'send' traffic to the customer unless your kaseya agent on the server starts a connection dialogue.

    Can you perhaps find out a little more about exactly what their concern is and we will all try to help you a little more if needed?

  • @Jaibir.  If your client has security concerns, you can send them the following press release which hit the wire yesterday.

    Kaseya Earns Internationally Recognized Common Criteria Certification Achieving Stringent Government Security Standards