KSMM Network Ports

Network Troubleshooting Articles

Devices to KSMM/KSN

| Sender | Recipient | Ports | Description | Port may be changed |
|---|---|---|---|---|
| (WAN/DMZ) Mobile Device with KES Agent | (DMZ) NAgent +Gateway mode | TCP13292, TCP13293 | Mobile device connects to KSC via Gateway | Yes - on KSC console |
| (WAN/DMZ) Mobile Device with KES Agent | (DMZ/LAN) KSC | TCP13292, TCP13293 | Mobile device connects to KSC directly | Yes - on KSC console |
| (DMZ/LAN) Device with KES Agent | (DMZ/LAN) Activation Proxy-server on KSC klactprx | TCP17000, TCP17100 | License activation proxy for desktop devices (TCP17000) OR mobile devices (TCP17100) IF devices do not have internet connection | Yes - on KSC console |
| (WAN/DMZ) iOS Device with Control Profile | (DMZ) iOS MDM Server, kliosmdmservicesrv.exe | TCP443 | Sending data to iOS devices | Yes - during iOS MDM Server installation |
| (WAN/DMZ) Browser on Device with KES Agent | (DMZ) Corp Catalog, Apache Web Server | TCP8071 | User device downloads apps from Corp App Catalog component | Yes - during installation |
| (WAN/DMZ/LAN) Desktop (Win/macOS/NIX) Device with KES Agent | (WAN) KSN Cloud Proxy | TCP13111, UDP15111 | Access of controlled devices to Kaspersky Security Network (Cloud, optional) | Yes - on KSC console |
| (WAN/DMZ) Desktop (Win/macOS/NIX) Device with KES Agent | (DMZ) NAgent +Gateway mode | TCP13000 | Connection of NAgent from client desktop to NAgent Gateway proxy for data exchange with KSC | Yes - on KSC console |
| (DMZ/LAN) Desktop (Win/macOS/NIX) Device with KES Agent | (LAN) KSC | TCP13000, UDP13000, TCP14000 | Connection of NAgent from client desktop directly to KSC. UDP13000 needed for NAgent status update | Yes - on KSC console |
| (WAN/DMZ) Desktop (Win/macOS/NIX) Device with KES Agent | (DMZ) NAgent +Gateway mode | TCP13295 | PUSH-notifications to desktop machines | Yes - on KSC console |
| (DMZ/LAN) Device with KES Agent | (DMZ/LAN) KSC | TCP8060(HTTP), TCP8061(HTTPS) | Installation packets request and download directly from KSC (if Corp App Component is not available) | Yes - on KSC console |
| (DMZ/LAN) OS Windows Device with KES Agent | (DMZ/LAN) KSC Web Console - klsctunnel | TCP19170 | Remote desktop assist connection of tech support to user device | Yes - on KSC console |

KSMM to PUSH Cloud Services

| Sender | Recipient | Ports | Description | Port may be changed |
|---|---|---|---|---|
| (DMZ/LAN) KSC | Google Firebase Cloud Messaging (FCM) ASN15169 IP block: android.googleapis.com, play.google.com, android.clients.google.com, accounts.google.com, fonts.googleapis.com | TCP5228, TCP5229, TCP5230 | PUSH notifications for Android devices | No |
| (DMZ) iOS MDM Server | Apple Cloud APNs IP Block 17.0.0.0/8: gateway.push.apple.com, feedback.push.apple.com, mdmenrollment.apple.com, *.itunes.apple.com, *.mzstatic.com, *phobos.apple.com, *phobos.apple.com.edgesuite.net | TCP2195, TCP2197 | PUSH notifications for iOS | No |

KSMM to KSMM Components

| Sender | Recipient | Ports | Description | Port may be changed? |
|---|---|---|---|---|
| (LAN) KSC | (DMZ) NAgent +Gateway Mode | TCP13000 | Request to NAgent to establish tunnel session for connecting devices from WAN/DMZ | Yes - in KSC Console |
| (DMZ) Corp App Catalog klakaut.exe | (DMZ) NAgent +Gateway Mode | TCP13000 | Corp App Catalog connects via Gateway to KSC for data exchange with KSC | Yes - during Corp App Catalog install |
| (DMZ) Subordinate KSC | (LAN) Main KSC OR NAgent +Gateway Mode | TCP13000 | In cascade KSC Architecture, two KSC servers communicate between each other directly OR via NAgent Gateway | Yes - in KSC Console |
| (LAN) MMC Admin Console | (LAN) KSC | TCP13291 | Connection of remote MMC admin console to KSC | Yes - in KSC Console |
| (DMZ/LAN) NAgent, NAgent +Gateway, KSC | (DMZ/LAN) NAgent, NAgent +Gateway, KSC | UDP15000 | Installation packets, status update messages, NAgent discovery of other NAgents in broadcast domain | Yes - in KSC Console |
| (LAN) Web Admin Console (New Web Console = NWC) | (LAN) KSC | TCP8080 | Connection from browser to Web admin console https://ksc.local:8080 | Yes - in KSC Web Console settings |
| (LAN) Third-party scripts, Web Admin Console (NWC) | (LAN) KSC OpenAPI Interface | TCP13299 | KSC klserver component REST API port for OpenAPI commands | Yes - in KSC Console |

Subsections of KSMM Network Ports

Troubleshooting Ports

Network Agent + Connection Gateway

  • Network schema:

    graph LR
      K[KSC] --> |TCP13000| A[NAgent +Distr Point & Gateway]
      A <--> |TCP13292| M[Mobile Device]

Listening service: klnagent.exe, opens TCP13000

  • Check open port (the port must be in the LISTENING state):

    netstat -napo tcp | find "13000"

  • Check gateway function: run the klnagchk.exe tool (see link above); the output should contain the line "This device is a connection gateway".

  • Check gateway port (the port must be in the LISTENING state):

    netstat -napo tcp | find "13292"

  • Check gateway certificate:

    openssl s_client -connect ksmm.lab.local:13292

    The output should show the certificate data with the correct Subject CN.

iOS MDM Server

  • Network schema:

    graph LR
      I[iOS for MDM] <--> |TCP443| D[iOS Device]
      I --> |TCP2197| A(((APNs Cloud, 17.0.0.0/8)))
      A --> D

Listening service: kliosmdmservicesrv2.exe, opens TCP443

  • Check open port (the port must be in the LISTENING state):

    netstat -napo tcp | find "443"

  • Check iOS MDM certificate:

    openssl s_client -connect ksmm.lab.local:443

Corporate Apps Portal

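  • Network schema:

    graph LR
      C[Corp Portal] --> |klakaut.exe TCP13291| K[KSC]
      A[Admin] --> |TCP8070| C
      U[User] --> |TCP8071| C

  • Check open port: get the PID of klakaut.exe from the first command, then search the netstat output for it, replacing PID with that number. The connection must be in the ESTABLISHED state.

    tasklist | find "klakaut"
    netstat -napo tcp | find "PID"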
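
The netstat checks above, as an added example that is not part of the original page: a substring search such as find "443" also matches port 4430, an ephemeral port like 50443, or a PID column, so this Python sketch parses the output and matches the local port, state and owning PID exactly. The sample output, PIDs and addresses are constructed, and the function names are hypothetical.

```python
# Added example. SAMPLE is constructed `netstat -ano -p tcp` output;
# the PIDs and addresses are made up for illustration.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4120
  TCP    0.0.0.0:4430           0.0.0.0:0              LISTENING       988
  TCP    0.0.0.0:13000          0.0.0.0:0              LISTENING       2764
  TCP    0.0.0.0:13292          0.0.0.0:0              LISTENING       2764
  TCP    10.0.5.20:50443        10.0.1.10:13291        ESTABLISHED     3312
  TCP    10.0.5.20:51300        10.0.1.10:445          ESTABLISHED     13000
  TCP    [::]:443               [::]:0                 LISTENING       4120
"""

def parse_netstat(text):
    """Return one dict per TCP row of `netstat -ano` output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP" or not parts[4].isdigit():
            continue  # header, blank line, or a row in another format
        _, local, remote, state, pid = parts
        # rpartition(":") also handles IPv6 literals such as [::]:443
        rows.append({"local_port": int(local.rpartition(":")[2]),
                     "remote": remote, "state": state, "pid": int(pid)})
    return rows

def listeners(rows, port):
    """PIDs owning a LISTENING socket on exactly this local port."""
    return sorted({r["pid"] for r in rows
                   if r["state"] == "LISTENING" and r["local_port"] == port})

def established_by(rows, pid):
    """Remote endpoints of ESTABLISHED connections owned by this PID."""
    return [r["remote"] for r in rows
            if r["state"] == "ESTABLISHED" and r["pid"] == pid]

def audit(rows, expected_ports):
    """Map each expected port to owning PIDs; an empty list means not listening."""
    return {port: listeners(rows, port) for port in expected_ports}

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE)
    for port, pids in audit(rows, [13000, 13292, 443, 13295]).items():
        print(port, pids or "NOT LISTENING")
    print("PID 3312 ->", established_by(rows, 3312))
```

Compare the returned PIDs with tasklist output to confirm that the expected service (for example klnagent.exe for TCP13000) owns the listener rather than another process.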