Ports, protocols, and firewall requirements

View the default and configurable firewall, port, and protocol requirements for Automation Anywhere deployment. View the default ports and protocols that are required to be allowed on customer's firewall for Automation Anywhere deployment. The default ports that are used for HTTP/HTTPS are configurable.

Add Automation Anywhere to the Windows Firewall exception list. Follow the steps as directed by Microsoft for your Windows version.
Allow communication from Automation Anywhere by adding it to the allowed list in firewall. Follow the steps in the firewall documentation of the operating system.
Configure the firewall rules and add the Control Room URLs to safe recipients list.
Configure the firewall rules to allow communication on the server or the firewall appliances that are configured in between, or add the Control Room URLs to the safe recipients list in firewall or end device browsers.

Refer to the following tables for lists of required ports and their use.

Control Room

Important: It is critical that communication between the Control Room servers is properly protected. The communication between Control Room servers contain security sensitive information. Therefore, in addition to allowing all the required communication directly between the Control Room cluster servers, you should block all the inbound traffic from hosts except for HTTP/HTTPS ports to communicate with the Control Room servers.


Protocol	Port	Usage	Clients
HTTP	80	HTTP	Web browsers
HTTPS	443	HTTPS and Web Socket	Web browsers
TCP/UDP	1234	ActiveMQ	Automation 360 Services
TCP	5672	Cluster Messaging	Automation 360 Services
TCP	47100 - 47200	Cluster Messaging and Caching	Automation 360 Services
TCP	47500 - 47598	Cluster Messaging and Caching	Automation 360 Services
HTTP	47599	Elasticsearch	Automation 360 Services
TCP	47600	Elasticsearch	Automation 360 Services
HTTP	4567	Control Room	Automation 360 Services
HTTP	4569 - 4571	Automation Co-Pilot for Business Users	Automation 360 Services
TCP	5800 - 5900	Automation Co-Pilot for Business Users	Automation 360 Services

Internal ports for localhost services

Note that the following internal ports are used for Automation 360 localhost services:


Port	Protocol
4567 - 4571	HTTPS REST
5678 - 5708	gRPC

Data center ports and protocols for Automation 360

Configure each of the data center components that are required for Control Room integration. In the image below, Control Room components are shown in orange and data center components provided by your organization are shown in blue.

Note: The arrows in the image indicates the combination of communicating hosts and does not indicate the direction of the establishing the connection.

Data center components labeled with port numbers for communications with Control Room

Default ports are listed for illustration purposes. Some ports can have alternative port numbers specified during Control Room installation. Some port numbers can be modified after Control Room installation. Active Directory ports are listed as an example of an enterprise identity management.

After the HTTP/HTTPS connection is established between the Control Room and Bot Agent, the communication will be bidirectional (inbound and outbound) using the WebSocket .

All three objects, the web browser, Bot Agent, and external applications communicate directly with the Control Room. A user logs into the Control Room through a browser, to do tasks, such as creating users, or bot related tasks, such as creating, deploying, and scheduling bots. Bot Agent establishes a connection with the Control Room on registration and keeps it alive in order to receive bot deployments from the Control Room. External applications talk to the Control Room directly through the Control Room APIs to perform tasks such as creating users or running bots.


Connection from	Connection to	Protocol	Port	Usage
Bot Agent	Load balancer or firewall, or both	HTTP and WebSocket	80 (TCP) Default	HTTP and WebSocket
Bot Agent	Load balancer or firewall, or both	HTTP and WebSocket	443 (TCP)	HTTP and WebSocket
Web Browser	Load balancer or firewall, or both	HTTP and WebSocket	80 (TCP)	HTTP and WebSocket
Web Browser	Load balancer or firewall, or both	HTTP and WebSocket	443 (TCP)	HTTP and WebSocket
Control Room services	Enterprise identity management (for example, Active Directory)	LDAP	389 (TCP)	User authentication
		LDAP SSL	636 (TCP)	User authentication
		LDAP global controller	3268 (TCP)	User authentication
		LDAP global controller SSL	3269 (TCP)	User authentication
		Kerberos	88 (TCP and UDP)	User authentication
Control Room services	File share with Microsoft Server Message Block (SMB)	SMB 2.0 or SMB 3.0	445 (TCP)	Repository file share access
Control Room services	Microsoft SQL database server	SQL	1433 (TCP) Configurable	Database access

Microsoft Azure supported data center elements


Data center object	Supported version	Configuration
Control Room operating system	Microsoft Windows Server 2012 and 2012 R2 Datacenter Microsoft Windows Server 2016 Standard and Datacenter Microsoft Windows Server 2019 Standard and Datacenter	IaaS
Identity management: Azure	Azure Active Directory	IDaaS Windows 2016 for IaaS
	Azure File Share with Server Message Block 2.0 and 3.0 (SMB) protocol	PaaS
	Azure Load Balancer (Not Application Gateway)	PaaS
	Azure SQL Database with single database (Microsoft SQL Azure (RTM) - 12.0.2000.8)	PaaS

Microsoft Azure security policy recommended ports


Data center object	Port	Protocol
Control Room	80 443	HTTP/HTTPS
LDAP	3268 3269	TCP (LDAPS - Secure TCP)
email SMTP	587	SMTP
SSH	22	TCP
RDP	3389	TCP

Google Cloud Platform security policy recommended ports


Data center object	Port	Protocol
Load balancer	80 443	HTTP HTTPS
Firewall	80 443 1433	HTTP HTTPS TCP
Microsoft SQL Server database	1433	TCP