This article lists the standard ports and protocols required for Therefore communication in both on-premises and Therefore Online environments, along with firewall rule recommendations.
Standard Windows Services Ports
| Service | Port(s) | Protocol | Direction | Scope | Notes |
|---|---|---|---|---|---|
| LDAP | 389 | TCP / UDP | Inbound & Outbound | Domain only | Used for Active Directory authentication |
| DCOM (EPMAP) | 135, 137, 139 | TCP / UDP | Inbound & Outbound | Domain only | Required for Windows RPC and service control |
| MS-SQL-S (SQL Server) | 1433 | TCP | Inbound (SQL Server) / Outbound (Clients) | Domain only | Required for database access |
| MICROSOFT-DS (SMB) | 445 | TCP | Inbound & Outbound | Domain only | File and printer sharing, Windows services |
| HTTP | 80 | TCP | Inbound (web servers) / Outbound (clients) | Domain & Internet | Used for web services and redirects |
| HTTPS | 443 | TCP | Inbound (web servers) / Outbound (clients) | Domain & Internet | Secure communication |
Therefore On-Premises Specific Ports
| Component | Port(s) | Protocol | Direction | Scope | Notes |
|---|---|---|---|---|---|
| XML Service | 8000 (default) | TCP | Inbound (server) / Outbound (clients) | Domain only | Client–server communication |
| MFP Manager – Web Service | 8372 | TCP | Inbound (server) / Outbound (MFP) | Domain only | Multifunction device communication |
| MFP Manager – File Transfer | 8373 | TCP | Inbound (server) / Outbound (MFP) | Domain only | Document upload from devices |
| Mobile Manager | 80 or 443 | TCP | Inbound (server) / Outbound (clients) | Domain & Internet (if mobile devices connect externally) | Mobile access |
Therefore Online Specific Ports
| Component | Port(s) | Protocol | Direction | Scope | Notes |
|---|---|---|---|---|---|
| XML Service | 443 | TCP | Outbound (client) | Internet (to Therefore Cloud) | HTTPS communication |
| MFP Manager – Web Service | 443 | TCP | Outbound (MFP) | Internet | Same port as XML Service |
| MFP Manager – File Transfer | 8091 | TCP | Outbound (MFP) | Internet | File upload to Therefore Cloud |
Firewall Rule Recommendations
- Domain scope only for internal services (LDAP, DCOM, SQL, SMB, XML Service, MFP Manager)
- Restrict to trusted subnets and servers
- Use “Domain profile” firewall rules where possible
- Internet scope only for HTTPS (443) and HTTP (80) where mobile or online services are required
- Restrict outbound access to official Therefore Online endpoints
- Inbound rules should be created only on servers hosting Therefore services (SQL, XML Service, MFP Manager, Mobile Manager)
- Clients typically only need outbound rules
- Outbound rules for clients and MFPs must allow access to the ports listed above (1433, 8000, 8372, 8373, 443, 8091)
- Harden security by:
  - Blocking ports from public profiles unless strictly required
  - Using IP whitelisting where possible for MFP devices and admin consoles
  - Enforcing TLS for 443 communications
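
The server-side recommendations above expressed as Windows Firewall rules, followed by a check for enabled rules that expose the same ports on the Public profile. This is an added example, not part of the original article or of Therefore's own tooling; the subnets and the rule-name prefix are constructed placeholders to replace with your own values.

```powershell
# Run in an elevated PowerShell session on the server hosting Therefore services.
# Assumptions (not from the article): subnet values and the rule-name prefix.
$TrustedClients = '10.10.20.0/24'   # constructed: workstation subnet
$TrustedMfps    = '10.10.30.0/24'   # constructed: multifunction device subnet
$Prefix         = 'Therefore'

# Inbound TCP ports from the on-premises table, each limited to the
# subnet that actually needs to reach it.
$rules = @(
    @{ Name = 'XML Service';                 Port = 8000; Remote = $TrustedClients }
    @{ Name = 'MFP Manager - Web Service';   Port = 8372; Remote = $TrustedMfps }
    @{ Name = 'MFP Manager - File Transfer'; Port = 8373; Remote = $TrustedMfps }
)

foreach ($r in $rules) {
    $name = "$Prefix - $($r.Name) (TCP $($r.Port))"
    # Skip creation if a rule with this name already exists (safe to re-run).
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Group $Prefix `
            -Direction Inbound -Action Allow -Protocol TCP `
            -LocalPort $r.Port -RemoteAddress $r.Remote `
            -Profile Domain | Out-Null   # Domain profile only, never Public
    }
}

# Audit: list enabled inbound allow rules that open any of these ports on the
# Public profile (or on all profiles). Port ranges and 'Any' are not expanded,
# so review broad rules separately.
$watch = $rules | ForEach-Object { "$($_.Port)" }
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { "$($_.Profile)" -match 'Any|Public' } |
    ForEach-Object {
        $pf  = $_ | Get-NetFirewallPortFilter
        $hit = @($pf.LocalPort) | Where-Object { $_ -in $watch }
        if ($pf.Protocol -eq 'TCP' -and $hit) {
            [pscustomobject]@{
                Rule    = $_.DisplayName
                Profile = $_.Profile
                Ports   = $hit -join ','
            }
        }
    }
```

An empty result from the audit means none of the three ports is reachable through a Public-profile rule; any row it prints is a rule to tighten or disable.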
Summary
- Therefore services rely almost exclusively on TCP
- UDP is only used by standard Microsoft services (LDAP, DCOM/NetBIOS)
- Internal communication should be scoped to domain networks
- Internet access should be limited to HTTPS (443) and special file transfer ports for Therefore Online
Applied to Versions: All Versions