Ports used on Security Gateway for SecureClient and Endpoint Connect
If Control Connections are enabled in SmartDashboard - Global Properties, then all of the following ports are opened automatically, except UDP 2746.
If Control Connections are disabled in SmartDashboard - Global Properties, then the following ports must be allowed explicitly in the rulebase.
UDP 259 - RDP (necessary only for MEP resolving and dynamic interface resolving)
TCP 264 - Topology download (was used by SecureClient)
TCP 443 - In Visitor Mode, all VPN traffic is tunneled through port 443
UDP 500 - IKE
TCP 500 - IKE over TCP
IP protocol 50 - ESP (the actual encrypted data; not necessary to allow this, if using UDP encapsulation)
UDP 2746 - UDP encapsulation (encapsulates IP protocol 50 ESP packets)
UDP 4500 - NAT-T port for industry standard UDP encapsulation
TCP 18231 - Policy Server login (seen on the network using SSL, if SecureClient/Endpoint Connect has an IP address in the VPN Domain; not necessary to open this port, if SecureClient/Endpoint Connect is not in the VPN Domain).
Ports used through the VPN tunnel:
TCP 18231 - Policy Server login (will be encrypted, if SecureClient IP address is not in the VPN Domain)
UDP 18233 - SCV update
UDP 18234 - Tunnel Test
Note: Endpoint Connect client, by default, will use port 443 to negotiate the tunnel, even if Visitor Mode is not selected. Refer to sk158334 and sk159372 for more information.
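The conditions attached to the gateway port list and the note above can be turned into a least-privilege check of the rulebase. The following is an added example, not Check Point code: the Deployment model, the "proto/port" strings and the sample rulebase are assumptions made for illustration, and it assumes all clients use the same encapsulation mode, so ESP is treated as needed only when neither UDP encapsulation is in use.

```python
from dataclasses import dataclass

# Every gateway-facing port on the list above, as hypothetical "proto/port" strings.
LISTED = {"udp/259", "tcp/264", "tcp/443", "udp/500", "tcp/500",
          "ip/50", "udp/2746", "udp/4500", "tcp/18231"}

@dataclass(frozen=True)
class Deployment:                     # hypothetical model, not a Check Point object
    control_connections: bool         # Control Connections in Global Properties
    secureclient: bool = False        # topology download on TCP 264
    endpoint_connect: bool = True     # negotiates on TCP 443 by default
    visitor_mode: bool = False        # all VPN traffic tunneled through TCP 443
    ike_over_tcp: bool = False
    udp_encap_2746: bool = True
    nat_t_4500: bool = False
    mep_or_dynamic_resolving: bool = False   # the only reason to need UDP 259
    client_in_vpn_domain: bool = False       # Policy Server login seen on the network

def ports_in_use(d):
    """Gateway-facing ports this deployment needs, per the list above."""
    ports = {"udp/500"}               # IKE
    if d.mep_or_dynamic_resolving: ports.add("udp/259")
    if d.secureclient: ports.add("tcp/264")
    if d.visitor_mode or d.endpoint_connect: ports.add("tcp/443")
    if d.ike_over_tcp: ports.add("tcp/500")
    if d.udp_encap_2746: ports.add("udp/2746")
    if d.nat_t_4500: ports.add("udp/4500")
    if not (d.udp_encap_2746 or d.nat_t_4500): ports.add("ip/50")  # raw ESP
    if d.client_in_vpn_domain: ports.add("tcp/18231")
    return ports

def explicit_rules_needed(d):
    """Ports that must be allowed explicitly in the rulebase."""
    used = ports_in_use(d)
    # With Control Connections enabled, everything except UDP 2746 opens automatically.
    return used & {"udp/2746"} if d.control_connections else used

def audit(d, rulebase):
    """Return (missing, surplus): rules to add, and listed ports allowed without need."""
    missing = explicit_rules_needed(d) - rulebase
    surplus = (rulebase & LISTED) - ports_in_use(d)
    return sorted(missing), sorted(surplus)

if __name__ == "__main__":
    legacy = Deployment(control_connections=False, secureclient=True,
                        endpoint_connect=False, udp_encap_2746=False,
                        client_in_vpn_domain=True)
    constructed_rulebase = {"udp/500", "tcp/264", "tcp/443"}   # constructed sample
    print(audit(legacy, constructed_rulebase))
```

The ports used through the VPN tunnel (TCP 18231, UDP 18233, UDP 18234) are outside this check, since they are carried inside the tunnel.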
See also: sk52421 (Ports used by Check Point software).