Ports used on Security Gateway for SecureClient and Endpoint Connect
If Control Connections are enabled in SmartDashboard - Global Properties, then all of the following ports are opened automatically, except UDP 2746.
If Control Connections are disabled in SmartDashboard - Global Properties, then the following ports must be allowed explicitly in the rulebase.
UDP 259 - RDP (necessary only for MEP resolving and dynamic interface resolving)
TCP 264 - Topology download was used by SecureClient
TCP 443 - In Visitor Mode, all VPN traffic is tunneled through port 443
UDP 500 - IKE
TCP 500 - IKE over TCP
IP protocol 50 - ESP (the actual encrypted data; not necessary to allow this, if using UDP encapsulation)
UDP 2746 - UDP encapsulation (encapsulates IP protocol 50 ESP packets)
UDP 4500 - NAT-T port for industry standard UDP encapsulation
TCP 18231 - Policy Server login (seen on the network using SSL, if SecureClient/Endpoint Connect has an IP address in the VPN Domain; Not necessary to open this port, if SecureClient/Endpoint Connect is not in the VPN Domain).
Ports used through the VPN tunnel:
TCP 18231 - Policy Server login (will be encrypted, if SecureClient IP address is not in the VPN Domain)
UDP 18233 - SCV update
UDP 18234 - Tunnel Test
Endpoint Connect client, by default, will use port 443 to negotiate the tunnel, even if Visitor Mode is not selected.
sk52421 (Ports used by Check Point software).