Documentation for SolarWinds Service Desk

Scans

Introduction

Whether you connect SolarWinds Service Desk (SWSD) via SCCM, router, vCenter, or another connection method, the list below shows all ports that can be scanned by default. You can customize the list to suit your organizational needs.

Default Ports Scanned via Nmap

General Description
7 Ping, Echo Protocol
161 SNMP
162 SNMP
Servers/Service
20 File Transfer Protocol (FTP) data transfer
21 File Transfer Protocol (FTP) control (command)
26 Port used by RSFTP - a simple FTP-like protocol.
25 Simple Mail Transfer Protocol (SMTP), used for email routing between mail servers
37 Time Protocol[25]
53 Domain Name System (DNS)[34][10]
80 Hypertext Transfer Protocol (HTTP)[10][46][47][48]
106 Allows passwords to be changed on POP servers
110 Post Office Protocol, version 3 (POP3)[10][60][61]
119 Network News Transfer Protocol (NNTP),[10] retrieval of newsgroup messages[65][66]
389 Lightweight Directory Access Protocol (LDAP)[10]
465 Authenticated SMTP[10] over TLS/SSL (SMTPS)[86]
514 Syslog,[10] used for system logging
587 email message submission[10][89] (SMTP)
990 FTPS Protocol (control), FTP over TLS/SSL
995 Post Office Protocol 3 over TLS/SSL (POP3S)[10]
143-144 Internet Message Access Protocol (IMAP),[10] management of electronic mail messages on a server[70]
2049 Network File System (NFS)
2121 FTP Proxy
8008-8009 Alternative port for HTTP. See also ports 80 and 8080.
8080-8081 Alternative port for HTTP. See also ports 80 and 8008.
Host/Access
22 Secure Shell (SSH),[10] secure logins, file transfers (scp, sftp) and port forwarding
23 Telnet protocol—unencrypted text communications[10][23]
88 Kerberos[10][51][52] authentication system
111 Open Network Computing Remote Procedure Call (ONC RPC, sometimes referred to as Sun RPC)
513 rlogin
Microsoft
135 Microsoft EPMAP (End Point Mapper), also known as DCE/RPC Locator service,[67] used to remotely manage services including DHCP server, DNS server and WINS. Also used by DCOM.
137 NetBIOS Name Service, used for name registration and resolution
138 NetBIOS Datagram Service
139 NetBIOS Session Service[68][69]
445 Microsoft-DS (Directory Services) SMB[10] file sharing
1688 Microsoft Key Management Service (KMS) for Windows Activation
3020 Common Internet File System (CIFS). See also port 445 for Server Message Block (SMB), a dialect of CIFS.
5061 Microsoft Terminal Server (RDP) officially registered as Windows Based Terminal (WBT)
555 Web Services for Devices (WSDAPI) (only provided by Windows Vista, Windows 7 and Server 2008)
Printers
515 Line Printer Daemon (LPD),[10] print service
631 Common Unix Printing System (CUPS) administration console (extension to IPP)
Routing & Network
179 Border Gateway Protocol (BGP),[77] used to exchange routing and reachability information among autonomous systems (AS) on the internet
465 URL Rendezvous Directory for SSM (Cisco protocol)[importance?]
520 Routing Information Protocol (RIP)
646 Label Distribution Protocol (LDP), a routing protocol used in MPLS networks
711 Cisco Tag Distribution Protocol—being replaced by the MPLS Label Distribution Protocol
830 Netconf
1293 Internet Protocol Security (IPSec)
1701 Layer 2 Tunneling Protocol (L2TP)
1707 L2TP/IPsec, for establishing an initial connection
1723 Point-to-Point Tunneling Protocol (PPTP)[10]
VoIP & Media
554 Real Time Streaming Protocol (RTSP)[10]
1720 H.323 call signaling
1755 Microsoft Media Services (MMS, ms-streaming)
2000-2001 Cisco Skinny
2427 Media Gateway Control Protocol (MGCP) media gateway
5060 Session Initiation Protocol (SIP)
5061 Session Initiation Protocol (SIP) over TLS
7070 Real Time Streaming Protocol (RTSP), used by QuickTime Streaming Server. TCP is used by default, UDP is used as an alternate.
DB
1521 Oracle SQL Net Listener
1433 Microsoft SQL Server database management system (MSSQL) server
1434 Microsoft SQL Server database management system (MSSQL) monitor
2483 Oracle database listening for insecure client connections to the listener, replaces port 1521
2484 Oracle database listening for SSL client connections to the listener
3306 MySQL database system
5432 PostgreSQL database system
8000 DynamoDB Local
Misc
9 Discard Protocol[12]
13 Daytime Protocol[16]
26 Port used by RSFTP - a simple FTP-like protocol.
79 Finger protocol[10][44][45]
81 TorPark onion routing[verification needed]
113 Ident, authentication service/identification protocol,[10][62] used by IRC servers to identify users
199 SNMP Unix Multiplexer (SMUX)[79]
427 Service Location Protocol (SLP)[10]
443 Hypertext Transfer Protocol over TLS/SSL (HTTPS)[10]
444 Simple Network Paging Protocol (SNPP), RFC 1568
543-544 klogin, Kerberos login
548 Apple Filing Protocol (AFP) over TCP[10]
873 rsync file synchronization protocol
993 Internet Message Access Protocol over TLS/SSL (IMAPS)[10]
1025-1029 Ports > 1024 are designated for dynamic allocation by Windows
1110 nfsd-status, Cluster status info
1900 Simple Service Discovery Protocol (SSDP),[10] discovery of UPnP devices
2717 PN REQUESTER
3000 In use by multiple applications
3128 Squid caching web proxy
3986 mapper-ws_ethd, MAPPER workstation server
4899 Radmin (Fama Tech) - remote administration of PCs
5000 UPnP—Windows network device interoperability
5009 Apple AirPort Admin Utility, AirPort Express Assistant, Xwis (TCP/UDP)
5051 ita-agent Symantec Intruder Alert
5101 Yahoo Messenger P2P Instant Messages
5190 AOL Instant Messenger protocol. The chat app is defunct as of 15 December 2017.
5631 pcANYWHEREdata, Symantec pcAnywhere (version 7.52 and later[219])[220] data
5666 NRPE (Nagios)
5800 VNC Remote Frame Buffer RFB protocol over HTTP
5900 Virtual Network Computing (VNC) Remote Frame Buffer RFB protocol
6000-6001 X11—used between an X client and server over the network
6646 McAfee Network Agent (unofficial)
8443 Apache Tomcat SSL
8888 HyperVM over HTTPS[citation needed]
9100 PDL Data Stream, used for printing to certain network printers
9999-10000 In use by multiple applications
32768 Red Hat, first ports typically used for outgoing connections by some Linux distros like Red Hat
49152-49157 Linux commonly used by applications that utilize a dynamic/random/configurable port

Next scheduled scan and run scan on demand

From the All Connections index page, when you select a connection you are routed to a screen that provides detailed information for that connection. In the top right corner, you can see the time and date of the next scheduled scan. From there, you can choose to run a scan on demand or activate and deactivate the scan via the status pill.

Last Scan Report

You can pull the Last Scan Report at any time to get a real-time view of the current status of your infrastructure.

The report, displayed on the right pane, includes the Scanned Device per Type. To better understand the details provided, we have included the table below.

Status Description
Scanned Devices

Total scanned devices per Connection:

  • SCCM - Number of hosts in the database
  • Router - Based on the ARP table size
  • vCenter - Number of hosts in the database
  • Subnet - Subnet size
  • SolarWinds Platform nodes Discovery
  • AWS Cloud Discovery
  • Azure Cloud Discovery
  • Jamf Cloud Discovery
Devices Updated Any change in device information, when compared to the previous scan, leads to a database update.
New Devices Detected Any device that has responded to a ping request for the first time.
Responded Devices

Total number of devices recognized as active:

  • Subnet - Number of devices Nmap has identified as active
  • Router - Based on the ARP table size
  • SCCM - Number of hosts in the database
  • vCenter - Number of hosts in the database
Discarded Devices

An IP address alone is not a sufficient factor to uniquely identify an asset. Therefore, the discovery process will discard any asset that does not possess a unique identifier, such as a MAC address or serial number.

In cases where a MAC address is not detected by the scanner, there are multiple options to provide clarity:

  • Provide additional credentials, such as WMI, SNMP, or other credentials.
  • Locate the scanner on the same physical subnet.
  • Provide an SNMP credential for the router to allow the import of the ARP table.
Skipped Devices

Devices that have not been reported for one of the following reasons:

  • There is an agent installed on the host. The device is already recorded.
  • The device has already been detected, scanned, and reported on by another mechanism (for example, SCCM).

Intune

In addition to the table above, you are able to pull fields from your mobile devices via Intune, which is a part of Microsoft Endpoint Manager. Below is a list of data pulled:

  • Owner
  • Manufacturer
  • OS Version
  • Serial Number
  • IMEI Number
  • IP Address
  • Wi-Fi MAC
  • ICCID
  • App List

See Intune configuration for instructions on integrating Intune with SWSD.

Data collection via WMI

Windows Management Instrumentation (WMI) provides the ability to obtain management data from remote computers in an enterprise environment operating on Windows OS. This is accomplished via remote WMI connections made through Distributed Component Object Model (DCOM).

If you want to use WMI, use User and Password on a subnet connection.

Address security measures

The security measures below must be addressed to ensure proper access to data.

  1. Ensure firewall allows WMI access.

  2. Disable UAC filter by following these steps:

    1. Navigate to Start.

    2. Type: firewall

    3. Select Allow a program through Windows Firewall.

    4. Select Change settings.

    5. Select Windows Management Instrumentation (WMI), and then click OK.

  3. If it is necessary to allow for a specific user:

    1. Run wmimgmt.msc.

    2. Right-click WMI Control (local).

    3. Select Properties > Security tab > click Security > Add.

    4. Type the name of the user into Enter the object names to select.

    5. Click Check names, and then click OK.

    6. Click Advanced.

    7. Double-click the specific user.

    8. For Applied to select This namespace and subnamespaces.

    9. Select both:

      • Remote Enable
      • Execute Methods
    10. Run net localgroup "Distributed COM Users" USERNAME /add

    11. Replace USERNAME with the account name (for example, IE11WIN10\IEUser).
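
To confirm on the scanned host that the steps above took effect for the discovery account, and that it holds only the two WMI rights listed, the following is an added example (not SolarWinds code). It assumes Windows PowerShell 5.1 run elevated, that the permissions apply to the root\cimv2 namespace, and that the rights were granted to the account directly rather than through a group; the account name is the example from step 11.

```powershell
# Added example (not SolarWinds code). Run elevated on the scanned Windows host.
param(
    [string]$Account   = 'IE11WIN10\IEUser',   # example account from the steps above
    [string]$Namespace = 'root/cimv2'          # assumption: namespace the scan reads
)

# WMI namespace access-right bits, as shown in the WMI Control security dialog.
$ExecuteMethods = 0x2     # "Execute Methods"
$RemoteEnable   = 0x20    # "Remote Enable"

# Steps 1-2: at least one inbound rule in the WMI firewall group is enabled.
$wmiRules = @(Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' `
        -ErrorAction SilentlyContinue |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' })

# Steps 3.1-3.9: combine the allow ACEs granted directly to the account.
# Rights inherited through a group membership are not counted here.
$domain, $user = $Account -split '\\', 2
$sd = (Invoke-CimMethod -Namespace $Namespace -ClassName '__SystemSecurity' `
        -MethodName 'GetSecurityDescriptor').Descriptor
$mask = 0
foreach ($ace in $sd.DACL) {
    $isAccount = $ace.Trustee.Name -eq $user -and $ace.Trustee.Domain -eq $domain
    if ($isAccount -and $ace.AceType -eq 0) {      # 0 = access allowed
        $mask = $mask -bor $ace.AccessMask
    }
}

# Step 3.10: membership in the local "Distributed COM Users" group.
$dcom = @(Get-LocalGroupMember -Group 'Distributed COM Users' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq $Account })

# One row per host; every Boolean should be True after the procedure.
[pscustomobject]@{
    Account             = $Account
    FirewallWmiInbound  = $wmiRules.Count -gt 0
    RemoteEnable        = [bool]($mask -band $RemoteEnable)
    ExecuteMethods      = [bool]($mask -band $ExecuteMethods)
    DistributedComUsers = $dcom.Count -gt 0
    AccessMaskHex       = '0x{0:X}' -f $mask   # review any bits beyond 0x22
}
```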

Credentials for Discovery

SolarWinds recommends using credentials for your scanner connections. To obtain the most information, you must include credentials to allow the scanner access to the connected devices. 

Scanning without credentials

The amount of information gathered without the use of credentials is limited. The information gathered without credentials includes:

  • IP address
  • MAC address
  • Operating system
  • Host name
  • Open ports (services)

Scanning with credentials

By including credentials to allow the Discover Scanner access to connected devices, you can ensure that you collect the most information possible. The table below lists the credentials that require access to the scanned asset.

Credential Destination port
SNMP UDP port 161
SSH TCP port 22
WMI TCP port 135

The table below provides a detailed description of what is supported along with the network information you need to provide for maximum asset information.

Credential type Network information needed
SNMP Credentials V3

When you select V2, you must include the Name and Community string. 
SNMPv3 requires further details. With this selection you will provide a Name*, Description, Username*, Authentication Protocol, Authentication Key*, Privacy Protocol, and Privacy Key*.

SSH Credentials Key When you select this credential type you must provide Name*, Description, Username*, and SSH Private Key* to receive greater visibility into the subnet.
SSH Credentials (username and password) When you select this credential type you must provide Name*, Description, Username*, and Password*
* Reflects required fields

Although it is not mandatory, SolarWinds highly recommends providing a description so you can better understand your network.
