Network specifications and routes

The following overview shows the ports and protocols required to run TightGate-Pro on a network.

The internal firewall (packet filter or Layer 3 switch) must be provided by the operator. The internal firewall required by PP 0040 ReCoBS also enforces these conditions in the event of a software error in TightGate-Pro (CC) Version 1.4 Client.


Note on TightGate-Pro (CC) Version 1.4 Client: The PulseAudio daemon installed with TightGate-Pro (CC) Version 1.4 Client has a reduced feature set that includes only the necessary components. Potentially dangerous modules, such as a microphone controller, are not included. Remote configuration of the daemon is not possible. Furthermore, the audio daemon is only started together with the user session and is terminated when the session ends. These characteristics of the audio system, together with the connection selectivity of the client described above, prevent the audio channel from becoming a potential vulnerability. The audio channel is to be regarded as part of the function-specific protocol between TightGate-Pro Server or TightGate-Pro (CC) Version 1.4 Server and the respective client, which is an essential component of the dedicated ReCoBS.

In TightGate-Pro (CC) Version 1.4 Server, audio support is disabled by default and can be enabled via the configuration option config > Settings > Audio Support.

TightGate-Pro and TightGate-Pro (CC) Version 1.4 servers are designed to operate in a demilitarized zone (DMZ). It must be ensured that client computers in the internal network connect to TightGate-Pro or TightGate-Pro (CC) Version 1.4 only via the intended ports. Furthermore, direct Internet access that bypasses TightGate-Pro / TightGate-Pro (CC) Version 1.4 must be prevented by suitable firewalls or packet filters.

Connection paths that are not strictly necessary for the proper operation of TightGate-Pro are marked as "optional" and should be deactivated if the functionality they provide is not required.

For UDP connections, the corresponding UDP response packets in the opposite direction must also be released.

| Sender | Destination | Protocol | Port(s) | Comment | Optional |
|---|---|---|---|---|---|
| TightGate-Pro | Internet | TCP | 80, 443 or specific proxy port | Access for HTTP(S) connections to the Internet. If an upstream proxy is used, the connection to the proxy has to be released. | |
| TightGate-Pro | m-privacy GmbH update servers | TCP | 22 | Access to the update servers of m-privacy GmbH | |
| TightGate-Pro | Internet | TCP | 1935 | Some media streams require direct Internet access to port 1935, because otherwise they cannot be played. This port is to be released at the firewall to the Internet for TightGate-Pro. | |
| TightGate-Pro | specific | UDP | 123 | Requests to time server | X |
| TightGate-Pro | specific | TCP + UDP | 53 | Requests to nameserver | X |
| TightGate-Pro | specific | TCP | 25 | Further releases are required if e-mail services are to be used via TightGate-Pro: POP3: 110, POP3/SSL: 995, IMAP4: 143, IMAP4/SSL: 993 | |
| TightGate-Pro | specific | TCP + UDP | 88 | Communication with Active Directory | X |
| TightGate-Pro | specific | | | Communication with Active Directory (LDAP / LDAPS) | |
| TightGate-Pro | specific | | | Requests to determine the global catalog | |
| TightGate-Pro | specific | TCP | 21, 22 | Direct access to server via FTP, SFTP/SSH | X |
| TightGate-Pro | specific | TCP + UDP | 514 (configurable) | Configurable ports for sending syslog messages to central syslog servers (Syslog / RELP) | X |
| TightGate-Pro | specific | | 3389, 1494, 80, 443 | RDP or Citrix server, inbound and outbound | X |
| Sender | Destination | Protocol | Port(s) | Comment | Optional |
|---|---|---|---|---|---|
| Workstation PC | TightGate-Pro | TCP | 5900 | TLS-encrypted connection of the TightGate-Viewer to TightGate-Pro. | |
| Workstation PC | TightGate-Pro | TCP | 22 | SFTP: encrypted connection for using the file transfer of TightGate-Pro. 1) | X |
| Sender | Destination | Protocol | Port(s) | Comment | Optional |
|---|---|---|---|---|---|
| Internal DNS service | TightGate-Pro cluster system | UDP | 53 | These ports only need to be released if a TightGate-Pro cluster is used. | X |
| | TightGate-Pro | UDP | 161 | SNMP requests | X |
| NRPE monitoring (Nagios) | TightGate-Pro | TCP + UDP | 5666 | Access from ZenTiV or other Nagios-based monitoring systems | X |

1) Not available with TightGate-Pro (CC) Version 1.4.
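The tables above describe the policy the operator-provided internal firewall has to enforce: workstations reach TightGate-Pro only on the intended ports, nothing in the internal network reaches the Internet directly, and TightGate-Pro itself gets only the listed outbound paths. As an added illustration (not part of this documentation and not code from m-privacy GmbH), the following nftables ruleset implements that policy on a Linux packet filter sitting between the workstation LAN and the DMZ. All addresses are assumptions chosen for the example (10.0.0.0/24 as the workstation LAN, 192.0.2.10 as TightGate-Pro, and placeholders for the DNS, time, update and monitoring hosts); the ports are the ones from the tables, and the optional rows are marked so they can be removed when the function is not used.

```nft
#!/usr/sbin/nft -f
# Added example, not from the TightGate-Pro documentation. Assumed addresses:
#   10.0.0.0/24   workstation LAN (internal network)
#   192.0.2.10    TightGate-Pro server in the DMZ
#   192.0.2.53    internal DNS service (only relevant for a cluster setup)
#   192.0.2.60    Nagios/NRPE monitoring host
#   10.0.1.5      time server, 10.0.1.6 name server
#   203.0.113.0/24 placeholder for the m-privacy GmbH update servers
define lan        = 10.0.0.0/24
define tgpro      = 192.0.2.10
define monitoring = 192.0.2.60
define ntp_server = 10.0.1.5
define dns_server = 10.0.1.6
define update_srv = 203.0.113.0/24   # placeholder, replace with the real update server range

flush ruleset

table inet recobs_filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic of already permitted flows. Connection tracking covers
        # the UDP response packets that must be allowed in the opposite direction.
        ct state established,related accept
        ct state invalid drop

        # Workstation PC -> TightGate-Pro: TightGate-Viewer (TLS, port 5900) and,
        # optionally, the SFTP file transfer (port 22).
        ip saddr $lan ip daddr $tgpro tcp dport 5900 accept
        ip saddr $lan ip daddr $tgpro tcp dport 22 accept      # optional

        # Anything else from the LAN would bypass TightGate-Pro: drop it and log it
        # so bypass attempts are visible to the operator.
        ip saddr $lan log prefix "recobs-bypass-attempt: " drop

        # TightGate-Pro -> Internet: HTTP(S) (or the proxy port if an upstream
        # proxy is used), the update servers, and optionally port 1935 for media.
        ip saddr $tgpro ip daddr != $lan tcp dport { 80, 443 } accept
        ip saddr $tgpro ip daddr $update_srv tcp dport 22 accept
        ip saddr $tgpro ip daddr != $lan tcp dport 1935 accept # optional

        # TightGate-Pro -> internal infrastructure (optional rows of the table).
        ip saddr $tgpro ip daddr $ntp_server udp dport 123 accept
        ip saddr $tgpro ip daddr $dns_server udp dport 53 accept
        ip saddr $tgpro ip daddr $dns_server tcp dport 53 accept

        # Monitoring -> TightGate-Pro: SNMP and NRPE (optional rows of the table).
        ip saddr $monitoring ip daddr $tgpro udp dport 161 accept
        ip saddr $monitoring ip daddr $tgpro udp dport 5666 accept
        ip saddr $monitoring ip daddr $tgpro tcp dport 5666 accept
    }
}
```

The default `policy drop` on the forward chain is what turns the table into an allow-list: every row that is not in use simply stays absent, and the logged drop rule for the LAN gives a detection point for workstations that try to reach the Internet around the ReCoBS. Before loading, `nft -c -f <file>` checks the syntax without changing the running ruleset.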