This article outlines the required ports and provides methods for verifying that Teramind servers and hosts are reachable through your firewall and network configuration.
Note: If testing connectivity within a VPN environment, ensure the VPN is active during the testing process to simulate real-world conditions.
Required Ports and Protocols
Teramind requires the following ports to be accessible through your firewall for the Agent and Master Server to communicate effectively.
Port(s) | Protocol | Purpose | Deployment Notes |
443 | TCP | Used by the Agent to connect to the Master Server. Handles pings, command delivery (troubleshooting, updates), and WebSocket traffic for video recording (async/offline). | Standard for all deployments. Can also be used for the Management Interface. |
80 | TCP | Standard HTTP port for Agent deployment and updates. | Ensure this is open if encountering issues with your self-generated SSL certificate. |
10000 | Proprietary (TLS) | Communication of monitoring configuration and non-video monitoring data between the Agent and Master Server. | On-Premises only (single-node setup). Ports can be assigned separately from the server's settings. |
10000-11000 | TCP | Agent connection to App Server Nodes. | On-Premises only (multi-node setup). |
1000-65535 | UDP | Transmitting audio recording data from the Agent to the Server. | Required if audio recording is enabled. |
OCR Ports: 443, 5432, 9200, 42001, 50051 | Varies | Required for Optical Character Recognition (OCR). Check IPs/ports on the Server settings screen. | On-Premises only. Must be open among Master, OCR database, and OCR mining nodes. |
5985 / 5986 | TCP | Default WinRM ports used when remotely deploying the Agent. 5985 for HTTP, 5986 for HTTPS. | On-Premises only. |
6379 | TCP | Used by Redis on the Master Node. | Required for application nodes to reach the Master Node. |
Other Ports: 389, 465, 111, 2049, etc. | Varies | Ports for integration services: such as LDAP 389 for Active Directory, TCP 465 for SMTP (emails), and TCP 111, 2049 if you are using the NFS service. | Some of these ports are configurable from their respective settings screens on the Dashboard. |
Locating Server Addresses and Ports
Before testing, locate the specific server IPs or hostnames required for your deployment.
Cloud Deployment
The server address and port information is available in the My Account screen, under the Server & Port section:
On-Premise Deployment
Server and port configurations can be viewed and configured on the Dashboard:
Configurations > Settings > Server: To view IPs assigned to various nodes (e.g., OCR, BI) and set management interface ports.
Configurations > Settings > Active Directory: For LDAP hosts/IPs/ports.
Configurations > Settings > SMTP: For SMTP email server and port.
Connectivity Testing Methods
Use one of the following methods to check port reachability from the endpoint (Agent machine) to the Teramind server. If the tests fail, consider troubleshooting steps such as verifying proxy settings, ensuring VPN configurations allow required ports, and excluding Teramind traffic from SSL inspection.
Note: If testing connectivity within a VPN environment, make sure the VPN is active during the testing process to simulate real-world network conditions.
Using the Telnet Client
The Telnet Client must be installed on your Windows machine before use.
In case you never used a Telnet Client before, there are many articles online that shows you how to install and use it.
Cloud Deployments
telnet www.teramind.co 443
telnet rt.teramind.co 443
telnet <serverIP> <port>
For VPN testing, you may use the specific IPs or server names provided in your Teramind account, such as 129.159.72.2 or 141.147.53.206.
The server address and port information is available in the My Account screen, under the Server & Port section:
On-Premise Deployment
telnet <serverIP or hostname> 443
telnet <serverIP or hostname> 10000
Additionally, if you are deploying within a VPN setup, ensure key servers such as 141.147.53.206 and ports like 12316 are reachable to confirm functionality.
You can find your <serverIP or hostname> from the Configurations > Settings > Security screen:
In both cases, if you see a message like the one below, it means service is not running, port is closed by your firewall or there're some networking issues:
telnet: Unable to connect to remote host: Connection refused
Using the Windows PowerShell
This is the recommended method for modern Windows systems. Find more information on Microsoft PowerShell Documentation.
The syntax for PowerShell is:
Test-NetConnection -Computername <serverIP or hostname> -Port <port>
For example:
Test-NetConnection -ComputerName www.acme.com -Port 443
Check the Telnet Client section above to find out where you can find the <serverIP or hostname> and <port>.
When a service is running and a port is open you'll see something like:
>Test-NetConnection -ComputerName www.acme.com -Port 443
ComputerName : www.acme.com
RemoteAddress : 92.122.110.37
RemotePort : 443
InterfaceAlias : Ethernet
SourceAddress : 192.168.0.180
TcpTestSucceeded : True
And when service isn't running or port is closed, you will see a warning message like this:
>Test-NetConnection -ComputerName www.acme.com -Port 10000
WARNING: TCP connect to (92.122.110.37 : 10000) failed
ComputerName : www.acme.com
RemoteAddress : 92.122.110.37
RemotePort : 10000
InterfaceAlias : Ethernet<
SourceAddress : 192.168.0.180
PingSucceeded : True
PingReplyDetails (RTT) : 14 ms
TcpTestSucceeded : False
PowerShell is a task automation and configuration management framework from Microsoft. You can find more information about it on Microsoft PowerShell Documentation.
Using the Curl tool
Use curl to test connectivity for web-based services. The --insecure flag can be used if you are troubleshooting SSL certificate issues.
You can use the following syntax for Curl:
curl --insecure https://<serverIP or hostname>:<port> -verbose
For example:
curl --insecure https:85/195/72/201:15984 -verbose
If the connection is successful, the command will return something like the following result:
MacOS
Using Netcat
For Unix-like operating systems, the nc (Netcat) utility is highly effective for port checking.
The syntax for Netcat is:
nc -zv <serverIP or hostname> <port>
For example:
nc -zv 192.168.1.100 10000
Using Other Clients
You can also use Telnet or something like nmap.
Troubleshooting Connectivity Issues with the Teramind Agent
Website/Application Loading Issues
Why Websites May Fail to Load
The Teramind Agent uses an SSL certificate to inspect web traffic, enabling it to monitor activity on webpages. In rare cases, this SSL injection can interfere with how certain websites establish secure connections, causing them not to load.
Troubleshooting Steps
Verify whether the issue occurs only when the Teramind Agent is enabled.
If the problem persists, consider temporarily disabling SSL inspection for the affected websites. You can use the Don't monitor web traffic for these IPs option under the Advanced monitoring settings to disable SSL inspection for IPs/domains.
Contact your network administrator to ensure that the SSL injection process is not conflicting with the website's security protocols.
Agent Connection/Disconnection Problems
Why the Agent May Not Report to the Server
If the Teramind agent is running but not reporting to the server, it may be due to network blocking, proxy settings, or SSL inspection issues. Common error messages in the Agent Connectivity Log include the following:
Router query result: NetworkError … port: 0Auth failed, code: CLIENT_AUTH_NETWORK_ERROR
Check out this article to learn how to collect the Agent logs.
Troubleshooting Steps
1. Check Network Ports
Ensure the following ports are open end-to-end:
Port 443: Used for the initial connection to the router/service discovery.
Port 10000: Used for the connection to the Application Server.
2. Test Connectivity
Use a tool like telnet to test reachability from the endpoint:
telnet [SERVER_HOSTNAME] 443telnet [SERVER_HOSTNAME] 10000
Replace [SERVER_HOSTNAME] with your Teramind router / app server hostname (e.g. acme.teramind.co, 10.52.33.1, etc).
If the screen goes blank (connected), it means the ports are reachable. If you get a “Could not open connection”, it means the traffic is blocked or misrouted.
3. Inspect Proxy Settings
A. Temporarily Disable System Proxy
Windows: Settings → Network & Internet → Proxy → turn “Use a proxy server” Off (and optionally “Automatically detect settings” Off), then retest the Agent.
macOS: System Settings (or System Preferences) → Network → select active network → Details/Advanced → Proxies → uncheck all enabled proxies (HTTP/HTTPS/SOCKS, etc.), click OK and Apply, then retest the Agent.
If the Agent connects without the system proxy, then either the proxy itself is blocking traffic/WebSockets, or the Agent needs explicit proxy configuration (see below).
B. Configure Teramind Agent proxy
You can set HTTP / SOCKS proxies with custom installation/configuration parameters:
4. Check VPN Configuration
If using a VPN, ensure that routes/IPs and ports 443 and 10000 are allowed over the tunnel.
5. Exclude Teramind Traffic from SSL Inspection / DNS Filtering
If you have SSL inspection or DNS filtering (e.g., firewall, proxy, web gateway), add Teramind domains and IPs to the bypass / allow list. For Cloud deployments, this will be something like acme.teramind.co. For On‑Premises/Private Cloud deployments, it will be the IP/hostname of your Teramind router and app server.
Also exclude Teramind from SSL/TLS inspection specifically, so that the gateway does not break or MITM the TLS handshake between Agent and server.
6. Verify the Agent Configuration
A. Check the Agent Configuration File
Check in particular:
Instance: For Cloud deployment, this should be the first part of your instance’s URL. E.g., if your instance URL is
https://acme.teramind.co, the instance isacme. For On‑premises/Private Cloud deployments, this should beonsiteor a custom instance you set by the-iinstallation parameter orinstanceconfiguration file parameter.Router: For Cloud deployments, this should be
rt.teramind.co. For On‑Premises/Private Cloud deployments, this is the value you set by the-rinstallation parameter orrouterconfiguration file parameter.
Correct any wrong values, save the file, then restart the Agent service (next step).
For more information, check out the Agent Installation/Configuration sections in System > Download Agent.
B. Restart the Agent Service
Restart the Agent service for any changes to take effect.