What This Port Does
Port 2475 is assigned by IANA to two related services:
- ace-server (TCP and UDP) — the RSA ACE Server authentication service
- ace-svr-prop (TCP) — ACE Server Propagation, used to replicate authentication data between servers
Both belong to RSA Security's ACE/Server product, the backend of the RSA SecurID two-factor authentication system.1
What ACE Server Is
ACE stands for Access Control Engine. It's the server-side component that validates SecurID authentication requests.
The SecurID system works like this: a user carries a token — a small hardware fob, a software app, or a card — that displays a six-digit code refreshed every 60 seconds. To log in, the user enters their PIN plus the current code. The ACE Server receives that combination, checks it against the expected value (derived from the token's unique seed), and returns an accept or deny.
What made this system notable was the math. Each token is initialized with a unique 128-bit secret seed. The code displayed at any moment is computed from that seed plus the current time. The server knows the seed. An attacker intercepting your code gets a number that expires before they can type it anywhere useful.2
RSA ACE/Server was eventually renamed RSA Authentication Manager. It remained one of the most widely deployed enterprise authentication products for decades.
Port Landscape
The port most commonly associated with SecurID in firewall documentation is UDP 5500 — that's the port clients use to send authentication requests to the ACE Server.3 Port 2475 covers a different layer: the server-to-server communication for propagation, and the primary service registration itself.
If you see traffic on port 2475 in an enterprise environment, it's likely authentication infrastructure — either a legacy RSA deployment or something that chose to use this IANA-assigned slot.
The 2011 Breach
RSA SecurID's most famous moment was its own compromise. In March 2011, attackers breached RSA Security and stole the database of token seed values — the secret numbers that make every token in the world work.4
The practical consequence: an attacker who knew your stolen seed and intercepted your current code could impersonate you before the token cycled. Months later, those stolen seeds were used in an attack against Lockheed Martin. The authentication system built to protect corporate networks had its foundation quietly removed.
RSA eventually replaced tokens for affected customers. It remains one of the more instructive cases of supply-chain security failure — not the client, not the network, but the trust anchor itself.
Checking What's on This Port
If port 2475 shows activity on a system you manage:
Linux/macOS:
Windows:
Then cross-reference the process ID against Task Manager or tasklist to identify what's running.
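One way to run this check on Linux, as an added example that is not from the original page: it filters `ss -H -tulnp` output for port 2475 and the related ports mentioned here (5500, 1812), and notes whether each listener is bound to all interfaces. The function name, the sample lines and the process names in them are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): list listeners on port 2475 and
# the related ports the page names, from `ss -H -tulnp` output (Linux, iproute2).

PORTS="2475 5500 1812"   # ace-server/ace-svr-prop, SecurID agent auth, RADIUS

# Reads ss lines on stdin; prints "proto port scope process pid" per match.
find_ace_listeners() {
  while read -r proto state recvq sendq laddr peer users; do
    port="${laddr##*:}"   # text after the last ':' (also works for [::]:2475)
    addr="${laddr%:*}"    # everything before the last ':'
    case " $PORTS " in *" $port "*) ;; *) continue ;; esac
    # A wildcard bind is reachable on every interface, so it deserves a
    # firewall review; a specific address is reported as-is.
    case "$addr" in
      0.0.0.0|'[::]'|'*') scope="all-interfaces" ;;
      *) scope="$addr" ;;
    esac
    # The users:(("name",pid=N,fd=M)) column is empty when ss runs without root.
    proc=$(printf '%s\n' "$users" |
      sed -n 's/.*(("\([^"]*\)",pid=\([0-9]*\).*/\1 \2/p')
    [ -n "$proc" ] || proc="unknown -"
    echo "$proto $port $scope $proc"
  done
}

# Constructed sample of `ss -H -tulnp` output (process names are made up).
SAMPLE='udp   UNCONN 0      0            0.0.0.0:5500       0.0.0.0:*    users:(("aceserver",pid=1432,fd=7))
tcp   LISTEN 0      128        10.0.5.10:2475       0.0.0.0:*    users:(("aceserver",pid=1432,fd=9))
tcp   LISTEN 0      128             [::]:22            [::]:*    users:(("sshd",pid=801,fd=4))
tcp   LISTEN 0      128             [::]:2475          [::]:*'

# --live reads the real socket table (root is needed to see process names);
# with no argument the constructed sample is used instead.
if [ "${1:-}" = "--live" ]; then
  ss -H -tulnp | find_ace_listeners
else
  printf '%s\n' "$SAMPLE" | find_ace_listeners
fi
```

A line ending in `unknown -` means the socket exists but the owning process was not visible to the user running `ss`.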
In most modern environments, you won't see anything on 2475. RSA Authentication Manager has moved to different communication patterns, and newer deployments use RADIUS (port 1812) or REST APIs rather than the native ACE protocol.