Port 2449: RATL — A Unisys Protocol Almost No One Has Heard Of

What Port 2449 Is

Port 2449 sits in the registered ports range — 1024 through 49151. IANA officially assigns these ports to specific services upon application, and port 2449 has a name: RATL, a protocol registered by Unisys.

Despite the official registration, most port scanners and databases list 2449 as unassigned. That's not inaccurate — it's just that RATL is so narrowly deployed that it registers as silence to the broader Internet.

What RATL Is

RATL is a communication protocol used by Unisys AB Suite (Agile Business Suite), an enterprise platform for running applications originally built for Unisys ClearPath mainframes. In their architecture, client software connects to a Remote Access Server using RATL over TCP/IP on port 2449. The protocol wraps application transaction messages, allowing GUI-based clients to communicate with mainframe-hosted business applications.

It can also run over MSMQ (Microsoft Message Queuing) when TCP/IP isn't the preferred transport.

If you encounter port 2449 in a network scan, you're almost certainly looking at a Unisys AB Suite deployment — or nothing at all.

What the Registered Ports Range Means

Ports 1024–49151 are the middle tier of the port number space. Below 1024 are the well-known ports — HTTP, HTTPS, SSH, DNS — the infrastructure everyone uses. Above 49151 are ephemeral ports, assigned temporarily by operating systems for outbound connections.

The registered range is the messy middle. IANA takes applications and assigns ports to services, from widely deployed protocols (like MySQL on 3306) to niche enterprise software like RATL. The registry has over 9,000 entries. Most of them are obscure. Many registered services were never widely deployed or quietly fell out of use, leaving their assigned numbers as empty reservations.

Port 2449 is honest about what it is: a reservation made for software that most of the Internet will never run.

How to Check What's Listening on Port 2449

If you see port 2449 open on a host and want to know what's actually there:

On Linux/macOS:

# Show what process is listening on port 2449
ss -tlnp | grep 2449

# Or with lsof
lsof -i :2449

On Windows:

netstat -ano | findstr :2449

Then cross-reference the process ID with Task Manager or tasklist to identify the application.

With nmap:

nmap -sV -p 2449 <target>

The -sV flag attempts service version detection, which can identify what's actually running even if it doesn't match the IANA registration.

Security Considerations

An open port 2449 on a machine that isn't running Unisys AB Suite is worth investigating. Unrecognized open ports can indicate:

• Software you didn't intentionally install
• A misconfigured service bound to the wrong port
• Malware using an obscure port to avoid detection

The RATL registration itself carries no known vulnerabilities — but "this port is registered to enterprise mainframe software" is not a reason to trust unexpected traffic on it.