Port 2252: NJENET-SSL — Encrypted Mainframe Job Entry

Port 2252 is registered with IANA under the name njenet-ssl: NJE (Network Job Entry) using SSL encryption. ¹

It's obscure by any measure. You won't encounter it on web servers, developer machines, or home routers. But in the data centers of large banks, insurance companies, and government agencies, this port is still in use — quietly carrying batch jobs between IBM mainframes.

What NJE Is

Network Job Entry (NJE) is IBM's protocol for submitting and routing batch jobs across a network of mainframe systems. If you have a payroll job that runs at midnight, a reports job that kicks off every morning, or a billing cycle that churns through millions of records — these are batch jobs. NJE is how mainframes pass that work between nodes. ²

The protocol dates to the 1970s and 80s, born in an era when "networking" meant point-to-point connections between IBM systems running JES2 or JES3 (Job Entry Subsystems). It worked then. It still works now. The mainframes that process your mortgage payment, insurance claim, or tax refund are very likely running some descendant of NJE.

Port 175 vs. Port 2252

NJE over TCP/IP originally operated on port 175. That's the plaintext version — jobs, output, and control traffic flowing unencrypted across the wire.

Port 2252 is what happens when you add SSL. Same protocol, same purpose, wrapped in encryption. IBM added TLS support through its AT-TLS (Application Transparent Transport Layer Security) framework, allowing existing NJE traffic to be encrypted without rewriting the protocol itself. ³

Port 175 is still listed and still used in closed environments. Port 2252 exists for environments where the network can't be fully trusted — or where compliance says it can't be.

Who Actually Uses This

NJE and port 2252 live in the world of IBM z/OS mainframes. If your organization runs JES2 or JES3 for batch processing, and if those mainframes communicate with other mainframes across a network, and if that communication is encrypted, port 2252 may be involved.

This is a small world. There are perhaps a few thousand organizations globally that still operate mainframe batch networks at this scale. But those organizations tend to be large ones, and the work that flows through port 2252 tends to matter.

What You'll See in the Wild

Port 2252 shows up in security scans occasionally, typically as an unexpected open port on systems that aren't obviously mainframe-adjacent. This can happen when:

• A mainframe gateway is exposed on a network segment that gets scanned
• A misconfigured server opens the port without running the service
• A security researcher is probing registered port ranges

The SANS Internet Storm Center tracks modest scanning activity on this port, with no notable exploit history. ⁴

How to Check What's Using This Port

On Linux or macOS:

ss -tlnp | grep 2252
# or
lsof -i :2252

On Windows:

netstat -ano | findstr :2252

With nmap:

nmap -p 2252 -sV <target>

If you see something listening on port 2252 on a system that isn't a mainframe or mainframe gateway, it's worth investigating. It's an unusual port for non-IBM environments.

Why Unassigned-Looking Ports Matter

Port 2252 is technically registered with IANA, but it's registered to something so specialized that most tools and databases treat it as unassigned. This is more common than you'd expect.

The registered port range (1024-49151) contains thousands of assignments, ranging from globally recognized protocols to single-vendor systems that never achieved wide adoption. NJE falls closer to the latter — a critical protocol for a specific ecosystem, invisible to everyone outside it.

When a port shows up in your environment and doesn't immediately resolve to something familiar, checking the IANA registry directly is worth the 30 seconds. The assignment is often there, even when the documentation isn't obvious.