Port 271 carries PT-TLS (Posture Transport Protocol over TLS), the protocol that asks "Is your computer safe?" before letting you connect to the network.

What PT-TLS Does

PT-TLS is the transport layer for Network Endpoint Assessment (NEA), a framework that checks whether your computer meets an organization's security requirements before granting network access.[1]

When you connect to a corporate network, PT-TLS carries the conversation:

  • Is your antivirus software running and up-to-date?
  • Have you installed the latest security patches?
  • Is your firewall enabled?
  • Does your configuration match our security policy?

The protocol wraps this entire security posture check inside a TLS-encrypted tunnel on TCP port 271, protecting the assessment itself from tampering.[2]

The Problem It Solves

By the mid-2000s, network security teams faced a terrifying realization: the biggest threats weren't always hackers breaking in from outside. Sometimes they were already-infected laptops, contractor devices, or forgotten machines connecting from inside the network perimeter.

Traditional firewalls couldn't help. They blocked external threats but trusted everything already inside. Organizations needed a way to inspect every device—employee laptop, contractor tablet, guest phone—before granting network access.

This need led to Network Access Control (NAC), and NEA was the IETF's answer to standardizing how these checks happen.[3]

The Convergence

Network Endpoint Assessment emerged from one of the rare moments when competitors actually cooperated.

In the early 2000s, multiple incompatible approaches existed:

  • The Trusted Computing Group (TCG) developed Trusted Network Connect (TNC) in 2004
  • Microsoft built Network Access Protection (NAP) for Windows
  • Cisco created Network Admission Control (Cisco NAC)

In May 2007, something unusual happened: Microsoft and TCG merged their efforts into compatible standards. Microsoft made NAP compliant with TNC, even turning over its internal Statement of Health (SoH) protocol format to the TCG.[4]

The IETF formed the NEA working group to create open standards that would work across all implementations. The result was a three-layer architecture:

  • PA (Posture Attribute): The actual security checks
  • PB (Posture Broker): Aggregates results from multiple checkers
  • PT (Posture Transport): Carries everything across the network

PT-TLS is one implementation of that transport layer, published as RFC 6876 in February 2013.[5]

How It Works

When your device requests network access:

  1. TLS Handshake: Your device and the NEA server establish an encrypted connection on port 271
  2. Posture Collection: Software on your device (the Posture Collector) gathers security information—patch levels, running services, configuration details
  3. Transport: PT-TLS carries this posture data to the server inside TLS-encrypted messages
  4. Validation: The server's Posture Validators check your configuration against security policies
  5. Decision: Based on the assessment, the network grants full access, restricted access, or quarantines your device for remediation

The protocol uses TLV (Type-Length-Value) encoding, so every message announces its type and length up front and can be framed cheaply, which matters for battery-constrained mobile devices.[6]
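As an added example, not code from this page or from any PT-TLS implementation, here is that framing in Python: the 16-byte PT-TLS header (Reserved, Message Type Vendor ID, Message Type, Message Length, Message Identifier) followed by the value, plus the Version Request that opens a session and the server's choice of version. Field layout and type numbers follow RFC 6876; the function and constant names are this example's own.

```python
import struct

# PT-TLS header (RFC 6876 section 3.5), every field big-endian:
#   Reserved(8) | Message Type Vendor ID(24) | Message Type(32) |
#   Message Length(32, counts this header) | Message Identifier(32)
HEADER_LEN = 16
IETF_VENDOR_ID = 0

# IETF standard message types (RFC 6876 section 3.6); the SASL types are omitted
MSG_VERSION_REQUEST = 1
MSG_VERSION_RESPONSE = 2
MSG_PB_TNC_BATCH = 7

class PTTLSFramingError(ValueError):
    """Raised when a buffer does not hold a well-formed PT-TLS message."""

def encode_message(msg_type, msg_id, value, vendor_id=IETF_VENDOR_ID):
    """Frame one PT-TLS message; the Reserved byte goes out as zero."""
    if not 0 <= vendor_id < (1 << 24):
        raise PTTLSFramingError("vendor ID must fit in 24 bits")
    return struct.pack("!IIII", vendor_id, msg_type, HEADER_LEN + len(value), msg_id) + value

def decode_message(buf):
    """Parse the first message in buf -> (vendor_id, msg_type, msg_id, value, rest)."""
    if len(buf) < HEADER_LEN:
        raise PTTLSFramingError("buffer shorter than the 16-byte header")
    word0, msg_type, length, msg_id = struct.unpack("!IIII", buf[:HEADER_LEN])
    vendor_id = word0 & 0xFFFFFF  # top byte is Reserved and is ignored on receipt
    # Check Message Length before slicing so a truncated or hostile header
    # cannot make the caller read past the bytes it actually received.
    if length < HEADER_LEN:
        raise PTTLSFramingError("Message Length smaller than the header")
    if length > len(buf):
        raise PTTLSFramingError("Message Length exceeds the bytes received")
    return vendor_id, msg_type, msg_id, buf[HEADER_LEN:length], buf[length:]

def encode_version_request(msg_id, min_ver=1, max_ver=1, pref_ver=1):
    """Version Request value: Reserved(8) | Min Vers(8) | Max Vers(8) | Pref Vers(8)."""
    value = struct.pack("!BBBB", 0, min_ver, max_ver, pref_ver)
    return encode_message(MSG_VERSION_REQUEST, msg_id, value)

def choose_version(request_value, supported):
    """Server side: the client's preferred version if it lies in [min, max] and is
    supported, else the highest mutually acceptable version, else None (reject)."""
    _, min_ver, max_ver, pref_ver = struct.unpack("!BBBB", request_value)
    if min_ver <= pref_ver <= max_ver and pref_ver in supported:
        return pref_ver
    common = [v for v in supported if min_ver <= v <= max_ver]
    return max(common) if common else None
```

The remainder returned by decode_message lets a receiver walk several messages arriving back to back in one TLS record, and the length checks are what stop a malformed header from becoming an over-read.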

Why TLS?

Wrapping the entire posture assessment in TLS isn't just about confidentiality. It prevents an attacker from:

  • Intercepting your device's security status and learning its vulnerabilities
  • Tampering with assessment results to make an infected machine appear clean
  • Impersonating the assessment server to trick your device

The security of the security check matters.

When It Runs

PT-TLS can be initiated by either the client or the server:

  • Client-initiated: A device that wants to prove it's secure can start a PT-TLS session and request assessment
  • Server-initiated: The network can trigger reassessment at any time while a device is connected

This flexibility means your security posture isn't just checked once at login. A corporate network might reassess every device hourly, checking for newly installed patches or emerging threats.

The Reality

Network Endpoint Assessment represents something genuinely important: the recognition that trust isn't binary. Your laptop isn't either "trusted" or "untrusted"—it has a security posture that changes over time and should be continuously verified.

Port 271 carries that verification. Every PT-TLS session is a machine proving it's healthy enough to participate in the network.

Security Considerations

PT-TLS itself is secure when properly implemented:

  • All communication is encrypted via TLS
  • Both client and server should verify certificates
  • The protocol includes versioning to prevent downgrade attacks

The greater security question is: what happens when an assessment fails? Organizations must balance security (isolating non-compliant devices) with usability (not blocking employees from working).

Checking Port 271

To see if anything is listening on port 271:

# On Linux/macOS
sudo lsof -i :271
netstat -an | grep 271

# On Windows
netstat -an | findstr :271

# Test connection (PT-TLS speaks TLS, so an open port connects but prints no banner)
telnet hostname 271

If you see port 271 open, you're likely dealing with a corporate network running Network Endpoint Assessment infrastructure.

Related Ports

  • Port 443 (HTTPS): PT-TLS often runs inside HTTPS tunnels in practice
  • Port 1812/1813 (RADIUS): Traditional authentication, often used alongside NEA
  • Port 3799 (RADIUS over TLS): Similar security-focused RADIUS transport
