Port 2767: UADTC — The Mainframe Bridge Almost Nobody Uses

What Port 2767 Is

Port 2767 is registered with IANA under the name uadtc — the UniAccess Distributed Transaction Coordinator. It operates on both TCP and UDP.

IANA registration means this port is officially spoken for. It is not unassigned. It just belongs to something almost no one has heard of.¹

What UADTC Does

UniAccess is a software product that connects Unisys OS 2200 mainframes to modern computing environments. The Distributed Transaction Coordinator component (UADTC) acts as a gateway between Microsoft's Distributed Transaction Coordinator (MS DTC) and the Unisys system.

In plain terms: it lets a Windows application say "update both this SQL Server database and that mainframe resource in a single atomic transaction." If anything fails, everything rolls back. UADTC is the translator that makes the Unisys side understand what the Windows side is asking for.²

This is deeply specialized infrastructure. It runs in enterprises that have Unisys OS 2200 hardware — government agencies, large banks, insurers — and need those legacy systems to participate in modern distributed transaction workflows. The list of organizations running this is short. The list of network engineers who have encountered it is shorter.

What Range This Port Is In

Port 2767 falls in the registered ports range (1024–49151). This range is where IANA records assignments for specific services and applications — as opposed to the well-known ports (0–1023), which are reserved for foundational protocols like HTTP, DNS, and SSH.

Registered ports do not require elevated privileges to open on most operating systems, and IANA registration does not mean a port is widely used. It means someone filed the paperwork. Thousands of registered ports belong to software that only a handful of organizations ever deploy.

What to Do If You See It

If port 2767 appears on a system you're investigating, you almost certainly don't have Unisys mainframe software running. Check what's actually listening:

On Linux or macOS:

ss -tlnp | grep 2767
# or
lsof -i :2767

On Windows:

netstat -ano | findstr :2767
# Then look up the PID:
Get-Process -Id <PID>

If something unexpected is listening on 2767, treat it like any unrecognized open port: identify the process, verify its legitimacy, and close it if you can't account for it.

Why This Matters

The registered port space is a map of software history. It contains protocols for hardware that no longer ships, services from companies that no longer exist, and niche enterprise tools that solve real problems for a small number of organizations. Port 2767 is all three at once.

Most of these ports sit quiet on most systems, most of the time. The fact that a port is registered doesn't mean it's active. The fact that it looks unfamiliar doesn't mean it's malicious. The fact that a port database marks it as "unknown" doesn't mean it has no story.

It just means you have to look a little harder.