- Which ports must be opened in the firewall configurations
- Why static IPs can't be whitelisted in the firewall
- Why NTP synchronization is important
What you are going to learn:
If the Agent Mode is
Private Server or
Private Internet Server, the network performance monitoring packets (default port is
23999/UDP) and speed test packets (default port is
23999/TCP) must be forwarded from the firewall/router to the agent. A port forwarding rule is probably required on the firewall/router facing the agent.
For the majority of customers, nothing is required to let the agent communicate with the Internet. However, for customers with strict outbound firewall rules, here is the list of ports and domains the agent needs to communicate with:
67/UDPfor DHCP (Hardware & Virtual Appliance agents)
123/UDPfor NTP (Hardware & Virtual Appliance agents)
443/TCPfor HTTPS and OpenVPN
23999/TCPfor Speed Test
23999/UDPfor Network Performance Monitoring
- ICMP (
TTL Exceeded) for Ping and Traceroute
23999 can be changed in the Advanced Parameters of the agents.
If the firewall has URL filtering, the following domains must be allowed:
*.obkio.com(All agent types)
*.amazonaws.com(All agent types)
*.rollbar.com(All agent types)
*.balena-cloud.com(Hardware & Virtual Appliance agents)
*.docker.com(Hardware & Virtual Appliance agents)
*.docker.io(Hardware & Virtual Appliance agents)
All the Obkio Back-end systems are hosted at AWS and the IP addresses of our servers can change at any time. For that reason, it is not possible to publish a list of fixed IP to authorize by our customers. For enterprise customers, a Cloud Proxy service is available to tunnel all the back-end communications to 4 static IPs using port
1080/TCP. Contact us for more details about the Cloud Proxy offering.
For the Hardware and Virtual Appliances, a remote VPN connection is established to let the Support Team access the appliances for troubleshooting and OS software upgrades. If the Support Team is not able to get access to the VPN, maybe the
OpenVPN protocol is not enabled for port
443/TCP. This is the case when the firewall is configured to analyze the protocol and only let HTTPS traffic on port
123/UDP is blocked, the date on the hardware and virtual appliances will draft over time. At some point, the agent might not be able to validate the SSL certificates used to communicate with the back-end systems. If the NTP port is blocked, the Support Team can change them on the appliances.