Firewall Configuration

What you are going to learn:

  • Which ports must be opened in the firewall configurations
  • Why static IPs can't be whitelisted in the firewall
  • Why NTP synchronization is important

Inbound Firewall Configuration

If the Agent Mode is Private Server or Private Internet Server, the network performance monitoring packets (default port 23999/UDP) and the speed test packets (default port 23999/TCP) must be forwarded from the firewall/router to the agent. A port forwarding rule is therefore likely required on the firewall/router in front of the agent.

Outbound Firewall Configuration

For the majority of customers, nothing is required to let the agent communicate with the Internet. However, for customers with strict outbound firewall rules, here is the list of ports the agent needs to reach (the domains are listed in the URL Filtering section below):

  • Port 53/UDP for DNS
  • Port 67/UDP for DHCP (Hardware & Virtual Appliance agents)
  • Port 80/TCP for HTTP
  • Port 123/UDP for NTP (Hardware & Virtual Appliance agents)
  • Port 443/TCP for HTTPS and OpenVPN
  • Port 23999/TCP for Speed Test
  • Port 23999/UDP for Network Performance Monitoring
  • ICMP (Echo & TTL Exceeded) for Ping and Traceroute

Note: Port 23999 can be changed in the Advanced Parameters of the agents.
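The inbound port forward and the outbound allow list above, written as one nftables ruleset. This is an added example, not Obkio's own configuration: it assumes a Linux firewall/router running nftables between the agent and the Internet, and the agent address, WAN interface name and table name are constructed placeholders. The script only prints the ruleset, so it can be reviewed and syntax-checked before anything is applied.

```shell
#!/bin/sh
# Emit an nftables ruleset for an Obkio agent behind a Linux firewall/router.
# Assumptions (not from the page): AGENT_IP is the agent's LAN address (an
# RFC 5737 documentation address here), WAN_IF is the Internet-facing
# interface, and the table name "obkio_agent" is ours.
# Usage: sh obkio-fw.sh > obkio.nft && nft -c -f obkio.nft   (syntax check only)

AGENT_IP="${AGENT_IP:-192.0.2.10}"   # constructed example address
AGENT_PORT="${AGENT_PORT:-23999}"    # changeable in the agent's Advanced Parameters
WAN_IF="${WAN_IF:-eth0}"             # constructed interface name

# Print the ruleset to stdout; nothing is applied, so no privileges are needed.
build_ruleset() {
cat <<EOF
table inet obkio_agent {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Outbound from the agent: only the documented ports.
        # 67/UDP (DHCP) normally stays on the local segment; listed for completeness.
        ip saddr $AGENT_IP udp dport { 53, 67, 123, $AGENT_PORT } accept
        ip saddr $AGENT_IP tcp dport { 80, 443, $AGENT_PORT } accept
        # ICMP Echo for Ping; TTL Exceeded replies to traceroute probes are
        # accepted by the established,related rule above.
        ip saddr $AGENT_IP icmp type echo-request accept
        # Private Server modes: forwarded monitoring/speed-test packets to the agent.
        ip daddr $AGENT_IP udp dport $AGENT_PORT accept
        ip daddr $AGENT_IP tcp dport $AGENT_PORT accept
        # Everything else from or to the agent is logged, then dropped.
        log prefix "obkio-fw-drop " drop
    }
    chain prerouting {
        type nat hook prerouting priority -100;
        # Inbound port forward for Private Server / Private Internet Server mode.
        iif "$WAN_IF" udp dport $AGENT_PORT dnat ip to $AGENT_IP
        iif "$WAN_IF" tcp dport $AGENT_PORT dnat ip to $AGENT_IP
    }
}
EOF
}

build_ruleset
```

Changing AGENT_PORT keeps the forward rules and the DNAT rules in step, which matters when the port is altered in the agent's Advanced Parameters.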

URL Filtering

If the firewall has URL filtering, the following domains must be allowed:

  • *.obkio.com (All agent types)
  • *.amazonaws.com (All agent types)
  • *.rollbar.com (All agent types)
  • *.balena-cloud.com (Hardware & Virtual Appliance agents)
  • *.docker.com (Hardware & Virtual Appliance agents)
  • *.docker.io (Hardware & Virtual Appliance agents)

Fixed IPs to Authorize

All the Obkio back-end systems are hosted at AWS, and the IP addresses of our servers can change at any time. For that reason, it is not possible to publish a list of fixed IPs for our customers to authorize. For enterprise customers, a Cloud Proxy service is available to tunnel all the back-end communications through 4 static IPs using port 1080/TCP. Contact us for more details about the Cloud Proxy offering.

Remote VPN Access

For the Hardware and Virtual Appliances, a remote VPN connection is established to let the Support Team access the appliances for troubleshooting and OS software upgrades. If the Support Team is not able to connect over the VPN, the OpenVPN protocol may not be permitted on port 443/TCP. This happens when the firewall inspects the protocol and lets only HTTPS traffic through on port 443/TCP.

NTP Servers

If port 123/UDP is blocked, the clock on the hardware and virtual appliances will drift over time. At some point, the agent might no longer be able to validate the SSL certificates used to communicate with the back-end systems. If the NTP port is blocked, the Support Team can change the NTP servers configured on the appliances.