Connectivity requirements


Resolution

Before starting a deployment of the Awingu platform, a few connectivity requirements need to be checked and/or enabled. Please review this section to ensure proper installation and operation.

Connectivity Requirements during Installation:

During installation of the Awingu appliance as a virtual machine (VM), the appliance must be able to connect to Awingu's repository servers and sync to the right time zone.

| Connection | From | To |
|---|---|---|
| NTP: UDP port 123 | The Awingu VM | On- or off-site NTP service. A common use case is to use the NTP service of the AD servers. The NTP service should use the same time zone as the hypervisor (UTC is recommended). |
| DNS: UDP port 53 | The Awingu VM | DNS server which resolves the NTP (when provided via FQDN*) and Awingu's repository servers (repo-pub.awingu.com). A common use case is to use the DNS service of the AD service. |
| HTTP: TCP port 8080 | The browser of the admin | The Awingu VM |
| HTTP: TCP port 80 | The browser of the admin | The Awingu VM |

* FQDN = Fully Qualified Domain Name, e.g. ntp.mycompany.com

Connectivity Requirements during Operation and Configuration:

The Awingu appliance has a few requirements for correct operation. Before deployment, check whether the following ports can be opened.

Best practice: configure your firewall rules to only allow traffic from/to the ports which are needed for operation.

| Connection | From | To |
|---|---|---|
| LDAP(S): TCP port 389 (or TCP port 636 for SSL encryption) | The Awingu VM | LDAP or Active Directory server(s) back-end |
| Kerberos: UDP/TCP port 88 and TCP port 464 | The Awingu VM | Kerberos server (Only required when users need to be able to change password at next logon). Important: The Kerberos server should also have PTR (reverse DNS) and SRV records in place to locate the KDC server and define the protocol to use** |
| RADIUS (if used): UDP port 1812 | The Awingu VM | RADIUS service for second factor authentication |
| CIFS (if used): UDP port 137, TCP port 445 | The Awingu VM | CIFS/SMB file server(s) back-end |
| WebDAV (if used): TCP port 80 or 443 (or different depending on WebDAV config) | The Awingu VM | WebDAV file server(s) back-end |
| RDP: TCP port 3389 (RDP/RemoteApp) | The Awingu VM | To application server(s) back-end |
| NTP: UDP port 123 | The Awingu VM | On- or off-site NTP service. A common use case is to use the NTP service of the AD server. |
| HTTPS: TCP port 443 | The Awingu VM | • Awingu's repository servers: https://repo-pub.awingu.com (directly or via the configured HTTP proxy). Only mandatory during upgrades, but required for Anonymous Usage Reporting. • When using SaaS services, those services need to be reachable by Awingu or via the configured HTTP proxy: |
| HTTP(S): TCP port 80/443 | The Awingu VM | Web applications reverse proxied by Awingu |
| DNS: UDP port 53 | The Awingu VM | DNS server which resolves all connections mentioned above (when provided as FQDN*) |
| HTTP: TCP port 80 (long living WebSocket) | The (end user browser) client*** | • The Awingu VM • When using automatic certificate: the servers of Let's Encrypt |
| HTTPS: TCP port 443 (long living WebSocket) | The (end user browser) client*** | • The Awingu VM (Only when SSL Offloader enabled) • When using automatic certificates: the servers of Let's Encrypt |
| SNMP (if used): UDP port 161 | Monitoring System | The Awingu VM (Only if SNMP enabled) |
| HTTP(S): TCP port 80/443 | All servers involved in Kerberos Authentication (AD and Application Servers) | The Awingu VM ( http(s)://<AWINGU_URL>/crl/<AWINGU_DOMAIN_NAME>.crl ) |
| SSH: TCP port 22 | The client | The Awingu VM (Only necessary to access Awingu using SFTP to obtain the backup of the Awingu database) |

* FQDN = Fully Qualified Domain Name, e.g. ntp.mycompany.com
** e.g. kerberos-master.(tcp|udp).staging.awingu.com - For more information: https://technet.microsoft.com/en-us/library/cc961719.aspx
*** When this connection goes via an SSL-offloader, reverse proxy, firewalls, etc., please make sure that WebSockets are supported and that open WebSocket connections are not killed after a while. 
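
The best practice above (allow only the ports needed for operation) can be checked mechanically. The following is an added example, not Awingu code: it audits a constructed firewall rule set against the operation-time flows in the table and reports required flows that are missing and rules that open more than the table calls for. The rule format, the feature names and the sample rules are assumptions; the LDAP/LDAPS split and the omission of reverse-proxied web applications are simplifications.

```python
# Added example: audit a firewall rule set against the operation-time flows above.
# Rule format (direction, proto, "port" or "lo-hi") is hypothetical; direction is
# relative to the Awingu VM. Source and destination addresses are not checked.
ALWAYS = {("out", "tcp", 3389), ("out", "udp", 123), ("out", "udp", 53),
          ("out", "tcp", 443), ("in", "tcp", 80)}
IF_USED = {  # feature names are assumptions; ports come from the table
    "ldap":          {("out", "tcp", 389)},
    "ldaps":         {("out", "tcp", 636)},
    "kerberos":      {("out", "udp", 88), ("out", "tcp", 88), ("out", "tcp", 464)},
    "radius":        {("out", "udp", 1812)},
    "cifs":          {("out", "udp", 137), ("out", "tcp", 445)},
    "webdav":        {("out", "tcp", 80), ("out", "tcp", 443)},
    "ssl_offloader": {("in", "tcp", 443)},
    "snmp":          {("in", "udp", 161)},
    "sftp":          {("in", "tcp", 22)},
}

def required_flows(enabled):
    """Flows the VM needs for the enabled features."""
    flows = set(ALWAYS)
    for feature in enabled:
        flows |= IF_USED[feature]
    return flows

def parse_ports(spec):
    """'443' -> (443, 443); '80-443' -> (80, 443)."""
    lo, _, hi = str(spec).partition("-")
    return int(lo), int(hi or lo)

def audit(rules, enabled):
    """Return (missing, too_broad): required flows that no rule allows, and
    rules that allow at least one port the table does not call for."""
    need = required_flows(enabled)
    covered, too_broad = set(), []
    for direction, proto, spec in rules:
        lo, hi = parse_ports(spec)
        hits = {f for f in need
                if f[0] == direction and f[1] == proto and lo <= f[2] <= hi}
        covered |= hits
        if len(hits) < hi - lo + 1:  # some port in the range is not required
            too_broad.append((direction, proto, spec))
    return sorted(need - covered), too_broad

# Constructed sample rule set, not taken from a real deployment.
SAMPLE_RULES = [("out", "tcp", "636"), ("out", "tcp", "3389"), ("out", "udp", "53"),
                ("out", "udp", "123"), ("out", "tcp", "443"),
                ("in", "tcp", "80-443"), ("in", "tcp", "22")]

if __name__ == "__main__":
    print(audit(SAMPLE_RULES, {"ldaps", "ssl_offloader"}))
```

With LDAPS and the SSL offloader enabled, the sample set has no missing flows, but the inbound 80-443 range and the SSH rule (SFTP backup access is not enabled) are reported as broader than required.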

For multi node deployment, all TCP, UDP and ICMP traffic should be allowed between the nodes. This traffic is not encrypted. Each node has an internal firewall only allowing traffic from other nodes (based on the IP address).

While the Awingu appliance always listens for incoming requests on ports 80 (HTTP) or 443 (HTTPS), port forwarding originating from a different port is supported, e.g. https://awingu.company.com:8443 .

Note: Using Awingu as an IdP in combination with accessing Awingu on a different port than 80 or 443 is not tested.

Connectivity Requirements only during Remote Intervention:

In some cases, the Awingu support team will request direct SSH access to the Awingu appliance. For security, the appliance only allows access using public key authentication (with an optional intervention password on top of the public key authentication).

| Connection | From | To |
|---|---|---|
| SSH: TCP port 22 | Awingu headquarters (IP address will be provided by support) | The Awingu VM |

 

 

 
