Resolution
Before starting a deployment of the Awingu platform, a few connectivity requirements need to be checked and/or enabled. Please review this section to ensure proper installation and operation.
Connectivity Requirements during Installation:
During installation of the Awingu appliance as a virtual machine (VM), it must be able to connect to Awingu's repository servers and sync to the right time zone.
Connection | From | To |
---|---|---|
NTP: UDP port 123 | The Awingu VM | On- or off-site NTP service. A common use case is to use the NTP service of the AD servers. |
DNS: UDP port 53 | The Awingu VM | DNS server which resolves the NTP (when provided via FQDN*) and Awingu's repository servers (repo-pub.awingu.com). |
HTTP: TCP port 8080 | The browser of the admin | The Awingu VM |
HTTP: TCP port 80 | The browser of the admin | The Awingu VM |
* FQDN = Fully Qualified Domain Name, e.g. ntp.mycompany.com
Connectivity Requirements during Operation and Configuration:
The Awingu appliance has a few requirements for correct operation. Before deployment, check whether the following ports can be opened.
Best practice: configure your firewall rules to only allow traffic from/to the ports which are needed for operation.
Connection | From | To |
---|---|---|
LDAP(S): TCP port 389 (or TCP port 636 for SSL encryption) | The Awingu VM | LDAP or Active Directory server(s) back-end |
Kerberos: UDP/TCP port 88 and TCP port 464 | The Awingu VM | Kerberos server (Only required when users need to be able to change password at next logon) |
RADIUS (if used): UDP port 1812 | The Awingu VM | RADIUS service for second factor authentication |
CIFS (if used): UDP port 137, TCP port 445 | The Awingu VM | CIFS/SMB file server(s) back-end |
WebDAV (if used): TCP port 80 or 443 | The Awingu VM | WebDAV file server(s) back-end |
RDP: TCP port 3389 (RDP/RemoteApp) | The Awingu VM | To application server(s) back-end |
NTP: UDP port 123 | The Awingu VM | On- or off-site NTP service. A common use case is to use the NTP service of the AD server. |
HTTPS: TCP port 443 | The Awingu VM | |
HTTP(S): TCP port 80/443 | The Awingu VM | Web applications reverse-proxied by Awingu |
DNS: UDP port 53 | The Awingu VM | DNS server which resolves all connections mentioned above (when provided as FQDN*) |
HTTP: TCP port 80 (long living WebSocket) | The (end user browser) client*** | |
HTTPS: TCP port 443 (long living WebSocket) | The (end user browser) client*** | |
SNMP (if used): UDP port 161 | Monitoring System | The Awingu VM (Only if SNMP enabled) |
HTTP(S): TCP port 80/443 | All servers involved in Kerberos Authentication (AD and Application Servers) | The Awingu VM ( http(s)://<AWINGU_URL>/crl/<AWINGU_DOMAIN_NAME>.crl ) |
SSH: TCP port 22 | The client | The Awingu VM (Only necessary to access Awingu using SFTP to obtain the backup of the Awingu database) |
* FQDN = Fully Qualified Domain Name, e.g. ntp.mycompany.com
** e.g. kerberos-master.(tcp|udp).staging.awingu.com - For more information: https://technet.microsoft.com/en-us/library/cc961719.aspx
*** When this connection goes via an SSL-offloader, reverse proxy, firewalls, etc., please make sure that WebSockets are supported and that open WebSocket connections are not killed after a while.
For a multi-node deployment, all TCP, UDP and ICMP traffic should be allowed between the nodes. This traffic is not encrypted. Each node has an internal firewall that only allows traffic from other nodes (based on the IP address).
While the Awingu appliance always listens for incoming requests on ports 80 (HTTP) or 443 (HTTPS), port forwarding originating from a different port is supported, e.g. https://awingu.company.com:8443 .
Note: Using Awingu as an IdP in combination with accessing Awingu on a different port than 80 or 443 is not tested.
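One way to check the firewall best practice above against the operation table, as an added example that is not Awingu code: it audits the egress rules for the Awingu VM, reporting required flows with no matching rule and rules that open ports the table does not list. The rule format, the feature-flag names, treating reverse-proxied web applications as optional, and the sample rules are assumptions made for illustration; destinations are not compared.

```python
# Added example: audit Awingu VM egress rules against the operation port table.
# A rule is (proto, first_port, last_port); proto may be "tcp", "udp" or "any".

# (service, feature flag or None when always needed, "any"/"all", ports)
MATRIX = [
    ("ldap", None, "any", [("tcp", 389), ("tcp", 636)]),  # 389, or 636 for SSL
    ("rdp", None, "all", [("tcp", 3389)]),
    ("ntp", None, "all", [("udp", 123)]),
    ("dns", None, "all", [("udp", 53)]),
    ("https", None, "all", [("tcp", 443)]),
    ("kerberos", "password_change", "all", [("tcp", 88), ("udp", 88), ("tcp", 464)]),
    ("radius", "radius", "all", [("udp", 1812)]),
    ("cifs", "cifs", "all", [("udp", 137), ("tcp", 445)]),
    ("webdav", "webdav", "any", [("tcp", 80), ("tcp", 443)]),
    ("webapps", "webapps", "any", [("tcp", 80), ("tcp", 443)]),  # flag is assumed
]

def covers(rule, proto, port):
    """True when the rule permits this protocol/port pair."""
    rproto, lo, hi = rule
    return rproto in (proto, "any") and lo <= port <= hi

def audit(rules, features=()):
    """Return (services lacking a rule, [(rule, count of unlisted ports it opens)])."""
    active = [m for m in MATRIX if m[1] is None or m[1] in features]
    allowed = {pp for m in active for pp in m[3]}
    missing = []
    for name, _, mode, ports in active:
        hits = [any(covers(r, *pp) for r in rules) for pp in ports]
        if not (any(hits) if mode == "any" else all(hits)):
            missing.append(name)
    excess = []
    for rule in rules:
        protos = ("tcp", "udp") if rule[0] == "any" else (rule[0],)
        extra = sum(1 for p in protos for port in range(rule[1], rule[2] + 1)
                    if (p, port) not in allowed)
        if extra:
            excess.append((rule, extra))
    return missing, excess

# Constructed sample export: one overly broad rule, one rule for an unused feature.
SAMPLE_RULES = [("tcp", 636, 636), ("tcp", 3389, 3389), ("udp", 53, 53),
                ("tcp", 443, 443), ("tcp", 1024, 65535), ("udp", 1812, 1812)]

if __name__ == "__main__":
    missing, excess = audit(SAMPLE_RULES)
    print("missing:", missing)
    for rule, extra in excess:
        print("too broad:", rule, "opens", extra, "unlisted ports")
```

Pass the features actually in use, for example `audit(rules, features=("radius", "cifs"))`, so that their ports count as required rather than as excess.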
Connectivity Requirements only during Remote Intervention:
In some cases, the Awingu support team will request direct SSH access to the Awingu appliance. For security, the appliance only allows access using public key authentication (with an optional intervention password on top of the public key authentication).
Connection | From | To |
---|---|---|
SSH: TCP port 22 | Awingu headquarters | The Awingu VM |