KB Parallels: Connectivity requirements

Connectivity requirements

0 users found this article helpful

Applies to:
- Awingu
Last Review: Mar 15, 2023
Available Translations:
Get updates Download

Resolution

Before starting a deployment of the Awingu platform, a few connectivity requirements need to be checked and/or enabled. Please review this section to ensure proper installation and operation.

Connectivity Requirements during Installation:

During installation of the Awingu appliance as virtual machine (VM), we need to be able to have a connection to Awingu's repository servers and sync to the right time-zone.

Connection	From	To
NTP: UDP port 123	The Awingu VM	On- or off-site NTP service. A common use case is to use the NTP service of the AD servers. The NTP service should use the same time zone as the hypervisor (UTC is recommended).
DNS: UDP port 53	The Awingu VM	DNS server which resolves the NTP (when provided via FQDN*) and Awingu's repository servers (repo-pub.awingu.com). A common use case is to use the DNS service of the AD service.
HTTP : TCP port 8080	The browser of the admin	The Awingu VM
HTTP : TCP port 80	The browser of the admin	The Awingu VM

* FQDN = Fully Qualified Domain Name, e.g. ntp.mycompany.com

Connectivity Requirements during Operation and Configuration:

The Awingu appliance has a few requirements for correct operation. Before deployment, check whether the following ports can be opened.

Best practice: configure your firewall rules to only allow traffic from/to the ports which are needed for operation.

Connection	From	To
LDAP(S): TCP port 389 (or TCP port 636 for SSL encryption)	The Awingu VM	LDAP or Active Directory server(s) back-end
Kerberos: UDP/TCP port 88 and TCP port 464	The Awingu VM	Kerberos server (Only required when users need to be able to change password at next logon) Important: The Kerberos server should also have PTR (reverse DNS) and SRV records in place to locate the KDC server and define the protocol to use**
RADIUS (if used): UDP port 1812	The Awingu VM	RADIUS service for second factor authentication
CIFS (if used): UDP port 137, TCP port 445	The Awingu VM	CIFS/SMB file server(s) back-end
WebDAV (if used): TCP port 80 or 443 (or different depending on WebDAV config)	The Awingu VM	WebDAV file server(s) back-end
RDP: TCP port 3389 (RDP/RemoteApp)	The Awingu VM	To application server(s) back-end
NTP: UDP port 123	The Awingu VM	On- or off-site NTP service. A common use case is to use the NTP service of the AD server.
HTTPS: TCP port 443	The Awingu VM	Awingu's repository servers: https://repo-pub.awingu.com (directly or via the configured HTTP proxy ). Only mandatory during upgrades, but required for Anonymous Usage Reporting. When using SaaS services, those services need to be reachable by Awingu or via the configured HTTP proxy: Microsoft OneDrive for Business: <mydomain>-my.sharepoint.com login.microsoftonline.com graph.microsoft.com DUO Multi-Factor Authentication: <your_api>.duosecurity.com Automatic certificates through Let's Encrypt: *.api.letsencrypt.org (only directly, not through HTTP proxy)
HTTP(S): TCP port 80/443	The Awingu VM	Web applications reversed proxied by Awingu
DNS: UDP port 53	The Awingu VM	DNS server which resolves all connections mentioned above (when provided as FQDN*)
HTTP: TCP port 80 (long living WebSocket)	The (end user browser) client***	The Awingu VM When using automatic certificate: the servers of Let's Encrypt
HTTPS: TCP port 443 (long living WebSocket)	The (end user browser) client***	The Awingu VM (Only when SSL Offloader enabled) When using automatic certificates: the servers of Let's Encrypt
SNMP (if used): UDP port 161	Monitoring System	The Awingu VM (Only if SNMP enabled)
HTTP(s) : TCP port 80/443	All servers involved in Kerberos Authentication (AD and Application Servers)	The Awingu VM ( http(s)://<AWINGU_URL>/crl/<AWINGU_DOMAIN_NAME>.crl )
SSH: TCP port 22	The client	The Awingu VM (Only necessary to access Awingu using SFTP to obtain the backup of the Awingu database)

* FQDN = Fully Qualified Domain Name, e.g. ntp.mycompany.com
** e.g. kerberos-master.(tcp|udp).staging.awingu.com - For more information: https://technet.microsoft.com/en-us/library/cc961719.aspx
*** When this connection goes via an SSL-offloader, reverse proxy, firewalls, etc., please make sure that WebSockets are supported and that open WebSocket connections are not killed after a while.

For multi node deployment, all TCP, UDP and ICMP traffic should be allowed between the nodes. This traffic is not encrypted. Each node has an internal firewall only allowing traffic from other nodes (based on the IP address).

While the Awingu appliance always listens for incoming requests on ports 80 (HTTP) or 443 (HTTPS), port forwarding originating from a different port is supported, e.g. https://awingu.company.com:8443 .

Note: Using Awingu as an IdP in combination with accessing Awingu on an different port than 80 or 443 is not tested.

Connectivity Requirements only during Remote Intervention:

In some cases, the Awingu support team will request direct SSH access to the Awingu appliance. For security, the appliance only allows access using public key authentication (with an optional intervention password on top of the public key authentication).

Connection	From	To
SSH: TCP port 22	Awingu headquarters ( IP address will be provided by support )	The Awingu VM

Was this article helpful?

Tell us how we can improve it.