Network firewall settings

Overview

This document describes the network connections required between the NetBeez agents, the dashboard/server, and external resources such as software repositories (to download the latest release), DNS servers (for hostname resolution), and other network services.

Network Agents Firewall Dependencies

This set of rules applies to all network agents, such as hardware Ethernet and Wi-Fi agents, virtual agents, cloud agents, and Docker containers. The first two rules don’t apply to Linux-based agents.

| Proto | Port | Direction | Destination Address | Service |
|---|---|---|---|---|
| TCP | 123 | Outbound | 0.debian.pool.ntp.org, 1.debian.pool.ntp.org, 2.debian.pool.ntp.org, 3.debian.pool.ntp.org | Required - Needed to synchronize the agent’s clock. The NTP servers can be reconfigured to use the customer’s corporate NTP servers. |
| TCP | 443 | Outbound | NetBeez server | Required - The network agents download software updates from the server. |
| TCP | 20018 | Outbound | NetBeez server | Required - Control and communication channel between agents and server (default port) |
| TCP | 443 | Outbound | NetBeez server | Optional - Control and communication channel between agents and server (must be enabled on the server - overrides previous dependency) |

* The current version of web-socket doesn’t support test results caching should the endpoint not be able to connect to the dashboard; use the standard TCP 20018 socket if you wish to cache test data.

 

Remote Worker Agents Firewall Dependencies

This set of rules applies to all macOS and Windows endpoints.

| Proto | Port | Direction | Destination Address | Service |
|---|---|---|---|---|
| TCP | 443 | Outbound | NetBeez server | Required - The NetBeez agents download the package to install software updates from the server. |
| TCP | 20018 | Outbound | NetBeez server | Required - Control and communication channel between agents and server (default port) |
| TCP | 443 | Outbound | NetBeez server | Optional - Control and communication channel between agents and server (if enabled) |

* The current version of web-socket doesn’t support test results caching should the endpoint not be able to connect to the dashboard; use the standard TCP 20018 socket if you wish to cache test data.
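A pre-flight check for the agent-to-server rules in the two agent tables above, as an added example that is not NetBeez code: it probes the required outbound TCP ports from the agent host and separates a rejected connection from a silently dropped one. The hostname `netbeez.example.com` and the function names are assumptions for illustration.

```python
import socket

# Agent -> NetBeez server ports, taken from the agent tables on this page.
UPDATE_PORT = 443      # software update download (required)
CONTROL_PORT = 20018   # default control channel (required unless web-socket is enabled)


def probe(host, port, timeout=3.0):
    """Classify one outbound TCP attempt: open, refused, filtered or dns-failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "dns-failure"   # name did not resolve; check DNS access first
    except ConnectionRefusedError:
        return "refused"       # reset received: nothing listening, or a firewall rejects
    except OSError:
        return "filtered"      # timeout or unreachable: typical of a silent drop


def required_ports(websocket_enabled=False):
    """Web-socket mode carries the control channel on 443 and overrides 20018."""
    return [UPDATE_PORT] if websocket_enabled else [UPDATE_PORT, CONTROL_PORT]


def preflight(server, ports, timeout=3.0):
    """Return {port: status} for every port that could not be reached."""
    results = {port: probe(server, port, timeout) for port in ports}
    return {port: status for port, status in results.items() if status != "open"}


if __name__ == "__main__":
    # Placeholder hostname (assumption); replace with your NetBeez server.
    failures = preflight("netbeez.example.com", required_ports())
    for port, status in failures.items():
        print(f"TCP {port}: {status}")
    raise SystemExit(1 if failures else 0)
```

A `filtered` result on 20018 with `open` on 443 usually means the egress policy allows only web traffic; either add the 20018 rule or enable the web-socket channel on the server, keeping in mind the caching limitation noted above.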

Central Server Firewall Dependencies

This set of rules applies to the NetBeez central server, which can be hosted on-premises or in the cloud.

 

| Proto | Port | Direction | Source/Destination IP | Service |
|---|---|---|---|---|
| TCP | 443 (proxy support) | Outbound | repo.netbeez.net.s3.amazonaws.com | Required - The server needs this to download agent and server updates from the NetBeez software repository. |
| TCP | 443 | Outbound | 965055446066.dkr.ecr.us-east-1.amazonaws.com, prod-us-east-1-starport-layer-bucket.s3.us-east-1.amazonaws.com, auth.docker.io, registry-1.docker.io, production.cloudflare.docker.com | Required - Access to the AWS ECR container registry is required for software updates to function. Docker Hub Registry access is also required for some third-party images. |
| TCP | 22 | Inbound | Email support to request the IP address. | Optional - Used by NetBeez customer support for remote access upon request by the customer. This service can be disabled if requested and enforced by ACL. |
| TCP | 25 | Outbound | SMTP server as provided here | Required - Needed to handle user activation emails, password resets, and account unlocking when an account gets locked. |
| TCP | 443 | Inbound | NetBeez agents | Required - The network agents download the package to install software updates from the server. |
| TCP | 443 | Inbound | NetBeez user | Required - Allows (1) dashboard users to establish a web connection with the server and (2) agents to establish a web-socket connection with the server (if enabled). |
| TCP | 80/443 (proxy support) | Outbound | us.archive.ubuntu.com, security.ubuntu.com, download.docker.com | Required - The NetBeez server downloads OS updates and upgrades from the Ubuntu and Docker repositories. |
| TCP | 443 | Inbound | NetBeez agent to BeezKeeper communications using web-socket | Optional - Control and communication channel between agents and server (must be enabled on the server - overrides previous dependency) |
| TCP | 20018 | Inbound | NetBeez agent to BeezKeeper communications using TCP/SSL socket | Required - Control and communication channel between agents and server (default port) |
| TCP | 123 | Outbound | time1.google.com (default), time2.google.com (default), time3.google.com (default), time4.google.com (default) | Required - Needed to synchronize the server’s clock. The NTP servers can be reconfigured to use the customer’s corporate NTP servers if needed or indicated during the onboarding. |
| TCP | 443 | Outbound | ims.netbeez.net | Used during the NetBeez installation. |
| TCP | 8200 | Outbound | apm.netbeez.net | Optional - Used only if you opt in to provide NetBeez with Application Performance Monitoring data, which helps us troubleshoot server bugs and performance issues specifically for your instance. |

Web server certificates

By default, the web server runs over HTTPS with a certificate issued by a self-signed certification authority. This is acceptable for most customers that run an on-premises instance of NetBeez. Customers can use their own certificate if needed: submit the request to support@netbeez.net and one of our representatives will contact you to update your instance.
