Overview
This document describes the network connections required between the NetBeez agents, the dashboard/server, and other external resources such as software repositories for downloading the latest release, DNS servers for hostname resolution, and other network services.
Network Agents Firewall Dependencies
This set of rules applies to all network agents such as hardware Ethernet and Wi-Fi, virtual agents, cloud agents, and docker containers. The first two rules don’t apply to Linux-based agents.
Proto | Port | Direction | Destination Address | Service |
TCP | 123 | Outbound | 0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org | Required - Needed to synchronize the agent’s clock. The NTP servers can be reconfigured to use the customer’s corporate NTP servers. |
TCP | 443 | Outbound | NetBeez server | Required - The network agents download the software updates from the server. |
TCP | 20018 | Outbound | NetBeez server | Required - Control and communication channel between agents and server (default port) |
TCP | 443 | Outbound | NetBeez server | Optional - Control and communication channel between agents and server (must be enabled on the server - overrides previous dependency) |
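A pre-flight check for the NetBeez server rows of the Network Agents table above, to run from the agent's network segment before deployment. This is an added example, not NetBeez code; the hostname `netbeez-server.example.com` and all function names are placeholders chosen for illustration.

```python
import socket

# Assumption: placeholder hostname; replace with your NetBeez server's address.
SERVER = "netbeez-server.example.com"

# NetBeez server rows from the Network Agents table, in pipe-delimited form.
# The NTP row is left out: a TCP connect does not exercise time synchronization.
AGENT_RULES = """\
TCP | 443 | Outbound | NetBeez server | Required - software updates |
TCP | 20018 | Outbound | NetBeez server | Required - control channel (default port) |
TCP | 443 | Outbound | NetBeez server | Optional - control channel over 443 (if enabled) |
"""

def parse_rules(text, server=SERVER):
    """Turn pipe-delimited outbound TCP rows into dicts; other rows are skipped."""
    rules = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5 or cells[0].upper() != "TCP" or cells[2] != "Outbound":
            continue
        _, port, _, dest, service = cells
        host = server if dest == "NetBeez server" else dest
        rules.append({"host": host, "port": int(port), "service": service,
                      "required": service.lower().startswith("required")})
    return rules

def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or DNS failure
        return False

def check(rules, probe=tcp_reachable):
    """Return (results, ok); ok is False if any Required rule is unreachable."""
    results = [(r, probe(r["host"], r["port"])) for r in rules]
    ok = all(up for r, up in results if r["required"])
    return results, ok

if __name__ == "__main__":
    results, ok = check(parse_rules(AGENT_RULES))
    for r, up in results:
        print(f"{'OK  ' if up else 'FAIL'} {r['host']}:{r['port']}  {r['service']}")
    raise SystemExit(0 if ok else 1)
```

A successful connect only shows that the firewall permits the flow; it does not validate TLS or confirm that the peer is the NetBeez server.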
Remote Worker Agents Firewall Dependencies
This set of rules applies to all macOS and Windows endpoints.
Proto | Port | Direction | Destination Address | Service |
TCP | 443 | Outbound | https://github.com | Optional - Required when "Auto update" is enabled, allowing the agent to download new updates from GitHub. |
TCP | 443 | Outbound | NetBeez server | Optional - Required when both "Auto update" and "Validate agent version" are enabled, to allow the agent to validate the server's current version. |
TCP | 20018 | Outbound | NetBeez server | Required - Control and communication channel between agents and server (default port) |
TCP | 443 | Outbound | NetBeez server | Optional - Control and communication channel between agents and server (if enabled) |
Central Server Firewall Dependencies
This set of rules applies to the NetBeez central server, which can be hosted on-premises or in the cloud.
Proto | Port | Direction | Source/Destination IP | Service |
TCP | 443 (proxy support) | Outbound | repo.netbeez.net.s3.amazonaws.com | Required - This dependency is required for the server to download the agent and server updates from the NetBeez software repository. |
TCP | 443 | Outbound | 965055446066.dkr.ecr.us-east-1.amazonaws.com prod-us-east-1-starport-layer-bucket.s3.us-east-1.amazonaws.com auth.docker.io registry-1.docker.io production.cloudflare.docker.com s3.amazonaws.com ecr.us-east-1.amazonaws.com | Required - This dependency with AWS ECR container registry is required for software updates to function. Docker Hub Registry access is also required for some third-party images. |
TCP | 22 | Inbound | Email support to request the IP address. | Optional - Used by NetBeez customer support for remote access upon request by the customer. This service can be disabled if requested and enforced by ACL. |
TCP | 25 | Outbound | SMTP server as provided here | Required - Needed to handle user activation emails, password resets, and account unlocking in case an account gets locked. |
TCP | 443 | Inbound | NetBeez agents | Required - The network agents download from the server the packages used to install software updates. |
TCP | 443 | Inbound | NetBeez user | Required - Allows (1) dashboard users to establish a web connection with the server and (2) agents to establish a web-socket connection with the server (if enabled). |
TCP | 80/443 (proxy support) | Outbound | us.archive.ubuntu.com security.ubuntu.com download.docker.com | Required - The NetBeez server downloads OS updates and upgrades from the Ubuntu and Docker repositories. |
TCP | 443 | Inbound | NetBeez agent to BeezKeeper communications using web-socket | Optional - Control and communication channel between agents and server (must be enabled on the server - overrides previous dependency) |
TCP | 20018 | Inbound | NetBeez agent to BeezKeeper communications using TCP/SSL socket | Required - Control and communication channel between agents and server (default port) |
TCP | 123 | Outbound | time1.google.com (default) time2.google.com (default) time3.google.com (default) time4.google.com (default) | Required - Needed to synchronize the server’s clock. The NTP servers can be reconfigured to use the customer’s corporate NTP servers if needed or indicated during the onboarding. |
TCP | 443 | Outbound | ims.netbeez.net | Used during the NetBeez installation. |
TCP | 8200 | Outbound | apm.netbeez.net | Optional - Used if you opt in to provide NetBeez with Application Performance Monitoring data to help us troubleshoot server bugs and performance issues, specifically for your instance. |
Web server certificates
By default, the web server runs over HTTPS with a certificate issued by a self-signed certification authority. This is acceptable for most of the customers that run an on-premises instance of NetBeez. Customers can use their own certificate if needed. Just submit the request to support@netbeez.net and one of our representatives will contact you to perform the update of your instance.