9.0 Configuring Ports and Firewall

IMPORTANT:Ports 443 and 80 are used inside the Advanced Authentication Server appliance and cannot be changed.

Port forwarding is supported but is not recommended. In this case the entire appliance will be available via the Internet. It is recommended to use reverse proxy to map only specific URLs.

Advanced Authentication Server Appliance uses the following RFC standard ports by default:

Service

Port

Protocol

Usage

REST

443

HTTPS

All Communications

Administrative portal, Self-Service portal, Helpdesk portal, Reporting portal

443

HTTPS

All Communications (<AAServer>/admin, <AAServer>/account, <AAServer>/helpdesk, <AAServer>/report)

Server Update

443

HTTPS

Update channel: appliance - update server (repo.authasas.com)

Database replication

5432: This port is required only for the installation of a new DB Server. Then the port can be closed.

TCP

Database replication between DB servers

Database replication

8080

TCP

Database replication between DB servers

DNS

53

TCP, UDP

DNS

NTP

123

UDP

NTP, used for time synchronization

LDAP

389

TCP, UDP

LDAP (if used with repository)

LDAPS

636

TCP,UDP

LDAP over TLS/SSL (if used with repository)

Dashboard and Reporting portal

9200

HTTPS

Collecting statistics from the Advanced Authentication servers in the cluster

Advanced Authentication Server Appliance uses the following ports required for the different methods:

Service

Port

Protocol

Usage

RADIUS

1812

TCP, UDP

Authentication

RADIUS

1813

TCP, UDP

Accounting

E-Mail Service

Variable

SMTP

E-Mail Traffic

Voice Call Service

Variable

HTTPS

All Communications (<AAServer>/twilio/status, <AAServer>/twilio/gather)

Smartphone

Variable

HTTPS

All Communications (<AAServer>/smartphone)

Smartphone Push Service

443

HTTPS

Communication between AAF and proxy.authasas.com (push service)

SMS

Variable

HTTPS

Communication to a used SMS service

Swisscom Mobile ID

Variable

HTTPS

Communication to the specified Swisscom Mobile ID service URL

Voice OTP Service

Variable

HTTPS

All Communications (<AAServer>/twilio/otp)

IMPORTANT:Any port can be used in case of reverse proxying. E.g., https://dnsname:888/smartphone. There is reverse proxy redirect from port 888 to port 443 internally to appliance. Port 888 is used from outside, but port 443 is used inside the appliance.

The following URLs are used in Advanced Authentication.

URL

Used for

Advanced Authentication Server

/static/*, /user/api

Web portals

/admin

Administration Portal

/account

Self-Service Portal

/helpdesk

Helpdesk Portal

/report

Reporting Portal

/api

REST API calls

/adfs

ADFS plug-in

/osp

SAML2, OAuth2 integrations

/search-card

Search Card Portal

Smartphone

/smartphone/adddevice/{path}/{enc_dev_id}

 

/smartphone/confirm/{path}

 

/smartphone/pushid/{path}

 

/smartphone/requestsalt/{path}

 

/smartphone/saltpushid/{path}

 

Twilio (SMS, Voice Call, Voice OTP)

/twilio/gather/{proc_id}

 

/twilio/otp/{proc_id}

 

/twilio/otp_anon/{tenant_id}/{otp}

 

/twilio/status/{proc_id}