You can view the current firewall configuration of the appliance in the Firewall tab of the Configuration Console. By default, all ports are blocked except those the appliance requires. For example, the login page of the Configuration Console uses port 9443, so this port is open by default.
NOTE: The ports listed below are required by the appliance. Do not block them in your network firewall, or parts of the product will stop working.
To view firewall settings for the appliance:
Log in to the Configuration Console as the root user.
Click Firewall.
The Firewall page lists each port together with its current status. The page is read-only; any additional restrictions must be applied in the network firewall in front of the appliance.
IMPORTANT: The Advanced Authentication server uses ports 443 and 80. These ports cannot be changed.
Port forwarding is not recommended in a production environment because it exposes the entire appliance, including the administration portals, to the internet. Use a reverse proxy instead and publish only the specific URLs that must be reachable from outside.
By default, the Advanced Authentication server uses the following standard ports.

| Service | Port | Protocol | Usage |
|---|---|---|---|
| REST | 443 | HTTPS | All communications |
| Administration portal, Self-Service portal, Helpdesk portal, Reporting portal, and Search Card portal | 443 | HTTPS | All communications (<AAServer>/admin, <AAServer>/account, <AAServer>/helpdesk, <AAServer>/report) |
| Server update | 443 | HTTPS | Update channel: appliance to update server (repo.authasas.com) |
| Database replication | 5432 | TCP | Database replication between DB servers. Open this port to the Master server of the same site (or to the Global Master server when installing the DB Master server of a new site) only while a new server is being installed; close it again afterwards. |
| Database replication | 8080 | TCP | Database replication between DB servers |
| DNS | 53 | TCP, UDP | DNS |
| NTP | 123 | UDP | NTP, used for time synchronization |
| LDAP | 389 | TCP, UDP | LDAP (if used with a repository) |
| LDAPS | 636 | TCP, UDP | LDAP over TLS/SSL (if used with a repository) |
| Dashboard and Reporting portal | 9200, 9300 | HTTPS | Collecting statistics from the Advanced Authentication servers in the cluster |
| SQL | 1433, 1434 | 1433 TCP, 1434 UDP | Microsoft SQL Server (if used with a repository) |
The Advanced Authentication server uses the following ports for the different authentication methods:

| Service | Port | Protocol | Usage |
|---|---|---|---|
| RADIUS | 1812 | TCP, UDP | Authentication |
| RADIUS | 1813 | TCP, UDP | Accounting |
| E-Mail Service | Variable | SMTP | E-mail traffic |
| Voice Call Service | Variable | HTTPS | All communications (<AAServer>/twilio/status, <AAServer>/twilio/gather) |
| Smartphone | Variable | HTTPS | All communications (<AAServer>/smartphone) |
| Smartphone Push Service | 443 | HTTPS | Communication between AAF and proxy.authasas.com (push service) |
| SMS | Variable | HTTPS | Communication to the SMS service in use |
| Swisscom Mobile ID | Variable | HTTPS | Communication to the specified Swisscom Mobile ID service URL |
| Voice OTP Service | Variable | HTTPS | All communications (<AAServer>/twilio/otp) |
| Face Recognition | 443 | HTTPS | Microsoft Cognitive Services (URL specified in Administration portal > Methods > Face Recognition > Endpoint URL) |
IMPORTANT: A reverse proxy can listen on any external port, for example https://dnsname:888/smartphone. The reverse proxy forwards requests from port 888 to port 443 on the appliance: port 888 is used from outside, but port 443 is used inside the appliance.
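The reverse-proxy setup recommended above (publish only specific URLs instead of forwarding the whole appliance), as an added example that is not part of this documentation or the product: an nginx server listening on port 888 that forwards only the Smartphone method endpoints and the Twilio callback endpoints to port 443 on the appliance, and answers 404 for every other path, so the Administration, Self-Service, Helpdesk and Reporting portals remain reachable only from the internal network. The appliance address 10.0.0.10, the public name dnsname.example.com, the certificate paths, and the choice of published paths are assumptions for illustration.

```nginx
# Added example (not from the product documentation): nginx reverse proxy that publishes
# only the Smartphone and Twilio callback URLs of an Advanced Authentication appliance.
# Assumed values: appliance at 10.0.0.10:443, public name dnsname.example.com,
# certificate files under /etc/nginx/certs/.

upstream aa_appliance {
    server 10.0.0.10:443;
}

server {
    # Port 888 is what clients use from outside; the appliance itself still listens on 443.
    listen 888 ssl;
    server_name dnsname.example.com;

    ssl_certificate     /etc/nginx/certs/proxy.crt;
    ssl_certificate_key /etc/nginx/certs/proxy.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Smartphone method: enrollment and push-confirmation endpoints under <AAServer>/smartphone/.
    location ^~ /smartphone/ {
        proxy_pass                    https://aa_appliance;
        proxy_ssl_server_name         on;
        # Verify the appliance certificate against an assumed internal CA bundle.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/certs/appliance-ca.crt;
        proxy_set_header              Host $host;
        proxy_set_header              X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header              X-Forwarded-Proto https;
    }

    # Twilio callbacks for SMS, Voice Call and Voice OTP:
    # <AAServer>/twilio/status, /twilio/gather, /twilio/otp, /twilio/otp_anon.
    location ^~ /twilio/ {
        proxy_pass                    https://aa_appliance;
        proxy_ssl_server_name         on;
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/certs/appliance-ca.crt;
        proxy_set_header              Host $host;
        proxy_set_header              X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header              X-Forwarded-Proto https;
    }

    # Default deny: /admin, /account, /helpdesk, /report, /api, /osp and everything else
    # are not published and stay reachable only inside the network.
    location / {
        return 404;
    }
}
```

Extend the allowlist only for the integrations that genuinely face the internet, for example /oob/ for the Authentication Agent or /osp for SAML 2.0 and OAuth 2.0 integrations; leave the administration portals off the list, and keep the appliance's own port 443 unreachable from outside so that the proxy is the only published path.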
The following table lists the ports of the common appliance:

| Port | Description |
|---|---|
| 22 | SSH port for the appliance |
| 25 | SMTP and SMTPS outbound port |
| 80 | Standard web server port |
| 1099 | Java RMI port |
| 7380 | Ganglia RRD-REST port |
| 9080 | Apache/HTTPD port |
| 9090, 9443 | Jetty ports for the appliance (Administrator Interface) |
The following table lists the external addresses that Advanced Authentication must be able to reach:

| URL | Port | Description |
|---|---|---|
| docker.io | 443 | Required to download the Docker updates |
| ftp.novell.com | 21 | Required to upload logs when sending information to the Support team. For more information, see |
| www.novell.com | 80 | Required for testing the YaST proxy. For more information, see |
| nu.novell.com and secure-www.novell.com | 443 | Required for all SUSE products |
| proxy.authasas.com | 443 | Required for the push service in Smartphone authentication |
Advanced Authentication uses the following URLs.

| URL | Used for |
|---|---|
| /static/*, /user/api | Advanced Authentication Server: Web portals |
| /admin | Advanced Authentication Server: Administration portal |
| /account | Advanced Authentication Server: Self-Service portal |
| /helpdesk | Advanced Authentication Server: Helpdesk portal |
| /report | Advanced Authentication Server: Reporting portal |
| /api | Advanced Authentication Server: REST API calls |
| /adfs | Advanced Authentication Server: ADFS plug-in |
| /osp | Advanced Authentication Server: SAML 2.0, OAuth 2.0 integrations |
| /search-card | Advanced Authentication Server: Search Card portal |
| /oob/{oob_proc_id:[0-9a-zA-Z-]{3,32}} | Authentication Agent |
| /smartphone/adddevice/{path}/{enc_dev_id} | Smartphone |
| /smartphone/confirm/{path} | Smartphone |
| /smartphone/pushid/{path} | Smartphone |
| /smartphone/requestsalt/{path} | Smartphone |
| /smartphone/saltpushid/{path} | Smartphone |
| /twilio/gather/{proc_id} | Twilio (SMS, Voice Call, Voice OTP) |
| /twilio/otp/{proc_id} | Twilio (SMS, Voice Call, Voice OTP) |
| /twilio/otp_anon/{tenant_id}/{otp} | Twilio (SMS, Voice Call, Voice OTP) |
| /twilio/status/{proc_id} | Twilio (SMS, Voice Call, Voice OTP) |