4.5 Configuring the Firewall

You can view your current firewall configuration directly from the appliance in the Firewall tab. By default, all ports are blocked except those that are required by the appliance. For example, the Login page for the Configuration Console uses port 9443, so this port is open by default.

NOTE:To have a seamless experience with the appliance, ensure that you do not block the ports with your firewall settings.

To view firewall settings for the appliance:

  1. Log in to the Configuration Console as the root user.

  2. Click Firewall.

    The Firewall page lists port numbers with the current status of each port number. The page is not editable.

4.5.1 Configuring the Ports and Firewall

IMPORTANT:The Advanced Authentication server uses ports 443 and 80. These ports cannot be changed.

Port forwarding is not recommended in a production environment because the entire appliance is available through the internet. It is recommended to use reverse proxy to map only the specific URLs.

By default, the Advanced Authentication server uses the following RFC standard ports.

Service

Port

Protocol

Usage

REST

443

HTTPS

All Communications

Administration portal, Self-Service portal, Helpdesk portal, Reporting portal, and Search card portal

443

HTTPS

All Communications (<AAServer>/admin, <AAServer>/account, <AAServer>/helpdesk, <AAServer>/report)

Server Update

443

HTTPS

Update channel: appliance - update server (repo.authasas.com)

Database replication

5432

TCP

Database replication between DB servers.

The port must be opened to the Master server of the same site (or to the Global Master server for the installation of DB Master Server in the new sites) only for the installation of new server. Then the port can be closed.

Database replication

8080

TCP

Database replication between DB servers

DNS

53

TCP, UDP

DNS

NTP

123

UDP

NTP, used for time synchronization

LDAP

389

TCP, UDP

LDAP (if used with repository)

LDAPS

636

TCP,UDP

LDAP over TLS/SSL (if used with repository)

Dashboard and Reporting portal

9200, 9300

HTTPS

Collecting statistics from the Advanced Authentication servers in the cluster

SQL

1433

TCP, 1434 UDP

Microsoft SQL Server (if used with repository)

Advanced Authentication server uses the following ports for the different methods:

Service

Port

Protocol

Usage

RADIUS

1812

TCP, UDP

Authentication

RADIUS

1813

TCP, UDP

Accounting

E-Mail Service

Variable

SMTP

E-Mail Traffic

Voice Call Service

Variable

HTTPS

All Communications (<AAServer>/twilio/status, <AAServer>/twilio/gather)

Smartphone

Variable

HTTPS

All Communications (<AAServer>/smartphone)

Smartphone Push Service

443

HTTPS

Communication between AAF and proxy.authasas.com (push service)

SMS

Variable

HTTPS

Communication to a used SMS service

Swisscom Mobile ID

Variable

HTTPS

Communication to the specified Swisscom Mobile ID service URL

Voice OTP Service

Variable

HTTPS

All Communications (<AAServer>/twilio/otp)

Face Recognition

443

HTTPS

Microsoft Cognitive Services (URL specified in Administration portal > Methods > Face Recognition > Endpoint URL)

IMPORTANT:For reverse proxy, you can use any port. For example, https://dnsname:888/smartphone. A reverse proxy redirect is done from port 888 to port 443 internally to appliance. Port 888 is used from outside, but port 443 is used inside the appliance.

The following table lists the ports of the common appliance:

Port

Description

22

SSH port for the appliance

25

SMTP and SMTPS outbound ports

80

Standard Web server ports

1099

Java RMI port

7380

Ganglia RRD-REST ports

9080

Apache/HTTPD port

9090, 9443

Jetty port for the appliance (Administrator Interface)

The following table lists the URLs to access the external address for Advanced Authentication.

URL

Port

Description

docker.io

443

Required to download the docker updates

ftp.novell.com

21

Required to upload the logs for sending information to the Support team. For more information, see Sending Information to Support

www.novell.com

80

Required for the testing of YaST Proxy. For more information, see Configuring the Proxy Settings

nu.novell.com and

secure-www.novell.com

443

Required for all the SUSE products

proxy.authasas.com

443

Required for the push service in Smartphone authentication

Advanced Authentication uses the following URLs.

URL

Used for

Advanced Authentication Server

/static/*, /user/api

Web portals

/admin

Administration portal

/account

Self-Service portal

/helpdesk

Helpdesk portal

/report

Reporting portal

/api

REST API calls

/adfs

ADFS plug-in

/osp

SAML 2.0, OAUTH 2.0 integrations

/search-card

Search Card portal

Authentication Agent

/oob/{oob_proc_id:[0-9a-zA-Z-]{3,32}}

Authentication Agent

Smartphone

/smartphone/adddevice/{path}/{enc_dev_id}

 

/smartphone/confirm/{path}

 

/smartphone/pushid/{path}

 

/smartphone/requestsalt/{path}

 

/smartphone/saltpushid/{path}

 

Twilio (SMS, Voice Call, Voice OTP)

/twilio/gather/{proc_id}

 

/twilio/otp/{proc_id}

 

/twilio/otp_anon/{tenant_id}/{otp}

 

/twilio/status/{proc_id}