2.5 Configuring the Firewall

You can view your current firewall configuration directly from the appliance in the Firewall tab. It lists the port numbers that the appliance expects to use on your network and the current status of each port. By default, all ports are blocked except those that are required by the appliance. For example, the Login page for the Configuration Console uses port 9443, so this port is open by default.

NOTE:To have a seamless experience with the appliance, ensure that you do not block the ports with your firewall settings.

To view firewall settings for the appliance:

  1. Log in to the Configuration Console as the root user.

  2. Click Firewall.

    The Firewall page lists port numbers with the current status of each port number. The page is not editable.

2.5.1 Configuring the Ports and Firewall

IMPORTANT:The Advanced Authentication server uses ports 443 and 80. These ports cannot be changed.

Port forwarding is not recommended in a production environment because the entire appliance is available through the internet. It is recommended to use reverse proxy to map only the specific URLs.

By default, the Advanced Authentication server uses the following RFC standard ports.

Service

Port

Protocol

Usage

REST

443

HTTPS

All Communications

Administration portal, Self-Service portal, Helpdesk portal, Reporting portal, and Search card portal

443

HTTPS

All Communications (<AAServer>/admin, <AAServer>/account, <AAServer>/helpdesk, <AAServer>/report)

Database replication

5432

TCP

Database replication between DB servers.

The port must be opened to the Master server of the same site (or to the Global Master server for the installation of any server in the new sites) only for the installation of new DB server. For Web servers port must be always opened.

Database replication

8080

TCP

Database replication between DB servers

DNS

53

TCP, UDP

DNS

NTP

123

UDP

NTP, used for time synchronization

LDAP

389

TCP, UDP

LDAP (if used with repository)

LDAPS

636

TCP,UDP

LDAP over TLS/SSL (if used with repository)

Dashboard and Reporting portal

9200, 9300

HTTPS

Collecting statistics from the Advanced Authentication servers in the cluster

SQL

1433

TCP, 1434 UDP

Microsoft SQL Server (if used with repository)

Advanced Authentication server uses the following ports for the different methods:

Service

Port

Protocol

Usage

RADIUS

1812

UDP

Authentication

RADIUS

1813

UDP

Accounting

E-Mail Service

Variable

SMTP

E-Mail Traffic

Voice Call Service

Variable

HTTPS

All Communications (<AAServer>/twilio/status, <AAServer>/twilio/gather)

Smartphone

Variable

HTTPS

All Communications (<AAServer>/smartphone)

Smartphone Push Service

443

HTTPS

Communication between Advanced Authentication and proxy.authasas.com (push service)

SMS

Variable

HTTPS

Communication to a used SMS service

Swisscom Mobile ID

Variable

HTTPS

Communication to the specified Swisscom Mobile ID service URL

Voice OTP Service

Variable

HTTPS

All Communications (<AAServer>/twilio/otp)

Face Recognition

443

HTTPS

Microsoft Cognitive Services (URL specified in Administration portal > Methods > Face Recognition > Endpoint URL)

HANIS

443

HTTPS

Third-party Service Provider (URL specified in Administration portal > Methods > HANIS > Base URL)

Out-of-band

443

HTTPS

Outgoing connection to fcm.googleapis.com

IMPORTANT:For reverse proxy, you can use any port. For example, https://dnsname:888/smartphone. A reverse proxy redirect is done from port 888 to port 443 internally to appliance. Port 888 is used from outside, but port 443 is used inside the appliance.

The following table lists the ports of the common appliance:

Port

Description

22

SSH port for the appliance

25

SMTP and SMTPS outbound ports

80

Standard Web server ports

1099

Java RMI port

7380

Ganglia RRD-REST ports

9080

Apache/HTTPD port

9090, 9443

Jetty port for the appliance (Administrator Interface)

Use SuSEfirewall2 to change the firewall settings. For example, execute the following commands to enable port 9443 for external network:

SuSEfirewall2 open EXT TCP 9443
SuSEfirewall2 stop
SuSEfirewall2 start
systemctl stop aauth
systemctl restart docker
systemctl start aauth

The following table lists the URLs to access the external address for Advanced Authentication.

URL

Port

Description

ftp.novell.com

21

Required to upload the logs for sending information to the Support team. For more information, see Sending Information to Support

ftp.suse.com

21

Required for the testing of YaST Proxy. For more information, see Configuring the Proxy Settings

nu.novell.com and

secure-www.novell.com

443

Required for all the SUSE products

proxy.authasas.com

443

Required for the push service in Smartphone authentication

recaptcha.net

443

Google reCAPTCHA

fcm.googleapis.com

443

Authentication Agent for Web or OOB portal when using the Out-of-band method

NOTE:Granting access to docker.io, docker.com, and redis.io is required only for the helm chart and not for the appliance.

Advanced Authentication uses the following URLs.

URL

Used for

Advanced Authentication Server

/static/*, /user/api, /rest/user/api

Web portals

/admin

Administration portal

/account

Self-Service portal

/helpdesk

Helpdesk portal

/report

Reporting portal

/api

REST API calls

/adfs

ADFS plug-in

/osp

SAML 2.0, OAuth 2.0 integrations, Authenticators Management event (New Enrollment Portal), Smartphone Enrollment event, and OOB UI logon event.

/osp/a/TOP/auth/oauth2/.well-known/openid-configuration

Well-known/openid-configuration OAuth 2.0 integrations, Authenticators Management event (New Enrollment Portal), Smartphone Enrollment event, and OOB UI logon event.

/search-card

Search Card portal

/smartphone/*

Smartphone method

Out-of-band

/oob/agent

Authentication Agent

/oob/ui

OOB portal

Twilio (SMS, Voice Call, Voice OTP)

/twilio/gather/{proc_id}

 

/twilio/otp/{proc_id}

 

/twilio/otp_anon/{tenant_id}/{otp}

 

/twilio/status/{proc_id}

 

2.5.2 Configuring Firewall for Advanced Authentication as a Service

The following table lists the ports of Advanced Authentication as a Service (SaaS):

Port

Description

9092

The Cloud Bridge Agent, on-prem SaaS Agent communicates to a SaaS service.

443

For all other outbound communications.