2.5 Configuring the Firewall
You can view your current firewall configuration directly from the appliance in the Firewall 
tab. It lists the port numbers that the appliance expects to use on your network and the current status of each port. By default, all ports are blocked except those that are required by the appliance. For example, the Login page for the Configuration Console uses port 9443, so this port is open by default.
NOTE:To have a seamless experience with the appliance, ensure that you do not block the ports with your firewall settings.
To view firewall settings for the appliance:
-
Log in to the Configuration Console as the root user.
-
Click Firewall.
The Firewall page lists port numbers with the current status of each port number. The page is not editable.
2.5.1 Configuring the Ports and Firewall
IMPORTANT:The Advanced Authentication server uses ports 443 and 80. These ports cannot be changed.
Port forwarding is not recommended in a production environment because the entire appliance is available through the internet. It is recommended to use reverse proxy to map only the specific URLs.
By default, the Advanced Authentication server uses the following RFC standard ports.
|
Service |
Port |
Protocol |
Usage |
|---|---|---|---|
|
REST |
443 |
HTTPS |
All Communications |
|
Administration portal, Self-Service portal, Helpdesk portal, Reporting portal, and Search card portal |
443 |
HTTPS |
All Communications (<AAServer>/admin, <AAServer>/account, <AAServer>/helpdesk, <AAServer>/report) |
|
Database replication |
5432 |
TCP |
Database replication between DB servers. The port must be opened to the Master server of the same site (or to the Global Master server for the installation of any server in the new sites) only for the installation of new DB server. For Web servers port must be always opened. |
|
Database replication |
8080 |
TCP |
Database replication between DB servers |
|
DNS |
53 |
TCP, UDP |
DNS |
|
NTP |
123 |
UDP |
NTP, used for time synchronization |
|
LDAP |
389 |
TCP, UDP |
LDAP (if used with repository) |
|
LDAPS |
636 |
TCP,UDP |
LDAP over TLS/SSL (if used with repository) |
|
Dashboard and Reporting portal |
9200, 9300 |
HTTPS |
Collecting statistics from the Advanced Authentication servers in the cluster |
|
SQL |
1433 |
TCP, 1434 UDP |
Microsoft SQL Server (if used with repository) |
Advanced Authentication server uses the following ports for the different methods:
|
Service |
Port |
Protocol |
Usage |
|---|---|---|---|
|
RADIUS |
1812 |
UDP |
Authentication |
|
RADIUS |
1813 |
UDP |
Accounting |
|
E-Mail Service |
Variable |
SMTP |
E-Mail Traffic |
|
Voice Call Service |
Variable |
HTTPS |
All Communications (<AAServer>/twilio/status, <AAServer>/twilio/gather) |
|
Smartphone |
Variable |
HTTPS |
All Communications (<AAServer>/smartphone) |
|
Smartphone Push Service |
443 |
HTTPS |
Communication between Advanced Authentication and proxy.authasas.com (push service) |
|
SMS |
Variable |
HTTPS |
Communication to a used SMS service |
|
Swisscom Mobile ID |
Variable |
HTTPS |
Communication to the specified Swisscom Mobile ID service URL |
|
Voice OTP Service |
Variable |
HTTPS |
All Communications (<AAServer>/twilio/otp) |
|
Face Recognition |
443 |
HTTPS |
Microsoft Cognitive Services (URL specified in Administration portal > Methods > Face Recognition > Endpoint URL) |
|
HANIS Face and HANIS Fingerprint |
443 |
HTTPS |
Third-party Service Provider (URL specified in Administration portal > Methods > HANIS Face > Base URL) |
|
Out-of-band |
443 |
HTTPS |
Outgoing connection to fcm.googleapis.com |
IMPORTANT:For reverse proxy, you can use any port. For example, https://dnsname:888/smartphone. A reverse proxy redirect is done from port 888 to port 443 internally to appliance. Port 888 is used from outside, but port 443 is used inside the appliance.
The following table lists the ports of the common appliance:
|
Port |
Description |
|---|---|
|
22 |
SSH port for the appliance |
|
25 |
SMTP and SMTPS outbound ports |
|
80 |
Standard Web server ports |
|
1099 |
Java RMI port |
|
7380 |
Ganglia RRD-REST ports |
|
9080 |
Apache/HTTPD port |
|
9090, 9443 |
Jetty port for the appliance (Administrator Interface) |
Use SuSEfirewall2 to change the firewall settings. For example, execute the following commands to enable port 9443 for external network:
SuSEfirewall2 open EXT TCP 9443 SuSEfirewall2 stop SuSEfirewall2 start systemctl stop aauth systemctl restart docker systemctl start aauth
The following table lists the URLs to access the external address for Advanced Authentication.
|
URL |
Port |
Description |
|---|---|---|
|
ftp.novell.com |
21 |
Required to upload the logs for sending information to the Support team. For more information, see |
|
ftp.suse.com |
21 |
Required for the testing of YaST Proxy. For more information, see |
|
nu.novell.com and secure-www.novell.com |
443 |
Required for all the SUSE products |
|
proxy.authasas.com |
443 |
Required for the push service in Smartphone authentication |
|
recaptcha.net |
443 |
Google reCAPTCHA |
|
fcm.googleapis.com |
443 |
Authentication Agent for Web or OOB portal when using the Out-of-band method |
NOTE:Granting access to docker.io, docker.com, and redis.io is required only for the helm chart and not for the appliance.
Advanced Authentication uses the following URLs.
|
URL |
Used for |
|---|---|
|
Advanced Authentication Server |
|
|
/static/*, /user/api, /rest/user/api |
Web portals |
|
/admin |
Administration portal |
|
/account |
Self-Service portal |
|
/helpdesk |
Helpdesk portal |
|
/report |
Reporting portal |
|
/api |
REST API calls |
|
/adfs |
ADFS plug-in |
|
/osp |
SAML 2.0, OAuth 2.0 integrations, Authenticators Management event (New Enrollment Portal), Smartphone Enrollment event, and OOB UI logon event. |
|
/osp/a/TOP/auth/oauth2/.well-known/openid-configuration |
Well-known/openid-configuration OAuth 2.0 integrations, Authenticators Management event (New Enrollment Portal), Smartphone Enrollment event, and OOB UI logon event. |
|
/search-card |
Search Card portal |
|
/smartphone/* |
Smartphone method |
|
Out-of-band |
|
|
/oob/agent |
Authentication Agent |
|
/oob/ui |
OOB portal |
|
Twilio (SMS, Voice Call, Voice OTP) |
|
|
/twilio/gather/{proc_id} |
|
|
/twilio/otp/{proc_id} |
|
|
/twilio/otp_anon/{tenant_id}/{otp} |
|
|
/twilio/status/{proc_id} |
|
2.5.2 Configuring Firewall for Advanced Authentication as a Service
The following table lists the ports of Advanced Authentication as a Service (SaaS):
|
Port |
Description |
|---|---|
|
9092 |
The Cloud Bridge Agent, on-prem SaaS Agent communicates to a SaaS service. |
|
443 |
For all other outbound communications. |