
How To Install A Server Behind A Firewall

If your server is going to sit behind a firewall, you need to configure the firewall to open the following ports so that the required traffic can pass through.

 

From the server's WAN IP address to the Internet (outbound):

We strongly recommend that you allow all traffic outbound from the WAN IP of your server to the Internet. We also strongly recommend that any form of traffic filtering is disabled.

However, if you do have to restrict which ports are open outbound, the following ports must be open outbound from the WAN IP of your Zynstra server to the specified hosts:

A VPN tunnel needs to be established from the server to our Management Cloud, on either port UDP 1194 or TCP 443. The server will first try to use UDP 1194 and, if that doesn't work, will fall back to TCP 443.

VPN Connection

  • UDP 1194 to 54.229.127.80 (access.zcp.zynstra.com)
            OR
  • TCP 443 to 54.229.127.80 (access.zcp.zynstra.com)

DNS

  • TCP and UDP 53 to the DNS server IP specified in the Installation Console (8.8.8.8 by default)

Software and configuration download

  • TCP 443 to 52.31.223.191 (Zynstra Sandbox, for initial configuration download)
  • TCP 443 to 54.247.79.38 (Zynstra Repo, for software updates)
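
The following pre-flight check is an added example, not part of the original article or of Zynstra's tooling. Run from the server's network position after restricting outbound traffic, it probes the TCP and DNS flows listed above; the function names are illustrative, and UDP 1194 is not probed because confirming it needs a real VPN handshake.

```python
"""Pre-flight check for the restricted outbound flows listed above (added example)."""
import socket
import struct

# Hosts and ports come from the article; 8.8.8.8 is the article's default DNS server.
DNS_SERVER = "8.8.8.8"
TCP_FLOWS = [
    ("VPN fallback", "54.229.127.80", 443),
    ("Sandbox (initial configuration)", "52.31.223.191", 443),
    ("Repo (software updates)", "54.247.79.38", 443),
    ("DNS over TCP", DNS_SERVER, 53),
]

def tcp_open(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def dns_query(name, qid=0x1234):
    """Build a minimal DNS A-record query (recursion desired) for name."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = (bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + b"".join(labels) + b"\x00" + struct.pack(">HH", 1, 1)

def udp_dns_ok(server, name="access.zcp.zynstra.com", port=53, timeout=3.0):
    """Return True if server answers a UDP DNS query with the matching ID."""
    query = dns_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, port))
            reply, _ = s.recvfrom(512)
        except OSError:
            return False
    # Same transaction ID and the QR (response) bit set.
    return len(reply) >= 12 and reply[:2] == query[:2] and bool(reply[2] & 0x80)

def run_checks():
    """Return {flow description: reachable} for every flow that can be probed."""
    results = {f"{d}: TCP {p} to {h}": tcp_open(h, p) for d, h, p in TCP_FLOWS}
    results[f"DNS over UDP: UDP 53 to {DNS_SERVER}"] = udp_dns_ok(DNS_SERVER)
    return results

if __name__ == "__main__":
    for flow, ok in run_checks().items():
        print(f"{'OK     ' if ok else 'BLOCKED'}  {flow}")
```

A BLOCKED result for the TCP 443 VPN flow only matters if UDP 1194 is also closed, since the server uses TCP 443 as the fallback.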

 

From the Internet to the server's iLO IP address (inbound):

The following ports are required to be open Inbound to the iLO port from the specified hosts. These ports can be changed in the Commissioning Console.

  • TCP 20022 from 193.63.64.25 and 54.229.64.72
  • TCP 20080 from 193.63.64.25 and 54.229.64.72
  • TCP 20443 from 193.63.64.25 and 54.229.64.72
  • TCP 20988 from 193.63.64.25 and 54.229.64.72
  • TCP 20990 from 193.63.64.25 and 54.229.64.72

 

From the Internet to the server's WAN IP address (inbound):

If (and only if) you wish to use the End User VPN feature, you need to allow the VPN traffic through the firewall to the WAN IP address of your server. The port you need to open is below:

  • UDP 1194

Note: this is only needed if you want to allow end users to use the client VPN from remote devices to make inbound VPN connections.

 

From the Internet to the server's WAN IP address (inbound):

If (and only if) you are deploying multiple servers in a multi-site configuration, which establishes a fully-meshed IPsec VPN between the servers, you need to allow the VPN traffic through the firewall to the WAN IP address of your server. The ports you need to open are below:

  • UDP and TCP 500
  • UDP and TCP 4500

Note: For multi-site server deployments, it is particularly recommended that none of the servers are behind a firewall. If you have any questions about multi-site deployments, please raise a support case.

 

If you need any further help configuring your firewall, please contact your firewall vendor for support.

Below are links to popular firewall documentation and support sites:

Cisco ASA: http://www.cisco.com/c/en/us/support/index.html 

Sonicwall: https://support.software.dell.com/release-notes-product-select

Netgear: https://www.netgear.com/support/

Draytek: https://www.draytek.co.uk/support

PFSense: https://doc.pfsense.org/index.php/Main_Page

Fortinet: https://support.fortinet.com/

Meraki: https://meraki.cisco.com/support/
