Internal corporate network rules
The following table outlines the firewall rules required for internal corporate network access for:
-
Core Appliance (physical or virtual) - All ports (except UDP) should be bi-directional to allow information / data exchange between systems.
-
Sentry Appliance (physical or virtual, ActiveSync / AppTunnel) - the Sentry must be able to resolve the Core hostname (via DNS lookup) or a hostfile entry must be added.
Core Appliance and the Sentry Appliance items communicate with each other.
|
Requirement |
Description |
Port |
|
Traffic from Internal Corporate Network to Core Core is in the DMZ |
||
|
Core administrator access (System Manager) |
Open HTTPS 8443 from the corporate network to the Core appliance |
HTTPS 8443 |
| Core administrator access | Open HTTPS 443 and SSH 22 from the corporate network to the Core appliance | HTTPS 443, SSH 22 |
|
Core Enterprise Connector (Optional LDAP Proxy) |
Open HTTPS 443 from Enterprise Connector to Core | HTTPS 443 |
| Core Reporting Database (Optional) | Ensure that HTTPS 7443 from the Reporting Database to Core is open. It is open by default. | HTTPS 7443 |
| Self-service user portal | Open HTTPS 443 from the corporate network to the Core appliance | HTTPS 443 |
|
Traffic from Core to Internal Corporate Network Core is in the DMZ |
||
| LDAP / Active Directory | LDAP User Lookup and Authentication | TCP 636 (secure) -or- TCP 389 |
| SMTP Relay for SMS and Email Notifications | Open TCP 25 (if not in DMZ) and define the SMTP relay server | TCP 25 |
| DNS Lookup Open |
Open UDP 53 (if not in DMZ) and define DNS server(s) TCP is needed in case of large DNS Queries |
UDP 53 |
| NTP Time Synchronization Service | Open UDP 123 (if not in DMZ) and define NTP server(s) | UDP 123 |
| Certificate / SCEP Server | SCEP Proxy Configuration | HTTP 443 |
| Core access to Sentry | Open HTTPS 9090 (primary access) and HTTPS 443 (view of Sentry certificate) to the Sentry appliance | HTTPS 9090 and HTTPS 443 |
| Sentry access to Core | Open HTTPS 8443 to the Core appliance (HTTPS 8443 is the default, but HTTPS 443 is also supported.) | HTTPS 8443 |
|
Traffic from Internal Corporate Network to Standalone Sentry Standalone Sentry is in the DMZ |
||
| Core administrator access | Open HTTPS 8443 from the corporate network to Sentry (System Manager access) | HTTPS 8443 |
| Core administrator access | Open SSH 22 from the corporate network to Sentry | SSH 22 |
|
Traffic from Standalone Sentry to Internal Corporate Network Standalone Sentry is in the DMZ |
||
| CIFS-based Content Server | Open TCP 445 if using Docs@Work with CIFS-based content servers | TCP 445 |
| Certificate / SCEP Server | SCEP Server/CA Access (for CRL verification only) | HTTP 80 or HTTPS 443 |
| App Server for AppTunnel | Open HTTP 80 or HTTPS 443 to the app/content server if configuring this Sentry for AppTunnel | HTTP 80 or HTTPS 443 (typically) |
| Exchange ActiveSync | Open HTTP 80 or HTTPS 443 to the ActiveSync server if configuring this Sentry for email service | HTTP 80 or HTTPS 443 |
| DNS Lookup | Open UDP 53 (if not in DMZ) and define DNS server(s) | UDP 53 |
| NTP Time Synchronization | Open UDP 123 (if not in DMZ) and define NTP server(s) | UDP 123 |
| LDAP / Active Directory | Open TCP/UDP 389 Kerberos LDAP ping (optional for Kerberos-constrained delegation) | TCP/UDP 389 |
| SMTP Relay for Sentry Console Email Notifications | Open TCP 25 (if not in DMZ) and define SMTP relay server | TCP 25 |
| Kerberos Server | Open TCP 88 (for Kerberos-constrained delegation) | TCP 88 |
- For firewall rules required for Internal rules/outside rules, see External and Internet rules.
- For additional firewall rules, see Additional firewall rules.