Configuring firewall ports for the gateway
The Blue Cedar Connect Gateway requires specific firewall ports to be open so that the appropriate data traffic can pass through the firewall to the gateway.
For any corporate backend server that you use with the gateway (such as SSH, SCP, HTTPS, Syslog, CRL, SCEP, or EST), consider whether the firewall is public-facing (towards the external Internet) or private-facing (towards the corporate backend resources) relative to the gateway.
- If the gateway sits behind a public-facing firewall, then you must open ports 443, 500, and 4500 to permit traffic from the public Internet to pass through to the gateway.
- If a private-facing firewall sits between the gateway and the backend resource, additional firewall ports must be opened for traffic to flow freely between the gateway and the backend resource. Otherwise, operations such as user authentication fail because the private-facing firewall blocks the necessary data.
Blue Cedar recommends opening the following ports in your firewall configuration so that the required data traffic can freely travel between the gateway and the backend resource:
| Protocol to pass through the private-facing firewall | Port number | Transport protocol |
|---|---|---|
| Syslog | 514 | UDP |
| CRL (LDAP/SLDAP or HTTP) | 389 | TCP |
| DNS | 53 | UDP or TCP |
| HTTPS | 443 | TCP |
| NTP | 123 | UDP |
| RADIUS | 1812 | UDP |
| SCEP (HTTP) | 80 | TCP |
| SSH or SCP | 22 | TCP |
Note: EST runs on a port configured for HTTPS.
Note: If you are using Active Directory (AD) as your authentication provider, there are additional firewall ports you must open to allow traffic to flow freely between AD and the gateway. For details about setting this up, see Configure the firewall ports for the Gateway and Active Directory.
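The following POSIX shell script is an added example, not Blue Cedar's own tooling: it turns the two port lists above (the public-facing 443/500/4500 set and the private-facing backend table) into an nftables ruleset for a firewall that forwards traffic to and from the gateway, and it provides a small check function you can use to confirm that a given transport/port pair is on the private-side allow list before opening a ticket with the network team. The gateway address `192.0.2.10`, the table name `bluecedar`, and the transport protocols for the public side (TCP for 443, UDP for 500 and 4500, the usual IKE/IPsec NAT-T ports) are assumptions; the page itself lists only the port numbers for the public-facing firewall.

```shell
#!/bin/sh
# Added example: build an nftables ruleset for the firewalls around a
# Blue Cedar Connect Gateway from the port lists in the documentation.
# GATEWAY_IP is a placeholder (RFC 5737 documentation range); override it
# with the real gateway address when you generate the ruleset.
GATEWAY_IP="${GATEWAY_IP:-192.0.2.10}"
TABLE="inet bluecedar"

# Private-facing side (gateway -> backend resources), from the table above.
# Entries are name:port:transport; DNS is listed twice because the page
# allows UDP or TCP for it.
PRIVATE_PORTS="syslog:514:udp crl:389:tcp dns:53:udp dns:53:tcp \
https:443:tcp ntp:123:udp radius:1812:udp scep:80:tcp ssh:22:tcp"

# Public-facing side (Internet -> gateway). The page gives only the port
# numbers; the transports here are assumptions (HTTPS on TCP, IKE and
# IPsec NAT-T on UDP).
PUBLIC_PORTS="https:443:tcp ike:500:udp ipsec-natt:4500:udp"

# Split one name:port:transport entry into the three shell variables
# name, port and proto (POSIX parameter expansion, no external tools).
split_entry() {
    name=${1%%:*}
    rest=${1#*:}
    port=${rest%%:*}
    proto=${rest#*:}
}

# One accept rule per private-side entry: traffic sourced from the
# gateway toward the backend on the listed transport/port.
private_rules() {
    for e in $PRIVATE_PORTS; do
        split_entry "$e"
        printf 'add rule %s forward ip saddr %s %s dport %s accept comment "%s"\n' \
            "$TABLE" "$GATEWAY_IP" "$proto" "$port" "$name"
    done
}

# One accept rule per public-side entry: traffic from anywhere destined
# to the gateway on the listed transport/port.
public_rules() {
    for e in $PUBLIC_PORTS; do
        split_entry "$e"
        printf 'add rule %s forward ip daddr %s %s dport %s accept comment "%s"\n' \
            "$TABLE" "$GATEWAY_IP" "$proto" "$port" "$name"
    done
}

# Check helper: private_allows <transport> <port> exits 0 when the pair
# is on the private-side list, 1 otherwise. Useful when a backend
# operation fails and you want to confirm the port is expected to be open.
private_allows() {
    for e in $PRIVATE_PORTS; do
        split_entry "$e"
        [ "$proto" = "$1" ] && [ "$port" = "$2" ] && return 0
    done
    return 1
}

# Full ruleset: default-drop forward chain plus the accept rules.
# Everything not listed (e.g. LDAPS 636 or RDP 3389) stays blocked.
emit_ruleset() {
    echo "add table $TABLE"
    echo "add chain $TABLE forward { type filter hook forward priority 0; policy drop; }"
    private_rules
    public_rules
}

# Usage: sh gateway-fw.sh print > gateway.nft && nft -f gateway.nft
if [ "${1:-}" = "print" ]; then
    emit_ruleset
fi
```

The chain is default-drop, so anything outside the documented lists is blocked by design; if you later enable a backend that is not in the table (Active Directory, for example, which the note above covers separately), you add its entry to `PRIVATE_PORTS` rather than loosening the policy.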