Quick Summary Diagram:
Quick Summary Table:
| Software | Connecting to | Direction | Port | Required |
|---|---|---|---|---|
| ZDE/ZME | Controller | OUTBOUND | 443/TCP | Yes |
| ZDE/ZME | Edge Router | OUTBOUND | 443/TCP | Yes |
| Edge Router | Controller | OUTBOUND | 443/TCP | Yes |
| Edge Router | Controller | OUTBOUND | 80/TCP [#] | Yes |
| Edge Router | Controller | OUTBOUND | 6262/TCP | Yes |
| Edge Router | Edge Router | OUTBOUND | 443/TCP | Yes |
| Edge Router | Edge Router | OUTBOUND | 80/TCP [#] | Yes |
| Edge Router | Edge Router | INBOUND | 443/TCP | No |
| Edge Router | Edge Router | INBOUND | 80/TCP | No |
[#] Move to a single port (443) via ALPN:
- Cloud Ziti Controllers and Routers can operate with a single open port, 443, instead of two ports (443 and 80).
- This is implemented with the ALPN (Application-Layer Protocol Negotiation) TLS extension: the TLS client lists the application protocols it supports in its ClientHello and the TLS server selects one during the handshake, so the control, edge and router-link protocols can share port 443 and be dispatched to the right handler without a second port.
- Customers can move from the current two-port model (443 and 80) to the single port 443 by requesting a network upgrade to 7.3.94/0.30.0 or later.
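The rows of the summary table, the [#] footnote and the link-listener note further down this page fit in one preflight script. The following is an added example, not NetFoundry or OpenZiti tooling: it derives the rule set a host must open for its role, network version and link-listener setting, then probes each outbound rule with a plain TCP connect. The version comparison uses only the NetFoundry network-version half of "7.3.94/0.30.4"; the hostnames in the `__main__` block are placeholders the operator replaces with the controller and router names shown in the console.

```python
"""Preflight egress check built from the firewall summary table on this page.

Added example, not NetFoundry's tooling. Hostnames are operator-supplied
placeholders; the rule rows are copied from the summary table above.
"""
import socket
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Rule:
    source: str        # "ZDE/ZME" or "Edge Router"
    destination: str   # "Controller" or "Edge Router"
    direction: str     # "OUTBOUND" or "INBOUND"
    port: int          # TCP port
    required: bool     # "Yes"/"No" column of the table
    legacy_80: bool = False  # row carries the [#] footnote (not needed from 7.3.94 on)


# The summary table, row for row.
SUMMARY_TABLE = (
    Rule("ZDE/ZME", "Controller", "OUTBOUND", 443, True),
    Rule("ZDE/ZME", "Edge Router", "OUTBOUND", 443, True),
    Rule("Edge Router", "Controller", "OUTBOUND", 443, True),
    Rule("Edge Router", "Controller", "OUTBOUND", 80, True, legacy_80=True),
    Rule("Edge Router", "Controller", "OUTBOUND", 6262, True),
    Rule("Edge Router", "Edge Router", "OUTBOUND", 443, True),
    Rule("Edge Router", "Edge Router", "OUTBOUND", 80, True, legacy_80=True),
    Rule("Edge Router", "Edge Router", "INBOUND", 443, False),
    Rule("Edge Router", "Edge Router", "INBOUND", 80, False),
)

# First NetFoundry network version that runs everything over 443 via ALPN (the [#] note).
SINGLE_PORT_VERSION = (7, 3, 94)


def parse_version(text: str) -> tuple:
    """'7.3.94' -> (7, 3, 94). Accepts the 'x.y.z/a.b.c' form and uses the first half."""
    return tuple(int(p) for p in text.split("/")[0].strip().split("."))


def rules_for(role: str, network_version: str, link_listener: bool = False) -> list:
    """Rules a host in `role` must open, given its network version and link-listener setting."""
    single_port = parse_version(network_version) >= SINGLE_PORT_VERSION
    out = []
    for r in SUMMARY_TABLE:
        if r.source != role:
            continue
        if r.direction == "OUTBOUND":
            if r.legacy_80 and single_port:
                continue  # port 80 is only needed on networks older than 7.3.94
            out.append(r)
        elif link_listener:
            # Inbound rows are optional in the table; they become necessary once the
            # router advertises a link listener for other routers to dial.
            out.append(Rule(r.source, r.destination, r.direction, r.port, True))
    return out


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_outbound(rules: Iterable[Rule], targets: dict, timeout: float = 3.0) -> list:
    """Probe every OUTBOUND rule against the hostnames the operator maps to each destination."""
    results = []
    for r in rules:
        if r.direction != "OUTBOUND":
            continue
        for host in targets.get(r.destination, ()):
            results.append((r, host, tcp_reachable(host, r.port, timeout)))
    return results


def loopback_selftest() -> bool:
    """Prove the probe itself works without touching the network: listen on 127.0.0.1 and probe it."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        return tcp_reachable("127.0.0.1", port, timeout=1.0)


if __name__ == "__main__":
    # Placeholder hostnames (assumption); replace with the FQDNs shown in the console.
    targets = {"Controller": ["controller.example.invalid"],
               "Edge Router": ["er1.example.invalid"]}
    for rule, host, ok in check_outbound(rules_for("Edge Router", "7.3.94", link_listener=True), targets):
        print(f"{rule.direction} {host}:{rule.port}/TCP -> {'OK' if ok else 'BLOCKED/UNREACHABLE'}")
```

Run it on the router host itself, since that is where the egress policy applies; a "BLOCKED/UNREACHABLE" on 6262/TCP or on 443/TCP toward another router is exactly the class of failure the table exists to prevent.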
Ziti Desktop Edge & Ziti Mobile Edge
Outbound Requirements
Required Ports:
- 443/TCP
Port 443/TCP toward the network controller is used for configuration, sessions and authentication.
Port 443/TCP toward the Edge Routers carries the data plane.
The ZDE/ZME products need outbound access to port 443/TCP on the network controller and on every Edge Router they are allowed to reach under the Edge Router Policy.
Diagram: ZDE/ZME with NF Hosted Edge Router and Controller
Diagram: ZDE/ZME with Customer Hosted Edge Router and Controller
Inbound Requirements
The ZDE/ZME products do not need any inbound ports.
NetFoundry Edge Routers
Connections between Edge Routers and the Network Controller are over TLS.
Connections between Edge Routers and other Routers are over TLS.
Outbound Requirements
Required Ports:
- 80/TCP [#]
- 443/TCP
- 6262/TCP
[#] Network versions 7.3.94/0.30.4 and newer do not require port 80/TCP outbound.
Connections to the Network Controller
Port 80/TCP toward the network controller is used to establish the fabric/data layer.
Port 443/TCP toward the network controller is used for sessions and initial authentication.
Port 6262/TCP toward the network controller is a fabric/data-layer channel used for software maintenance.
Diagram: Edge Router and Network Controller
Connections to other Edge Routers
Port 80/TCP toward public Edge Routers is used to establish the fabric/data layer.
Port 443/TCP toward public Edge Routers is used to establish the data plane.
Diagram: Edge Router to Edge Router
Inbound Requirements
By default customer hosted edge routers DO NOT need any inbound ports open.
Optional Ports:
- 80/TCP
- 443/TCP
Port 80/TCP inbound from other Edge Routers is used to establish the fabric/data layer.
Port 443/TCP inbound from other Edge Routers is used to establish the data plane.
Allowing Connections from other Edge Routers
Diagram: Public Customer ER connection
Registration and other OUTBOUND Requirements for the Ubuntu Virtual Machine Image
To register and run the Ubuntu Virtual Machine successfully, the following DNS names and ports must be reachable outbound:
Registration and initial software download
Note: Not all URLs are required, and others may be, depending on the installation method used for the software. Several options are available for downloading and installing the various components of the Ziti network; the URLs listed below are the most common.
- gateway.production.netfoundry.io (TCP/443) (registration key authentication)
- github.com (TCP/443) (software download)
- objects.githubusercontent.com (TCP/443) (software download)
- jfrog-prod-use1-shared-virginia-main.s3.amazonaws.com (TCP/443) (software download, legacy images)
- netfoundry.jfrog.io (TCP/443) (software download, legacy images)
Login, updates & time synchronization
- ipinfo.io (TCP/443) (gets the external IP for the login banner; can be disabled with the hush-net-info command)
- api.ipify.org (TCP/443) (gets the external IP for the login banner, legacy images; can be disabled with the hush-net-info command)
- security.ubuntu.com (TCP/443) (security updates)
- *.pool.ntp.org (UDP/123) (NTP time sync)
Enabling link listener
If you plan to create a publicly accessible customer-hosted Edge Router, enable the link listener option when creating the router in the console and open the optional inbound ports listed under the Edge Router inbound requirements (TCP/80, TCP/443).
Whitelisting IP Addresses
How to find IP addresses
To find the IP addresses in the console, start by navigating to "Manage Networks".
From there, click the hamburger menu for the network of your choice.
You will be presented with all the IP address information.
Traversing Firewall Requirements
Outbound traffic toward the Controller and the hosted fabric (Edge Routers) must be excluded from any proxy, TLS-inspecting firewall or web application firewall.
Deep packet inspection that terminates and re-signs TLS presents a certificate the Ziti components do not trust, so the controller and other Edge Routers become unreachable.
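When reachability fails only through the corporate egress path, the quickest way to tell a blocked port from a TLS-intercepting middlebox is to look at the certificate actually presented on the wire. The following is an added example, not NetFoundry or OpenZiti tooling: it completes a handshake with verification disabled (so an interception proxy's re-signed certificate is captured rather than rejected), records the SHA-256 fingerprint of the presented leaf certificate, and compares it with fingerprints captured earlier from a trusted vantage point. The hostnames and the pinned fingerprint in `__main__` are placeholders the operator replaces; the optional ALPN list is passed through unchanged and no Ziti protocol identifiers are assumed.

```python
"""Detect a TLS-terminating proxy or DPI device between this host and a Ziti
controller or router. Added example, not NetFoundry's tooling.

Ziti components authenticate their peers against the network's own PKI, so a
middlebox that terminates and re-signs TLS presents a certificate they reject.
This probe makes that visible by fingerprinting whatever certificate the far
end (or the box in the middle) actually sends.
"""
import hashlib
import socket
import ssl
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProbeResult:
    host: str
    port: int
    fingerprint: Optional[str]   # SHA-256 of the presented leaf cert, lowercase hex, no colons
    tls_version: Optional[str]   # e.g. "TLSv1.3"
    alpn: Optional[str]          # protocol the server selected, if any were offered
    error: Optional[str]         # set when no handshake completed


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:...' (openssl x509 -fingerprint style) or bare hex."""
    return fp.replace(":", "").replace(" ", "").lower()


def sha256_fingerprint(der: bytes) -> str:
    """Hex SHA-256 over the DER-encoded certificate, matching openssl's -sha256 fingerprint."""
    return hashlib.sha256(der).hexdigest()


def probe(host: str, port: int = 443, alpn: Optional[list] = None, timeout: float = 5.0) -> ProbeResult:
    """Handshake with verification disabled so we observe the certificate that is
    really presented, including one minted by an interception proxy."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if alpn:
        ctx.set_alpn_protocols(alpn)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)  # works even with CERT_NONE
                return ProbeResult(host, port,
                                   sha256_fingerprint(der) if der else None,
                                   tls.version(), tls.selected_alpn_protocol(), None)
    except (OSError, ssl.SSLError) as exc:
        return ProbeResult(host, port, None, None, None, str(exc))


def classify(result: ProbeResult, pinned: set) -> str:
    """Return 'unreachable', 'no-cert', 'intercepted' or 'ok'.

    'intercepted' means a TLS handshake completed but the leaf certificate is not
    one captured from a trusted vantage point: a proxy or DPI box re-signed it.
    """
    if result.error is not None:
        return "unreachable"
    if result.fingerprint is None:
        return "no-cert"
    known = {normalize_fingerprint(p) for p in pinned}
    if result.fingerprint not in known:
        return "intercepted"
    return "ok"


if __name__ == "__main__":
    # Placeholders (assumptions): capture the real value from a network segment
    # without a proxy, e.g. `openssl s_client -connect HOST:443 </dev/null |
    #   openssl x509 -noout -fingerprint -sha256`, and paste it here.
    PINNED = {"AA:" * 31 + "AA"}
    for host in ("controller.example.invalid", "er1.example.invalid"):
        res = probe(host, 443)
        print(f"{host}:443 -> {classify(res, PINNED)} "
              f"(tls={res.tls_version}, alpn={res.alpn}, fp={res.fingerprint}, err={res.error})")
```

"unreachable" points back at the port table (or a DNS/routing problem); "intercepted" means the firewall exception for the Controller and hosted fabric has not been applied, and no amount of port opening will fix it until TLS passes through untouched.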