Quick Summary Diagram:

NetFoundry_FW_requirements_HLD.jpg

Quick Summary Table:

Software      Connecting to   Direction   Port         Required
ZDE/ZME       Controller      OUTBOUND    443/TCP      Yes
ZDE/ZME       Edge Routers    OUTBOUND    443/TCP      Yes
Edge Router   Controller      OUTBOUND    443/TCP      Yes
Edge Router   Controller      OUTBOUND    80/TCP [#]   Yes
Edge Router   Controller      OUTBOUND    6262/TCP     Yes
Edge Router   Edge Router     OUTBOUND    443/TCP      Yes
Edge Router   Edge Router     OUTBOUND    80/TCP [#]   Yes
Edge Router   Edge Router     INBOUND     443/TCP      No (optional)
Edge Router   Edge Router     INBOUND     80/TCP       No (optional)

[#] Moving to a single port (443) via ALPN:

  • Cloud Ziti Controllers and Routers can operate with a single open port, 443, instead of the two ports 443 and 80.
  • This is implemented with the ALPN (Application-Layer Protocol Negotiation) TLS extension: the TLS client offers, and the TLS server selects, the application protocol during the TLS handshake, so the protocol that previously needed its own port (80) can be carried over 443.
  • Customers can move from the current two-port model (443 and 80) to the single port 443 by requesting a network upgrade to 7.3.94/0.30.0 or later.

Ziti Desktop Edge & Ziti Mobile Edge

Outbound Requirements

Required Ports:

  • 443/TCP

Port 443/TCP toward the network controller is for configuration, sessions and authentication.

Port 443/TCP toward the edge router provides the data plane.

The ZDE/ZME products need outbound access to port 443/TCP on the network controller and on any Edge Router they are granted access to through an Edge Router Policy.

Diagram:  ZDE/ZME with NF Hosted Edge Router and Controller

Firewall-ZDE_NF_ER__1_.png

Diagram: ZDE/ZME with Customer Hosted Edge Router and Controller

Firewall-ZDE_Customer_ER__1_.png

Inbound Requirements

The ZDE/ZME products do not need any inbound ports.

NetFoundry Edge Routers

Connections between Edge Routers and the Network Controller are over TLS.

Connections between Edge Routers and other Routers are over TLS.

Outbound Requirements

Required Ports:

  • 80/TCP [#]
  • 443/TCP
  • 6262/TCP

[#] Network versions 7.3.94/0.30.4 and newer do not require port 80/TCP outbound.

Connections to the Network Controller

Port 80/TCP toward the network controller is for establishment of the fabric/data layer.
Port 443/TCP toward the network controller is for sessions and initial authentication.
Port 6262/TCP toward the network controller is a fabric/data layer channel used for software maintenance.

Diagram: Edge Router and Network Controller

Firewall-ER.png

Connections to other Edge Routers

Port 80/TCP toward public edge routers is for establishment of the fabric/data layer.
Port 443/TCP toward public edge routers is for establishment of the data plane.

Diagram: Edge Router to Edge Router

Firewall-Page-4__1_.png

Inbound Requirements

By default, customer hosted edge routers DO NOT need any inbound ports open.

Optional Ports:

  • 80/TCP
  • 443/TCP

Port 80/TCP inbound from other edge routers is for establishment of the fabric/data layer.
Port 443/TCP inbound from other edge routers is for establishment of the data plane.

Both are needed only when this router accepts fabric links from other edge routers (link listener enabled, see below).

Allowing Connections from other Edge Routers

Diagram: Public Customer ER connection

Firewall-ER_to_ER_Inbound.png


Registration and other OUTBOUND Requirements for the Ubuntu Virtual Machine Image

In order to successfully register and run the Ubuntu Virtual Machine image, the following ports must be open toward the DNS names listed:

Registration and initial software download

Note:  Not all URLs are required, and others may be, depending on the installation method used for the software.  Several options are available for downloading and installing the various components of the Ziti network; the URLs listed below are the most common.

  • gateway.production.netfoundry.io (TCP/443) (registration key authentication)
  • github.com (TCP/443) (software download)
  • objects.githubusercontent.com (TCP/443) (software download)
  • (Legacy images) jfrog-prod-use1-shared-virginia-main.s3.amazonaws.com (TCP/443) (software download)
  • (Legacy images) netfoundry.jfrog.io (TCP/443) (software download)

Login, updates & time synchronization

  • ipinfo.io (TCP/443) (gets the external IP for the login banner; can be disabled using the hush-net-info command)
  • (Legacy images) api.ipify.org (TCP/443) (gets the external IP for the login banner; can be disabled using the hush-net-info command)
  • security.ubuntu.com (TCP/443) (security updates)
  • *.pool.ntp.org (UDP/123) (NTP time sync)

Enabling link listener

If you plan to create a publicly accessible customer hosted edge router, enable the link listener option when creating the router in the console and open the optional ports listed under the Edge Router inbound requirements (TCP/80, TCP/443):

mceclip0.png
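As an added example (this is not NetFoundry's code), the following POSIX shell function turns the port requirements above into an nftables ruleset for a customer hosted edge router running on the Ubuntu image: default-deny in both directions, the controller and public edge router ports from the summary table, the DNS/NTP/HTTPS egress needed for registration and updates, and the optional inbound 80/443 only when the router was created with the link listener enabled. The IP addresses are constructed placeholders standing in for the ones shown on the console's IP information page; the inbound SSH rule is an assumption for administrative access and is not part of NetFoundry's requirements.

```shell
#!/bin/sh
# Added example, not NetFoundry's code: build an nftables ruleset for a
# customer hosted edge router from the port table on this page.
# Assumptions not from the page: the IPs passed in are placeholders taken
# from the console, and 22/TCP inbound is kept open for administration.
#
# $1 = comma-separated controller IPs
# $2 = comma-separated public edge router IPs
# $3 = 1 if the router was created with the link listener enabled, else 0
gen_ziti_er_rules() {
    ctrl=$1; ers=$2; listener=$3
    cat <<EOF
table inet ziti_er {
    set controller { type ipv4_addr; elements = { $ctrl } }
    set edge_routers { type ipv4_addr; elements = { $ers } }

    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        # Control plane and fabric toward the controller
        # (80 is only needed on networks older than 7.3.94/0.30.4)
        ip daddr @controller tcp dport { 80, 443, 6262 } accept
        # Fabric links toward public edge routers
        ip daddr @edge_routers tcp dport { 80, 443 } accept
        # Name resolution and NTP (*.pool.ntp.org)
        udp dport 53 accept
        tcp dport 53 accept
        udp dport 123 accept
        # Registration, software download and security updates are by
        # hostname (gateway.production.netfoundry.io, github.com,
        # security.ubuntu.com, ...), so 443 is allowed to any destination.
        tcp dport 443 accept
        log prefix "ziti-er egress drop: " drop
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        # Assumed administrative access; not a NetFoundry requirement
        tcp dport 22 accept
EOF
    if [ "$listener" = 1 ]; then
        printf '        # Link listener enabled: accept fabric links from other edge routers\n'
        printf '        tcp dport { 80, 443 } accept\n'
    fi
    cat <<EOF
        log prefix "ziti-er ingress drop: " drop
    }
}
EOF
}

# Usage (placeholder addresses):
#   gen_ziti_er_rules "203.0.113.10" "198.51.100.20, 198.51.100.21" 1 > /etc/nftables.conf
#   nft -c -f /etc/nftables.conf   # syntax check before loading
```

Because the registration and update destinations are given as hostnames, the generic 443 rule is what keeps the "Registration and other OUTBOUND Requirements" working; if you resolve those names and pin them into a set, that rule can be tightened. Note that without the link listener the router still builds fabric links, it just initiates all of them outbound, and the `established,related` rule admits the replies.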

Whitelisting IP Addresses

How to find IP addresses

To find IP addresses from within the console, start by navigating to "Manage Networks".

mceclip1.png

From here, click the hamburger menu for the network of your choice.

mceclip5.png

You will be presented with all the IP address information:

Firewall-info.png

Traversing Firewall Requirements

Outbound traffic toward the Controller and the hosted fabric must be excluded from any proxy and/or web application firewall.

Deep packet inspection (TLS interception) will cause reachability issues to the controller and other ERs. These connections are TLS sessions in which the Ziti components verify the peer certificate, so a device that terminates and re-signs TLS presents a different certificate and the handshake fails; the same device typically strips the ALPN extension that the single-port (443) model depends on.
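As an added example (not NetFoundry's code), the following POSIX shell script checks the outbound paths from the summary table the way a practitioner would before opening a ticket: it performs a TLS handshake to each destination with `openssl s_client`, then classifies the result as usable, intercepted (the server certificate's issuer is not the one expected) or ALPN-stripped (the requested ALPN protocol did not survive the handshake). The hostnames, the expected issuer string and the ALPN identifier `ziti-ctrl` are placeholders, not values taken from this page; substitute what your network actually uses.

```shell
#!/bin/sh
# Added example, not NetFoundry's code: probe the outbound TLS paths a
# ZDE/ZME client or edge router needs and detect a TLS-intercepting proxy.
# Assumptions not from the page: hostnames, the expected issuer substring
# and the ALPN identifier are placeholders.

# Extract the negotiated ALPN protocol from `openssl s_client` output.
# Prints "none" when the server negotiated nothing (or the line is absent).
alpn_from_output() {
    printf '%s\n' "$1" | sed -n 's/^ALPN protocol: //p' | head -n 1 | grep . || echo none
}

# Extract the issuer of the presented server certificate.
issuer_from_output() {
    printf '%s\n' "$1" | sed -n 's/^issuer=//p' | head -n 1
}

# Classify one handshake.
#   $1 = raw s_client output, $2 = ALPN id we requested, $3 = expected issuer substring
# An inspection proxy re-signs the certificate (issuer changes) and usually drops
# ALPN; either condition means the path is not usable for the Ziti components.
classify() {
    alpn=$(alpn_from_output "$1")
    issuer=$(issuer_from_output "$1")
    case "$issuer" in
        *"$3"*) ;;
        *) echo "INTERCEPTED (issuer: $issuer)"; return 1 ;;
    esac
    if [ "$alpn" != "$2" ]; then
        echo "ALPN-STRIPPED (got: $alpn)"; return 1
    fi
    echo "OK"
}

# Live probe: $1 host, $2 port, $3 ALPN id to request, $4 expected issuer substring.
# The empty stdin makes s_client exit right after the handshake.
probe() {
    out=$(printf '' | openssl s_client -connect "$1:$2" -servername "$1" -alpn "$3" 2>/dev/null) \
        || { echo "$1:$2 UNREACHABLE"; return 1; }
    printf '%s:%s ' "$1" "$2"
    classify "$out" "$3" "$4"
}

# Usage: one probe per row of the summary table (placeholder names/values):
#   probe controller.example.com 443  ziti-ctrl "NetFoundry"
#   probe controller.example.com 6262 ziti-ctrl "NetFoundry"
#   probe router1.example.com    443  ziti-link "NetFoundry"
```

Run it from the host that will carry the ZDE/ZME client or the edge router, since the proxy or inspection device is usually only in that host's egress path. An UNREACHABLE result points at the port rules in the summary table; INTERCEPTED or ALPN-STRIPPED points at a proxy, WAF or DPI device that the Ziti traffic must be excluded from.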


Comments

2 comments

  • Edward Moscardini This looks great for inclusion into our documentation.  Some things I noticed (nothing technical)...

    1. Lots of whitespace makes the page way longer than it really is (makes it look like a longer read).  Can we collapse it into tables or some form of an index w/ anchors to specific scenarios?
    2. The images are where the money is at (in my mind).  I'll read the context once and likely only remember the images.  Would it be possible to add the port/proto at the end of the arrows as well?  
    3. These scenarios add very important context to the "Deployment Scenarios" you created.  Let's definitely cross them together in a page link to each other! (https://netfoundry.atlassian.net/wiki/spaces/CLOUDDEV/pages/1958412354/MOP%2BZiti%2BStandard%2BDeployment%2BModels)
    4. Might want to make a foot note that the ports/protos are DEFAULTS that can be customized with a professional service (maybe?).  If we are required to, we could modify them.
  • Edward Moscardini Right as I posted that you updated with a quick view matrix.  PERFECT!
