Firewall Configuration for Single Server Mode
Latest revision as of 12:16, 22 September 2023
It is highly recommended to protect any MailStore Service Provider Edition service with appropriate firewall rules. This document should help with setting up the required rules. The firewall rules for running the SPE in Multi Server Mode can be found in this document.
Important Notices:
- The communication channels described below MUST NOT be intercepted by any kind of email or web proxies that are provided as part of antivirus software or unified threat management gateways.
- The Windows Advanced Firewall is activated on any Windows Server installation by default. In order to connect to services (e.g. MailStore Management Console) of the MailStore Service Provider Edition, it is required that the appropriate firewall rules are added (see below).
The table below lists all TCP ports that need to be opened in the firewall when using MailStore Service Provider Edition in single server mode. These are the default ports; they may have been changed in your installation. The following abbreviations are used in the source and target columns of that table:
- ANY = Any computer from private or public networks
- ADM = Computer or network used for administration
- SERVER = Server that hosts MailStore Service Provider Edition
- CA = Certificate Authority
| Port | Source | Target | Description |
|---|---|---|---|
| 80 | ANY | CA | Access to certificate authorities to check certificate revocation status via HTTP. |
| 110 | SERVER | ANY | Access to email servers for archiving via POP3 (Unencrypted/STARTTLS). |
| 143 | SERVER | ANY | Access to email servers for archiving via IMAP (Unencrypted/STARTTLS). |
| 143 | ANY | SERVER | IMAP access to archives secured by TLS (STARTTLS) encryption. |
| 389 | SERVER | ANY | Access to LDAP servers (including Microsoft Active Directory) using an unencrypted or STARTTLS-encrypted session. |
| 443 | SERVER | ANY | Access to Microsoft Exchange servers for archiving via Exchange Web Services (EWS) secured by TLS encryption. |
| 443 | SERVER | ANY | Access to IceWarp Mail Servers for synchronizing and authenticating users via API secured by TLS encryption. |
| 443 | SERVER | my.mailstore.com | Usage reporting and license update. If a system-wide proxy has been configured, it will be used. Important: the DNS hostname MUST be used in firewall rules because the IP addresses of my.mailstore.com change periodically. |
| 443 | ANY | SERVER | HTTPS access to instances used by E-mail Archive Client, Outlook Add-in, and Web Access. |
| 587 | SERVER | ANY | Access to an email server to let instances send status reports and to let the Management Server send product update emails. |
| 636 | SERVER | ANY | Access to LDAP servers (including Microsoft Active Directory) using a TLS-encrypted connection. |
| 993 | SERVER | ANY | Access to email servers for archiving via IMAP (TLS). |
| 993 | ANY | SERVER | IMAP access to archives secured by TLS encryption. |
| 995 | SERVER | ANY | Access to email servers for archiving via POP3 (TLS). |
| 4040 | SERVER | ANY | Access to Kerio Connect Servers for synchronizing users via API secured by TLS encryption. |
| 8470 | ADM | SERVER | Web-based access to the MailStore Management Console. |
| 8474 | ADM | SERVER | Access to the MailStore Management API. |
Windows Advanced Firewall
The Windows Advanced Firewall can easily be reconfigured for Single Server Mode. By executing the following commands in a Windows PowerShell prompt, the required TCP ports are opened for inbound connections. Outbound connections to any destination are allowed by default.
```powershell
# Allow access to the CAS ports (IMAP STARTTLS, HTTPS, IMAP TLS) from everywhere
netsh advfirewall firewall add rule name="MailStore Service Provider Edition (CAS)" `
    action=ALLOW dir=IN protocol=TCP localport="143,443,993" profile=ANY

# Allow access to the MailStore Service Provider Management Console from the administrator network 192.0.2.0/24
netsh advfirewall firewall add rule name="MailStore Service Provider Edition (MGMT)" `
    action=ALLOW dir=IN protocol=TCP localport="8470" remoteip="192.0.2.0/24" profile=ANY

# Allow access to the MailStore Management API from the administrator network 192.0.2.0/24
# (this rule shares its name with the console rule above; "delete rule name=..." removes both)
netsh advfirewall firewall add rule name="MailStore Service Provider Edition (MGMT)" `
    action=ALLOW dir=IN protocol=TCP localport="8474" remoteip="192.0.2.0/24" profile=ANY
```
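To verify that the inbound rules match the table above, the following audit script, added here as an example and not part of the MailStore documentation, lists every enabled inbound TCP allow rule and warns when an expected port has no rule or when a management port (8470/8474) is reachable from any remote address instead of only the administrator network. It assumes the NetSecurity PowerShell module (Windows Server 2012 or later) and the 192.0.2.0/24 administrator network used in the commands above.

```powershell
# Added audit example (not MailStore's own code). Assumes the NetSecurity module.
$AdminNetwork = '192.0.2.0/24'   # assumption: the administrator network used above

# Expected inbound TCP ports from the table: public CAS ports and admin-only ports.
$Expected = @(
    @{ Port = 143;  AdminOnly = $false; Purpose = 'IMAP (STARTTLS) access to archives' },
    @{ Port = 443;  AdminOnly = $false; Purpose = 'HTTPS for Client, Outlook Add-in, Web Access' },
    @{ Port = 993;  AdminOnly = $false; Purpose = 'IMAP (TLS) access to archives' },
    @{ Port = 8470; AdminOnly = $true;  Purpose = 'Management Console' },
    @{ Port = 8474; AdminOnly = $true;  Purpose = 'Management API' }
)

# Collect every enabled inbound allow rule with its TCP ports and remote address scope.
$Rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    if ($pf.Protocol -ne 'TCP') { return }          # skip UDP/ICMP/other rules
    $af = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Name       = $_.DisplayName
        Ports      = @($pf.LocalPort)               # 'Any', single ports, or ranges like 1000-2000
        RemoteAddr = @($af.RemoteAddress)           # 'Any' or a list of IPs/CIDRs
    }
}

# True when $Port is covered by a rule's LocalPort list (handles 'Any', ranges and keywords like RPC).
function Test-PortInRule([int]$Port, [string[]]$LocalPorts) {
    foreach ($p in $LocalPorts) {
        if ($p -eq 'Any') { return $true }
        if ($p -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($p -match '^\d+$' -and [int]$p -eq $Port) { return $true }
    }
    return $false
}

foreach ($e in $Expected) {
    $matching = $Rules | Where-Object { Test-PortInRule $e.Port $_.Ports }
    if (-not $matching) {
        Write-Warning ("Port {0} ({1}): no enabled inbound allow rule found" -f $e.Port, $e.Purpose)
        continue
    }
    foreach ($r in $matching) {
        if ($e.AdminOnly -and ($r.RemoteAddr -contains 'Any')) {
            Write-Warning ("Port {0} ({1}): rule '{2}' allows any remote address; restrict to {3}" -f `
                $e.Port, $e.Purpose, $r.Name, $AdminNetwork)
        } else {
            Write-Output ("Port {0} ({1}): OK via rule '{2}' from {3}" -f `
                $e.Port, $e.Purpose, $r.Name, ($r.RemoteAddr -join ','))
        }
    }
}
```

Run it in an elevated PowerShell session; a warning on 8470 or 8474 means the MGMT rule was created without the remoteip restriction and should be corrected.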