Difference between revisions of "Firewall Configuration for Multi Server Mode"
| [checked revision] | [quality revision] |
Ltalaschus (talk | contribs) |
Ltalaschus (talk | contribs) |
||
| (9 intermediate revisions by 3 users not shown) | |||
| Line 1: | Line 1: | ||
__NOTOC__ | __NOTOC__ | ||
| − | It is highly recommended to protect any MailStore Service Provider Edition service with appropriate firewall rules. This document should help with setting up the required rules. The firewall rules for running the SPE in Single Server Mode can be found in [[Firewall Configuration for Single Server Mode|this | + | It is highly recommended to protect any MailStore Service Provider Edition service with appropriate firewall rules. This document should help with setting up the required rules. The firewall rules for running the SPE in Single Server Mode can be found in [[Firewall Configuration for Single Server Mode|this document]]. |
'''Important Notices:''' | '''Important Notices:''' | ||
| − | * The communication channels described below MUST NOT be intercepted by any kind of email or web proxies that are provided as part of antivirus software or unified threat management gateways. | + | * The communication channels described below MUST NOT be intercepted by any kind of email or web proxies that are provided as part of antivirus software or unified threat management gateways. |
| + | * If there are multiple Client Access Servers (CAS) and a load balancer is installed in front of these CAS, the load balancer must be configured in such a way that a user's sessions terminate on the same CAS (sticky sessions). | ||
* The Windows Advanced Firewall is activated on any Windows Server installation by default. In order to connect to services (e.g. MailStore Management Console) of the MailStore Service Provider Edition, it is required that the appropriate firewall rules are added (see below). | * The Windows Advanced Firewall is activated on any Windows Server installation by default. In order to connect to services (e.g. MailStore Management Console) of the MailStore Service Provider Edition, it is required that the appropriate firewall rules are added (see below). | ||
| − | The below table lists all TCP ports that need to be opened in the firewall when using MailStore Service Provider Edition in multi server mode. The following abbreviations are used in the source and target columns: | + | The below table lists all TCP ports that need to be opened in the firewall when using MailStore Service Provider Edition in multi server mode. These are the default ports which may have been altered. The following abbreviations are used in the source and target columns: |
* ANY = Any computer from private or public networks | * ANY = Any computer from private or public networks | ||
| Line 13: | Line 14: | ||
* IH = Server hosting Instance Host role | * IH = Server hosting Instance Host role | ||
* MGMT = Server hosting Management Server role | * MGMT = Server hosting Management Server role | ||
| + | * CA = Certificate Authority | ||
{| class="wikitable sortable" | {| class="wikitable sortable" | ||
| Line 19: | Line 21: | ||
! width="80px" | Target | ! width="80px" | Target | ||
! class="unsortable" | Description | ! class="unsortable" | Description | ||
| + | |- | ||
| + | | align="center" | 80 | ||
| + | | align="center" | ANY | ||
| + | | align="center" | CA | ||
| + | | Access to certificate authorities to check certificate revocation status via HTTP. | ||
|- | |- | ||
| align="center" | 110 | | align="center" | 110 | ||
| Line 44: | Line 51: | ||
| align="center" | ANY | | align="center" | ANY | ||
| Access to Microsoft Exchange Server for archiving via Exchange Web Services (EWS) secured by SSL encryption. | | Access to Microsoft Exchange Server for archiving via Exchange Web Services (EWS) secured by SSL encryption. | ||
| + | |- | ||
| + | | align="center" | 443 | ||
| + | | align="center" | IH | ||
| + | | align="center" | ANY | ||
| + | | Access to IceWarp Mail Servers for synchronizing and authenticating users via API secured by TLS encryption. | ||
|- | |- | ||
| align="center" | 443 | | align="center" | 443 | ||
| Line 53: | Line 65: | ||
| align="center" | MGMT | | align="center" | MGMT | ||
| align="center" | my.mailstore.com | | align="center" | my.mailstore.com | ||
| − | | Usage reporting and license update | + | | Usage reporting and license update. If a system wide proxy has been configured, it will be used.<br/><span class="mswarning">'''Important:''' DNS hostname MUST be used in firewall rules due to periodically changing IP addresses of my.mailstore.com.</span> |
| + | |- | ||
| + | | align="center" | 587 | ||
| + | | align="center" | MGMT | ||
| + | | align="center" | ANY | ||
| + | | Access to an email server to let the Management Server send product update emails. | ||
| + | |- | ||
| + | | align="center" | 587 | ||
| + | | align="center" | IH | ||
| + | | align="center" | ANY | ||
| + | | Access to an email server to let instances send status reports. | ||
|- | |- | ||
| align="center" | 636 | | align="center" | 636 | ||
| align="center" | IH | | align="center" | IH | ||
| align="center" | ANY | | align="center" | ANY | ||
| − | | Access to LDAP servers (including Microsoft Active Directory) using a | + | | Access to LDAP servers (including Microsoft Active Directory) using a TLS encrypted connection. |
|- | |- | ||
| align="center" | 993 | | align="center" | 993 | ||
| align="center" | ANY | | align="center" | ANY | ||
| align="center" | CAS | | align="center" | CAS | ||
| − | | IMAP access to archives secured by TLS | + | | IMAP access to archives secured by TLS encryption. |
|- | |- | ||
| align="center" | 993 | | align="center" | 993 | ||
| align="center" | IH | | align="center" | IH | ||
| align="center" | ANY | | align="center" | ANY | ||
| − | | Access to email servers for archiving via IMAP ( | + | | Access to email servers for archiving via IMAP (TLS). |
|- | |- | ||
| align="center" | 995 | | align="center" | 995 | ||
| align="center" | IH | | align="center" | IH | ||
| align="center" | ANY | | align="center" | ANY | ||
| − | | Access to email servers for archiving via POP3 ( | + | | Access to email servers for archiving via POP3 (TLS). |
| + | |- | ||
| + | | align="center" | 4040 | ||
| + | | align="center" | IH | ||
| + | | align="center" | ANY | ||
| + | | Access to Kerio Connect Servers for synchronizing users via API secured by TLS encryption. | ||
|- | |- | ||
| align="center" | 8470 | | align="center" | 8470 | ||
| Line 79: | Line 106: | ||
| align="center" | MGMT | | align="center" | MGMT | ||
| Web-based access to the MailStore Management Console. | | Web-based access to the MailStore Management Console. | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
|- | |- | ||
| align="center" | 8471 | | align="center" | 8471 | ||
| Line 104: | Line 126: | ||
| align="center" | MGMT | | align="center" | MGMT | ||
| Access to the MailStore Management API. | | Access to the MailStore Management API. | ||
| + | |- | ||
| + | | align="center" | 8474 | ||
| + | | align="center" | IH, CAS | ||
| + | | align="center" | MGMT | ||
| + | | Optional: Required for initial pairing with Management Server in Multi Server Mode. If not available, manual registration of Instance Hosts and Client Access Servers in Management Server is required. | ||
|} | |} | ||
Latest revision as of 12:16, 22 September 2023
It is highly recommended to protect any MailStore Service Provider Edition service with appropriate firewall rules. This document should help with setting up the required rules. The firewall rules for running the SPE in Single Server Mode can be found in this document.
Important Notices:
- The communication channels described below MUST NOT be intercepted by any kind of email or web proxies that are provided as part of antivirus software or unified threat management gateways.
- If there are multiple Client Access Servers (CAS) and a load balancer is installed in front of these CAS, the load balancer must be configured in such a way that a user's sessions terminate on the same CAS (sticky sessions).
- The Windows Advanced Firewall is activated on any Windows Server installation by default. In order to connect to services (e.g. MailStore Management Console) of the MailStore Service Provider Edition, it is required that the appropriate firewall rules are added (see below).
The below table lists all TCP ports that need to be opened in the firewall when using MailStore Service Provider Edition in multi server mode. These are the default ports which may have been altered. The following abbreviations are used in the source and target columns:
- ANY = Any computer from private or public networks
- ADM = Computer or network used for administration
- CAS = Server hosting Client Access Server role
- IH = Server hosting Instance Host role
- MGMT = Server hosting Management Server role
- CA = Certificate Authority
| Port | Source | Target | Description |
|---|---|---|---|
| 80 | ANY | CA | Access to certificate authorities to check certificate revocation status via HTTP. |
| 110 | IH | ANY | Access to email servers for archiving via POP3 (Unencrypted/STARTTLS). |
| 143 | IH | ANY | Access to email servers for archiving via IMAP (Unencrypted/STARTTLS). |
| 143 | ANY | CAS | IMAP access to archives secured by TLS (STARTTLS) encryption. |
| 389 | IH | ANY | Access to LDAP servers (including Microsoft Active Directory) using an unencrypted or STARTTLS-encrypted session. |
| 443 | IH | ANY | Access to Microsoft Exchange Server for archiving via Exchange Web Services (EWS) secured by SSL encryption. |
| 443 | IH | ANY | Access to IceWarp Mail Servers for synchronizing and authenticating users via API secured by TLS encryption. |
| 443 | ANY | CAS | HTTPS access to instances used by E-mail Archive Client, Outlook Add-in, and MailStore Web Access. |
| 443 | MGMT | my.mailstore.com | Usage reporting and license update. If a system wide proxy has been configured, it will be used. Important: DNS hostname MUST be used in firewall rules due to periodically changing IP addresses of my.mailstore.com. |
| 587 | MGMT | ANY | Access to an email server to let the Management Server send product update emails. |
| 587 | IH | ANY | Access to an email server to let instances send status reports. |
| 636 | IH | ANY | Access to LDAP servers (including Microsoft Active Directory) using a TLS encrypted connection. |
| 993 | ANY | CAS | IMAP access to archives secured by TLS encryption. |
| 993 | IH | ANY | Access to email servers for archiving via IMAP (TLS). |
| 995 | IH | ANY | Access to email servers for archiving via POP3 (TLS). |
| 4040 | IH | ANY | Access to Kerio Connect Servers for synchronizing users via API secured by TLS encryption. |
| 8470 | ADM | MGMT | Web-based access to the MailStore Management Console. |
| 8471 | CAS, IH | MGMT | Internal communication with Management Server |
| 8472 | MGMT, CAS | IH | Internal communication with Instance Hosts |
| 8473 | MGMT | CAS | Internal communication with Client Access Servers |
| 8474 | ADM | MGMT | Access to the MailStore Management API. |
| 8474 | IH, CAS | MGMT | Optional: Required for initial pairing with Management Server in Multi Server Mode. If not available, manual registration of Instance Hosts and Client Access Servers in Management Server is required. |
