Deployment Firewall Settings
This section describes what you need to consider about firewalls, firewall openings and ports in a typical setup.
Note that your setup might differ - this just describes a common setup using default ports and values.
Separate Ceptor Servers and Gateways (recommended)
In this setup, which is the recommended one, the gateways are deployed together with a load balancer in a DMZ zone, and the Ceptor server is behind the inner firewall.
This has the disadvantage of requiring 4 machines, but the security advantage that if someone manages to compromise the machine hosting the gateway, they still have a 2nd firewall to bypass before they can reach sensitive information such as private keys or passwords in the configuration.
In this setup, the following traffic flows between the components, so you need to open the corresponding ports in the firewalls:
Port | From | To | Purpose | Notes |
---|---|---|---|---|
80/443 | Internet | Load balancer | HTTP and HTTPS traffic from clients | |
80/443 | Load balancer | Gateway 1/2 | HTTP and HTTPS traffic from load balancer to gateway | |
8080 or 443 | Gateway 1/2 | Application servers | HTTP or HTTPS traffic from gateway to application servers | Ports and protocols depend on the configured destinations. |
21233 | Gateway 1/2 | Ceptor Server 1/2 | Connection from gateway to configuration server | |
21236 | Gateway 1/2 | Ceptor Server 1/2 | Connection from gateway to log server | |
21342 | Gateway 1/2 | Ceptor Server 1/2 | Restricted connection from gateway to session controller | The connection is restricted: not all properties are sent to the gateway, only "safe" properties from the session, to limit the information available in the DMZ zone. |
21344 | Ceptor Server 1 | Ceptor Server 2 | Connection for mirroring data between session controllers in a cluster | |
21233 | Ceptor Server 2 | Ceptor Server 1 | Connection between configuration servers to synchronize changes to the configuration | |
21112 | Ceptor Server 1 | Ceptor Server 2 | Connection from statistics server to configuration servers to read statistics retrieved from connected servers and agents | |

Connections used for management and administration

Port | From | To | Purpose | Notes |
---|---|---|---|---|
4242/4243 | Workstation | Ceptor Server 1/2 | HTTP/HTTPS connection to Ceptor Console from a browser, used to monitor and manage Ceptor | |
4343/4344 | Workstation | Ceptor Server 1/2 | HTTP/HTTPS connection to the Useradmin application from a browser, used to manage users in the useradmin database | Only used in setups where the useradmin database / API is used. |

Potential connections from application servers running Application Server Plugins or Agents

Port | From | To | Purpose | Notes |
---|---|---|---|---|
21233 | Application servers | Ceptor Server 1/2 | Connection from agents to configuration server | |
21236 | Application servers | Ceptor Server 1/2 | Connection from agents to log server | |
21343 | Application servers | Ceptor Server 1/2 | Connection from agents to session controller | |
15000 | Application servers | Ceptor Server 1/2 | Connection to Useradmin server from useradmin client and useradmin access APIs | Only used in setups where the useradmin database / API is used. |
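The tables above are effectively an allow-list for the inner firewall; the point of the separate DMZ is that a gateway may only reach the restricted session controller port (21342) and not the ports reserved for inner-zone hosts and administrators. The following Python script is an added example, not part of Ceptor's documentation or tooling: it encodes the port tables as a flow matrix and audits firewall log lines against it. The zone subnets, the netfilter-style log format and the sample lines are all constructed assumptions.

```python
import ipaddress
import re

# Constructed example addressing, one subnet per zone of the recommended
# two-firewall layout; adjust to your own network plan.
ZONES = {
    "gateway": ipaddress.ip_network("10.0.1.16/28"),      # DMZ
    "ceptor_server": ipaddress.ip_network("10.0.2.0/28"),  # inner zone
    "app_server": ipaddress.ip_network("10.0.3.0/24"),     # inner zone
    "workstation": ipaddress.ip_network("10.10.0.0/24"),   # admin network
}

# Flows permitted by the port tables above. A DMZ gateway may only reach the
# restricted session controller port 21342; 21343, 21344, 4242/4243 and
# 15000 toward the Ceptor servers are reserved for inner-zone hosts.
ALLOWED = {
    ("gateway", "app_server"): {8080, 443},
    ("gateway", "ceptor_server"): {21233, 21236, 21342},
    ("ceptor_server", "ceptor_server"): {21233, 21344, 21112},
    ("workstation", "ceptor_server"): {4242, 4243, 4343, 4344},
    ("app_server", "ceptor_server"): {21233, 21236, 21343, 15000},
}

# netfilter LOG style fields; the exact log format is an assumption.
LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*?DPT=(\d+)")

def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    return next((z for z, net in ZONES.items() if ip in net), "unknown")

def is_allowed(src, dst, dport):
    return dport in ALLOWED.get((zone_of(src), zone_of(dst)), set())

def audit(log_lines):
    """Return (src, dst, dport) for each logged connection the matrix does not permit."""
    violations = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and not is_allowed(m.group(1), m.group(2), int(m.group(3))):
            violations.append((m.group(1), m.group(2), int(m.group(3))))
    return violations

# Constructed sample lines (not real Ceptor or firewall output).
SAMPLE_LOG = [
    "IN=eth0 OUT=eth1 SRC=10.0.1.17 DST=10.0.2.1 PROTO=TCP SPT=50001 DPT=21342",
    "IN=eth0 OUT=eth1 SRC=10.0.1.17 DST=10.0.2.1 PROTO=TCP SPT=50002 DPT=21343",
    "IN=eth0 OUT=eth1 SRC=10.0.1.17 DST=10.0.2.1 PROTO=TCP SPT=50003 DPT=4242",
    "IN=eth0 OUT=eth1 SRC=10.0.3.5 DST=10.0.2.2 PROTO=TCP SPT=50004 DPT=21343",
]
```

Running `audit(SAMPLE_LOG)` flags the two gateway attempts toward 21343 and 4242 while accepting the gateway's 21342 connection and the application server's 21343 connection.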
Ceptor Server and Gateway Deployed on Same Machine
Note that although it is possible to run a setup like this, we never recommend doing it for production environments.
The best security is achieved if you separate gateway and server and deploy the server inside a 2nd firewall layer.
A better alternative, depending on the capabilities of the load balancer, might be something like this. If your load balancer is just a plain TCP forwarder, this is security-wise no better than the setup above, but if your load balancer also has application firewall capability, you will be more secure this way.
In both cases, the number of port openings in the firewall will be smaller than in the setup with separate servers.
© Ceptor ApS. All Rights Reserved.