Deployment Firewall Settings

This section describes what you need to consider about firewalls, firewall openings and ports in a typical setup.

Note that your setup might differ - this just describes a common setup using default ports and values.


Separate Ceptor Servers and Gateways (recommended)

In this setup, which is the recommended setup, gateways are deployed together with a load balancer in a DMZ zone, and the Ceptor server is behind the inner firewall.

This has the disadvantage that 4 machines are used, but the security advantage that if someone manages to breach the machine hosting the gateway, they still have a 2nd firewall to bypass before they get access to sensitive information such as private keys or passwords in the configuration.

In this setup, the following traffic flows between components, so you need to open the relevant ports in the firewalls.

Port | From | To | Purpose | Notes
80/443 | Internet | Loadbalancer | HTTP and HTTPS traffic from clients |
80/443 | Loadbalancer | Gateway 1/2 | HTTP and HTTPS traffic from load balancer to gateway |
8080 or 443 | Gateway 1/2 | Application servers | HTTP or HTTPS traffic from gateway to application servers | Which ports and protocols are used depends on the configured destinations.
21233 | Gateway 1/2 | Ceptor Server 1/2 | Connection from gateway to configuration server |
21236 | Gateway 1/2 | Ceptor Server 1/2 | Connection from gateway to log server |
21342 | Gateway 1/2 | Ceptor Server 1/2 | Restricted connection from gateway to session controller | The connection is restricted, meaning that not all properties are sent to the gateway; only "safe" properties from the session are sent, to limit the information available in the DMZ zone.
21344 | Ceptor Server 1 | Ceptor Server 2 | Connection for mirroring data between session controllers in a cluster |
21233 | Ceptor Server 2 | Ceptor Server 1 | Connection between configuration servers to synchronize changes to the configuration. |
21112 | Ceptor Server 1 | Ceptor Server 2 | Connection from statistics server to configuration servers to read statistics retrieved from connected servers and agents. |

Connections used for management and administration

Port | From | To | Purpose | Notes
4242/4243 | Workstation | Ceptor Server 1/2 | HTTP/HTTPS connection to Ceptor Console from a browser used to monitor and manage Ceptor. |
4343/4344 | Workstation | Ceptor Server 1/2 | HTTP/HTTPS connection to Useradmin Application from a browser used to manage users in the useradmin database. | Only used in setups where the useradmin database / API is used.

Potential connections from application servers running Application Server Plugins or Agents

Port | From | To | Purpose | Notes
21233 | Application servers | Ceptor Server 1/2 | Connection from agents to configuration server |
21236 | Application servers | Ceptor Server 1/2 | Connection from agents to log server |
21343 | Application servers | Ceptor Server 1/2 | Connection from agents to session controller |
15000 | Application servers | Ceptor Server 1/2 | Connection to Useradmin server from useradmin client and useradmin access APIs | Only used in setups where the useradmin database / API is used.

Ceptor Server and Gateway Deployed on Same Machine

Note that although it is possible to run a setup like this, we never recommend doing it for production environments.

The best security is achieved if you separate gateway and server and deploy the server inside a 2nd firewall layer.

A better alternative, depending on the capabilities of the load balancer, might be something like this. If your load balancer is just a dumb TCP forwarder, this is security-wise no better than the one above, but if your load balancer also has application firewall capability you will be more secure this way.


In both cases, the number of port openings in the firewall will be limited compared to the setup with separate servers.