Firewall Configuration
In order for your monitoring point to access AppNeta Performance Manager (APM) and perform the monitoring you require, you must configure your firewall rules to allow this access. At a minimum, the monitoring point must be able to connect to APM. Additional configuration beyond this is based on your monitoring needs. In addition to setting firewall rules, you can create Access Control Lists (ACLs) on some monitoring point models to restrict inbound access.
Overview
The following diagram shows all the services and applications that the monitoring point may need access to.
The following table outlines the firewall rules required to access the various services and applications. Click the links for details.
| Firewall rules required? | Reason | Description |
|---|---|---|
| Mandatory | APM | Monitoring point requires access to AppNeta Performance Manager. |
| Typical | Delivery monitoring | Required if you are using Delivery monitoring. |
| Typical | Path Plus | Required if you are using Path Plus tools. |
| Optional | Voice/Video | Required if you are using voice and video monitoring tools. |
| Typical | Experience monitoring | Required if you are using Experience monitoring. |
| Optional | Proxy | Required only if a proxy server is used. |
| Optional | DNS | Required only if DNS resolver is located externally. |
| Optional | NTP | Required only if NTP server is located externally. |
| Optional | SNMP | Required only if you are using SNMP and the NMS is located externally. |
APM servers
Access to APM is mandatory.
Configuration details
Specifying *.pm.appneta.com provides access to all AppNeta APM servers but you can create rules for specific APM servers you need to access. The details are provided in the following table.
| Assigned server | ||||
|---|---|---|---|---|
| Outbound | TCP | 80, 8080 | e.g., app-01.pm.appneta.com A monitoring point attempts to connect to APM on port 80, then on port 8080. Whether you are connecting directly or through a proxy, you must allow outbound TCP connections to your assigned server on one or both of these ports. To determine the URL of your assigned APM server, Log in to APM. The server URL is in the browser address bar. |
|
| Relay server | ||||
| Outbound | TCP | 443 | mp-relay.pm.appneta.com A monitoring point first tries to connect to your assigned APM server on port 80, then on port 8080. If it cannot (for example, when your security policy disallows HTTPS) the monitoring point attempts to connect to APM via an SSL relay server. In this case, you must allow outbound TCP connections on port 443 to this server. |
|
| Capture server | ||||
| Outbound | TCP | 443 | cap-01.pm.appneta.com, cap-02.pm.appneta.com, cap-03.pm.appneta.com, cap-04.pm.appneta.com, cap-05.pm.appneta.com, cap-06.pm.appneta.com, cap-07.pm.appneta.com, pvc-cap1.pathviewcloud.com, pvc-cap2.pathviewcloud.com, pvc-cap3.pathviewcloud.com, pvc-cap4.pathviewcloud.com, pvc-cap5.pathviewcloud.com, pvc-cap6.pathviewcloud.com, pvc-cap7.pathviewcloud.com Capture servers receive Usage monitoring records and packet captures, and provide a reverse proxy for SSL connections from the APM server to monitoring points. You must allow outbound TCP connections on port 443 for the capture server you use. To determine which capture server you are using, login to a monitoring point. The capture server name is in the address bar of your browser. |
|
| Upgrade repository | ||||
| Outbound | TCP | 80 | appliance-repo.pm.appneta.com You must allow outbound TCP connections on port 80 to this server so that your monitoring point can download new software versions. |
|
| Outbound | TCP | 80, 443 | mp-repo-proxy.pm.appneta.com You must allow outbound TCP connections on port 80 and 443 to this server so that your monitoring point can download new software versions. |
|
| Outbound | TCP | 80, 443 | s3.amazonaws.com (Optional) You may allow outbound TCP connections on port 80 and 443 to this server in case the monitoring point is ever unable to connect to mp-repo-proxy.pm.appneta.com. |
|
Delivery monitoring
Delivery monitoring is a fundamental feature of the AppNeta solution so ports related to Delivery monitoring should be opened. In addition, in cases where the monitoring point is a target behind a NAT device (for example, a video test target), port forwarding is required on the remote firewall to route traffic to the target monitoring point.
Configuration details
| Outbound | TCP | 443 | All Addresses Allow TCP 443 so that the monitoring point can perform TCP traceroute on single- and dual-ended paths. |
|
| Inbound + Outbound | ICMP | Message types used: Echo Request, Echo Reply, Time Exceeded, and Destination Unreachable ICMP is used for Delivery monitoring on single- and dual-ended paths, so it is essential that these messages are allowed. |
||
| Outbound | UDP | 7 | All Addresses Allow UDP 7 so that the monitoring point can perform UDP traceroute on single- and dual-ended paths. |
|
| Inbound + Outbound | UDP | 3239 | All Addresses Allow UDP 3239 inbound so that monitoring points can coordinate dual-ended monitoring. Allow UDP 3239 outbound so that monitoring points can coordinate dual-ended monitoring and perform UDP traceroute. |
|
| Inbound + Outbound | UDP | 45056-49151 | All Addresses Allow inbound and outbound UDP messages on this range so that monitoring points can perform single- and dual-ended monitoring, continuous monitoring traceroute using the port-unreachable method, voice tests, and QoS alerting. You can also customize this range. |
|
| Outbound | UDP | 49152-65535 | All Addresses APM sends UDP packets to ports in the stated range as part of QoS diagnostics, path MTU determination, and network discovery. ICMP port-unreachable messages are expected in response. Keep in mind that path targets must actually respond with an ICMP port-unreachable for any of these processes to be successful. |
|
| Outbound | UDP | 161 | All Addresses Allow outbound UDP messages on port 161 so that monitoring points can query network devices via SNMP. |
Path Plus
Part of Delivery monitoring, the Path Plus tools are used for basic network investigation so related ports should be opened.
Configuration details
| Outbound | ICMP | Message types used: Echo Request, Echo Reply. ICMP is used for pings in Path Plus. |
||
| Outbound | UDP | 7 | All Addresses UDP port 7 is used for traceroute in Path Plus. |
|
| Outbound | TCP | 53 | All Addresses TCP and UDP messages on port 53 are used for nslookup in Path Plus. |
|
| Outbound | UDP | 53 | ||
| Outbound | TCP | 3236 | All Addresses Allow outbound TCP and UDP messages on port 3236 so that PathTests can target monitoring points. The source and target monitoring points coordinate on TCP 3236 before and after tests, so it must be opened even if the testing protocol is UDP. |
|
| Outbound | UDP | 3236 |
Voice/Video
As optional Delivery monitoring components, if the voice and video tools are being used, related ports should be opened.
Configuration details
| Inbound + Outbound | UDP | 3239 | All Addresses Monitoring points coordinate over UDP 3239 for voice and video tests. Allow outbound access for source monitoring points and inbound access for target monitoring points. |
|
| Inbound + Outbound | UDP | 5060 | All Addresses Video and voice tests can use one of two signaling protocols: SIP uses port 5060, and H.323 uses port 1720. If you need to use different ports for signaling, open a support ticket. |
|
| Inbound+ Outbound | UDP | 1720 | ||
| Inbound + Outbound | UDP | 45056- 49151 |
All Addresses For video and voice tests, RTP and RTCP automatically select ports between 45056-49151. |
Experience monitoring
Experience monitoring is a fundamental feature of the AppNeta solution so ports related to Experience monitoring should be opened. Outbound TCP connections on port 80 are essential to Experience monitoring. Allow outbound connections on port 443 if a workflow includes logging in to the target site.
Optional services
There a number of services that you need access to only if required.
Proxy server
If HTTP traffic is directed to a proxy server, make sure that no ACLs prevent the monitoring point from connecting to it (for example, permit tcp host device-ip host proxy-ip eq proxy-port). This might be the case if the monitoring point is deployed in a subnet reserved for network infrastructure rather than end-stations. If the proxy service requires authentication, it must use either basic or digest authentication; NTLM and Kerberos are not supported. See the proxy setup page: physical and virtual monitoring points or software monitoring points (software sequencers).
DNS server
Domain Name System (DNS) is required for hostname to IP resolution. Firewall rules allowing access to a DNS resolver are only required if the resolver is external.
NTP server
The monitoring point needs inbound and outbound connections for Network Time Protocol (NTP) to ensure precise timestamping. Firewall rules allowing access to a NTP server are only required if the server is external.
SNMP NMS
Firewall rules allowing access to a Simple Network Management Protocol (SNMP) Network Management System (NMS) server are only required if the monitoring point is configured for SNMP notification forwarding and the server is external.
s35 on Windows
If you are installing the s35 Software Sequencer on a Windows machine, you need to to configure the Windows firewall to allow the s35 to communicate with APM. You can do this as follows:
- On your Windows machine, navigate to Control Panel > Windows Firewall.
- Click Allow a program or feature through Windows Firewall.
- Click Allow another program.
- Click Browse….
- Navigate to the install location of the s35. By default this is
C:\Program Files (x86)\AppNeta\Sequencer\sequencer.exe.
- Once added, make sure all the boxes next to the “AppNeta Sequencer” entry are selected, and click OK.
- At this point, the s35 is not blocked by your Windows firewall.