Ports Needed Through the Firewall
Once you’ve decided where you want to deploy your monitoring point, you should consult your network administrator on what level of access to the internet is permitted from that network segment based on this table. Your monitoring point will definitely need to be able to connect to our servers. Beyond that, the port and protocol requirements are mostly based on what features you intend on using.
Your monitoring point will be able to connect to all AppNeta Performance Monitor (APM) servers if you just adjust your firewall rules to allow outbound tcp connections to *.pm.appneta.com on ports 80, 8080, and 443.
| APM servers | |||||
|---|---|---|---|---|---|
| Assigned server | |||||
| Outbound | TCP | 80 | A monitoring point attempts to connect to APM on port 80, then 8080; whether you are connecting directly or through a proxy, you must allow outbound TCP connections to your assigned server on one or both of these ports. Log in to APM and look in your browser address bar to discover the name of your assigned server. | ||
| Outbound | TCP | 8080 | |||
| e.g., app-01.pm.appneta.com | |||||
| Relay server | |||||
| Outbound | TCP | 443 | An monitoring point first tries to connect to your assigned server on port 80, then 8080. If it cannot—for example, when your security policy disallows HTTPS—the monitoring point attempts to connect to APM via an SSL relay server. In this case, you must allow outbound TCP connections on port 443 to this server. | ||
| mp-relay.pm.appneta.com | |||||
| Capture server | |||||
| Outbound | TCP | 443 | Capture servers receive flow records and packet captures, and provide a reverse proxy for SSL connections from the APM server to monitoring points. You must allow outbound TCP connections on port 443 to all of these servers. | ||
|
cap-01.pm.appneta.com cap-02.pm.appneta.com cap-03.pm.appneta.com |
|||||
| Upgrade repository | |||||
| Outbound | TCP | 80 | You must allow outbound TCP connection on port 80 to this server so that your monitoring point can download new software versions. | ||
| appliance-repo.pm.appneta.com | |||||
| Outbound | TCP | 80 | You must allow outbound TCP connections on port 80 and 443 to this server so that your monitoring point can download new software versions. | ||
| Outbound | TCP | 443 | |||
| mp-repo-proxy.pm.appneta.com | |||||
| Outbound | TCP | 80 | (Optional) You may allow outbound TCP connections on port 80 and 443 to this server in case the monitoring point is ever not able to connect to mp-repo-proxy.pm.appneta.com. | ||
| Outbound | TCP | 443 | |||
| s3.amazonaws.com | |||||
| Proxy server | |||||
| e.g., permit tcp host device-ip host proxy-ip eq proxy-port | If HTTP traffic is directed to a proxy server, make sure that no ACLs prevent the monitoring point from connecting to it. This might be the case if the monitoring point is deployed in a subnet reserved for network infrastructure rather than end-stations. If the proxy service requires authentication, it must use either basic or digest authentication; NTLM and Kerberos are not supported. See the proxy setup page: physical monitoring point or software sequencer. | ||||
| NTP server | |||||
| Outbound | UDP | 123 | Unless you have your own NTP server, the monitoring point needs an outbound connection for NTP to ensure precise time stamping. | ||
| pool.ntp.org | |||||
| DNS server | |||||
| Outbound | UDP | 53 | DNS is required for hostname to IP resolution. | ||
| Web admin | |||||
| Outbound | TCP | 443 | When you access web admin via the manage monitoring points page, a capture server provides a reverse proxy so that your connection remains secure. | ||
|
cap-02.pm.appneta.com cap-03.pm.appneta.com |
|||||
| Delivery Monitoring | |||||
| Outbound | TCP | 443 | Allow TCP 443 so that the monitoring point can perform TCP traceroute. | ||
| Inbound + Outbound | ICMP | ICMP is the instrument for delivery monitoring on single-ended paths, so it is essential that these messages are allowed in the outbound direction. | |||
| echo-request, echo-reply, time-exceeded, port-unreachable, fragmentation-needed | |||||
| Inbound | UDP | 3239 | Allow UDP 3239 inbound so that monitoring points can coordinate dual-ended monitoring. | ||
| Outbound | UDP | 3239 | Allow UDP 3239 outbound so that monitoring points can coordinate dual-ended monitoring and perform UDP traceroute. | ||
| Inbound | UDP | 45056-49151 | Allow inbound and outbound UDP messages on this range so that monitoring points can perform dual-ended monitoring, continuous monitoring traceroute using the port-unreachable method, voice tests, and QoS alerting. Customize this range. | ||
| Outbound | UDP | 45056-49151 | |||
| Outbound | UDP | 49152-65535 | APM sends UDP packets to ports in the stated range as part of QoS diagnostics, path MTU determination, and network discovery. ICMP port-unreachable messages are expected in response. Keep in mind that path targets must actually respond with an ICMP port-unreachable for any of these processes to be successful. | ||
| Outbound | UDP | 161 | Allow outbound UDP messages on port 161 so that monitoring points can query network devices via SNMP. | ||
| Path Plus | |||||
| Outbound | UDP | 7 | UDP port 7 is used for traceroute in Path Plus. | ||
| Outbound | TCP | 3236 | Allow outbound TCP and UDP messages on port 3236 so that PathTests can target monitoring points. The source and target monitoring points coordinate on TCP 3236 before and after tests, so it must be opened even if the testing protocol is UDP. | ||
| Outbound | UDP | 3236 | |||
| Voice/Video | |||||
| Inbound | UDP | 3239 | Monitoring points coordinate over UDP 3239 for voice and video tests: allow outbound for source monitoring points and inbound for target monitoring points. | ||
| Outbound | UDP | 3239 | |||
| Inbound | UDP | 5060 | Video and voice tests can use one of two signaling protocols: SIP uses port 5060, and H.323 uses port 1720; if you need to use different ports for signaling, open a support ticket. | ||
| Outbound | UDP | 5060 | |||
| Inbound | UDP | 1720 | |||
| Outbound | UDP | 1720 | |||
| Inbound | UDP | 45056-49151 | For video and voice tests, RTP and RTCP automatically select ports between 45056-49151. | ||
| Outbound | UDP | 45056-49151 | |||
| Experience monitoring | |||||
| Outbound | TCP | 80 | Outbound TCP connections on port 80 are essential to web monitoring. Allow outbound connections on port 443 if a scripted transaction will include logging in to the target site. | ||
| Outbound | TCP | 443 | |||
| SNMP | |||||
| Outbound | UDP | 162 | Allow outbound UDP messages on port 162 so that monitoring points can send SNMP traps. | ||