Configure Firewall
The table below describes the enterprise firewall rules for managing communication between the components of the Live Platform Device Manager provisioning deployment. Endpoints deployed at enterprise sites traverse the public internet to connect to the Live Platform deployed in the AudioCodes data center. All communication between these components is over TCP port 443 (HTTPS), which is open by default on the Device Manager.
The parameter 'Secure (HTTPS) communication from the Device Manager to the Devices' should be enabled in the Live Platform deployment; see Configuring System Settings.
The figure below illustrates the firewall topology.
The table below describes the firewall rules for the components of the Device Manager provisioning deployment. Arrows in the first column show the direction in which the connection is opened: → outbound (send-only), ← inbound (receive-only), ↔ bi-directional.
| Connection | Protocol | Allow Port (Port Number) | Allowed Network | Purpose |
|---|---|---|---|---|
| **Endpoints** | | | | |
| Live Platform Device Manager → Endpoints | TCP (HTTPS) | 443 | Outbound connection (Send-only) with Device Manager. | Used by the Endpoints for sending requests to the Device Manager. |
| Endpoints → WAF (Imperva Incapsula) | TCP (HTTPS) | 443 | Outbound connection (Send-only) with WAF. | Used by endpoints for sending aggregated Keep-alive requests from phones to the WAF. |
| Endpoints ↔ Azure Blob Storage Container | TCP (HTTPS) | 443 | Inbound and Outbound connection (Bi-Directional) with the Azure Blob. | Used by endpoints for sending requests to the Blob for updated firmware and configuration files and for receiving them in return. |
| **WAF (Imperva Incapsula)** | | | | |
| WAF ← Endpoints | TCP (HTTPS) | 443 | Inbound connection (Receive-only) with endpoints. | Used by WAF for receiving aggregated Keep-alive requests from the endpoints. |
| WAF ↔ Microsoft Azure Aggregator Service | TCP (HTTPS) | 443 | Inbound and Outbound connection (Bi-Directional) with the Aggregator Service. | REST communication between the WAF and the Aggregator Service. |
| WAF ↔ Device Manager | TCP (HTTPS) | 443 | Inbound and Outbound connection (Bi-Directional) with Device Manager. | REST communication between the WAF and the Device Manager. |
| **Device Manager** | | | | |
| Live Platform Device Manager ↔ Endpoints | TCP (HTTPS) | 443 | Inbound and Outbound connection (Bi-Directional) between the Endpoints and the Device Manager. | Used by the Device Manager for performing REST actions on the device such as device restart and collecting logs. |
| Live Platform Device Manager → Azure Blob Storage Container | TCP (HTTPS) | 443 | Outbound connection (Send-only) to Azure Blob. | Used by Live Platform Device Manager to upload updated firmware and configuration files to the Azure Blob. See references below to *.blob.core.windows.net firewall whitelist requirements: |
| Live Platform Device Manager ↔ ShareFile | TCP (HTTPS) | 443 | Inbound and Outbound connection (Bi-Directional) with ShareFile. | Used by Live Platform Device Manager for downloading firmware and configuration files from ShareFile and sending requests to ShareFile. SharePoint: Citrix recommends as a best practice that customers leverage domain inclusion instead of IP address inclusion as described here: SharePoint Best Practices. This is due to frequent changes of cloud services to scale up and to introduce new services. For information on ShareFile firewall rules, see ShareFile Firewall Rules. |
| Live Platform Device Manager → AudioCodes Redirect Server | TCP (HTTPS) | 443 | Outbound connection (Send-only) with AudioCodes Redirect Server. | Used by Live Platform Device Manager for adding endpoints to Live Platform and for directing them to the Service Device URL on the Live Platform, i.e. the Provisioning URL, which triggers the firmware and configuration file update upon bootup and connection to the network. |
| **AudioCodes Redirect Server** | | | | |
| AudioCodes Redirect Server ← Live Platform Device Manager | TCP (HTTPS) | 443 | Inbound connection (Receive-only) with AudioCodes Redirect Server. | Used by the Redirect Server for receiving requests from Device Manager for adding new endpoints (a list of physical MAC addresses of endpoints to be added), and then redirecting them to the provisioning URL (the Service Device URL in Live Platform). For example, https://sandbox3.finebak.com/ltcfordevice/c/<LivePlatformServiceID>/. |
| **Aggregator Service** | | | | |
| Aggregator Service ↔ WAF (Imperva Incapsula) | TCP (HTTPS) | 443 | Inbound and Outbound connection (Bi-Directional) with the WAF. | REST communication between the Aggregator Service and the WAF. |
| Aggregator Service ↔ Device Manager | TCP (HTTPS) | 443 | Inbound and Outbound connection (Bi-Directional) with the Device Manager. | REST communication between the Aggregator Service and the Device Manager. |
| **Azure Blob** | | | | |
| Azure Blob Storage Container ↔ Endpoints | TCP (HTTPS) | 443 | Inbound and Outbound connection (Bi-Directional) with the Endpoints. | Used for receiving requests from the endpoints for firmware and configuration updates and for sending the files. |
| Azure Blob Storage Container ← Device Manager | TCP (HTTPS) | 443 | Inbound connection (Receive-only) from Device Manager. | Used for receiving updated firmware and configuration files from the Device Manager. Azure Blob Storage and SharePoint are synchronized through the Device Manager. |
| **ShareFile** | | | | |
| ShareFile ← Device Manager | TCP (HTTPS) | 443 | Inbound connection (Receive-only); initiator: Device Manager. | Used by ShareFile for receiving requests for firmware and configuration files from the Device Manager. |
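The table above is a default-deny allow-list: a flow is permitted only if a row exists for that pair of components, in that direction, on TCP 443. The following Python script is an added example (not AudioCodes code or part of this document) that encodes the rows as data and evaluates candidate flows against them, which is a convenient way to audit a firewall change or a sample of firewall log entries before deployment. The short component labels (`"Endpoints"`, `"WAF"`, `"Azure Blob"`, `"Redirect Server"`, and so on) and the sample flows are this example's own constructions; each rule's direction is transcribed from the table's Allowed Network column, as seen from the component whose section the row belongs to.

```python
"""Direction-aware allow-list model of the Device Manager firewall table.

Added example, not AudioCodes code. Component labels are short names chosen
here; rule directions are transcribed from the table's Allowed Network column.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Direction of the connection as seen from `component` (the row's own perimeter).
SEND_ONLY = "->"       # component opens outbound connections to peer only
RECEIVE_ONLY = "<-"    # component accepts inbound connections from peer only
BIDIRECTIONAL = "<->"  # either side may open the connection

Flow = Tuple[str, str, str, int]  # (source, destination, protocol, port)


@dataclass(frozen=True)
class Rule:
    component: str
    peer: str
    direction: str
    protocol: str = "TCP"
    port: int = 443

    def permits(self, src: str, dst: str, protocol: str, port: int) -> bool:
        """True if this rule allows a connection opened by src towards dst:port."""
        if protocol != self.protocol or port != self.port:
            return False
        outbound = (src, dst) == (self.component, self.peer)
        inbound = (src, dst) == (self.peer, self.component)
        if self.direction == SEND_ONLY:
            return outbound
        if self.direction == RECEIVE_ONLY:
            return inbound
        return outbound or inbound


# One Rule per table row, grouped as in the table (labels are this example's own).
RULES: List[Rule] = [
    # Endpoints
    Rule("Endpoints", "Device Manager", SEND_ONLY),
    Rule("Endpoints", "WAF", SEND_ONLY),
    Rule("Endpoints", "Azure Blob", BIDIRECTIONAL),
    # WAF (Imperva Incapsula)
    Rule("WAF", "Endpoints", RECEIVE_ONLY),
    Rule("WAF", "Aggregator Service", BIDIRECTIONAL),
    Rule("WAF", "Device Manager", BIDIRECTIONAL),
    # Device Manager
    Rule("Device Manager", "Endpoints", BIDIRECTIONAL),
    Rule("Device Manager", "Azure Blob", SEND_ONLY),
    Rule("Device Manager", "ShareFile", BIDIRECTIONAL),
    Rule("Device Manager", "Redirect Server", SEND_ONLY),
    # AudioCodes Redirect Server
    Rule("Redirect Server", "Device Manager", RECEIVE_ONLY),
    # Aggregator Service
    Rule("Aggregator Service", "WAF", BIDIRECTIONAL),
    Rule("Aggregator Service", "Device Manager", BIDIRECTIONAL),
    # Azure Blob
    Rule("Azure Blob", "Endpoints", BIDIRECTIONAL),
    Rule("Azure Blob", "Device Manager", RECEIVE_ONLY),
    # ShareFile
    Rule("ShareFile", "Device Manager", RECEIVE_ONLY),
]


def is_allowed(rules: Iterable[Rule], src: str, dst: str,
               protocol: str = "TCP", port: int = 443) -> bool:
    """Default-deny: a flow is allowed only if some rule permits it."""
    return any(r.permits(src, dst, protocol, port) for r in rules)


def audit(rules: Iterable[Rule], flows: Iterable[Flow]) -> List[Flow]:
    """Return the flows (e.g. parsed from firewall logs) that no rule permits."""
    rule_list = list(rules)
    return [f for f in flows if not is_allowed(rule_list, *f)]


def non_https_rules(rules: Iterable[Rule]) -> List[Rule]:
    """Rules that break the 'everything is TCP 443' invariant stated above."""
    return [r for r in rules if (r.protocol, r.port) != ("TCP", 443)]


# Constructed sample flows, in the shape a firewall log might record them.
SAMPLE_FLOWS: List[Flow] = [
    ("Endpoints", "Device Manager", "TCP", 443),        # allowed
    ("Endpoints", "Device Manager", "TCP", 80),         # wrong port
    ("Azure Blob", "Device Manager", "TCP", 443),       # Blob never initiates
    ("Endpoints", "Redirect Server", "TCP", 443),       # no rule for this pair
    ("Device Manager", "Redirect Server", "TCP", 443),  # allowed
]

if __name__ == "__main__":
    for flow in audit(RULES, SAMPLE_FLOWS):
        print("DENY", flow)
```

Running the script prints the three sample flows that no row permits: the wrong port, the Blob-initiated connection (the Blob only ever receives from the Device Manager), and the endpoint-to-Redirect-Server pair, which the table does not list at all. `non_https_rules` returns an empty list, confirming the section's statement that every component talks over TCP 443 only; if a later revision of the rule set adds another port, that check is where it shows up.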