Firewall Requirements
  • 23 Aug 2024
Please also see our Firewall Connectivity Guide for basic guidance when preparing to deploy an on-premise Netreo VA (whether as a stand-alone deployment or service engine).

External Communication

Netreo can operate without internet access. However, licensing, software updates, and remote support are greatly simplified with some basic Internet access.

Here are the firewall configuration requirements to get Netreo's online components working correctly.

For remote technical support

Netreo's remote support VPN lets the appliance connect outbound to a secure network from which our support engineers can access it remotely.

If your firewall allows you to restrict access by domain name, you can use the following destination:

  • Destination charon.netreo.net
    • Port UDP/1194 -or-
    • Port TCP/443

Application-aware firewalls will need to be configured to allow this traffic as OpenVPN (UDP/1194) and SSL/TLS (TCP/443).

For automatic license updates

Netreo can automatically update its license over the Internet, so manually renewing it is unnecessary.

Requirement
This access is required for customers using a monthly service agreement.

If your firewall allows you to restrict access by domain name, you can use the following destination:

  • Destination activation.netreo.net:443

Application-aware firewalls will need to configure this as SSL/TLS or HTTPS.

For software updates

Netreo allows you to perform online software updates to receive the latest patches and fixes.

If your firewall allows you to restrict access by domain name, you can use the following destination:

  • Destination updates.netreo.com:443

For mobile and cloud features

These features include the use of the Netreo Mobile application and the ability to initiate cloud-based remote web application performance monitoring.

Cloud Features
To fully use cloud features, it is recommended to give Netreo outbound access on port 443 for all SSL/TLS or HTTPS connections.

Netreo uses various dynamic technologies to route and assign users to the best or closest cloud-hosted server, so it is not possible to restrict access to a specific group of IP addresses.

If your firewall allows you to restrict access by domain name, you can use the following destinations:

  • Destination rr.api.netreo.com:443 - for any communication to or from Netreo for remote WebART or to or from a reflector in the cloud.
  • Destination *.rr.netreo.com:443 - for any communication to or from Netreo for remote WebART or to or from a reflector in the cloud.
  • Destination incident.api.netreo.com:443 - for all communication from Netreo to the cloud for publishing incidents.
  • Destination heartbeat.api.netreo.com:443 - for all heartbeat messages from Netreo to the cloud.
  • Destination *.api.netreo.com:443 - for accessing the Netreo cloud libraries.
  • Destination mobile.api.netreo.com:443 - for primary communication to or from a mobile device.
  • Destination vpn.api.netreo.com:443 - for providing live data to mobile devices.

For geocoding and time zone information

These destinations are used by Netreo's site and geographic map features and must be allowed for those features to work properly.

  • api.geonames.org - time zone
  • dev.virtualearth.net - geocoding

For Microsoft 365 email authentication

If you select the SMTP Authenticated Relay (Office 365) option in Mail Alerting Administration, Netreo requires outbound access to login.microsoftonline.com on port TCP/443 for authentication.

For monitoring Amazon Web Services Resources

To monitor AWS resources, the Netreo appliance performing the checks (whether primary, replica, or service engine) must be able to reach the following domains.

  • *.amazonaws.com

For sending email alerts

Netreo is generally configured to send alerts via email. Our best practice recommendation is to allow Netreo to communicate outbound to the Internet on port TCP/25, as this allows direct connections to the smartphone gateways that should receive alerts.

If that access is not possible, you can relay SMTP mail through an internal server; however, this creates a single point of failure for alerts if that relay host stops responding, so we recommend this configuration only as a last resort or for testing purposes.

Internal Communication

For web user UI access

Web users access the Netreo user interface through a web browser on the following ports:

  • Port TCP/80
  • Port TCP/443

Port access can optionally be restricted to TCP/443 only. (Requires the SuperAdmin user access level.)

For high availability cluster communication

These ports are used for communication between cluster members and are only required if you run a Netreo HA cluster.

  • Port: TCP/443
  • Port: TCP/4567
  • Port: TCP/4568
  • Port: TCP/4444
  • Port: TCP/48100

For service engine communication

This port is used for communication between Netreo and its service engines and is required whenever a service engine is part of a Netreo deployment (including high availability deployments).

  • Port: TCP/443
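The following Python script is an added example, not Netreo's own tooling and not part of the original article. It encodes the external destinations from the sections above together with the HA cluster and service engine ports of this section, and checks, from the host it runs on, which of them resolve and accept a TCP connection, which is the quickest way to confirm that the firewall rules were applied as intended. The wildcard domains and the geocoding hosts (for which the article gives no port) are left out, OpenVPN on UDP/1194 can only be reported as "sent" because UDP has no handshake to observe, and the peer addresses for the internal checks are placeholders you supply.

```python
"""Connectivity check for the destinations listed in this article.

Added example, not Netreo's own tooling. Run it from the Netreo appliance
(or from the network segment the appliance sits in) after the firewall
rules are in place; it reports which required destinations resolve and
accept a TCP connection.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    purpose: str
    host: str
    proto: str  # "tcp" or "udp"
    port: int


# External destinations taken from the article. The wildcard entries
# (*.rr.netreo.com, *.api.netreo.com, *.amazonaws.com) are omitted because a
# wildcard cannot be resolved or connected to directly; they still need a
# domain-based allow rule on the firewall.
EXTERNAL = [
    Endpoint("remote support (OpenVPN)", "charon.netreo.net", "udp", 1194),
    Endpoint("remote support (TLS)", "charon.netreo.net", "tcp", 443),
    Endpoint("license updates", "activation.netreo.net", "tcp", 443),
    Endpoint("software updates", "updates.netreo.com", "tcp", 443),
    Endpoint("cloud: WebART / reflector", "rr.api.netreo.com", "tcp", 443),
    Endpoint("cloud: incidents", "incident.api.netreo.com", "tcp", 443),
    Endpoint("cloud: heartbeat", "heartbeat.api.netreo.com", "tcp", 443),
    Endpoint("cloud: mobile app", "mobile.api.netreo.com", "tcp", 443),
    Endpoint("cloud: mobile live data", "vpn.api.netreo.com", "tcp", 443),
    Endpoint("Microsoft 365 authentication", "login.microsoftonline.com", "tcp", 443),
]

# Internal ports from the article; the peer address is deployment-specific
# and is passed in by the caller (placeholder, not a real Netreo address).
HA_CLUSTER_PORTS = (443, 4567, 4568, 4444, 48100)
SERVICE_ENGINE_PORTS = (443,)


def ha_cluster_endpoints(peer: str) -> list:
    """Endpoints that must be reachable on another member of an HA cluster."""
    return [Endpoint("HA cluster", peer, "tcp", p) for p in HA_CLUSTER_PORTS]


def service_engine_endpoints(peer: str) -> list:
    """Endpoints that must be reachable between Netreo and a service engine."""
    return [Endpoint("service engine", peer, "tcp", p) for p in SERVICE_ENGINE_PORTS]


def resolve(host: str) -> list:
    """IPv4 addresses the host currently resolves to ([] if DNS fails)."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check(ep: Endpoint, timeout: float = 3.0) -> str:
    """'ok' / 'fail' for TCP; 'sent' / 'fail' for UDP (no handshake to observe)."""
    try:
        if ep.proto == "tcp":
            # A completed three-way handshake proves the firewall let us through.
            with socket.create_connection((ep.host, ep.port), timeout=timeout):
                return "ok"
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(b"", (ep.host, ep.port))
        return "sent"
    except OSError:  # covers timeouts, refusals and DNS failures (gaierror)
        return "fail"


def run_checks(endpoints, timeout: float = 3.0) -> dict:
    """Map 'host:proto/port' -> status for every endpoint in the list."""
    return {f"{ep.host}:{ep.proto}/{ep.port}": check(ep, timeout) for ep in endpoints}


def failures(results: dict) -> list:
    """Keys whose status is 'fail', i.e. rules that still need attention."""
    return sorted(k for k, v in results.items() if v == "fail")


if __name__ == "__main__":
    results = run_checks(EXTERNAL)
    for key, status in results.items():
        print(f"{status:4}  {key}")
    bad = failures(results)
    print(f"\n{len(bad)} of {len(results)} external destinations unreachable")
```

To cover the internal ports as well, pass `ha_cluster_endpoints("<peer-ip>")` or `service_engine_endpoints("<engine-ip>")` to `run_checks` with the real address of the other appliance. A "fail" for a TCP entry means either DNS did not resolve or the connection was refused or timed out; a "sent" for the OpenVPN entry only confirms the datagram left this host, so the remote support VPN should still be tested end to end with Netreo support.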
