Introduction
This document will guide you in configuring your network to install and configure the following products:
Nasuni Edge Appliance.
Nasuni Management Console (NMC).
Nasuni Access Anywhere (NAA).
Nasuni File IQ Appliance.
Nasuni Edge Appliance
This section will guide you in configuring your network to install and configure the Nasuni Edge Appliance.
Note: The Nasuni Edge Appliance (NEA) port configurations also apply to the Nasuni File IQ Appliance.
Each Nasuni Edge Appliance performs two main tasks:
Securely transmits files to cloud object storage.
Caches actively used files locally to provide high-performance file access.
A Nasuni Edge Appliance can be a virtual machine that runs on hypervisors, or a Nasuni Edge Appliance can be a Nasuni hardware appliance.
Nasuni Edge Appliances support NFS, SMB (CIFS), FTP/SFTP, and HTTP/ REST protocols.
Each Nasuni Edge Appliance offers a Web-based interface that enables you to manage volumes and performance.
To manage many Edge Appliances, you use the Nasuni Management Console (NMC).
Summary of frequently used firewall and port settings.
See below for detailed information that might apply to your site.
Port 443
Port 443 (HTTPS) must be open outbound from the Nasuni Edge Appliance. This port carries the data transferred from the Edge Appliance to the cloud storage provider and the control traffic to Nasuni. Port 443 is also used inbound for Nasuni Management Console administrative access and Web Access, when those features are enabled on the Edge Appliance.
The Nasuni Edge Appliance must be able to talk to both Nasuni (to send alerts and metrics, download new versions, and so forth) and to the cloud (to reach cloud storage with Amazon S3 or Azure).
Because of the load-balancing nature of our systems, it is best to refrain from doing this by IP address. Instead, we suggest that you allow HTTPS traffic (port 443) to *.nasuni.com and *.amazonaws.com, and check the FQDN table below for endpoints outside those two domains (for example, the Azure endpoints) that your deployment needs.
Tip: Certain firewall manufacturers offer Nasuni application types for their safelists or allow lists, which should be enabled.
Important: The Nasuni Mobile Access app is scheduled for End-of-Life on May 1, 2024. After this date, the Nasuni Mobile Access app will no longer be supported or available from app stores.
We distinguish an Administrative path, a Control path, and a Data/Metadata path.
For the Data/Metadata path, ensure that port 443 is open to the FQDNs referenced in the cloud credentials.
For the Control path, ensure that port 443 is open to the following FQDNs:
FQDN | Meaning |
---|---|
account.nasuni.com | Endpoint necessary for deploying Edge Appliance. |
alerts.api.nasuni.com | Endpoint for service that Edge Appliances and NMCs use to send alerts to NOC. |
am1.portal.api.nasuni.com | Endpoint for Nasuni Portal API. |
arbiter-http-frankfurt.gfl.api.nasuni.com | Endpoint for Write Oplock support for Advanced GFL. |
arbiter-http-ireland.gfl.api.nasuni.com | Endpoint for Write Oplock support for Advanced GFL. |
arbiter-http-oregon.gfl.api.nasuni.com | Endpoint for Write Oplock support for Advanced GFL. |
arbiter-http-singapore.gfl.api.nasuni.com | Endpoint for Write Oplock support for Advanced GFL. |
arbiter-http-sydney.gfl.api.nasuni.com | Endpoint for Write Oplock support for Advanced GFL. |
arbiter-http-virginia.gfl.api.nasuni.com | Endpoint for Write Oplock support for Advanced GFL. |
arbiter-ws-frankfurt.gfl.api.nasuni.com | Endpoint for Write Oplock support for Advanced GFL. |
arbiter-ws-ireland.gfl.api.nasuni.com | Endpoint for Write Oplock support for Advanced GFL. |
arbiter-ws-oregon.gfl.api.nasuni.com | Endpoint for Write Oplock support for Advanced GFL. |
arbiter-ws-singapore.gfl.api.nasuni.com | Endpoint for Write Oplock support for Advanced GFL. |
arbiter-ws-sydney.gfl.api.nasuni.com | Endpoint for Write Oplock support for Advanced GFL. |
arbiter-ws-virginia.gfl.api.nasuni.com | Endpoint for Write Oplock support for Advanced GFL. |
as1.portal.api.nasuni.com | Endpoint for Nasuni Portal API. |
auth.api.nasuni.com | Endpoint for service that Edge Appliances and NMCs use to authenticate during the Edge Appliance and NMC install wizard. |
av-updates.api.nasuni.com | Endpoint for service that Edge Appliances use to get antivirus definition files. |
*.blob.core.windows.net | For Azure Linux Agent (WALinuxAgent) to perform validation checks during boot and normal operations. |
config.api.nasuni.com | Endpoint for service that Edge Appliances and NMCs use to send configuration bundles (used for Recovery) to NOC. |
credentials.api.nasuni.com | Endpoint for service that Edge Appliances use to get integrated storage credentials. |
creds.api.nasuni.com | Endpoint for service that Edge Appliances and NMCs use to get SQS credentials (used for Edge Appliance and NMC communication). |
escrow.api.nasuni.com | Endpoint for service that Edge Appliances and NMCs use to send escrowed encryption keys to NOC. |
eu1.portal.api.nasuni.com | Endpoint for Nasuni Portal API. |
fa-us1.api.nasuni.com | (Optional.) Endpoint for the Global File Acceleration (GFA) service. If using GFA, ensure that port 443 is open to this FQDN. |
fa-us2.api.nasuni.com | (Optional.) Endpoint for the Global File Acceleration (GFA) service. If using GFA, ensure that port 443 is open to this FQDN. |
filer.api.nasuni.com | Endpoint for service that Edge Appliances use for miscellaneous services, including push lock. |
globallock-frankfurt.api.nasuni.com | Endpoint for service that Edge Appliances use for global locking (Frankfurt, Germany). Redundant with Ireland. |
globallock-ireland.api.nasuni.com | Endpoint for service that Edge Appliances use for global locking (Dublin, Ireland). Redundant with Frankfurt. |
globallock-oregon.api.nasuni.com | Endpoint for service that Edge Appliances use for global locking (Oregon, USA). Redundant with Virginia. |
globallock-sydney.api.nasuni.com | Endpoint for service that Edge Appliances use for global locking (Sydney, Australia). Redundant with Singapore. |
globallock-singapore.api.nasuni.com | Endpoint for service that Edge Appliances use for global locking (Singapore). Redundant with Sydney. |
globallock-virginia.api.nasuni.com | Endpoint for service that Edge Appliances use for global locking (Virginia, USA). Redundant with Oregon. |
license.api.nasuni.com | Endpoint for service that Edge Appliances and NMCs use to get a license. |
metrics.api.nasuni.com | Endpoint for service that Edge Appliances use to send metrics to NOC. |
metrics-dpv.api.nasuni.com | Endpoint for service that NMCs use to send data propagation visibility metrics to NOC. |
nasunicdn.s3.amazonaws.com | Endpoint for viewing Nasuni Release Notes from the Edge Appliance or NMC. |
nasuniscripts.s3.amazonaws.com | (Optional) Endpoint for debugging tools used by Nasuni Support to more quickly diagnose and fix problems. |
r3.api.nasuni.com | To get ransomware detection definition files for Ransomware Detection. |
replication.api.nasuni.com | Endpoint for service that Edge Appliances use to set up volume sharing. |
*.servicebus.windows.net | OPTIONAL Nasuni File IQ uses the Azure event hub, which requires this endpoint to be accessible by the NEAs that are paired with Nasuni File IQ. NOT required by the Nasuni File IQ appliance itself. |
sqs.us-east-2.amazonaws.com | Endpoints for Amazon AWS’s SQS service that Edge Appliances and NMCs use to communicate with each other. |
support-bridge.api.nasuni.com | Endpoint for connection to Edge Appliance from Nasuni Support. This allows Remote Support to be enabled. |
support-bridge02.api.nasuni.com | Endpoint for connection to Edge Appliance from Nasuni Support. This allows Remote Support to be enabled. |
support-bridge03.api.nasuni.com | Endpoint for connection to Edge Appliance from Nasuni Support. This allows Remote Support to be enabled. |
telemetry.api.nasuni.com | Endpoint for the use of the Volume Telemetry Service (VTS) for Global File Acceleration (GFA). |
updates.api.nasuni.com | Endpoint for service that provides Edge Appliances and NMCs with software updates. |
Important: It is a best practice not to cache DNS entries for longer than the TTL that Nasuni specifies in DNS entries. For example, the TTL of the DNS entry globallock-virginia.api.nasuni.com is 60 seconds.
Note: Firewalls or any other security devices or software that process, inspect, or log port 443 traffic from the Nasuni Edge Appliance can affect performance when the Nasuni Edge Appliance is communicating with the cloud.
Tip: If you must use IP addresses (not recommended), note these considerations:
For Amazon Web Services (AWS), the IP ranges are published here: https://ip-ranges.amazonaws.com/ip-ranges.json. For access to the NOC (Nasuni Orchestration Center), including if using NMC, add to your firewall all IP address ranges with a region value of “us-east-1” or “us-east-2” and a service value of “AMAZON”.
For Microsoft Azure, the IP ranges are published here: https://www.microsoft.com/en-us/download/confirmation.aspx?id=41653. Download the Microsoft Azure Datacenter IP Ranges XML file.
Additionally, for Global File Lock, add the "AMAZON" ranges for the following regions, depending on the lock servers you are using.
Virginia, US or Oregon, US: us-east-1 and us-west-2.
Sydney, Australia or Singapore: ap-southeast-2 and ap-southeast-1.
Frankfurt, Germany or Dublin, Ireland: eu-central-1 and eu-west-1.
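The following script, added here as a worked example (it is not Nasuni's code), applies the selection rule above to a copy of ip-ranges.json: it keeps prefixes whose service is AMAZON and whose region is one of the NOC regions, adds the region pair for whichever lock servers you use, and merges adjacent prefixes so the firewall object stays small. The embedded JSON is a constructed excerpt in the real file's layout; run it with --fetch to filter the live file instead. The city-to-region mapping is an assumption drawn from the region codes listed above (Singapore's AWS region code is ap-southeast-1; ap-northeast-1 is Tokyo).

```python
"""Select AWS IP ranges for Nasuni NOC and Global File Lock safelists.

Added example, not Nasuni's code. Input format is the public ip-ranges.json
(https://ip-ranges.amazonaws.com/ip-ranges.json); the sample below is a
constructed excerpt in the same layout.
"""
import ipaddress
import json
import sys
import urllib.request

# Region codes from the guidance above: NOC traffic terminates in
# us-east-1/us-east-2, and each lock-server pair maps onto an AWS region
# pair. Singapore is ap-southeast-1 (ap-northeast-1 is Tokyo).
NOC_REGIONS = frozenset({"us-east-1", "us-east-2"})
GFL_REGIONS = {
    "virginia": frozenset({"us-east-1", "us-west-2"}),
    "oregon": frozenset({"us-east-1", "us-west-2"}),
    "sydney": frozenset({"ap-southeast-2", "ap-southeast-1"}),
    "singapore": frozenset({"ap-southeast-2", "ap-southeast-1"}),
    "frankfurt": frozenset({"eu-central-1", "eu-west-1"}),
    "ireland": frozenset({"eu-central-1", "eu-west-1"}),
}

# Constructed sample: a handful of entries in the real file's shape.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0", "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "3.5.140.0/22", "region": "us-east-2", "service": "AMAZON"},
        {"ip_prefix": "52.94.76.0/22", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "52.94.76.0/22", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "13.54.0.0/15", "region": "ap-southeast-2", "service": "AMAZON"},
        {"ip_prefix": "18.192.0.0/15", "region": "eu-central-1", "service": "AMAZON"},
        {"ip_prefix": "54.240.192.0/22", "region": "GLOBAL", "service": "AMAZON"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2600:1f18::/33", "region": "us-east-1", "service": "AMAZON"},
    ],
})


def load_sample():
    """Parse the constructed sample into the same dict shape as the live file."""
    return json.loads(SAMPLE_IP_RANGES)


def select_prefixes(data, regions, service="AMAZON", include_ipv6=True):
    """Return prefixes (IPv4 first, then IPv6) whose region is in `regions`
    and whose service equals `service`, de-duplicated but in file order."""
    keep = [p["ip_prefix"] for p in data.get("prefixes", [])
            if p["region"] in regions and p["service"] == service]
    if include_ipv6:
        keep += [p["ipv6_prefix"] for p in data.get("ipv6_prefixes", [])
                 if p["region"] in regions and p["service"] == service]
    return list(dict.fromkeys(keep))


def noc_ranges(data):
    """Ranges needed to reach the NOC (including the NMC's SQS endpoint)."""
    return select_prefixes(data, NOC_REGIONS)


def gfl_ranges(data, lock_servers):
    """Ranges for the Global File Lock servers configured on the Edge Appliance,
    e.g. ["virginia", "frankfurt"]. Unknown names raise KeyError on purpose."""
    regions = frozenset().union(*(GFL_REGIONS[s.lower()] for s in lock_servers))
    return select_prefixes(data, regions)


def collapse(prefixes):
    """Merge adjacent or overlapping prefixes per address family so the
    resulting firewall object has as few entries as possible."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    merged = []
    for version in (4, 6):
        family = [n for n in nets if n.version == version]
        merged += [str(n) for n in ipaddress.collapse_addresses(family)]
    return merged


def main(argv):
    if "--fetch" in argv:
        url = "https://ip-ranges.amazonaws.com/ip-ranges.json"
        with urllib.request.urlopen(url, timeout=30) as resp:
            data = json.load(resp)
    else:
        data = load_sample()
    locks = [a for a in argv if a != "--fetch"] or ["virginia"]
    print("NOC:", collapse(noc_ranges(data)))
    print("GFL", locks, ":", collapse(gfl_ranges(data, locks)))


if __name__ == "__main__":
    main(sys.argv[1:])
```

Re-run it on every change of syncToken; the ranges move, which is the reason the page prefers FQDN-based rules.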
Important: For Zscaler devices with an Edge Appliance, it is important to include .amazonaws.com and .nasuni.com on safelists. A leading period (".") functions as a wildcard to the left of the named domain up to five subdomain levels deep, meaning that the same policies are applied to the subdomains. For details, see URL Format Guidelines.
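As an added example (not from the page or from Nasuni), the check below takes the control-path FQDNs from the table above and a candidate safelist and reports the entries the safelist does not cover. It implements the two wildcard forms mentioned here: a `*.` prefix matching any depth, and a leading period matching up to five labels to the left, as the Zscaler note describes (treating the bare domain as matched and the five-level cap as inclusive is my reading of that note). Run against the two patterns suggested above, it shows that the Azure endpoints in the table are not covered.

```python
"""Does a firewall safelist cover every control-path FQDN?
Added example, not Nasuni's code."""

# Entries from the control-path table above (a representative subset).
CONTROL_PATH_FQDNS = [
    "account.nasuni.com",
    "alerts.api.nasuni.com",
    "arbiter-ws-virginia.gfl.api.nasuni.com",
    "*.blob.core.windows.net",
    "nasunicdn.s3.amazonaws.com",
    "sqs.us-east-2.amazonaws.com",
    "*.servicebus.windows.net",
    "updates.api.nasuni.com",
]

MAX_DOT_LEVELS = 5  # leading-dot wildcard depth from the Zscaler note above


def _labels(name):
    return name.lower().rstrip(".").split(".")


def _ends_with(host, base):
    return len(host) >= len(base) and host[len(host) - len(base):] == base


def covers(pattern, fqdn, max_levels=MAX_DOT_LEVELS):
    """True if safelist `pattern` matches `fqdn`.

    '*.d' matches any host with at least one label left of d (any depth).
    '.d'  matches d itself and hosts up to `max_levels` labels left of d
          (assumed reading of the Zscaler note).
    'd'   matches d exactly.
    A table entry that is itself a wildcard ('*.x') is covered only by a
    wildcard pattern whose base is a suffix of x; the unknown labels are
    counted as at least one extra level.
    """
    entry_wild = fqdn.startswith("*.")
    host = _labels(fqdn[2:] if entry_wild else fqdn)
    extra_levels = int(entry_wild)
    if pattern.startswith("*."):
        base = _labels(pattern[2:])
        return _ends_with(host, base) and len(host) - len(base) + extra_levels >= 1
    if pattern.startswith("."):
        base = _labels(pattern[1:])
        if not _ends_with(host, base):
            return False
        return len(host) - len(base) + extra_levels <= max_levels
    return not entry_wild and host == _labels(pattern)


def uncovered(fqdns, safelist):
    """Entries that no safelist pattern matches."""
    return [f for f in fqdns if not any(covers(p, f) for p in safelist)]


if __name__ == "__main__":
    for safelist in (["*.nasuni.com", "*.amazonaws.com"],
                     [".nasuni.com", ".amazonaws.com", ".windows.net"]):
        print(safelist, "misses:", uncovered(CONTROL_PATH_FQDNS, safelist))
```

Paste the full table into CONTROL_PATH_FQDNS before relying on the result; the subset here is only enough to show the gap.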
Other Ports
Port number | Protocol | Used for | Inbound (to Nasuni Edge Appliance) | Outbound (from Nasuni Edge Appliance) |
---|---|---|---|---|
20, 21 | TCP | File Transfer Protocol (FTP), with the Edge Appliance acting as the FTP server. | 21 (control): Optional. FTP clients open a TCP control connection to port 21 on the Edge Appliance. | 20 (data transfer): Optional. In active mode, the Edge Appliance initiates the data channel from its port 20 to the client. |
22 | TCP | SSH File Transfer Protocol (SFTP) data transfer. Note: This is not the same as FTPS, the File Transfer Protocol over SSL. Tip: To use SFTP rather than FTP, open the Edge Appliance UI, click the Configuration tab, and on the Firewall page select SFTP and deselect FTP for each Traffic Group. | 22 (control and data transfer): Optional. For receiving data files from SFTP clients. | 22 (control and data transfer): Optional. For sending controls and data files to an external SFTP server. |
25 | TCP | Simple Mail Transfer Protocol (SMTP) processing for outgoing email messages. | N/A | Optional, if using external servers for email for Nasuni Edge Appliance messages. |
53 | TCP and UDP | DNS | N/A | Open to the DNS servers that the Edge Appliance is configured to use. |
123 | UDP | Connecting to Network Time Protocol (NTP) servers. | N/A | An NTP server must be accessible by the appliance. If the chosen NTP server is on the Internet, port 123 must be open. |
137 | UDP | Must be open between NEA and the Domain Controller in order for NTLM to work and for the NEA to join Active Directory. Also, Samba uses port 137 to look up workstation, server, and domain names. | Required to join Active Directory. | Required to join Active Directory. |
161, 162 | UDP | Simple Network Management Protocol (SNMP). | 161: Optional. Open from the SNMP managers that poll the Edge Appliance. | 162: Optional. Open to the external SNMP trap receivers, if trap addresses are configured. |
5671 | TCP | Auditing using AMQP with SSL. | N/A | If using external auditing (such as Varonis), open port 5671 outbound from the Edge Appliance to the configured audit endpoint. |
8443 | TCP | HTTPS: Access Nasuni Edge Appliance administrative interface. | Optional (but not recommended), open to Nasuni Edge Appliance for external management access direct or via NAT. | N/A |
Optional Ports
The Nasuni Edge Appliance has several ports that are optional to be open on your network:
25 – SMTP: You can configure the Nasuni Edge Appliance to use your local SMTP server. However, if you use the default settings, you must open port 25 on your network. This is so the Nasuni Edge Appliance can send you alerts via SMTP if you configure it to do so.
123 – NTP (Network Time Protocol): An NTP server must be accessible by the appliance. If the chosen NTP server is on the Internet, outbound port 123 must be open. The default NTP servers are from time.nasuni.com.
161 – SNMP: You can configure the Nasuni Edge Appliance to use SNMP. However, if you use the default settings, you must open port 161 on your network.
8443 – Optional, for external management access direct or via NAT.
iDRAC Ports
The Integrated Dell Remote Access Controller (iDRAC) is a Dell controller that provides remote management capabilities for Nasuni Edge Appliance hardware appliances. Ports for iDRAC access, along with details about iDRAC features, are available at: https://www.dell.com/support/manuals/uk/en/ukbsdt1/poweredge-fx2/idrac8_2.30.30.30_ug/idrac-port-information.
Ports for internal network firewalls
In addition to the preceding, for environments with internal network firewalls and segmentation, the following port configurations between users and the Nasuni Edge Appliance might be necessary for the respective protocol to function.
Inbound (to Nasuni Edge Appliance)
Port number | Protocol | Used for | Inbound (to Nasuni Edge Appliance) |
---|---|---|---|
443 | TCP | NMC management of the Edge Appliance and Web Access (HTTPS). | If these features are in use, Nasuni recommends opening this port to all clients/ranges; restrict it to known client ranges where possible. Note that these features must be enabled on the Nasuni Edge Appliance. |
8443 | TCP | To administer the Nasuni Edge Appliance. | Open to clients that need to use the Nasuni administration interface. |
111, 662, 875, 892, 2049, and 2050 | TCP and UDP | NFS | Open to clients that need to use NFS. NFS mounts using TCP are supported by default; NFS mounts using UDP are not supported by default. |
123 | UDP | Connecting to Network Time Protocol (NTP) servers. | N/A |
161 | UDP | SNMP | Open to clients that need to use SNMP. |
222 | TCP | SSH for Support usage. | Close this port. If Nasuni Customer Support requests you to open this port, open this port temporarily to all clients/ranges. |
445 | TCP | SMB/CIFS and Active Directory | Open to clients that need to use SMB/CIFS. |
Outbound (from Nasuni Edge Appliance)
Port number | Protocol | Used for | Outbound (from Nasuni Edge Appliance) |
---|---|---|---|
88 | UDP | Kerberos | Open to the Active Directory domain controllers (KDCs) that the Edge Appliance authenticates against. |
123 | UDP | Connecting to Network Time Protocol (NTP) servers. | An NTP server must be accessible by the appliance. If the chosen NTP server is on the Internet, port 123 must be open. |
162 | UDP | SNMP traps | Open to the configured SNMP trap receivers. |
514 | UDP | Syslog | Open to the hosts that act as Syslog receivers. |
Connecting Nasuni Edge Appliances to the Internet at large
Nasuni recommends the following:
Close all ports that are not actively needed.
Restrict access to only the client machines that are needed, and open only the protocols those clients use. For example, if clients connect by using HTTPS, do not also open the unneeded SMB (CIFS) port.
HTTPS proxy server configuration
The HTTPS proxy server acts as an intermediary between your client machine and external resources. This allows you to conceal the IP address of the client machine. All HTTPS traffic goes through the proxy server that you specify. HTTPS traffic includes:
Storage traffic.
Global File Lock server traffic.
Antivirus definition files.
Nasuni Management Console Administrative Access.
Web Access.
NOC traffic.
To configure the HTTPS proxy server for a Nasuni Edge Appliance, you need the hostname or IP address of the proxy server, as well as the port number used by the proxy server. If a username and password are required to authenticate with the proxy server, those are also necessary.
You can specify hostnames or IP addresses that need not be routed through the proxy server. These would include trusted hosts that do not require the protection of the proxy server. These hosts are still protected by HTTPS access.
Alternatively, instead of using the HTTPS proxy, you can allow outbound traffic from the IP address of the Nasuni Edge Appliance on port 443. That reduces the load on your HTTPS proxy.
Configuring an Edge Appliance in the DMZ
A “DMZ” is a physical or logical subnetwork that exposes an organization's external-facing services to an untrusted network such as the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's Intranet or LAN: an external network node can access only what is exposed in the DMZ, while the rest of the organization's network is firewalled.
An organization might want to configure a Nasuni Edge Appliance in the DMZ. With such an arrangement, the Edge Appliance can communicate with services that it needs, such as the Nasuni Orchestration Center (NOC), Microsoft Azure, and Amazon AWS. The Edge Appliance would have limited access to the organization’s Intranet, including Active Directory domain controllers there.
Configuring external firewall
The external firewall must allow outbound traffic to the following ports:
TCP Port 443: allows the Edge Appliance to communicate with services, including the NOC, Microsoft Azure, and Amazon AWS.
If using Nasuni Web Access, the external firewall must allow inbound traffic to the following ports:
TCP Port 443.
Otherwise, inbound traffic to TCP Port 443 is optional.
Configuring internal firewall
The internal firewall must open the following ports:
TCP/UDP Port 88: for Kerberos authentication.
TCP/UDP Port 111, 662, 875, 892, 2049, 2050: for NFS. NFS mounts using TCP are supported by default. NFS mounts using UDP are not supported by default.
TCP/UDP Port 135: for Remote Procedure Call traffic.
UDP Port 137: for Samba, Active Directory.
TCP/UDP Port 389: for LDAP.
TCP Port 443: for HTTPS: NMC, Web Access, Antivirus.
TCP Port 445: for SMB/CIFS, Active Directory.
TCP/UDP Port 464: for Kerberos Password Change.
TCP Port 3268 and 3269: for Global Catalog.
TCP Port 8443: for Edge Appliance administration.
An NTP server must be accessible by the appliance. If the chosen NTP server is on the Internet, outbound port 123 must be open.
Platform-specific considerations for installing appliances
Certain platforms require specific configurations for installing appliances.
Microsoft Azure
For installing on Microsoft Azure, follow these suggestions:
Running the Nasuni Edge Appliance or NMC on the Microsoft Azure platform is like running these systems outside of your business. Unused ports should not be exposed to the public Internet, including the SSH port, port 222.
Outbound ports: Microsoft Azure does not enable restricting outbound traffic. Nasuni recommends allowing outgoing traffic on all ports to all hosts for the Nasuni Edge Appliance and NMC.
Inbound: Here are recommendations for the following ports:
Ports 111, 662, 875, 892, 2049, and 32803 TCP or UDP: Open to clients needing NFS. NFS mounts using TCP are supported by default. NFS mounts using UDP are not supported by default.
Port 123 UDP: N/A inbound. An NTP server must be accessible by the appliance; if the chosen NTP server is on the Internet, outbound port 123 must be open.
Ports 139 and 445 TCP: Open to clients that need to use SMB/CIFS.
Port 161 UDP: Open to clients that need to use SNMP.
Port 222 SSH: Close this port. If Nasuni Customer Support requests you to open this port, open this port temporarily to all clients/ranges.
Port 443 TCP: Used for administration access to the NMC, and Web Access. If these features are in use, Nasuni recommends opening this port to all clients/ranges. Note that these features must be enabled on the Nasuni Edge Appliance.
Port 8443 TCP: Used to administer the Nasuni Edge Appliance. Open to clients that need to use the Nasuni administration interface.
Amazon EC2
For installing on Amazon EC2, follow these suggestions:
Running the Nasuni Edge Appliance or NMC on the Amazon EC2 platform is similar to running these systems outside of your business. Unused ports should not be exposed to the public Internet, including the SSH port, port 222.
Outbound ports: Amazon EC2 does not enable restricting outbound traffic. Nasuni recommends allowing outgoing traffic on all ports to all hosts for the Nasuni Edge Appliance and NMC.
Inbound: Here are recommendations for the following ports:
Ports 111, 662, 875, 892, 2049, and 32803 TCP or UDP: Open to clients that need to use NFS. NFS mounts using TCP are supported by default. NFS mounts using UDP are not supported by default.
Port 123 UDP: N/A
Ports 139 and 445 TCP: Open to clients that need to use SMB/CIFS.
Port 161 UDP: Open to clients that need to use SNMP.
Port 222 SSH: Close this port. If Nasuni Customer Support requests you to open this port, open this port temporarily to all clients/ranges.
Port 443 TCP: Used for administration access to the NMC, and Web Access. If these features are in use, Nasuni recommends opening this port to all clients/ranges. Note that these features must be enabled on the Nasuni Edge Appliance.
Port 8443 TCP: Used to administer the Nasuni Edge Appliance. Open to clients that need to use the Nasuni administration interface.
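For an Edge Appliance on EC2, the inbound recommendations above translate into a security-group rule set. The script below is an added example (not Nasuni's code) that builds one: every port is bound to the client or administrator CIDRs you pass in rather than 0.0.0.0/0, NFS gets TCP only unless UDP is explicitly requested, 443 appears only when Web Access is enabled, and port 222 is never included, since the guidance is to open it temporarily and only on Nasuni Support's request. `validate` re-checks a rule set against those constraints before it is applied; the `apply` helper uses boto3's `authorize_security_group_ingress` and is the only part that needs AWS access. The group ID and CIDRs in the usage are placeholders.

```python
"""EC2 security-group ingress for a Nasuni Edge Appliance, built from the
inbound port recommendations above. Added example, not Nasuni's code."""
import sys

NFS_PORTS = (111, 662, 875, 892, 2049, 32803)   # NFS ports listed for EC2
SMB_PORTS = (139, 445)
SUPPORT_SSH = 222                                 # never in the default rule set
WORLD = ("0.0.0.0/0", "::/0")


def perm(proto, port, cidrs):
    """One IpPermissions entry in the shape authorize_security_group_ingress expects."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs]}


def nea_ingress_rules(client_cidrs, admin_cidrs, *, web_access=False,
                      nfs_udp=False, snmp_cidrs=()):
    """Ingress rules for the Edge Appliance.

    client_cidrs: networks that mount NFS/SMB (and use Web Access if enabled).
    admin_cidrs:  networks allowed to reach the 8443 admin UI.
    nfs_udp:      NFS over UDP is off by default on the appliance; open it
                  only if you have enabled it there.
    snmp_cidrs:   SNMP managers allowed to poll 161/udp; empty means closed.
    """
    rules = []
    for port in NFS_PORTS:
        rules.append(perm("tcp", port, client_cidrs))
        if nfs_udp:
            rules.append(perm("udp", port, client_cidrs))
    for port in SMB_PORTS:
        rules.append(perm("tcp", port, client_cidrs))
    if snmp_cidrs:
        rules.append(perm("udp", 161, snmp_cidrs))
    if web_access:
        rules.append(perm("tcp", 443, client_cidrs))
    rules.append(perm("tcp", 8443, admin_cidrs))
    return rules


def validate(rules, allow_public_ports=()):
    """Return policy violations: support SSH exposed, or a port open to the
    whole Internet that is not explicitly allowed to be public."""
    problems = []
    for r in rules:
        if r["FromPort"] <= SUPPORT_SSH <= r["ToPort"]:
            problems.append(f"port {SUPPORT_SSH} (support SSH) must stay closed")
        world_open = any(ip["CidrIp"] in WORLD for ip in r["IpRanges"])
        if world_open and r["FromPort"] not in allow_public_ports:
            problems.append(f"{r['IpProtocol']}/{r['FromPort']} is open to the Internet")
    return problems


def apply(group_id, rules, region):
    """Push the rules to AWS. Needs boto3 and credentials; not used offline."""
    import boto3  # imported here so the rest of the module runs without it
    problems = validate(rules)
    if problems:
        raise ValueError(problems)
    ec2 = boto3.client("ec2", region_name=region)
    return ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=rules)


if __name__ == "__main__":
    # Placeholder networks and group ID; replace with your own.
    rules = nea_ingress_rules(["10.20.0.0/16"], ["10.99.0.0/24"], web_access=True)
    print(f"{len(rules)} rules, violations: {validate(rules)}")
    if "--apply" in sys.argv:
        print(apply("sg-0123456789abcdef0", rules, "us-east-1"))
```

If Web Access really must be reachable from the Internet, pass allow_public_ports=(443,) to validate so that the 443 exception is recorded explicitly instead of silently widening every rule.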
Platform-specific considerations for accessing on-premises storage
If your storage is not in the cloud, it is necessary to ensure that the Nasuni Edge Appliance can reach the storage location. Be sure that the proper port is open between the Nasuni Edge Appliance and the object storage solution.
Platform-specific considerations for accessing storage
Certain platforms require specific configurations for accessing storage.
For all storage platforms, ensure that port 443 (HTTPS) is open between the Nasuni Edge Appliance and the object storage solution.
Amazon
While the IP list for *.nasuni.com is limited to just a few machines, the distributed nature of Amazon S3 means that there are many IP addresses in multiple large blocks, to the point that Amazon does not recommend safelisting S3 by IP address.
Tip: If you must use IP addresses (not recommended), note these considerations:
For Amazon Web Services (AWS), the IP ranges are published here: https://ip-ranges.amazonaws.com/ip-ranges.json.
Microsoft Azure
Tip: If you must use IP addresses (not recommended), note these considerations:
For Microsoft Azure, the IP ranges are published here: https://www.microsoft.com/en-us/download/confirmation.aspx?id=41653. Download the Microsoft Azure Datacenter IP Ranges XML file.
Google Cloud Storage
For accessing Google Cloud Storage, safelist the service IP addresses, as specified in https://www.gstatic.com/ipranges/goog.json.
Nasuni Management Console (NMC)
This section will guide you in configuring your network to install and configure the Nasuni Management Console (NMC).
The Nasuni Management Console (NMC) enables you to monitor and manage many Nasuni Edge Appliances from one central Web-based interface. Using the Nasuni Management Console, you can view the status of all of your Nasuni Edge Appliances, as well as configure their settings. Using the Nasuni Management Console, you can also ensure consistent settings by applying changes to all appliances with one operation.
Summary of frequently used firewall and port settings.
See below for detailed information that might apply to your site.
Port 443
Port 443 (HTTPS) must be open outbound from the NMC to Nasuni. Port 443 is also used inbound for Nasuni Management Console administrative access and for the NMC API.
Tip: Certain firewall manufacturers offer Nasuni application types for their safelists or allow lists, which should be enabled.
We distinguish an Administrative path, a Control path, and a Data/Metadata path.
For the Control path, ensure that port 443 is open to the following FQDNs:
FQDN | Meaning |
---|---|
alerts.api.nasuni.com | Endpoint for service that Edge Appliances and NMCs use to send alerts to NOC. |
am1.portal.api.nasuni.com | Endpoint for Nasuni Portal API. |
arbiter-http-frankfurt.gfl.api.nasuni.com | Endpoint for Write Oplock support for Advanced GFL. |
arbiter-http-ireland.gfl.api.nasuni.com | Endpoint for Write Oplock support for Advanced GFL. |
arbiter-http-oregon.gfl.api.nasuni.com | Endpoint for Write Oplock support for Advanced GFL. |
arbiter-http-singapore.gfl.api.nasuni.com | Endpoint for Write Oplock support for Advanced GFL. |
arbiter-http-sydney.gfl.api.nasuni.com | Endpoint for Write Oplock support for Advanced GFL. |
arbiter-http-virginia.gfl.api.nasuni.com | Endpoint for Write Oplock support for Advanced GFL. |
arbiter-ws-frankfurt.gfl.api.nasuni.com | Endpoint for Write Oplock support for Advanced GFL. |
arbiter-ws-ireland.gfl.api.nasuni.com | Endpoint for Write Oplock support for Advanced GFL. |
arbiter-ws-oregon.gfl.api.nasuni.com | Endpoint for Write Oplock support for Advanced GFL. |
arbiter-ws-singapore.gfl.api.nasuni.com | Endpoint for Write Oplock support for Advanced GFL. |
arbiter-ws-sydney.gfl.api.nasuni.com | Endpoint for Write Oplock support for Advanced GFL. |
arbiter-ws-virginia.gfl.api.nasuni.com | Endpoint for Write Oplock support for Advanced GFL. |
as1.portal.api.nasuni.com | Endpoint for Nasuni Portal API. |
auth.api.nasuni.com | Endpoint for service that Edge Appliances and NMCs use to authenticate during the Edge Appliance and NMC install wizard. |
*.blob.core.windows.net | For Azure Linux Agent (WALinuxAgent) to perform validation checks during boot and normal operations. |
config.api.nasuni.com | Endpoint for service that Edge Appliances and NMCs use to send configuration bundles (used for Recovery) to NOC. |
creds.api.nasuni.com | Endpoint for service that Edge Appliances and NMCs use to get SQS credentials (used for Edge Appliance and NMC communication). |
escrow.api.nasuni.com | Endpoint for service that Edge Appliances and NMCs use to send escrowed encryption keys to NOC. |
eu1.portal.api.nasuni.com | Endpoint for Nasuni Portal API. |
fda.api.nasuni.com | Endpoint to establish the communication link between the Edge Appliance and Nasuni File IQ. |
license.api.nasuni.com | Endpoint for service that Edge Appliances and NMCs use to get a license. |
metrics.api.nasuni.com | Endpoint for service that NMCs use to send metrics to NOC. |
metrics-dpv.api.nasuni.com | Endpoint for service that NMCs use to send data propagation visibility metrics to NOC. |
nasunicdn.s3.amazonaws.com | Endpoint for viewing Nasuni Release Notes from the Edge Appliance or NMC. |
nasuniscripts.s3.amazonaws.com | (Optional) Endpoint for debugging tools used by Nasuni Support to more quickly diagnose and fix problems. |
r3.api.nasuni.com | To get ransomware detection definition files for Ransomware Detection. |
sqs.us-east-2.amazonaws.com | Endpoints for Amazon AWS’s SQS service that Edge Appliances and NMCs use to communicate with each other. |
support-bridge.api.nasuni.com | Endpoint for connection to Edge Appliance from Nasuni Support. This allows Remote Support to be enabled. |
support-bridge02.api.nasuni.com | Endpoint for connection to Edge Appliance from Nasuni Support. This allows Remote Support to be enabled. |
support-bridge03.api.nasuni.com | Endpoint for connection to Edge Appliance from Nasuni Support. This allows Remote Support to be enabled. |
updates.api.nasuni.com | Endpoint for service that provides Edge Appliances and NMCs with software updates. |
Important: It is a best practice not to cache DNS entries for longer than the TTL that Nasuni specifies in DNS entries.
Note: Firewalls or any other security devices or software that process, inspect, or log port 443 traffic from the NMC can affect performance when the NMC is communicating with the cloud.
Tip: If you must use IP addresses (not recommended), note these considerations:
For Amazon Web Services (AWS), the IP ranges are published here: https://ip-ranges.amazonaws.com/ip-ranges.json. For access to the NOC (Nasuni Orchestration Center), including if using NMC, add to your firewall all IP address ranges with a region value of “us-east-1” or “us-east-2” and a service value of “AMAZON”.
For Microsoft Azure, the IP ranges are published here: https://www.microsoft.com/en-us/download/confirmation.aspx?id=41653. Download the Microsoft Azure Datacenter IP Ranges XML file.
Additionally, for Global File Lock, add the "AMAZON" ranges for the following regions, depending on the lock servers you are using.
Virginia, US or Oregon, US: us-east-1 and us-west-2.
Sydney, Australia or Singapore: ap-southeast-2 and ap-southeast-1.
Frankfurt, Germany or Dublin, Ireland: eu-central-1 and eu-west-1.
Other Ports
Port number | Protocol | Used for | Inbound (to NMC) | Outbound (from NMC) |
---|---|---|---|---|
25 | TCP | Simple Mail Transfer Protocol (SMTP) processing for outgoing email messages. | N/A | Optional, if using external servers for email for NMC messages. |
123 | UDP | Connecting to Network Time Protocol (NTP) servers. | N/A | An NTP server must be accessible by the NMC. If the chosen NTP server is on the Internet, port 123 must be open. |
161, 162 | UDP | Simple Network Management Protocol (SNMP). | 161: Optional. Open from the SNMP managers that poll the NMC. | 162: Optional. Open to the external SNMP trap receivers, if trap addresses are configured. |
Optional Ports
The NMC has several ports that are optional to be open on your network:
25 – SMTP: You can configure the NMC to use your local SMTP server. However, if you use the default settings, you must open port 25 on your network so that the NMC can send you alerts via SMTP if you configure it to do so.
123 – NTP (Network Time Protocol): An NTP server must be accessible by the NMC. If the chosen NTP server is on the Internet, outbound port 123 must be open. The default NTP servers are from time.nasuni.com.
161 – SNMP: You can configure the NMC to use SNMP. However, if you use the default settings, you must open port 161 on your network.
Ports for internal network firewalls
In addition to the preceding, for environments with internal network firewalls and segmentation, the following port configurations between users and the NMC might be necessary for the respective protocol to function.
Inbound (to NMC)
Port number | Protocol | Used for | Inbound (to NMC) |
---|---|---|---|
123 | UDP | Connecting to Network Time Protocol (NTP) servers. | N/A |
161 | UDP | SNMP | Open to clients that need to use SNMP. |
222 | TCP | SSH for Support usage. | Close this port. If Nasuni Customer Support requests you to open this port, open this port temporarily to all clients/ranges. |
443 | TCP | To administer the Nasuni Management Console (NMC) and to use the NMC API. | Nasuni recommends opening this port to all clients/ranges; restrict it to the administrator and API client ranges where possible. |
Outbound (from NMC)
Port number | Protocol | Used for | Outbound (from NMC) |
---|---|---|---|
88 | UDP | Kerberos | (Optional) Open to the Active Directory domain controllers (KDCs) that the NMC authenticates against. |
123 | UDP | Connecting to Network Time Protocol (NTP) servers. | An NTP server must be accessible by the appliance. If the chosen NTP server is on the Internet, port 123 must be open. |
162 | UDP | SNMP traps | Open to the configured SNMP trap receivers. |
514 | UDP | Syslog | Open to the hosts that act as Syslog receivers. |
HTTPS proxy server configuration
The HTTPS proxy server acts as an intermediary between your client machine and external resources. This allows you to conceal the IP address of the client machine. All HTTPS traffic goes through the proxy server that you specify. HTTPS traffic includes:
Nasuni Management Console Administrative Access.
NOC traffic.
To configure the HTTPS proxy server, you need the hostname or IP address of the proxy server, as well as the port number used by the proxy server. If a username and password are required to authenticate with the proxy server, those are also necessary.
You can specify hostnames or IP addresses that need not be routed through the proxy server. These would include trusted hosts that do not require the protection of the proxy server. These hosts are still protected by HTTPS access.
Alternatively, instead of using the HTTPS proxy, you can allow outbound traffic from the IP address of the NMC on port 443. That reduces the load on your HTTPS proxy.
Configuring internal firewall
The internal firewall must open the following ports:
TCP/UDP Port 88 (Optional): for Kerberos authentication.
TCP/UDP Port 135 (Optional): for Remote Procedure Call traffic.
TCP/UDP Port 389 (Optional): for LDAP.
TCP Port 443: for HTTPS (NMC).
TCP/UDP Port 464 (Optional): for Kerberos Password Change.
An NTP server must be accessible by the appliance. If the chosen NTP server is on the Internet, outbound port 123 must be open.
Platform-specific considerations for installing appliances
Certain platforms require specific configurations for installing appliances.
Microsoft Azure
For installing on Microsoft Azure, follow these suggestions:
Running the Nasuni Edge Appliance or NMC on the Microsoft Azure platform is like running these systems outside of your business. Unused ports should not be exposed to the public Internet, including the SSH port, port 222.
Outbound ports: Microsoft Azure does not enable restricting outbound traffic. Nasuni recommends allowing outgoing traffic on all ports to all hosts for the Nasuni Edge Appliance and NMC.
Inbound: Here are recommendations for the following ports:
Port 123 UDP: N/A.
Port 161 UDP: Open to clients that need to use SNMP.
Port 222 SSH: Close this port. If Nasuni Customer Support requests you to open this port, open this port temporarily to all clients/ranges.
Port 443 TCP: Used for administration access to the NMC. If these features are in use, Nasuni recommends opening this port to all clients/ranges.
Amazon EC2
For installing on Amazon EC2, follow these suggestions:
Running the Nasuni Edge Appliance or NMC on the Amazon EC2 platform is similar to running these systems outside of your business. Unused ports should not be exposed to the public Internet, including the SSH port, port 222.
Outbound ports: Amazon EC2 does not enable restricting outbound traffic. Nasuni recommends allowing outgoing traffic on all ports to all hosts for the Nasuni Edge Appliance and NMC.
Inbound: Here are recommendations for the following ports:
Port 123 UDP: N/A.
Port 161 UDP: Open to clients that need to use SNMP.
Port 222 SSH: Close this port. If Nasuni Customer Support requests you to open this port, open this port temporarily to all clients/ranges.
Port 443 TCP: Used for administration access to the NMC. If these features are in use, Nasuni recommends opening this port to all clients/ranges.
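The inbound recommendations for Azure and EC2 above can be checked mechanically against an exported rule set. The following audit script is an added example, not Nasuni's code; it assumes rules are available as (port, protocol, source CIDR) tuples, and SAMPLE_RULES is a constructed rule set.

```python
"""Audit inbound firewall rules for a cloud-hosted Nasuni Edge Appliance / NMC.

Added example, not Nasuni's code. It encodes the inbound recommendations
from the Azure and EC2 sections: 443/tcp open, 161/udp only to SNMP
clients, 222/tcp (Support SSH) closed, 123/udp not needed inbound, and no
other unused port exposed to the public Internet. A rule is a
(port, protocol, source CIDR) tuple; SAMPLE_RULES is a constructed example.
"""

WORLD = {"0.0.0.0/0", "::/0"}       # "open to all clients/ranges"

# (port, protocol) -> recommended inbound handling from the document
POLICY = {
    (443, "tcp"): "open",           # NMC administration
    (161, "udp"): "restricted",     # SNMP clients only
    (222, "tcp"): "closed",         # Support SSH; open temporarily on request
    (123, "udp"): "n/a",            # NTP is outbound; no inbound rule needed
}


def audit_inbound(rules):
    """Return (severity, message) findings; an empty list means compliant."""
    findings, seen = [], set()
    for port, proto, src in rules:
        key = (port, proto.lower())
        seen.add(key)
        name = f"{port}/{proto.lower()}"
        policy = POLICY.get(key, "unexpected")
        if policy == "closed":
            findings.append(("high", f"{name} (Support SSH) reachable from {src}; "
                                     "keep closed unless Support requests it"))
        elif policy == "restricted" and src in WORLD:
            findings.append(("medium", f"{name} (SNMP) open to the Internet; "
                                       "limit it to SNMP clients"))
        elif policy == "n/a":
            findings.append(("low", f"{name} needs no inbound rule (NTP is outbound only)"))
        elif policy == "unexpected":
            sev = "high" if src in WORLD else "low"
            findings.append((sev, f"{name} is not a documented inbound port; exposed to {src}"))
    if (443, "tcp") not in seen:
        findings.append(("info", "443/tcp not allowed inbound; NMC administration unreachable"))
    return findings


SAMPLE_RULES = [                    # constructed, e.g. from an NSG/security group export
    (443, "tcp", "0.0.0.0/0"),      # fine: NMC administration to all clients
    (161, "udp", "10.20.0.0/16"),   # fine: SNMP limited to an internal range
    (222, "tcp", "0.0.0.0/0"),      # bad: Support SSH left open to the Internet
    (3389, "tcp", "0.0.0.0/0"),     # bad: undocumented port exposed
]

if __name__ == "__main__":
    for severity, message in audit_inbound(SAMPLE_RULES):
        print(f"[{severity}] {message}")
```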
Nasuni Access Anywhere (NAA)
This section documents the inbound ports and outbound services for Nasuni Access Anywhere Server.
Service | Protocol | Port | Function |
---|---|---|---|
Cloud FTPS | TCP | 21, 990, 20000-20100 | OPTIONAL FTP-compatible service |
SSH | TCP | 22 | SSH for initial configuration |
DNS | TCP, UDP | 53 | Outbound from the NAA to DNS servers |
HTTP | TCP | 80 | Redirects to the main website |
LDAP | TCP, UDP | 389 | Outbound from the NAA to the domain controllers |
CloudDAV | TCP | 443 | OPTIONAL WebDAV-compatible service |
HTTPS | TCP | 443 | Web app and API endpoint |
SMB | TCP | 445 | Outbound from the NAA to the NEA |
LDAPS | TCP, UDP | 636 | Outbound from the NAA to the domain controllers |
Cloud SFTP | TCP | 2200 | OPTIONAL SSH File Transfer Protocol. Uses default RSA key |
Config Server | TCP | 8080 | Installation website (temporary) |
Edge Extend Server | UDP | 8443 | OPTIONAL endpoint for Edge Extend Agents |
External Service Connectivity
The NAA Appliance requires connectivity to the following external services.
Note the following:
“Ingress” refers to traffic originating from outside of the NAA Server and being routed to the NAA Server.
“Egress” refers to traffic originating from the NAA Server and being routed to another listed service.
This list DOES NOT include:
Storage Connectors that customers are using. Customers should consult their storage vendor regarding these.
SMTP or Mail Relay Services — Customers are required to bring their own. This would be egress access, but the destination is unknown to Nasuni.
Integrations such as NAA’s Microsoft Teams integration happen directly between the User and NAA Server. It is assumed that the users can reach the NAA Server without restriction through their web browser.
It is assumed that local user machines are not restricted in terms of hosts that they can connect to directly. For example, NAA’s AutoCAD Viewer renders pages hosted at autocad-viewer.storagemadeeasy.com.
Host | Direction | Destination Port | Function |
---|---|---|---|
LetsEncrypt | Ingress + Egress | 80 / 443 | OPTIONAL Let’s Encrypt if used to create licenses. See Integration Guide - Firewall Configuration. |
www.geoplugin.net | Egress | 80 | OPTIONAL Enable GEO-IP look-ups, mapping IP address to location. |
api.twillio.com | Egress | 443 | OPTIONAL Sharing - Twilio SMS - Required if enabling Twilio integration for SMS Sending. |
autocad-viewer.storagemadeeasy.com | Ingress | 443 | OPTIONAL AutoCAD Previewer - Required if using the hosted AutoCAD previewer |
cadviewer-us.api.nasuni.com | Ingress | 443 | OPTIONAL 2309 AutoCAD Previewer - Required if using the hosted AutoCAD previewer |
database.clamav.net | Egress | 443 | OPTIONAL ClamAV (freshclam) location for pulling updated Clam signatures. |
docs.google.com | Ingress | 443 | OPTIONAL Google Viewer - Required if Google Viewer has been enabled for document previewing |
eu.storagemadeeasy.com | Ingress | 443 | OPTIONAL Slack file sharing. |
filer.api.nasuni.com | Egress | 443 | REQUIRED Automatic license provisioning |
graph.microsoft.com | Egress | 443 | OPTIONAL SAML - Azure AD - Required if using the MS Graph integration for Group lookups |
metrics.api.nasuni.com | Egress | 443 | Endpoint for service to send metrics to NOC. |
onenote.officeapps.live.com | Egress | 443 | OPTIONAL MS Office Online - WOPI Host Discovery |
registry.storagemadeeasy.com | Egress | 443 | REQUIRED Software repository for downloading containerized services |
registry-1.docker.io | Egress | 443 | REQUIRED Software repository for downloading public containerized services |
repo.storagemadeeasy.com | Egress | 443 | REQUIRED Software repositories for downloading updates |
slack-us.api.nasuni.com | Ingress | 443 | OPTIONAL 2309 Slack file sharing. |
vision.googleapis.com | Egress | 443 | OPTIONAL Content Intelligence - Google Vision - Required for pushing content up to Google |
wopi-proxy-eu.storagemadeeasy.com | Ingress | 443 | DEPRECATED OPTIONAL MS Office Online - Required if using MS Office Online Editing with EU Location (Deprecated). |
wopi-us.api.nasuni.com | Ingress | 443 | OPTIONAL PLANNED FOR FUTURE USE MS Office Online - Required if using MS Office Online Editing (single or collaborative mode) |
Nasuni File IQ Appliance
This section documents the inbound ports and outbound services for Nasuni File IQ.
Note: The Nasuni Edge Appliance (NEA) port configurations also apply to the Nasuni File IQ Appliance.
Port 9093 (Outbound)
Ensure that port 9093 is open to the following FQDNs:
Port number | FQDN | Meaning |
---|---|---|
9093 | *.servicebus.windows.net | Nasuni File IQ uses the Azure event hub, which requires this endpoint to be accessible by the Nasuni File IQ Appliance. |
Other Ports (Inbound)
Port number | Meaning |
---|---|
3000 | Open from your internal network to access the Nasuni File IQ Grafana interface directly or via NAT. |
Port 443
Port 443 is used for NIQ.
We distinguish an Administrative path, a Control path, and a Data/Metadata path.
For the Control path, ensure that port 443 is open to the following FQDNs:
FQDN | Meaning |
---|---|
am1.portal.api.nasuni.com | Endpoint for Nasuni Portal API. |
arbiter-http-frankfurt.gfl.api.nasuni.com | Endpoint for Write Oplock support for Advanced GFL. |
arbiter-http-ireland.gfl.api.nasuni.com | Endpoint for Write Oplock support for Advanced GFL. |
arbiter-http-oregon.gfl.api.nasuni.com | Endpoint for Write Oplock support for Advanced GFL. |
arbiter-http-singapore.gfl.api.nasuni.com | Endpoint for Write Oplock support for Advanced GFL. |
arbiter-http-sydney.gfl.api.nasuni.com | Endpoint for Write Oplock support for Advanced GFL. |
arbiter-http-virginia.gfl.api.nasuni.com | Endpoint for Write Oplock support for Advanced GFL. |
arbiter-ws-frankfurt.gfl.api.nasuni.com | Endpoint for Write Oplock support for Advanced GFL. |
arbiter-ws-ireland.gfl.api.nasuni.com | Endpoint for Write Oplock support for Advanced GFL. |
arbiter-ws-oregon.gfl.api.nasuni.com | Endpoint for Write Oplock support for Advanced GFL. |
arbiter-ws-singapore.gfl.api.nasuni.com | Endpoint for Write Oplock support for Advanced GFL. |
arbiter-ws-sydney.gfl.api.nasuni.com | Endpoint for Write Oplock support for Advanced GFL. |
arbiter-ws-virginia.gfl.api.nasuni.com | Endpoint for Write Oplock support for Advanced GFL. |
as1.portal.api.nasuni.com | Endpoint for Nasuni Portal API. |
eu1.portal.api.nasuni.com | Endpoint for Nasuni Portal API. |
fda.api.nasuni.com | Endpoint to establish the communication link between the Edge Appliance and Nasuni File IQ. |
support-bridge.api.nasuni.com | Endpoint for connection from Nasuni Support. This allows Remote Support to be enabled. |
support-bridge02.api.nasuni.com | Endpoint for connection from Nasuni Support. This allows Remote Support to be enabled. |
support-bridge03.api.nasuni.com | Endpoint for connection from Nasuni Support. This allows Remote Support to be enabled. |
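Both the NAA external-services table and the File IQ tables list outbound endpoints that an egress allow-list must cover, and the File IQ entry uses a wildcard (*.servicebus.windows.net). The following coverage check is an added example, not Nasuni's code; REQUIRED_EGRESS is a subset taken from those tables (the REQUIRED NAA hosts, the 9093 wildcard, and some Control path FQDNs), SAMPLE_ALLOWLIST is constructed, and it assumes the usual firewall reading of a wildcard entry, namely that *.example.com matches any host with at least one label in front of example.com.

```python
"""Check that an egress allow-list covers the required Nasuni endpoints.

Added example, not Nasuni's code. REQUIRED_EGRESS is taken from the NAA
external-services table (hosts marked REQUIRED) and the File IQ tables
(port 9093 to *.servicebus.windows.net, port 443 Control path FQDNs).
Assumption: a wildcard such as *.nasuni.com matches any host with one or
more labels before nasuni.com; the bare domain itself is not matched.
"""

REQUIRED_EGRESS = [
    ("filer.api.nasuni.com", 443),           # NAA: automatic license provisioning
    ("registry.storagemadeeasy.com", 443),   # NAA: containerized services
    ("registry-1.docker.io", 443),           # NAA: public containerized services
    ("repo.storagemadeeasy.com", 443),       # NAA: software updates
    ("*.servicebus.windows.net", 9093),      # File IQ: Azure event hub
    ("fda.api.nasuni.com", 443),             # File IQ Control path
    ("am1.portal.api.nasuni.com", 443),      # File IQ Control path
    ("support-bridge.api.nasuni.com", 443),  # File IQ Control path
]


def _is_wild(entry):
    return entry.startswith("*.")


def covers(allow, host):
    """True if allow-list entry `allow` covers `host` (either may be a wildcard)."""
    allow, host = allow.lower(), host.lower()
    if not _is_wild(allow):
        return allow == host                 # an exact entry covers only itself
    suffix = allow[1:]                       # "*.nasuni.com" -> ".nasuni.com"
    if _is_wild(host):
        # a required wildcard is covered only by an equal or broader wildcard
        return host == allow or host[1:].endswith(suffix)
    return host.endswith(suffix)             # leading dot blocks "evilnasuni.com"


def missing_egress(allowlist, required=REQUIRED_EGRESS):
    """Return the (host, port) pairs in `required` that no allow-list entry covers."""
    return [(h, p) for h, p in required
            if not any(p == ap and covers(ah, h) for ah, ap in allowlist)]


SAMPLE_ALLOWLIST = [                         # constructed egress allow-list
    ("*.nasuni.com", 443),
    ("*.storagemadeeasy.com", 443),
    ("*.servicebus.windows.net", 9093),
]

if __name__ == "__main__":
    for host, port in missing_egress(SAMPLE_ALLOWLIST):
        print(f"not covered: {host}:{port}")
```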
Technical Support
Online self-help resources and Technical Support are available at www.nasuni.com/support.
Copyright © 2010-2024 Nasuni Corporation. All rights reserved.