Firewall Configuration

Overview

This section describes how to configure a firewall or similar network facility to allow the Partner System’s various network operations to work correctly. For a more in-depth description of the networking involved in various Partner Systems, please read Partner System Networking.

Many of these interactions take place within the corporate intranet LAN, while a few do take place across the far less secure Internet. Some organizations may strictly limit the ports and routes used by even internal software, while others may allow general communication within the intranet environment. The following instructions are based on the stricter policy and list the specific ports used. If you do not limit intranet communications by port, internal communications should work without special configuration.

Similarly, some organizations strictly limit outbound connections to Internet servers, even on common ports such as HTTP (80). Others may allow outbound connections in general, but limit inbound. Partner’s security architecture intentionally uses only outbound connections to Internet servers, so no inbound connections from the Internet need to be configured at all. Regardless, we’ll list the ports used so that you can design your firewall configuration to your satisfaction.

Be warned, however, that if a firewall prevents proper operation of the Partner System or any Partner application, Partner Support will not be able to assist beyond noting that a connectivity problem is present. Such problems may be due to faulty hardware or incorrect firewall configuration. Historically, troubleshooting these has proven very time-consuming for our staff, so please respect any request that you double-check your network and firewall configurations when we suspect they may be the cause.

For a quick checklist of the tasks involved in firewall configuration, see the following page Checklist: Firewall Configuration.

Details

Computer Names

Since network communications must be described as an interaction between two computers, we need a nomenclature for identifying the computer or computer role involved in each instruction.

The following names are used to denote these computers by their role:

  • Hub is the Partner Central Hub server,
  • Hosted Hub is a Partner Complete hosted Hub server,
  • iOS Update Hub is a hosted update server for iOS,
  • Directory Server is the hosted directory server,
  • User is the user install (laptop, desktop, etc.),
  • iOS User is an Apple iPad or iPhone device, and
  • Map Publisher is the Map Publisher machine.

Network Addresses

Network addresses for the computers involved will vary for each customer. Partner will provide you the specific DNS and/or IP addresses of the server machines as needed.

Generally, you either do not need the network addresses of client machines, or you already control them and can assign them yourself.

You may need some or all of the following addresses:

  • Hub
  • Hosted Hub
  • iOS Update Hub
  • Directory Server

Routing

This is obvious but bears repeating - if two computers cannot “see” each other via a valid IP route, then they cannot communicate at all. We recommend enabling the ICMP ping facility so that this can easily be tested. If ping is available, you can test routing by ensuring that each machine in a given communication is able to ping the other. Keep in mind what ping does and does not prove: a successful ping shows only that an IP route exists, not that the specific TCP port is reachable, so follow it with a connection test on the actual port; and because many networks block ICMP, a failed ping is not by itself proof of a routing problem.

Caching and Proxies

HTTP connections in particular are often intercepted by network proxy facilities. In general this is a bad idea for Partner System connections, and the Hub and any hosted server addresses should be exempted from proxying. Partner uses HTTP for a number of critical functions, particularly Update. When a proxy is configured for caching, Update clients sometimes fail to see changes on the server because the proxy serves stale copies of the files involved. This can be very difficult to diagnose, because the client and the server both appear to be working correctly.
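A quick way to tell whether a caching proxy sits between a User and the Hub is to look at the HTTP response headers the User actually receives. The shell function below is an added example, not part of this page or of Partner’s tooling: it reads response headers from standard input (for instance the output of `curl -sI` against a Hub URL, which is an assumption here since the page names no URL) and flags the standard Via and Age headers as well as the common X-Cache family. The two sample header blocks are constructed for the example.

```shell
#!/bin/sh
# Added example, not Partner's own tooling: report evidence of an intercepting
# or caching proxy from HTTP response headers read on standard input.
# Via (RFC 7230) and Age (RFC 7234) are standard; X-Cache, X-Cache-Lookup and
# X-Squid-Error are common vendor headers. Any other name is ignored.

# Constructed sample: what a User sees when a caching proxy is in the path.
SAMPLE_PROXIED='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Content-Type: application/octet-stream
Age: 5412
Via: 1.1 proxy.example.corp (squid/5.7)
X-Cache: HIT from proxy.example.corp
'

# Constructed sample: a direct response from the Hub.
SAMPLE_DIRECT='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Content-Type: application/octet-stream
Cache-Control: no-cache
'

# proxy_signs: prints one finding per line; returns 1 if anything was found,
# 0 if the headers look like a direct connection.
proxy_signs() {
    found=0
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')              # strip CRLF
        name=$(printf '%s' "$line" | cut -d: -f1 | tr 'A-Z' 'a-z')
        value=$(printf '%s' "$line" | cut -d: -f2- | sed 's/^ *//')
        case "$name" in
            via)
                echo "Via header present: $value"
                found=1 ;;
            age)
                # Age: 0 is normal for an origin-fresh response; only a
                # positive age means the object was served from a cache.
                if [ "$value" -gt 0 ] 2>/dev/null; then
                    echo "Age: $value s (served from cache)"
                    found=1
                fi ;;
            x-cache|x-cache-lookup|x-squid-error)
                echo "$name: $value"
                found=1 ;;
        esac
    done
    return $found
}

# Stand-alone run against the constructed samples.
echo "proxied sample:"
printf '%s\n' "$SAMPLE_PROXIED" | proxy_signs
echo "direct sample:"
printf '%s\n' "$SAMPLE_DIRECT" | proxy_signs && echo "(no proxy signs)"
```

In practice, run `curl -sI http://<Hub address>/ | proxy_signs` from a User machine (the path is whatever Update fetches from your Hub). Any finding means the path is proxied; a positive Age or an X-Cache HIT is exactly the stale-copy situation described above, and the Hub should be added to the proxy’s bypass list rather than tuned for caching.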

Protocol-Specific Firewalling

Be cautious when enabling protocol-specific rules such as application-layer inspection or content rewriting. In general, Partner network communications will fail if the data streams are modified in any way. Consult Partner System Networking for details on the protocols used.

Network Appliances

You may have a network appliance that serves a firewall or proxy role. There are many of these, and some provide a variety of functions (caching, content filtering, TLS interception, intrusion prevention) that may be enabled by default. Ensure that you know which functions are enabled and that no behaviors are active that you are unaware of.

Connection Direction

For each port, we’ve identified from and to computers. The from computer is the one initiating the connection. It needs to see the to computer and have access to the port listed on the to computer. The to computer has that port open and answers connections on that port.

This is very important, because most firewall facilities are configured in terms of “inbound” or “outbound” access. In our nomenclature, the from computer needs to be able to make an outbound connection on that port, and the to computer needs to be

Application-Specific Configuration

While there are some common features, different Partner products and applications have different network requirements. These are noted individually below.

Additional Integrations

Additional ports may be required for specific integrations (e.g. staking-to-accounting). The integration’s own documentation lists them.

Note these as well and configure them along with the generic requirements.

Changing Addresses

When addresses change, you may have to modify the Partner system configuration and your firewall configuration to match.

Partner will alert you whenever any hosted or otherwise Partner-controlled addresses change.

If the addresses of your Hubs or third-party servers change, notify Partner and go through the firewall process and checklist again to ensure that everything has been addressed.

Moving the Hub is a special case, with its own task documentation. See Moving a Partner Hub if that situation applies.

Port Requirements by Application

Please refer to the products below and configure your firewall to allow the products you have purchased access to the listed ports.

Partner Basic

From User to Hub:

  • TCP port 80 for updates

From Map Publisher to Hub:

  • TCP port 8002
  • TCP port 8004

Partner On iOS

From iOS User to Directory Server:

  • port 80

From iOS User to iOS Update Hub:

  • port 443

From Map Publisher to iOS Update Hub:

  • port 22

Field Designer

From User to Hub:

  • port 8000
  • port 8004
  • port 8002
  • port 3306
  • port 80

Partner Plus

This includes the application products Distribution Inspection, Damage Assessment, Right-of-Way and any other applications based on the Haversack platform that sync to the Partner Hub.

From User to Hub:

  • port 3306

Partner Complete

This includes the application products Mobile Outage, Damage Assessment, and any other applications based on the Haversack platform that sync to a hosted server.

From User to Directory Server:

  • port 80

From User to Hosted Hub:

  • port 443

From iOS User to Hosted Hub:

  • port 443
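Putting the Connection Direction rule together with the port lists above: each row is one from/to/port triple, the from host needs an outbound rule and the to host needs the matching inbound rule. The script below is an added example, not Partner’s own tooling or configuration. It encodes the Partner Basic and Field Designer rows from this page in a small table and prints the host-firewall rules each role would need; it assumes Linux iptables on the hosts, and the addresses are placeholders to be replaced with the ones Partner provides.

```shell
#!/bin/sh
# Added example, not Partner's own tooling. Turns the from/to/port table into
# host-firewall rules so the direction of each connection is explicit:
# the "from" host gets an OUTPUT rule, the "to" host gets an INPUT rule.
# Assumptions: Linux iptables on both hosts; all addresses are placeholders
# (not from the page) to be replaced with the ones Partner provides.

# Constructed table: "<from-role> <to-role> <tcp-port>", one row per line,
# copied from the Partner Basic and Field Designer entries on this page.
REQUIREMENTS='
User Hub 80
User Hub 8000
User Hub 8002
User Hub 8004
User Hub 3306
MapPublisher Hub 8002
MapPublisher Hub 8004
'

# Placeholder addresses (assumed; not from the page).
addr_of() {
    case "$1" in
        Hub)          echo 10.0.0.10 ;;
        MapPublisher) echo 10.0.0.20 ;;
        User)         echo 10.0.1.0/24 ;;   # assumed client subnet
        *)            echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# Rules for the host that initiates ("from"): new outbound connections to
# the peer's listed port.
from_rules() {
    printf '%s\n' "$REQUIREMENTS" | while read -r from to port; do
        [ -n "$from" ] && [ "$from" = "$1" ] || continue
        echo "iptables -A OUTPUT -p tcp -d $(addr_of "$to") --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Rules for the host that answers ("to"): new inbound connections on the
# listed port, only from the peer that is supposed to initiate them.
to_rules() {
    printf '%s\n' "$REQUIREMENTS" | while read -r from to port; do
        [ -n "$to" ] && [ "$to" = "$1" ] || continue
        echo "iptables -A INPUT -p tcp -s $(addr_of "$from") --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Full rule set for one host: a stateful baseline so the reply half of every
# connection is accepted in both directions, then its rows as initiator
# and as responder. A host that appears in neither column gets only the
# baseline, which is the intended result for a locked-down intranet.
host_rules() {
    echo "# rules for $1 ($(addr_of "$1"))"
    echo "iptables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    from_rules "$1"
    to_rules "$1"
}

# Stand-alone run: print the rules for every role in the table.
for role in User MapPublisher Hub; do
    host_rules "$role"
    echo
done
```

The output is meant to be read against your firewall’s own configuration rather than applied blindly: the Hub ends up with one INPUT rule per row (it is the to computer in every row here), the User and Map Publisher machines get only OUTPUT rules, and nothing opens an inbound port on a client. Adding the Partner Complete and iOS rows is a matter of adding lines to the table and addresses to addr_of; port 22 and 443 rows follow the same pattern.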