nortonlax (Mentor, 49 Messages), Wednesday, March 30th, 2011 3:08 PM

What firewall ports do I need open?

Important Note: You MUST have a working knowledge of how to make updates to your firewall in order to utilize the information in this article.  AT&T cannot provide detailed information on the specific method of updating every possible firewall device and solution which might be available.  Please refer to the documentation for your firewall solution for details on how to implement the rules to allow the necessary ports and protocols specified below.

The information in this article was copied from the AT&T Global Network Client Administrator's Guide.  Please refer to the Admin Guide as the master source for this information.

nortonlax (Mentor, 49 Messages), 13 years ago

Network Firewalls

You may need to alter your network firewall configuration to allow AT&T Client management and VPN traffic to route properly. The table below lists the required changes.

Source      | Dest            | Protocol Port Source | Protocol Port Dest | Action | Reason for opening
------------|-----------------|----------------------|--------------------|--------|-------------------
Local PC    | Gateway IPs[1]  | ESP (50)             | ESP (50)           | Allow  | IPSec
Gateway IPs | Local PC        | ESP (50)             | ESP (50)           | Allow  | IPSec
Local PC    | 165.87.194.246  | TCP:1024+            | TCP:21             | Allow  | Update of the AT&T Global Network Client Software (Passive FTP)
Local PC    | 129.37.0.113    | TCP:1024+            | HTTP:80            | Allow  | SLA Data collectors
Local PC    | 32.97.118.242   | TCP:1024+            | HTTP:80            | Allow  | SLA Data collectors
Local PC    | 32.97.166.118   | TCP:1024+            | HTTP:80            | Allow  | Access Point Updates
Local PC    | SMiX List       | TCP:1024+            | HTTP:80            | Allow  | Authentication
Local PC    | Gateway IPs     | TCP:1024+            | TCP:443            | Allow  | SSL
Local PC    | Gateway IPs     | UDP:1024+,500        | UDP:500            | Allow  | IPSec
Gateway IPs | Local PC        | UDP:500              | UDP:1024+,500      | Allow  | IPSec
Local PC    | Gateway IPs     | UDP:1024+            | UDP:1024+,4500     | Allow  | IPSec
Gateway IPs | Local PC        | UDP:1024+,4500       | UDP:1024+          | Allow  | IPSec
Local PC    | Gateway IPs     | UDP:1024+            | UDP:5080           | Allow  | AT&T VIG Server Health Check

Figure 67: Network Firewall Configuration Table

 

SMiX List

IP Address       | Type     | Region | Location
-----------------|----------|--------|-------------
204.146.172.230  | Internet | US     | Columbus
204.146.166.107  | Internet | US     | Dallas
204.146.172.237  | Internet | US     | Columbus
204.146.172.225  | Internet | US     | Columbus
204.146.166.105  | Internet | US     | Dallas
204.146.172.226  | Internet | US     | Columbus
204.146.219.1    | Internet | US     | Dallas
152.158.16.57    | Internet | EMEA   | Portsmouth[2]
152.158.2.57     | Internet | EMEA   | Ehningen[3]
210.88.144.203   | Internet | EMEA   | London
210.88.144.155   | Internet | EMEA   | Frankfurt
210.88.1.199     | Internet | AP     | Tokyo
210.88.144.43    | Internet | AP     | Osaka
210.88.0.130     | Internet | AP     | Tokyo
165.87.15.153    | Internet | CA     | Toronto[4]
165.87.17.153    | Internet | CA     | Montreal[5]
32.115.76.3      | Internet | CA     | Toronto
32.115.76.83     | Internet | CA     | Montreal
32.96.129.230    | Secure   | US     | Columbus
32.96.129.237    | Secure   | US     | Dallas
32.96.129.229    | Secure   | US     | Columbus
32.96.129.227    | Secure   | US     | Columbus
32.96.129.234    | Secure   | US     | Dallas
32.96.129.228    | Secure   | US     | Columbus
32.96.129.242    | Secure   | US     | Dallas
32.239.254.6     | Secure   | EMEA   | Portsmouth[3]
32.239.254.22    | Secure   | EMEA   | Ehningen[4]
32.233.96.254    | Secure   | AP     | Osaka
32.233.96.253    | Secure   | AP     | Tokyo
32.233.96.252    | Secure   | AP     | Tokyo
32.233.96.251    | Secure   | AP     | Osaka
32.233.96.250    | Secure   | AP     | Tokyo
32.230.250.1     | Secure   | CA     | Toronto
32.230.250.5     | Secure   | CA     | Montreal

Figure 68: SMiX Address Table
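As an added example (not from the post or from the AT&T Administrator's Guide), the script below transcribes the rows of Figure 67 as data and renders them as iptables FORWARD rules for a Linux perimeter firewall sitting between the user LAN and the Internet. The LAN range and the gateway addresses are constructed placeholders: the gateway/VIG list has to come from AT&T as footnote [1] says, and only two SMiX addresses from Figure 68 are included to keep the output short. "1024+" in the table is rendered as the port range 1024:65535.

```python
"""Render the Network Firewall Configuration Table (Figure 67) as iptables
FORWARD rules.  Flow rows are transcribed from the table; the LAN range and
gateway addresses are constructed placeholders, not AT&T values."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed placeholders (RFC 5737 documentation ranges).  Replace with the
# real LAN range and the gateway/VIG list obtained from AT&T (footnote [1]).
LAN_CIDR = "192.0.2.0/24"
GATEWAY_IPS = ["198.51.100.10", "198.51.100.11"]
# Two entries of the SMiX address table (Figure 68), for illustration only.
SMIX_IPS = ["204.146.172.230", "204.146.166.107"]

EPH = "1024:65535"  # the table's "1024+" (ephemeral client ports)


@dataclass(frozen=True)
class Flow:
    src: str      # "Local PC", "Gateway IPs", "SMiX List" or a literal address
    dst: str
    proto: str    # "esp", "tcp" or "udp"
    sports: str   # iptables multiport spec ("" for ESP, which has no ports)
    dports: str
    reason: str


# Transcribed from Figure 67, one entry per direction where the table lists both.
REQUIRED_FLOWS: List[Flow] = [
    Flow("Local PC", "Gateway IPs", "esp", "", "", "IPSec"),
    Flow("Gateway IPs", "Local PC", "esp", "", "", "IPSec"),
    Flow("Local PC", "165.87.194.246", "tcp", EPH, "21", "Client software update (passive FTP)"),
    Flow("Local PC", "129.37.0.113", "tcp", EPH, "80", "SLA data collectors"),
    Flow("Local PC", "32.97.118.242", "tcp", EPH, "80", "SLA data collectors"),
    Flow("Local PC", "32.97.166.118", "tcp", EPH, "80", "Access Point updates"),
    Flow("Local PC", "SMiX List", "tcp", EPH, "80", "Authentication"),
    Flow("Local PC", "Gateway IPs", "tcp", EPH, "443", "SSL"),
    Flow("Local PC", "Gateway IPs", "udp", f"{EPH},500", "500", "IPSec"),
    Flow("Gateway IPs", "Local PC", "udp", "500", f"{EPH},500", "IPSec"),
    Flow("Local PC", "Gateway IPs", "udp", EPH, f"{EPH},4500", "IPSec"),
    Flow("Gateway IPs", "Local PC", "udp", f"{EPH},4500", EPH, "IPSec"),
    Flow("Local PC", "Gateway IPs", "udp", EPH, "5080", "AT&T VIG server health check"),
]


def expand(name: str, table: Dict[str, List[str]]) -> List[str]:
    """Turn a symbolic endpoint into the concrete address list it stands for;
    a literal address expands to itself."""
    return table.get(name, [name])


def iptables_rules(flows: List[Flow] = REQUIRED_FLOWS, lan: str = LAN_CIDR,
                   gateways: List[str] = GATEWAY_IPS,
                   smix: List[str] = SMIX_IPS) -> List[str]:
    """Return one `iptables -A FORWARD ... -j ACCEPT` command per concrete
    (source address, destination address) pair derived from the table."""
    table = {"Local PC": [lan], "Gateway IPs": gateways, "SMiX List": smix}
    rules = []
    for f in flows:
        for s in expand(f.src, table):
            for d in expand(f.dst, table):
                parts = ["iptables", "-A", "FORWARD", "-s", s, "-d", d, "-p", f.proto]
                if f.proto != "esp":
                    # multiport accepts comma-separated ports and lo:hi ranges
                    parts += ["-m", "multiport", "--sports", f.sports,
                              "--dports", f.dports]
                parts += ["-m", "comment", "--comment", f'"{f.reason}"', "-j", "ACCEPT"]
                rules.append(" ".join(parts))
    return rules


if __name__ == "__main__":
    print("\n".join(iptables_rules()))
```

The rules are rendered for a firewall whose FORWARD chain has a default DROP; on a stateful firewall with a conntrack RELATED,ESTABLISHED rule the gateway-to-PC entries for UDP 500/4500 are covered by state tracking, but the table lists both directions and the script keeps them so the output can be compared row by row with Figure 67.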

nortonlax (Mentor, 49 Messages), 13 years ago

Personal/Client Firewalls

The Client program uses IP to communicate with other computers on the network just like other network programs (such as web browsers and e-mail programs). Third-party personal firewalls can prohibit certain types of network communication.  Running multiple firewalls on users’ PCs can cause difficulties and is not supported by AT&T.

Some firewalls must be configured to allow the Client to communicate with the network in order for client features to function properly.  The table below lists the required changes.  More information about the features is found in the list below the table.

 

Feature                                     | Protocol: Port
--------------------------------------------|---------------
Dial Authentication                         | TCP:5053
Disconnect Warning                          | UDP:7000
Software Updates                            | TCP:20,21
SLA Data Collection, Configuration Settings | HTTP/TCP:80

Figure 69: Client Firewall Configuration Table

Dial Authentication

The AT&T Client uses a proprietary enhanced authentication process using TCP:5053.

A customization could be made to the AT&T Client to disable enhanced authentication and use PAP, but it is not recommended.  If disabled, the following consequences would occur:

  • Meaningful error messages are lost. Instead of "invalid user ID", "expired password", "revoked password", etc. the user only sees "authentication failed."
  • Login retries are lost. The user must redial to change user ID or password.
  • The ability to warn a user if a closer access number is available is lost.
  • Ability to change passwords is lost.
  • The AT&T helpdesk will not provide first-level support without special arrangements.

Disconnect warning

The AT&T Client communicates with the dialed gateway after connecting using UDP:7000 to be notified of pending disconnects.  Disconnect time limits are configured in the AT&T Administration Server. If the connection is idle for the specified amount of time a datagram is sent from the gateway to the Client and the Client displays a warning that the connection will be disconnected in 1 minute unless the user takes the appropriate action.

Maximum inactivity timeouts are set in the AT&T Configuration Server at the account level. The AT&T gateways will timeout inactive connections regardless of the client used. The warning will only be displayed if the Client is allowed to communicate on UDP port 7000.

This is not a critical feature, but it is recommended.

Software updates

The AT&T Client periodically checks for and downloads updates to the Access Point Directory and the executable program using anonymous FTP (TCP:20/21).

SLA data collection

The AT&T Client uploads data about all connection attempts using HTTP (TCP:80) to a server after connecting.  This data is used for measuring SLAs (Service Level Agreements). If the SLA data is not collected, AT&T will not provide service-level guarantees.

AT&T requires companies to add policy rules to the company’s firewall to allow SLA data to be sent to those servers.

Configuration Updates

The AT&T Client requests configuration settings (like start page, e-mail server, proxy server, etc) from an AT&T Administration Server. The AT&T Client updates third-party e-mail and browser programs with these settings. AT&T recommends adding policy rules to the firewall to allow updates to be retrieved.

 


[1] When using the AT&T VIG as your Gateway, obtain the most recent list of VIG IP addresses from AT&T Customer Service.

[2] Location will change to London in July 2007

[3] Location will change to Frankfurt in July 2007

[4] Scheduled to be discontinued in April 2007



The official source of the above information is the AT&T Global Network Administrator's Guide Appendix B: Third Party Firewall Support. If there are any discrepancies between the information shown here and what is shown in the AT&T Global Network Client Administrator's Guide, please use the information from the Administrator's Guide. You can find the guide on the Documents page of this web site.
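Added example (not part of the post or of the AT&T guide): a Python checker that parses the Protocol: Port specs of Figure 69, including the "N+" and "a,b" forms used in these tables, and reports which Client features a host firewall's outbound allow-list would break, together with the consequence the post describes for each. The allow-list policies are constructed for illustration; HTTP/TCP:80 is treated as TCP.

```python
"""Check a personal/host firewall's outbound allow-list against the Client
Firewall Configuration Table (Figure 69).  Feature rows are transcribed from
the table; the policies at the bottom are constructed examples."""
import re
from typing import Dict, List, Tuple

# Feature -> "PROTO:ports", verbatim from Figure 69.
CLIENT_FEATURES: Dict[str, str] = {
    "Dial Authentication": "TCP:5053",
    "Disconnect Warning": "UDP:7000",
    "Software Updates": "TCP:20,21",
    "SLA Data Collection, Configuration Settings": "HTTP/TCP:80",
}

# What the post says is lost when each feature cannot reach the network.
CONSEQUENCE: Dict[str, str] = {
    "Dial Authentication": "enhanced authentication over TCP:5053 cannot complete",
    "Disconnect Warning": "no 1-minute warning before an idle disconnect (not critical, but recommended)",
    "Software Updates": "no Access Point Directory or program updates via anonymous FTP",
    "SLA Data Collection, Configuration Settings": "no service-level guarantees; e-mail/browser settings not retrieved",
}

PortRange = Tuple[int, int]
PolicyEntry = Tuple[str, int, int]   # (proto, low port, high port) allowed outbound


def parse_ports(spec: str) -> Tuple[str, List[PortRange]]:
    """Parse 'UDP:1024+,500' into ('udp', [(1024, 65535), (500, 500)]).
    'N+' means N up to 65535, 'a-b' is an inclusive range, plain N is one port.
    A 'HTTP/TCP' prefix is reduced to its transport protocol."""
    proto, _, ports = spec.partition(":")
    proto = proto.split("/")[-1].strip().lower()
    ranges: List[PortRange] = []
    for item in ports.split(","):
        m = re.fullmatch(r"(\d+)(\+|-(\d+))?", item.strip())
        if not m:
            raise ValueError(f"bad port item {item!r} in {spec!r}")
        lo = int(m.group(1))
        hi = 65535 if m.group(2) == "+" else (int(m.group(3)) if m.group(3) else lo)
        ranges.append((lo, hi))
    return proto, ranges


def covers(policy: List[PolicyEntry], proto: str, lo: int, hi: int) -> bool:
    """True if every port in [lo, hi] is allowed for proto by the union of the
    policy's entries (entries are merged in sorted order so gaps are detected)."""
    cur = lo
    for a, b in sorted((a, b) for p, a, b in policy if p == proto):
        if a > cur:          # a port below `a` is not allowed: gap found
            break
        if b >= cur:
            cur = b + 1
        if cur > hi:
            return True
    return cur > hi


def broken_features(policy: List[PolicyEntry]) -> Dict[str, str]:
    """Map every feature of Figure 69 that the policy would block to the
    consequence described in the post.  A feature needs all of its ports."""
    out: Dict[str, str] = {}
    for feature, spec in CLIENT_FEATURES.items():
        proto, ranges = parse_ports(spec)
        if not all(covers(policy, proto, lo, hi) for lo, hi in ranges):
            out[feature] = CONSEQUENCE[feature]
    return out


# Constructed sample policies.
WEB_ONLY_POLICY: List[PolicyEntry] = [("tcp", 80, 80), ("tcp", 443, 443), ("udp", 53, 53)]
FULL_POLICY: List[PolicyEntry] = WEB_ONLY_POLICY + [
    ("tcp", 5053, 5053), ("udp", 7000, 7000), ("tcp", 20, 21)]

if __name__ == "__main__":
    for feature, why in broken_features(WEB_ONLY_POLICY).items():
        print(f"BLOCKED {feature}: {why}")
```

Running it against the constructed web-only policy reports Dial Authentication, Disconnect Warning and Software Updates as blocked while SLA collection on TCP:80 still works; against the full policy nothing is reported.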
