Mentor • 49 Messages
What firewall ports do I need open?
Important Note: You MUST have a working knowledge of how to make updates to your firewall in order to utilize the information in this article. AT&T cannot provide detailed information on the specific method of updating every possible firewall device and solution which might be available. Please refer to the documentation for your firewall solution for details on how to implement the rules to allow the necessary ports and protocols specified below.
The information in this article was copied from the AT&T Global Network Client Administrator's Guide. Please refer to the Admin Guide as the master source for this information.
nortonlax • Mentor • 49 Messages • 13 years ago
Network Firewalls
You may need to alter your network firewall configuration to allow AT&T Client management and VPN traffic to route properly. The table below lists the required changes.
| Source | Dest | Protocol/Port (Source) | Protocol/Port (Dest) | Action | Reason for opening |
|---|---|---|---|---|---|
| Local PC | Gateway IPs[1] | ESP (50) | ESP (50) | Allow | IPSec |
| Gateway IPs | Local PC | ESP (50) | ESP (50) | Allow | IPSec |
| Local PC | 165.87.194.246 | TCP:1024+ | TCP:21 | Allow | Update of the AT&T Global Network Client Software (Passive FTP) |
| Local PC | 129.37.0.113 | TCP:1024+ | HTTP:80 | Allow | SLA Data collectors |
| Local PC | 32.97.118.242 | TCP:1024+ | HTTP:80 | Allow | SLA Data collectors |
| Local PC | 32.97.166.118 | TCP:1024+ | HTTP:80 | Allow | Access Point Updates |
| Local PC | SMiX List | TCP:1024+ | HTTP:80 | Allow | Authentication |
| Local PC | Gateway IPs | TCP:1024+ | TCP:443 | Allow | SSL |
| Local PC | Gateway IPs | UDP:1024+,500 | UDP:500 | Allow | IPSec |
| Gateway IPs | Local PC | UDP:500 | UDP:1024+,500 | Allow | IPSec |
| Local PC | Gateway IPs | UDP:1024+ | UDP:1024+,4500 | Allow | IPSec |
| Gateway IPs | Local PC | UDP:1024+,4500 | UDP:1024+ | Allow | IPSec |
| Local PC | Gateway IPs | UDP:1024+ | UDP:5080 | Allow | AT&T VIG Server Health Check |

Figure 67: Network Firewall Configuration Table
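A quick way to sanity-check a proposed rule set against the table above is to encode each row and ask whether a given flow matches any Allow row. The script below is an added example, not AT&T's code: 10.0.0.5 (the local PC) and 192.0.2.10 (the gateway) are placeholders, since the real gateway list comes from AT&T Customer Service (footnote [1]), and the SMiX set is trimmed to two of the Figure 68 addresses. It reads the table's port notation literally ("1024+" is that port and above, "1024+,500" is either), and it shows one consequence of that notation: the gateway-bound UDP 1024+ to 1024+,4500 row already covers the UDP 5080 health check, so a firewall that implements the rows as written allows it twice.

```python
"""Check a flow against the network-firewall table (Figure 67).

Added example, not AT&T's code. Addresses marked "placeholder" are made up:
the real gateway list comes from AT&T Customer Service (footnote [1]), and the
local PC address is whatever the user's machine has. The SMiX set is trimmed
to two entries from Figure 68 to keep the example short.
"""
from typing import Optional

LOCAL_PC = "10.0.0.5"                 # placeholder: the user's PC
GATEWAY_IPS = {"192.0.2.10"}          # placeholder: replace with the VIG/gateway list
SMIX_IPS = {"204.146.172.230", "32.96.129.230"}  # two of the Figure 68 entries

# One tuple per table row, in table order:
# (originating side, allowed destinations, protocol, source-port spec,
#  destination-port spec, reason).  Port specs use the table's own notation:
# "21" exact, "1024+" that port and above, "1024+,500" either.  ESP is an IP
# protocol (number 50) with no ports, so its specs are empty.
RULES = [
    ("pc", GATEWAY_IPS, "esp", "", "", "IPSec"),
    ("gw", {LOCAL_PC}, "esp", "", "", "IPSec"),
    ("pc", {"165.87.194.246"}, "tcp", "1024+", "21",
     "Update of the AT&T Global Network Client Software (Passive FTP)"),
    ("pc", {"129.37.0.113", "32.97.118.242"}, "tcp", "1024+", "80", "SLA Data collectors"),
    ("pc", {"32.97.166.118"}, "tcp", "1024+", "80", "Access Point Updates"),
    ("pc", SMIX_IPS, "tcp", "1024+", "80", "Authentication"),
    ("pc", GATEWAY_IPS, "tcp", "1024+", "443", "SSL"),
    ("pc", GATEWAY_IPS, "udp", "1024+,500", "500", "IPSec"),      # IKE
    ("gw", {LOCAL_PC}, "udp", "500", "1024+,500", "IPSec"),       # IKE reply
    ("pc", GATEWAY_IPS, "udp", "1024+", "1024+,4500", "IPSec"),   # NAT traversal
    ("gw", {LOCAL_PC}, "udp", "1024+,4500", "1024+", "IPSec"),    # NAT traversal reply
    ("pc", GATEWAY_IPS, "udp", "1024+", "5080", "AT&T VIG Server Health Check"),
]


def port_matches(spec: str, port: Optional[int]) -> bool:
    """Interpret the table's port notation against one port number."""
    if spec == "":
        return port is None                   # ESP rows carry no ports
    if port is None:
        return False
    for part in spec.split(","):
        if part.endswith("+"):
            if port >= int(part[:-1]):
                return True
        elif port == int(part):
            return True
    return False


def side(addr: str) -> Optional[str]:
    """Which end of the tunnel an address belongs to, if either."""
    if addr == LOCAL_PC:
        return "pc"
    if addr in GATEWAY_IPS:
        return "gw"
    return None


def evaluate(src: str, dst: str, proto: str,
             sport: Optional[int] = None, dport: Optional[int] = None) -> Optional[str]:
    """Return the reason from the first matching Allow row, or None (no row: denied)."""
    for rule_src, rule_dst, rule_proto, sspec, dspec, reason in RULES:
        if (side(src) == rule_src and dst in rule_dst and proto == rule_proto
                and port_matches(sspec, sport) and port_matches(dspec, dport)):
            return reason
    return None


if __name__ == "__main__":
    # Constructed flows: the first three are needed by the Client, the last two are not.
    flows = [
        (LOCAL_PC, "165.87.194.246", "tcp", 51234, 21),
        ("192.0.2.10", LOCAL_PC, "esp", None, None),
        ("192.0.2.10", LOCAL_PC, "udp", 4500, 51234),
        (LOCAL_PC, "192.0.2.10", "tcp", 51234, 80),      # gateway only takes 443
        (LOCAL_PC, "165.87.194.246", "tcp", 80, 21),     # source port below 1024
    ]
    for f in flows:
        verdict = evaluate(*f)
        print(f"{f[0]} -> {f[1]} {f[2]} {f[3]}->{f[4]}: "
              + (f"Allow ({verdict})" if verdict else "no matching row"))
```

The function returns the reason text of the first matching row so that a denied flow (None) can be distinguished from an allowed one, and so the output tells you which row a permitted flow relies on; a flow with a source port below 1024 is denied even to an otherwise-listed destination, which is what the "1024+" column means.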
SMiX List

| IP Address | Type | Region | Location |
|---|---|---|---|
| 204.146.172.230 | Internet | US | Columbus |
| 204.146.166.107 | Internet | US | Dallas |
| 204.146.172.237 | Internet | US | Columbus |
| 204.146.172.225 | Internet | US | Columbus |
| 204.146.166.105 | Internet | US | Dallas |
| 204.146.172.226 | Internet | US | Columbus |
| 204.146.219.1 | Internet | US | Dallas |
| 152.158.16.57 | Internet | EMEA | Portsmouth[2] |
| 152.158.2.57 | Internet | EMEA | Ehningen[3] |
| 210.88.144.203 | Internet | EMEA | London |
| 210.88.144.155 | Internet | EMEA | Frankfurt |
| 210.88.1.199 | Internet | AP | Tokyo |
| 210.88.144.43 | Internet | AP | Osaka |
| 210.88.0.130 | Internet | AP | Tokyo |
| 165.87.15.153 | Internet | CA | Toronto[4] |
| 165.87.17.153 | Internet | CA | Montreal[5] |
| 32.115.76.3 | Internet | CA | Toronto |
| 32.115.76.83 | Internet | CA | Montreal |
| 32.96.129.230 | Secure | US | Columbus |
| 32.96.129.237 | Secure | US | Dallas |
| 32.96.129.229 | Secure | US | Columbus |
| 32.96.129.227 | Secure | US | Columbus |
| 32.96.129.234 | Secure | US | Dallas |
| 32.96.129.228 | Secure | US | Columbus |
| 32.96.129.242 | Secure | US | Dallas |
| 32.239.254.6 | Secure | EMEA | Portsmouth[3] |
| 32.239.254.22 | Secure | EMEA | Ehningen[4] |
| 32.233.96.254 | Secure | AP | Osaka |
| 32.233.96.253 | Secure | AP | Tokyo |
| 32.233.96.252 | Secure | AP | Tokyo |
| 32.233.96.251 | Secure | AP | Osaka |
| 32.233.96.250 | Secure | AP | Tokyo |
| 32.230.250.1 | Secure | CA | Toronto |
| 32.230.250.5 | Secure | CA | Montreal |

Figure 68: SMiX Address Table
nortonlax • Mentor • 49 Messages • 13 years ago
Personal/Client Firewalls
The Client program uses IP to communicate with other computers on the network just like other network programs (such as web browsers and e-mail programs). Third-party personal firewalls can prohibit certain types of network communication. Running multiple firewalls on users’ PCs can cause difficulties and is not supported by AT&T.
Some firewalls must be configured to allow the Client to communicate with the network in order for client features to function properly. The table below lists the required changes. More information about the features is found in the list below the table.
| Feature | Protocol: Port |
|---|---|
| Dial Authentication | TCP:5053 |
| Disconnect Warning | UDP:7000 |
| Software Updates | TCP:20,21 |
| SLA Data Collection, Configuration Settings | HTTP/TCP:80 |
Figure 69: Client Firewall Configuration Table
Dial Authentication
The AT&T Client uses a proprietary enhanced authentication process using TCP:5053.
A customization could be made to the AT&T Client to disable enhanced authentication and use PAP, but it is not recommended. If disabled, the following consequences would occur:
Disconnect warning
The AT&T Client communicates with the dialed gateway after connecting using UDP:7000 to be notified of pending disconnects. Disconnect time limits are configured in the AT&T Administration Server. If the connection is idle for the specified amount of time a datagram is sent from the gateway to the Client and the Client displays a warning that the connection will be disconnected in 1 minute unless the user takes the appropriate action.
Maximum inactivity timeouts are set in the AT&T Configuration Server at the account level. The AT&T gateways will time out inactive connections regardless of the client used. The warning is only displayed if the Client is allowed to communicate on UDP port 7000.
This is not a critical feature, but it is recommended.
Software updates
The AT&T Client periodically checks for and downloads updates to the Access Point Directory and the executable program using anonymous FTP (TCP:20/21).
SLA data collection
The AT&T Client uploads data about all connection attempts using HTTP (TCP:80) to a server after connecting. This data is used for measuring SLAs (Service Level Agreements). If the SLA data is not collected, AT&T will not provide service-level guarantees.
AT&T requires companies to add policy rules to the company’s firewall to allow SLA data to be sent to those servers.
Configuration Updates
The AT&T Client requests configuration settings (such as start page, e-mail server, proxy server, etc.) from an AT&T Administration Server. The AT&T Client updates third-party e-mail and browser programs with these settings. AT&T recommends adding policy rules to the firewall to allow updates to be retrieved.
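When one of the features above silently stops working, the host firewall's drop log usually says why. The script below is an added example, not AT&T's code: it keys Figure 69 by protocol and port, parses log lines in the netfilter LOG key=value format (the lines and the "HOSTFW-DROP" prefix are constructed here, with 192.0.2.10 standing in for the dialed gateway and 10.0.0.5 for the user's PC), and reports which Client feature each dropped packet would break. The UDP 7000 case is handled as an inbound drop, because the disconnect-warning datagram is sent from the gateway to the Client; the other entries are outbound requests from the Client.

```python
"""Map dropped packets in a host-firewall log to the Client features of Figure 69.

Added example, not AT&T's code. The log lines are constructed here in the
netfilter LOG (key=value) format with a made-up "HOSTFW-DROP" prefix;
192.0.2.10 stands in for the dialed gateway and 10.0.0.5 for the user's PC.
"""
import re
from collections import defaultdict

# Figure 69, keyed by (protocol, remote port).  The disconnect warning is a
# datagram the gateway sends to the Client, so for UDP 7000 the relevant drop
# is inbound; the others are outbound requests from the Client.
CLIENT_FEATURES = {
    ("TCP", 5053): "Dial Authentication",
    ("UDP", 7000): "Disconnect Warning",
    ("TCP", 20): "Software Updates",
    ("TCP", 21): "Software Updates",
    ("TCP", 80): "SLA Data Collection, Configuration Settings",
}

# Constructed sample log: five drops that matter and one (TCP/443) that does not.
SAMPLE_LOG = """\
Mar  3 08:01:11 pc kernel: HOSTFW-DROP IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=49511 DPT=5053 SYN
Mar  3 08:01:40 pc kernel: HOSTFW-DROP IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.5 PROTO=UDP SPT=40000 DPT=7000 LEN=40
Mar  3 08:02:05 pc kernel: HOSTFW-DROP IN= OUT=eth0 SRC=10.0.0.5 DST=165.87.194.246 PROTO=TCP SPT=49520 DPT=21 SYN
Mar  3 08:02:09 pc kernel: HOSTFW-DROP IN= OUT=eth0 SRC=10.0.0.5 DST=129.37.0.113 PROTO=TCP SPT=49521 DPT=80 SYN
Mar  3 08:02:30 pc kernel: HOSTFW-DROP IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 PROTO=TCP SPT=49530 DPT=443 SYN
Mar  3 08:03:00 pc kernel: HOSTFW-DROP IN= OUT=eth0 SRC=10.0.0.5 DST=165.87.194.246 PROTO=TCP SPT=49522 DPT=21 SYN
"""

FIELD = re.compile(r"(\w+)=(\S*)")


def parse_drop(line):
    """Return the key=value fields of one LOG line, or None if it has no PROTO/DPT."""
    fields = dict(FIELD.findall(line))
    if "PROTO" not in fields or not fields.get("DPT", "").isdigit():
        return None
    # An interface in IN= means the packet arrived from the network.
    fields["direction"] = "inbound" if fields.get("IN") else "outbound"
    return fields


def triage(lines):
    """Group dropped packets by the Client feature their port belongs to."""
    broken = defaultdict(list)
    for line in lines:
        f = parse_drop(line)
        if f is None:
            continue
        feature = CLIENT_FEATURES.get((f["PROTO"], int(f["DPT"])))
        if feature:                       # drops on unrelated ports are ignored
            broken[feature].append(f)
    return dict(broken)


def report(broken):
    """One summary line per affected feature, with the first dropped flow as evidence."""
    lines = []
    for feature in sorted(broken):
        first = broken[feature][0]
        lines.append(f"{feature}: {len(broken[feature])} dropped, e.g. "
                     f"{first['direction']} {first['SRC']} -> {first['DST']} "
                     f"{first['PROTO']}/{first['DPT']}")
    return lines


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG.splitlines())):
        print(line)
```

Matching on port alone is deliberate: Figure 69 lists no destination addresses, and the point of the triage is to tie a drop back to a feature name that a user would recognise ("the disconnect warning never appears") rather than to a specific server.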
[1] When using the AT&T VIG as your Gateway, obtain the most recent list of VIG IP addresses from AT&T Customer Service.
[2] Location will change to London in July 2007
[3] Location will change to Frankfurt in July 2007
[4] Scheduled to be discontinued in April 2007
The official source of the above information is the AT&T Global Network Administrator's Guide Appendix B: Third Party Firewall Support. If there are any discrepancies between the information shown here and what is shown in the AT&T Global Network Client Administrator's Guide, please use the information from the Administrator's Guide. You can find the guide on the Documents page of this web site.