Firewall Configuration

If the Agent Mode is Private Server or Private Internet Server, the network performance monitoring packets (default port is 23999/UDP) and speed test packets (default port is 23999/TCP) must be forwarded from the firewall/router to the agent. A port forwarding rule is probably required on the firewall/router facing the agent.

For the majority of customers, nothing is required to let the agent communicate with the Internet. However, for customers with strict outbound firewall rules, here is the list of ports and domains the agent needs to communicate with:

• Port 53/UDP for DNS
• Port 67/UDP for DHCP (Hardware & Virtual Appliance agents)
• Port 80/TCP for HTTP
• Port 123/UDP for NTP (Hardware & Virtual Appliance agents)
• Port 161/UDP for SNMP (see Network Device Monitoring)
• Port 443/TCP for HTTPS and OpenVPN
• Port 23999/TCP for Speed Test
• Port 23999/UDP for Network Performance Monitoring
• ICMP (Echo & Time Exceeded) for Ping and Traceroute

Note: Port 23999 can be changed in the Advanced Parameters of the agents.

If the firewall has URL filtering, the following domains must be allowed:

• *.obkio.com (All agent types)
• *.amazonaws.com (All agent types)
• *.rollbar.com (All agent types)
• *.balena-cloud.com (Hardware & Virtual Appliance agents)
• *.docker.com (Hardware & Virtual Appliance agents)
• *.docker.io (Hardware & Virtual Appliance agents)
• *.debian.org (Hardware agents, Virtual Appliance agents and APM Web)

All the Obkio Back-end systems are hosted at AWS and the IP addresses of our servers can change at any time. For that reason, it is not possible to publish a list of fixed IP to authorize by our customers.

For the Hardware and Virtual Appliances, a remote VPN connection is established to let the Support Team access the appliances for troubleshooting and OS software upgrades. If the Support Team is not able to get access to the VPN, maybe the OpenVPN protocol is not enabled for port 443/TCP. This is the case when the firewall is configured to analyze the protocol and only let HTTPS traffic on port 443/TCP.

If port 123/UDP is blocked, the date on the hardware and virtual appliances will draft over time. At some point, the agent might not be able to validate the SSL certificates used to communicate with the back-end systems. If the NTP port is blocked, the Support Team can change them on the appliances.