guides:firewall_settings

guides:firewall_settings [2025/04/15 16:51] greg.dapkusguides:firewall_settings [2025/09/16 16:14] (current) 216.9.23.34
Line 5: Line 5:
  
  
-{{tablelayout?colwidth="175px,125px,300px"&rowsFixed=1&rowsVisible=15&float=center}}+{{tablelayout?colwidth="335px,125px,225px"&float=center}}
 ^ Host ^ IP Address ^ Description ^ ^ Host ^ IP Address ^ Description ^
-| dev-ws02.certna.org | 204.246.133.236 | APEX installation host. +| dev-ws02.certna.org | 204.246.133.236 | APEX installation | 
-| apex-setup.certna.org | 204.246.133.236 | APEX installation host. +| apex-setup.certna.org | 204.246.133.236 | APEX installation | 
-| apex-prd.certna.org | 204.246.133.237 | APEX production ERDS application servers. +| apex-prd.certna.org | 204.246.133.237 | APEX production ERDS web
-| apex-prd.certnag2g.org | 209.170.199.196 | APEX production G2G application servers. +| apex-prd.certnag2g.org | 209.170.199.196 | APEX production G2G web
-| reports.certna.org | 204.246.133.238 | APEX production ERDS report servers. +| reports.certna.org | 204.246.133.238 | APEX production ERDS reports
-| reports.certnag2g.org | 209.170.199.202 | APEX production G2G report servers. +| reports.certnag2g.org | 209.170.199.202 | APEX production G2G reports
-| *.digicert.com | * | DigiCert PKI certificate services. (Note 1) | +| *.digicert.com | * | PKI certificates (Note 2) | 
-| *.ssl.com | * | SSL Code Signing certificate services. (Note 1) | +| *.ssl.com | * | Code Signing certificate (Note 2) | 
-| *.godaddy.com | * | SSL certificate services. (Note 1) | +| *.godaddy.com | * | SSL certificates (Note 2) |
-| checkip.dyndns.org | * | Used by APEX to obtain public IP address of client. (Note 2) |+
  
  
 CeRTNA no longer interfaces with Entrust, therefore, the references to *.entrust.com and *.entrust.net shown above have been stricken out. CeRTNA no longer interfaces with Entrust, therefore, the references to *.entrust.com and *.entrust.net shown above have been stricken out.
  
 +**Note 1:** CeRTNA recognizes that different firewalls are in service at our customers and that firewall features functions can vary broadly. CeRTNA prefers to minimize the amount of IT administrative support required by creating rules based on the following tolerance and/or capabilities of your firewall:
  
-**Note 1:** Several digital certificates are used in support of CeRTNA/APEX, these include SSL certificates, PKI certificates for digital signatures, PKI certificates for encryption/decryption, and code-signing certificatesThe CeRTNA APEX application uses core WCF & .NET functionality to verify that the PKI certifcates are still valid and have not expiredFurther, during the APEX installation/update process, the code-signing certificate is validatedThe lower level WCF & .NET API's communicate using port 80 for OCSP and CRL certificate validation functionsIt is important that your firewall team take this into consideration.+  - Use wildcard domains if possible. (Ex: *.certna.org or *.certnag2g.org) 
 +  - Use host names if possible(Ex: apex-prd.certna.org or reports.certna.org) 
 +  - Last resort, use IP addresses
  
-CeRTNA recognizes that different firewalls are in service at our customers and that firewall features functions can vary broadlyCeRTNA prefers to minimize the amount of IT administrative support required by creating rules based on the following tolerance and/or capabilities of your firewall:+The preceding list is sorted in order of preference.
  
-  * Use wildcard domains if possible. (Ex: *.certna.org or *.certnag2g.org) 
-  * Use host names if possible. (Ex: apex-prd.certna.org or reports.certna.org) 
-  * Last resort, use IP addresses. (This is the least preferred.) 
  
-The preceding list is sorted in order of preference.+**Note 2:** Several digital certificates are used in support of CeRTNA/APEX, these include SSL certificates, PKI certificates for digital signatures, PKI certificates for encryption/decryption, and code-signing certificates. The CeRTNA APEX application uses core WCF & .NET functionality to verify that the PKI certifcates are still valid and have not expired. Further, during the APEX installation/update process, the code-signing certificate is validated. The lower level WCF & .NET API's communicate using port 80 for OCSP and CRL certificate validation functions. It is important that your firewall team take this into consideration. 
 + 
 +=== Workstation Support ===
  
 In addition to the locations listed above, there are some additional hosts that you also want to allow in order to facilitate the retrieval of Windows Updates and for CeRTNA remote support. In addition to the locations listed above, there are some additional hosts that you also want to allow in order to facilitate the retrieval of Windows Updates and for CeRTNA remote support.
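Review bot: The context sentence "CeRTNA no longer interfaces with Entrust, therefore, the references to *.entrust.com and *.entrust.net shown above have been stricken out" is now stale, because no Entrust rows remain anywhere in the table above it; drop the sentence (or restore the rows with strikethrough if the aim is to document the removal), since an allow-list page that mentions hosts it no longer lists invites readers to keep rules for them. In the same hunk, the added rows for apex-prd.certna.org, apex-prd.certnag2g.org, reports.certna.org and reports.certnag2g.org appear without the closing `|` that DokuWiki requires on every table row, so confirm it survived the edit. Typos: "certifcates" in the new Note 2 should be "certificates", and "firewall features functions" in the new Note 1 reads better as "firewall features and functions". Finally, Note 2 says OCSP and CRL checks go over port 80 but leaves it to the reader to connect that to the three CA domains tagged "(Note 2)" in the table; stating that the port 80 rule is only needed toward those destinations lets the firewall team scope it instead of opening outbound HTTP generally.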
Line 39: Line 40:
 | *.update.microsoft.com | * | General Windows update domain. | | *.update.microsoft.com | * | General Windows update domain. |
  
-Configuring the firewall rules for Windows Updates and other fundamental OS support, for example, virus definition files for Symantec Endpoint Protection or other 3rd party anti-virus/anti-malware protection is the responsibility of your organizations IT staff. The information provided in the preceding table is here simply point out that there are additional URL's that may need to be accomodated beyond those that are required for APEX and/or CeRTNA functionality.+Configuring the firewall rules for Windows Updates and other fundamental OS support, for example, virus definition files for Endpoint Protection or other 3rd party system management tools is the responsibility of your organizations IT staff. The information provided in the preceding table is here simply point out that there are additional URL's that may need to be accommodated beyond those that are required for APEX and/or CeRTNA functionality.
  
  
-**Note 2:** Although APEX will function properly without knowing its public IP, allowing APEX to report the public IP of the client is very helpful in diagnostic and troubleshooting as it allows CeRTNA to identify the specific client traffic in our firewall. It preferred that you allow http://checkip.dyndns.org to be accessed from the ERDS or G2G workstation. Please note that the connection is made over the standard http port 80.+**Note 3:** Support for Teams meetings and screensharing is also required for remote support of the APEX software
  
-**Note 3:** Support for Teams meetings and screensharing is also required for remote support of the APEX software and client installation.  
  
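Review bot: The new Note 3 is cut off: "remote support of the APEX software" drops the previous revision's closing " and client installation." together with its period, so either the clause was removed deliberately or the edit was truncated; confirm, and restore at least the period. In the paragraph above it, "is here simply point out" is missing "to" in both revisions ("is here simply to point out"), "organizations IT staff" should be "organization's IT staff", and "URL's" should be "URLs". Renumbering this note from 3 after removing the checkip.dyndns.org row and its note in the earlier hunk is consistent, but the Teams note names no hosts or ports at all, so the firewall team has nothing to act on; listing the required endpoints, or linking to the vendor's published list, would make it actionable.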
guides/firewall_settings.1744735892.txt.gz · Last modified: by greg.dapkus