guides:firewall_settings

Differences

This shows you the differences between two versions of the page.

guides:firewall_settings [2025/06/19 20:51] greg.dapkus
guides:firewall_settings [2025/09/16 16:14] (current) 216.9.23.34
Line 5: Line 5:
  
  
-{{tablelayout?colwidth="335px,125px,250px"&rowsFixed=1&rowsVisible=15&float=center}}+{{tablelayout?colwidth="335px,125px,225px"&float=center}}
 ^ Host ^ IP Address ^ Description ^ ^ Host ^ IP Address ^ Description ^
 | dev-ws02.certna.org | 204.246.133.236 | APEX installation | | dev-ws02.certna.org | 204.246.133.236 | APEX installation |
Line 13: Line 13:
 | reports.certna.org | 204.246.133.238 | APEX production ERDS reports| | reports.certna.org | 204.246.133.238 | APEX production ERDS reports|
 | reports.certnag2g.org | 209.170.199.202 | APEX production G2G reports| | reports.certnag2g.org | 209.170.199.202 | APEX production G2G reports|
-| CeRTNA-APEX-g6bygtdgh0aqh0fh.z01.azurefd.us | * (Note 1) | APEX Cloud WAF | +| *.digicert.com | * | PKI certificates (Note 2) | 
-| *.digicert.com | * | DigiCert certificates (Note 2) | +| *.ssl.com | * | Code Signing certificate (Note 2) |
-| *.ssl.com | * | SSL Code Signing certificate (Note 2) |+
 | *.godaddy.com | * | SSL certificates (Note 2) | | *.godaddy.com | * | SSL certificates (Note 2) |
  
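Review bot: dropping the CeRTNA-APEX-g6bygtdgh0aqh0fh.z01.azurefd.us / APEX Cloud WAF row removes the table's only reference to Note 1; if Note 1 still describes the cloud WAF elsewhere on the page it is now orphaned, and if the WAF has been retired the table should say so. That row was also the only entry telling firewall administrators which host fronted APEX, so a one-line statement that the cloud WAF is no longer in use and that an existing allow rule for that host can be removed would keep customer rule sets from carrying a stale entry. The description edits (`PKI certificates (Note 2)`, `Code Signing certificate (Note 2)`) are fine and match the wording of Note 2.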
Line 25: Line 24:
   - Use wildcard domains if possible. (Ex: *.certna.org or *.certnag2g.org)   - Use wildcard domains if possible. (Ex: *.certna.org or *.certnag2g.org)
   - Use host names if possible. (Ex: apex-prd.certna.org or reports.certna.org)   - Use host names if possible. (Ex: apex-prd.certna.org or reports.certna.org)
-  - Last resort, use IP addresses. (Static IPs will be retired on Auguust 2,2025.) +  - Last resort, use IP addresses. 
-    - The IP of our cloud WAF is not Static. A list of possible ranges is below+
  
 The preceding list is sorted in order of preference. The preceding list is sorted in order of preference.
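Review bot: the sentence `(Static IPs will be retired on Auguust 2,2025.)` is removed without a replacement, yet the table above still lists 204.246.133.x and 209.170.199.202, so the page no longer says whether those addresses stay in service or when they go away; add one sentence such as "The static IP addresses remain in service" so administrators who scheduled a removal for that date have something to act on. With the WAF sub-bullet gone, `Last resort, use IP addresses.` is left with a trailing space. Since the list is "sorted in order of preference", it is worth noting that a wildcard rule such as `*.certna.org` is broader than the host-name rules in item 2, so an administrator whose firewall supports either is better served by the host names.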
Line 32: Line 30:
  
 **Note 2:** Several digital certificates are used in support of CeRTNA/APEX, these include SSL certificates, PKI certificates for digital signatures, PKI certificates for encryption/decryption, and code-signing certificates. The CeRTNA APEX application uses core WCF & .NET functionality to verify that the PKI certifcates are still valid and have not expired. Further, during the APEX installation/update process, the code-signing certificate is validated. The lower level WCF & .NET API's communicate using port 80 for OCSP and CRL certificate validation functions. It is important that your firewall team take this into consideration. **Note 2:** Several digital certificates are used in support of CeRTNA/APEX, these include SSL certificates, PKI certificates for digital signatures, PKI certificates for encryption/decryption, and code-signing certificates. The CeRTNA APEX application uses core WCF & .NET functionality to verify that the PKI certifcates are still valid and have not expired. Further, during the APEX installation/update process, the code-signing certificate is validated. The lower level WCF & .NET API's communicate using port 80 for OCSP and CRL certificate validation functions. It is important that your firewall team take this into consideration.
 +
 +=== Workstation Support ===
  
 In addition to the locations listed above, there are some additional hosts that you also want to allow in order to facilitate the retrieval of Windows Updates and for CeRTNA remote support. In addition to the locations listed above, there are some additional hosts that you also want to allow in order to facilitate the retrieval of Windows Updates and for CeRTNA remote support.
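Review bot: the new heading `=== Workstation Support ===` uses three equals signs, one level below the `==== ... ====` headings used elsewhere on this page (for example `==== Cloud WAF IP Ranges ====` in the old revision), so it will render as a sub-heading of whatever section precedes it; use `==== Workstation Support ====` unless that nesting is intended. Visible in the unchanged context, `certifcates` and `API's` in Note 2 should read `certificates` and `APIs`.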
Line 43: Line 43:
  
  
-**Note 3:** Support for Teams meetings and screensharing is also required for remote support of the APEX software and client installation+**Note 3:** Support for Teams meetings and screensharing is also required for remote support of the APEX software.  
  
-==== Cloud WAF IP Ranges ==== 
-    * 20.140.48.68/30 
-    * 20.140.56.68/30 
-    * 20.140.64.68/30 
-    * 20.140.72.68/30 
-    * 20.140.77.113/32 
-    * 20.140.147.200/29 
-    * 20.140.151.73/32 
-    * 20.140.151.74/31 
-    * 20.140.152.48/30 
-    * 20.141.10.208/29 
-    * 20.141.12.33/32 
-    * 20.141.12.34/31 
-    * 20.141.16.158/32 
-    * 20.141.18.104/29 
-    * 20.141.19.32/29 
-    * 20.159.108.84/30 
-    * 52.127.49.64/30 
-    * 52.181.33.42/32 
-    * 52.181.33.44/32 
-    * 52.181.33.46/32 
-    * 52.181.33.48/32 
-    * 52.181.33.50/32 
-    * 52.181.33.52/32 
-    * 52.181.33.54/32 
-    * 52.181.33.56/32 
-    * 52.182.32.230/32 
-    * 52.182.33.4/32 
-    * 52.182.33.6/32 
-    * 52.182.33.8/32 
-    * 52.182.33.10/32 
-    * 52.182.33.12/32 
-    * 52.182.33.14/32 
-    * 52.182.33.48/32 
-    * 52.227.226.250/32 
-    * 52.227.227.12/32 
-    * 52.227.227.23/32 
-    * 52.227.227.25/32 
-    * 52.227.227.29/32 
-    * 52.227.227.31/32 
-    * 52.227.227.33/32 
-    * 52.227.227.35/32 
-    * 52.235.253.120/29 
-    * 52.243.152.68/32 
-    * 52.243.155.57/32 
-    * 52.243.156.34/32 
-    * 52.243.156.157/32 
-    * 52.243.156.164/32 
-    * 52.243.156.166/32 
-    * 52.243.156.209/32 
-    * 52.243.156.212/32 
-    * 52.244.34.47/32 
-    * 52.244.34.118/32 
-    * 52.244.34.125/32 
-    * 52.244.34.127/32 
-    * 52.244.34.129/32 
-    * 52.244.34.131/32 
-    * 52.244.34.133/32 
-    * 52.244.34.135/32 
-    * 52.244.239.112/30 
-    * 52.245.153.184/29 
-    * 2001:489a:3103::5a0/123 
-    * 2001:489a:3103::7c0/123 
-    * 2001:489a:3203::5e0/123 
-    * 2001:489a:3303::5a0/123 
-    * 2001:489a:3303::7c0/123 
-    * 2001:489a:3403::5e0/123 
-    * 2001:489a:3604::5a0/123 
-    * 2001:489a:3604::7c0/123 
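Review bot: the Cloud WAF IP Ranges section (60 IPv4 and 8 IPv6 prefixes) is removed together with the WAF row above, but nothing in the new revision tells administrators who allowlisted these prefixes to take them out again; stale egress allows to Azure ranges that CeRTNA no longer uses are exactly what a firewall rule review should catch, so add a line stating that the cloud WAF ranges are no longer required and may be removed. The Note 3 rewording (dropping `and client installation`) is fine.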
guides/firewall_settings.1750366282.txt.gz · Last modified: by greg.dapkus