Firewall configuration for Enterprise Agents

Last updated: Wed Nov 28 13:59:51 GMT 2018

Problem

What firewall rules are required to allow an Enterprise Agent to execute tests, report data to the ThousandEyes platform, and access necessary infrastructure services such as the Domain Name Service (DNS) or the Network Time Protocol (NTP)?

Solution

Create rules to allow communication as follows.

| Protocol | Port | Destination | Direction [1] | Description |
|---|---|---|---|---|
| TCP | 53 | * | outbound | DNS Server tests |
| UDP | 53 | * | outbound | DNS queries |
| TCP | 80 | * | outbound | Web tests |
| UDP | 123 | NTP servers | outbound | NTP time synchronization |
| TCP | 443 | * | outbound | Web tests |
| TCP or UDP | 5060 | * | outbound | SIP Server tests |
| ICMP | n/a | * | outbound [2] | ICMP-based Network Layer Agent to Server tests, Path Visualization |
| UDP | As per Server Port field on Advanced Settings tab of the Voice Layer's RTP Stream Test (default = 49152) | * | inbound/outbound | Voice Layer Metrics |
| TCP and UDP | As per Server Port field on Advanced Settings tab of the Agent to Agent Test (default = 49153) | * | inbound/outbound | Agent to Agent tests |
| TCP | 443 | 192.150.160.0/24 and 208.185.7.0/24 | outbound | All Enterprise Agents, connections to ThousandEyes collector |
| TCP | 443 | sc1.thousandeyes.com, c1.thousandeyes.com, data1.agt.thousandeyes.com, crashreports.thousandeyes.com | outbound | All Enterprise Agents, connections to ThousandEyes collector (same as above, for domain-based firewalls) |
| TCP | 9119 and 9120 | ntrav.thousandeyes.com | outbound | NAT traversal [6] for TCP-based Agent to Agent tests |
| TCP and UDP | 9119 and 9120 | ntrav.thousandeyes.com | outbound | NAT traversal for UDP-based Agent to Agent tests |
| TCP | 443 | hub.docker.com | outbound | Docker-based Agents (install only) |
| TCP | 80 and 443 | yum.thousandeyes.com or apt.thousandeyes.com | outbound | All Enterprise Agents [3] |
| TCP | 80 | archive.ubuntu.com | outbound | Virtual Appliance and Ubuntu-based Linux package Agents |
| TCP | 80 | archive.canonical.com | outbound | Virtual Appliance and Ubuntu-based Linux package Agents that use Adobe Flash (optional) |
| TCP | 443 | cdn.redhat.com | outbound | RedHat Enterprise Linux-based Linux package Agents [4] |
| TCP | 80 | mirror.centos.org and mirrorlist.centos.org | outbound | CentOS-based Linux package Agents [4] |
| TCP | 80 | linuxdownload.adobe.com | outbound | RedHat Enterprise Linux-based and CentOS-based Linux package Agents that use Adobe Flash (optional) |
| TCP | 8998 | 127.0.0.1 | inbound | BrowserBot [5] |

Bracketed numbers refer to the Notes below.

Additionally, if a customer desires remote management connections that traverse a firewall, then the following connections may need to be allowed.

| Protocol | Port | Destination | Direction [1] | Description |
|---|---|---|---|---|
| TCP | 22 | Enterprise Agent | inbound | Secure Shell (SSH) [7] |
| TCP | 80 | Enterprise Agent | inbound | Virtual Appliance management [7] |
| TCP | 443 | Enterprise Agent | inbound | Virtual Appliance management (HTTPS) [7] |


Notes

  1. Direction assumes dynamic or stateful packet filtering (pseudo-stateful, in the case of stateless protocols like UDP and ICMP) which would permit the returning packets automatically. If your firewalling or filtering device uses static packet filters, you must create rules in both directions of the communication.

  2. For the Path Visualization layer, be certain that your routers and firewalls do not block ICMP time-to-live (TTL) exceeded messages (ICMP type 11) returning to the Enterprise Agent (inbound direction) if you want Path Visualization beyond your router or firewall. Both packet filtering rules and NAT rules (if NAT is used) will need to allow ICMP TTL exceeded messages from the target to the Enterprise Agent.

    Additionally, under certain circumstances path tracing may not work properly, such as when the Identification field in the IP headers of packets sent from the Agent to the target is modified by the firewall. This has been observed with certain NAT devices, such as Apple Airport wireless gateways.

  3. Enterprise Agents automatically perform periodic updates. Ubuntu-based systems (including Virtual Appliance-based and Docker-based Agents) use the apt.thousandeyes.com repository for ThousandEyes-specific packages; Red Hat and CentOS-based systems use the yum.thousandeyes.com repository for ThousandEyes-specific packages. For more information on the addressing of these repositories, consult the ThousandEyes Knowledge Base article Static IP addresses for ThousandEyes repositories.

  4. General Linux repositories for RedHat and CentOS can vary depending on the environment. Check your system's /etc/yum.repos.d for the full list of repositories that may need to be given access via http or https. These sites may be CDN-based. If your firewall or filtering device cannot dynamically resolve a hostname for a filter rule, you may need to manually determine the IP addresses periodically using a tool such as dig or nslookup, and update the filter rule.

  5. If the Browserbot package for Enterprise Agents has been installed (used by the Page Load and the Web Transaction test types), then the Agent process will try to make a connection to the Browserbot, which listens on port 8998/TCP of the loopback interface (normally 127.0.0.1). Some host-based Linux firewall software, such as iptables, requires that you explicitly allow loopback-based connections.

  6. Required only if Behind a NAT is checked on the Enterprise Agent's Settings page. For more information, see the ThousandEyes Knowledge Base article NAT Traversal for Agent to Agent Tests.

  7. The Virtual Appliance Enterprise Agents listen on port 22 TCP (SSH) and ports 80/443 TCP (Virtual Appliance web administration interface). Enterprise Agents installed using the Linux package method do not have these services installed by ThousandEyes. See Knowledge Base article How to set up the Virtual Appliance for more information. Depending on your organization's security policy, access to these ports may be allowed or blocked by default. If you wish to manage the Virtual Appliance with a remote connection which traverses firewalling or filtering devices, access to these ports must be allowed.