I want to send push notifications to devices through the Apple push service server (APNS). Now the APNS requires an unproxied connection to them with some ports open.
To quote Apple from this link - Push providers, iOS devices, and Mac computers are often behind firewalls. To send notifications, you will need to allow inbound and outbound TCP packets over port 2195.
Now the security team is asking why we need to open both inbound and outbound when we will only be sending (outwards) the request to APNS.
Now I am no networking guy. My basic web brain tells me we will be sending a POST request (outwards as seen from my server) to APNS, and this POST request will have a response. For this response, I will need to open inbound traffic for that same port, i.e. 2195. Am I right?
I think your network is using a stateful/ZBF (Zone-Based Firewall). For getting the response of a request you need to open both inbound and outbound. The firewall for this port should be configured on "Inspection", which lets both inbound and outbound traffic through.
Related
I am trying to switch the REST calls from ReadyAPI to our application to AMQP messaging. There is an add-on for ReadyAPI that has the AMQP steps, but I need a connection to, I presume, the service bus.
I tried using the service bus as the host name with ports 5671 and 5672, but it gives me an error. Any ideas how I would connect these two?
Thanks!
Follow the below points to fix your issue.
I think this is due to the internal company firewall restriction which blocks all the traffic on ports 5671 and 5672.
So I recommend you set up your TCP proxy, HAProxy, on a VM.
This TCP proxy is configured in such a way that it routes all incoming traffic on a specific port to the Azure service endpoint.
You can change the endpoint using connection.setHostname("");
You should also change your port number from 5671 to 8080 in ClientConstants.
After doing all this, traffic will route to the TCP proxy endpoint instead of the service bus, as the firewall blocked all traffic on port 5671.
For More about this you can follow the official Microsoft Documentation.
I am really not clear what outbound (egress) and inbound (ingress) traffic means. I have two theories:
inbound just specifies that the origin is outside and the target inside, i.e. an HTTP round trip to some VM-hosted web server is ingress, and the response with HTTP 200 status goes back along the same established route
inbound is anything from the internet and outbound is anything to the internet. So an HTTP round trip to an Azure VM is ingress and also egress (the HTTP response), both of which can have different routes (in case of asymmetric routing).
My question is if the VM does not have route back to internet, will it serve properly the HTTP or the response cannot reach the originator in internet?
Inbound traffic originates from outside the network, while outbound traffic originates inside the network.
My question is if the VM does not have route back to internet, will it serve properly the HTTP or the response cannot reach the originator in internet?
Assuming you have a web server running on it, you just need to configure firewall rules to enable inbound / outbound traffic for ports 80 and 443.
I want to secure my web server VM by limiting it strictly to ports 443 and 3389. I denied everything else, both outbound and inbound, in the NSG for the web VM. But I can't RDP after doing so. When I relax the NSG to allow all outbound, then RDP starts working. My question is which outbound ports and protocols the RDP service needs opened in the NSG besides 3389?
thesushil: In my case it turns out I just needed to add an outbound rule to allow Azure AD communication over HTTP and HTTPS, because I have Azure AD authentication enabled. But I think the answer below would be helpful to others.
By default, the RDP server listens on TCP port 3389 and UDP port 3389. Read the wiki. You could also change the listening port for remote desktop.
If you want to secure your Azure VM by limiting it to ports 443 and 3389, you can add inbound port rules like this to only allow your client-specific IP address to access your Azure VM.
Also, please note that if inbound traffic is allowed over a port, it's not necessary to specify an outbound security rule to respond to traffic over the port. Read https://learn.microsoft.com/en-us/azure/virtual-network/security-overview#security-rules
Network security group security rules are evaluated by priority using the 5-tuple information (source, source port, destination, destination port, and protocol) to allow or deny the traffic. A flow record is created for existing connections. Communication is allowed or denied based on the connection state of the flow record. The flow record allows a network security group to be stateful. If you specify an outbound security rule to any address over port 80, for example, it's not necessary to specify an inbound security rule for the response to the outbound traffic. You only need to specify an inbound security rule if communication is initiated externally. The opposite is also true. If inbound traffic is allowed over a port, it's not necessary to specify an outbound security rule to respond to traffic over the port. Existing connections may not be interrupted when you remove a security rule that enabled the flow. Traffic flows are interrupted when connections are stopped and no traffic is flowing in either direction, for at least a few minutes.
Hope it helps.
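The stateful evaluation the quoted documentation describes (priority-ordered 5-tuple rules plus a flow record for every allowed connection) is the same mechanism behind the APNS question at the top of the page: on a stateful firewall the reply to a connection is matched against the flow record, not against a second rule in the other direction. The Python below is an added illustration written for this page, not Azure's implementation and not code from any of the posts; the addresses, rule priorities and the 2195/3389/443 ports are constructed for the demo, and the identity-service address is a placeholder.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

ANY = "*"  # wildcard for protocol, source address or destination port


@dataclass(frozen=True)
class Rule:
    priority: int    # evaluated lowest number first
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or ANY
    source: str      # source address of the packet, or ANY
    dest_port: str   # destination port as a string, or ANY


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    src: str
    src_port: int
    dst: str
    dst_port: int

    def flow_key(self) -> Tuple:
        # Order the two endpoints so a reply maps to the same key as the
        # request that created the flow record.
        ends = sorted([(self.src, self.src_port), (self.dst, self.dst_port)])
        return (self.protocol, ends[0], ends[1])


class StatefulFirewall:
    def __init__(self, rules: List[Rule]):
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.flows: Set[Tuple] = set()  # flow records of allowed connections

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        key = pkt.flow_key()
        if key in self.flows:
            return "Allow", "existing flow"   # no rule lookup at all
        for r in self.rules:
            if r.direction != pkt.direction:
                continue
            if r.protocol != ANY and r.protocol != pkt.protocol:
                continue
            if r.source != ANY and r.source != pkt.src:
                continue
            if r.dest_port != ANY and r.dest_port != str(pkt.dst_port):
                continue
            if r.access == "Allow":
                self.flows.add(key)         # remember the connection
            return r.access, f"rule {r.priority}"
        return "Deny", "implicit deny"


def demo() -> dict:
    admin = "203.0.113.10"   # constructed: the one client IP allowed in
    vm = "10.0.0.4"          # constructed: the web VM's private address
    apns = "198.51.100.7"    # constructed stand-in for the push service
    fw = StatefulFirewall([
        Rule(100, "Inbound", "Allow", "Tcp", admin, "443"),
        Rule(110, "Inbound", "Allow", "Tcp", admin, "3389"),
        Rule(120, "Outbound", "Allow", "Tcp", vm, "2195"),
        Rule(4000, "Inbound", "Deny", ANY, ANY, ANY),
        Rule(4000, "Outbound", "Deny", ANY, ANY, ANY),
    ])
    # RDP: the admin connects in; the VM's reply needs no outbound rule.
    rdp_syn = Packet("Inbound", "Tcp", admin, 51000, vm, 3389)
    rdp_reply = Packet("Outbound", "Tcp", vm, 3389, admin, 51000)
    # Push: the VM connects out on 2195; the reply needs no inbound rule.
    push_req = Packet("Outbound", "Tcp", vm, 40001, apns, 2195)
    push_reply = Packet("Inbound", "Tcp", apns, 2195, vm, 40001)
    # A connection the VM initiates on its own (placeholder identity-service
    # address) matches no flow record, so it needs its own outbound Allow.
    vm_initiated = Packet("Outbound", "Tcp", vm, 40002, "192.0.2.20", 443)
    return {
        "rdp_syn": fw.evaluate(rdp_syn),
        "rdp_reply": fw.evaluate(rdp_reply),
        "push_req": fw.evaluate(push_req),
        "push_reply": fw.evaluate(push_reply),
        "vm_initiated": fw.evaluate(vm_initiated),
    }


if __name__ == "__main__":
    for name, (access, reason) in demo().items():
        print(f"{name:13s} -> {access} ({reason})")
```

The last case is the one thesushil hit: a connection the VM opens itself is not a reply to anything, so "deny all outbound" blocks it even though every inbound reply still flows.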
I have many IoT clients that will soon be in the field. I want some way to have full access to the Device Portal currently on port 8080 without it being publicly exposed.
My thoughts are to develop a management server that accepts connections from multiple clients with keep alive. The connection from the IoT could be net sockets but that is open for feedback.
The management server would show the connection status of each IoT device. It would have the functionality to launch a browser session with the connected IoT device. The IoT device would serve the local Device Portal:8080 through the socket to the management servers browser session. Interaction from the management servers browser session would be transmitted back through the socket and in turn interact with the Device Portal.
I have looked over information for a few days and can't find examples of website interaction through sockets. I request your feedback on such an approach and also ask if there are any open source projects that may assist in getting to this goal.
Thank you
Have a look at https://openport.io. It does exactly what you ask.
A socket is just a software representation of a TCP connection. Ports would still be required, at least 1 port anyway. If you are accessing all those devices on the same network, you can use a reverse proxy or a VPN for external access into your network and those devices. Always use an SSL cert or IPsec tunnel for the proxy or VPN connection. If you open up your firewall on 80 and/or 443 to your Apache web server, Apache could redirect to the backend 8080 port. Alternatively, OpenVPN could be used to give you access to the entire network by just opening port 1154 and setting up the configuration. If using OpenVPN, you would still route to the device portal on 8080, as usual, using your internal IP or host name.
If all your devices are on the same network, the nice thing about using a VPN to get in is that you can connect to OpenVPN on your cell phone and then connect via SSH with an app like Termius on iOS, or any other SSH-capable iOS app, to your IoT device and get things done quickly, like rebooting IoT devices, setting permissions, checking logs on the go.
Lastly, if you're planning to pay for Azure, you could do that, I guess ($$$)
https://azure.microsoft.com/en-us/pricing/details/iot-hub/
What do you suggest as the best way to protect your web server's IP address for outgoing requests? I'm already using Cloudflare for inbound requests, but if my web server (nodejs) is making outbound connections for sending webhooks or something, I would prefer not to expose my origin's IP. I have a firewall set up to prevent any inbound connections not coming from Cloudflare, but I don't want my IP to expose where I'm hosted only to have my datacenter receive a DDoS.
There actually aren't any good articles I can find anywhere regarding protecting your IP with outbound connections.
Two thoughts:
1) Set up a second datacenter containing proxy servers and route outbound web server traffic through the proxy servers.
2) Set up a webhook queue, send webhooks to the queue and have servers in a 2nd datacenter work the queue.
Ideas?
I have worked at my company with a number of models over the years, including both of the ones you listed. We started out using a queue that was available to webhook processors in remote data centers, but we transitioned to a model that had less emphasis on queues and instead simplified it: an originating server chooses one of the available notification/webhook senders, which in turn calls the webhook subscriber. The sender also takes care of buffering, resending, alerting and aging of messages.
For the purpose of protecting your IP address, it depends on a number of variables. In our case, we acquire additional IP address ranges for the senders, but you can achieve your goal by having the proxy hosted on AWS or similar.
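The sender model in the answer above (origin picks a sender; the sender owns the outbound connection and handles buffering, resending, aging and alerting) is easy to sketch as code. The Python below is an added illustration for this page, not the answerer's system or anything from the original posts: the transport is injected so it runs offline, the `Sender`/`Originator` names and the `max_attempts`/`max_age` knobs are assumptions, and the subscriber URLs and their failure behaviour are constructed.

```python
import itertools
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Webhook:
    url: str
    body: dict
    created_at: float
    attempts: int = 0


class Sender:
    """A notification sender: it owns the outbound connection (and so the IP
    the subscriber sees), buffers, retries, ages out and alerts."""

    def __init__(self, name: str, transport: Callable[[str, dict], bool],
                 max_attempts: int = 5, max_age: float = 300.0,
                 alert: Callable[[str], None] = lambda msg: None):
        self.name = name
        self.transport = transport      # True when the subscriber accepted it
        self.max_attempts = max_attempts
        self.max_age = max_age          # seconds before a message is aged out
        self.alert = alert
        self.buffer: List[Webhook] = []
        self.delivered: List[Webhook] = []
        self.dead: List[Webhook] = []

    def enqueue(self, hook: Webhook) -> None:
        self.buffer.append(hook)

    def pump(self, now: float) -> None:
        """One delivery pass over the buffer."""
        pending: List[Webhook] = []
        for hook in self.buffer:
            if now - hook.created_at > self.max_age:
                self.dead.append(hook)               # aging
                self.alert(f"{self.name}: aged out {hook.url}")
                continue
            hook.attempts += 1
            if self.transport(hook.url, hook.body):
                self.delivered.append(hook)
            elif hook.attempts >= self.max_attempts:
                self.dead.append(hook)
                self.alert(f"{self.name}: gave up on {hook.url}")
            else:
                pending.append(hook)                 # resend next pass
        self.buffer = pending


class Originator:
    """The web server behind Cloudflare. It never connects to a subscriber
    itself; each message goes to the next available sender."""

    def __init__(self, senders: List[Sender]):
        self._next = itertools.cycle(senders)

    def notify(self, url: str, body: dict, now: float) -> str:
        sender = next(self._next)
        sender.enqueue(Webhook(url, body, now))
        return sender.name


def demo() -> dict:
    alerts: List[str] = []
    # Constructed subscriber behaviour: one endpoint rejects twice and then
    # accepts; the other never accepts.
    remaining_failures: Dict[str, int] = {
        "https://subscriber.example/hook": 2,
        "https://silent.example/hook": 10 ** 6,
    }

    def fake_transport(url: str, body: dict) -> bool:
        if remaining_failures.get(url, 0) > 0:
            remaining_failures[url] -= 1
            return False
        return True

    senders = [Sender("sender-a", fake_transport, alert=alerts.append),
               Sender("sender-b", fake_transport, alert=alerts.append)]
    origin = Originator(senders)
    first = origin.notify("https://subscriber.example/hook", {"event": "order.paid"}, now=0.0)
    second = origin.notify("https://silent.example/hook", {"event": "order.paid"}, now=0.0)
    for t in (0.0, 1.0, 2.0, 400.0):   # four passes; the last is past max_age
        for s in senders:
            s.pump(t)
    a, b = senders
    return {
        "routed_to": (first, second),
        "a_delivered": len(a.delivered),
        "a_attempts": a.delivered[0].attempts if a.delivered else 0,
        "b_delivered": len(b.delivered),
        "b_dead": len(b.dead),
        "b_attempts": b.dead[0].attempts if b.dead else 0,
        "alerts": alerts,
    }


if __name__ == "__main__":
    print(demo())
```

The point for the IP question is structural: every subscriber-facing connection is opened by a sender, so the origin's address never appears in the subscriber's logs, and the senders can sit on separately acquired ranges or a hosted proxy as the answer describes.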
Why would you want to do this? Your inbound requests are already dropped if they aren't from Cloudflare.