Firewall requirements
Firewall (on the Console machine)
Open the following ports on the Console machine:
- For the Web UI, allow inbound connections for HTTP or HTTPS Web access (for example, TCP/80, TCP/443).
- Allow outbound connections for SSH (to be used for node administration) on a non-default, configurable TCP port (for example, TCP/33001).
- Allow an outbound connection for TCP/9092 to allow Console to connect with nodes through the Node API.
- Allow an outbound connection for TCP/40001 and an inbound connection for TCP/4406 to allow Console to connect with legacy nodes.
Firewall (on the node machines)
- To ensure that your server is secure, allow inbound connections for SSH on TCP/33001 (or on another non-default, configurable TCP port), and disallow inbound connections on TCP/22. If you have a legacy customer base using TCP/22, you can allow inbound connections on both ports. For details on securing your individual Aspera transfer server product, review the corresponding user manuals.
- Allow inbound connections for FASP transfers, which use UDP/33001 by default, although the server may also choose to run FASP transfers on another port.
- For current nodes and legacy nodes that have been converted to current nodes, allow an inbound connection on TCP/9092.
- For legacy nodes (unconverted), allow an inbound connection for Aspera Central (for example, TCP/40001).
- For legacy nodes (unconverted), allow an outbound connection for logging to Console on TCP/4406.
Note: No servers are listening on UDP ports.
When an Aspera client initiates a transfer, the client opens an SSH session to the SSH server on the designated TCP port and negotiates the UDP port over which the data transfer will occur. For Aspera servers that have multiple concurrent clients, the Windows operating system does not allow Aspera's FASP protocol to reuse the same UDP port for multiple connections. Thus, if you have multiple concurrent clients and your Aspera server runs on Windows, then you must allow inbound connections on a range of UDP ports, where the range of ports is equal to the maximum number of concurrent FASP transfers expected. These UDP ports should be opened incrementally from the base port, which is UDP/33001 by default. For example, to allow 10 concurrent FASP transfers, allow inbound traffic from UDP/33001 to UDP/33010.
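The port lists above, for both the Console machine and the node machines, written out as a small POSIX shell script. This is an added example, not part of the Aspera documentation or product: it prints iptables rules rather than applying them, so the output can be reviewed (or piped to sh on the target host) without root. The rule syntax, the use of iptables rather than the distribution's own firewall tool, the assumption of a default-deny INPUT/OUTPUT policy, and the function names are this example's own choices. The `fasp_udp_range` helper computes the Windows UDP port range from the base port and the number of concurrent FASP transfers described in the note.

```shell
#!/bin/sh
# Added example (not Aspera's own code): emit iptables rules that match the
# Console and node port requirements above. Assumes a default-deny policy on
# INPUT and OUTPUT, with a separate rule for ESTABLISHED/RELATED traffic.

SSH_PORT=${SSH_PORT:-33001}    # non-default SSH port recommended above
FASP_BASE=${FASP_BASE:-33001}  # default FASP UDP base port

# fasp_udp_range N: the inbound UDP range a Windows node with N concurrent
# FASP transfers needs, counted up from the base port (N=10 -> 33001:33010).
# On Linux a single port is enough, so N=1 yields just the base port.
fasp_udp_range() {
    n=$1
    if [ "$n" -le 1 ]; then
        echo "$FASP_BASE"
    else
        echo "$FASP_BASE:$((FASP_BASE + n - 1))"
    fi
}

# console_rules: rules for the machine running Console.
console_rules() {
    # Web UI: inbound HTTP/HTTPS
    echo "iptables -A INPUT  -p tcp --dport 80  -j ACCEPT"
    echo "iptables -A INPUT  -p tcp --dport 443 -j ACCEPT"
    # SSH out to nodes for administration
    echo "iptables -A OUTPUT -p tcp --dport $SSH_PORT -j ACCEPT"
    # Node API on current nodes
    echo "iptables -A OUTPUT -p tcp --dport 9092 -j ACCEPT"
    # Legacy nodes: Aspera Central outbound, node logging inbound
    echo "iptables -A OUTPUT -p tcp --dport 40001 -j ACCEPT"
    echo "iptables -A INPUT  -p tcp --dport 4406  -j ACCEPT"
}

# node_rules N MODE: rules for a node machine. N is the number of concurrent
# FASP transfers to allow (use 1 on Linux); MODE is "current" or "legacy".
node_rules() {
    n=$1
    mode=${2:-current}
    # SSH on the non-default port only; TCP/22 stays closed
    echo "iptables -A INPUT -p tcp --dport $SSH_PORT -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 22 -j DROP"
    # FASP data transfers (UDP), single port or a range on Windows
    echo "iptables -A INPUT -p udp --dport $(fasp_udp_range "$n") -j ACCEPT"
    case "$mode" in
        current)
            echo "iptables -A INPUT  -p tcp --dport 9092  -j ACCEPT" ;;
        legacy)
            echo "iptables -A INPUT  -p tcp --dport 40001 -j ACCEPT"
            echo "iptables -A OUTPUT -p tcp --dport 4406  -j ACCEPT" ;;
        *)
            echo "node_rules: unknown mode '$mode' (use current|legacy)" >&2
            return 1 ;;
    esac
}

# Usage: print the rules for review; apply on the host with e.g.
#   node_rules 10 current | sudo sh
console_rules
node_rules 10 current
```

Run the script on a workstation first and read the output; only pipe it to sh on the actual Console or node host once the SSH port and transfer count match the deployment. Keep the TCP/22 DROP rule unless a legacy customer base still needs the default SSH port, as the node list above allows.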