Configuring the firewall

HSTS requires access through specific ports. If you cannot establish the connection, review your local corporate firewall settings and remove the port restrictions.

Firewall configuration for consumption-based entitlements

If your transfer server operates with a consumption-based entitlement rather than a license, you must ensure that the Aspera License Entitlement Engine (ALEE) can communicate with the Aspera metering and billing system. Configure your firewall to allow outbound traffic on TCP port 443, and allow outbound access to api.ibmaspera.com by domain name rather than by individual IP addresses. The IP addresses behind that name change periodically; allowing the domain name keeps the communication from being interrupted when they do, so that you can keep using your transfer server.

HSTS

Configure your firewall to allow the following ports:

  • Inbound TCP/22 or another TCP port configured for SSH connections: The port for SSH connections.
    Important: Run the SSH server on a non-default port so that your server remains secure from SSH port scan attacks. The recommended configuration allows inbound SSH connections on TCP/33001 and disallows inbound connections on TCP/22. For instructions on how to change your SSH port, see Configuring the SSH Server.

    If you have clients on an earlier version that still use TCP/22, you can allow inbound connections on both ports. See Configuring the SSH Server for instructions.

    The firewall on the server side must allow the open TCP port to reach HSTS. No servers are listening on UDP ports. When a transfer is initiated by an Aspera client, the client opens up an SSH session to the SSH server on the designated TCP port and negotiates the UDP port for the data transfer.

  • Inbound UDP/33001: The port for FASP transfers. FASP uses UDP/33001 by default, although the server might also be configured to run FASP transfers on another port.
  • Inbound TCP/8443 or TCP/8080: The port for HTTP fallback. If only HTTPS fallback is used, you need to open only 8443; if only HTTP is used, you must open 8080. For more information on configuring HTTP fallback ports, see Ascp command reference.
  • Local firewall: If you have a local firewall on your server, like iptables, verify that it is not blocking your SSH and FASP transfer ports, such as TCP/UDP 33001. If you are using Vlinks, you need to allow the Vlink UDP port for multicast traffic, which uses 55001 by default. For additional information on setting up Vlinks, see Controlling bandwidth usage with virtual links from the command line.

Remote client machines

Typically, consumer and business firewalls allow direct outbound connections from client computers on TCP and UDP, and no configuration is required for Aspera transfers. In the special case of firewalls that block direct outbound connections, usually ones that force web browsing through proxy servers, the following ports must be allowed:
  • Outbound TCP/33001: Allow outbound connections from the Aspera client on the server's SSH TCP port. By default, TCP/33001 is used to connect to a Windows server; servers on other operating systems may use another non-default port.
  • Outbound UDP/33001, or a range if required: Allow outbound connections from the Aspera client on the FASP UDP port, 33001 by default.
  • Local firewall: If you have a local firewall on the client, such as iptables or ipfw, verify that it is not blocking your SSH and FASP transfer ports, such as TCP/UDP 33001.
Important: Multiple concurrent clients cannot connect to a Windows Aspera server on the same UDP port. Similarly, multiple concurrent clients using two or more user accounts cannot connect to a macOS Aspera server on the same UDP port. If you are connecting to these servers, you must allow outbound connections from the Aspera client to the range of UDP ports that the server opens incrementally, starting at UDP/33001. For example, you might need to allow outbound connections on UDP/33001 through UDP/33010 if the server allows 10 concurrent connections.
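The following POSIX shell script is an added example, not part of the IBM documentation or of the HSTS product. It turns the port lists from the HSTS and remote-client sections above into iptables rules: an inbound set for the server (SSH port, FASP UDP port or range, HTTP fallback port) and an outbound set for a client behind a restrictive egress firewall, including the UDP range needed when a Windows or macOS server opens ports incrementally for concurrent transfers, plus the TCP/443 egress rule for ALEE. The function names, the argument layout and the print-then-pipe-to-sh convention are assumptions of this example; the port numbers and iptables itself are as named in this section.

```shell
#!/bin/sh
# Hypothetical helper (not shipped with HSTS): print iptables rules for the
# HSTS port set. Review the output, then pipe it to "sh -e" as root to apply.

# hsts_server_rules SSH_PORT FASP_UDP_PORT CONCURRENT FALLBACK
#   SSH_PORT       TCP port the SSH server listens on (33001 recommended, 22 legacy)
#   FASP_UDP_PORT  first UDP port used for FASP transfers (33001 by default)
#   CONCURRENT     concurrent transfers to allow; the UDP range becomes
#                  FASP_UDP_PORT .. FASP_UDP_PORT+CONCURRENT-1
#   FALLBACK       https (open TCP/8443), http (open TCP/8080), both, or none
hsts_server_rules() {
    ssh_port=$1; udp_port=$2; concurrent=$3; fallback=$4
    udp_end=$((udp_port + concurrent - 1))
    # Only new SSH connections need an explicit rule; replies ride on conntrack.
    echo "iptables -A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT"
    if [ "$concurrent" -gt 1 ]; then
        echo "iptables -A INPUT -p udp --dport $udp_port:$udp_end -j ACCEPT"
    else
        echo "iptables -A INPUT -p udp --dport $udp_port -j ACCEPT"
    fi
    case $fallback in
        https) echo "iptables -A INPUT -p tcp --dport 8443 -j ACCEPT" ;;
        http)  echo "iptables -A INPUT -p tcp --dport 8080 -j ACCEPT" ;;
        both)  echo "iptables -A INPUT -p tcp --dport 8443 -j ACCEPT"
               echo "iptables -A INPUT -p tcp --dport 8080 -j ACCEPT" ;;
        none)  ;;
        *)     echo "unknown fallback mode: $fallback" >&2; return 1 ;;
    esac
}

# hsts_client_rules SERVER_TCP_PORT FASP_UDP_PORT CONCURRENT
#   Egress rules for a client whose firewall blocks direct outbound traffic.
#   CONCURRENT > 1 produces the incremental UDP range a Windows or macOS
#   server uses for concurrent transfers (e.g. 33001:33010 for 10).
hsts_client_rules() {
    tcp_port=$1; udp_port=$2; concurrent=$3
    udp_end=$((udp_port + concurrent - 1))
    echo "iptables -A OUTPUT -p tcp --dport $tcp_port -m conntrack --ctstate NEW -j ACCEPT"
    echo "iptables -A OUTPUT -p udp --dport $udp_port:$udp_end -j ACCEPT"
}

# alee_egress_rule: outbound TCP/443 so ALEE can reach api.ibmaspera.com.
# iptables resolves a hostname passed to -d only once, when the rule is
# loaded, so it cannot follow the periodic IP changes the way a firewall
# with FQDN objects can. This rule therefore matches on the port only.
alee_egress_rule() {
    echo "iptables -A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT"
}

# Example invocation: server with SSH on 33001, FASP from UDP/33001,
# 10 concurrent transfers, HTTPS fallback, plus the ALEE egress rule.
hsts_server_rules 33001 33001 10 https
alee_egress_rule
```

Run the script without arguments to see the rule set it would apply; rerun the example line with `hsts_client_rules 33001 33001 10` on a client host to get the matching outbound rules. If you use nftables or a hardware firewall instead, the port and range values are the only parts that need carrying over.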