IBM Support

Firewall Considerations

Question & Answer


Question

Firewall Considerations

Answer

Description

Architecturally, an Aspera server runs one SSH server on a configurable TCP port (22 by default, but often customers use port 33001). The firewall on the server side must allow this one TCP port to reach the Aspera server.

No servers are listening on UDP ports. When a transfer is initiated by an Aspera client, the client opens an SSH session to the SSH server on the designated TCP port and negotiates the UDP port over which the data will travel. By default, Aspera clients and servers are configured to use UDP port 33001.

After the session initiation step, both the client and the server will send and receive UDP traffic on the negotiated port. To allow the UDP session to start, the firewall on the Aspera server side must allow port UDP 33001 to reach the Aspera server.

Concurrent Transfer Considerations

On Unix Aspera servers with multiple concurrent clients, concurrent transfers will share the same UDP port.

On Windows Aspera servers with multiple concurrent clients, the operating system does not allow Aspera's fasp protocol to reuse the same UDP port for multiple connections. Therefore, the firewall on the server side must allow a range of UDP ports, for example 33001 through 33100, to reach the Aspera server. Incoming client connections will automatically increment to use the next available port in the range.

On BSD-based operating systems (such as Isilon OneFS), when an Aspera server has multiple concurrent clients transferring under two or more user accounts, the OS does not allow the Aspera fasp protocol to reuse the same UDP port. Conversely, a single UDP port is sufficient if only one account is used for transfers. Therefore, if you have multiple concurrent clients using multiple user accounts and your Aspera server runs on Isilon OneFS, you must allow inbound connections on a range of UDP ports, where the size of the range equals the maximum number of concurrent fasp transfers expected. These UDP ports should be opened incrementally from the base port, which is UDP/33001 by default. For example, to allow 10 concurrent fasp transfers using two or more user accounts, allow inbound traffic on UDP/33001 through UDP/33010.

In the case of point-to-point deployments of Aspera products, the endpoints accepting incoming connections act as servers and therefore must configure their firewalls to allow TCP port 22 and UDP port 33001 to reach the Aspera machine (both the TCP and UDP ports are configurable).

Firewall Configuration Summary

Aspera transfers use one TCP port for session initialization and control and one UDP port for data transfer. The TCP port is usually either 22 (default port for SSH) or 33001 and the UDP port is by default 33001.

Client / Server installations

Server side firewall

  • Allow inbound connections to the server on the TCP port
  • Allow inbound connections to the server on the UDP port
    For Windows servers only, allow a range of ports large enough to cover the number of potential concurrent clients, for example 33001 through 33020 for 20 concurrent clients. This is needed because Windows does not allow UDP port sharing.
  • Allow outbound connections from the server on the TCP port
  • Allow outbound connections from the server on the UDP port (or range of ports for Windows servers).
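The following is an added example, not part of the IBM page or the Aspera product: it computes the UDP port range from the base port and the expected number of concurrent transfers (as described in the concurrent transfer section above) and prints the matching server-side iptables rules for a Linux host. Port numbers are the page's defaults; the concurrency count and the choice of iptables are assumptions of this example.

```shell
# Added example: derive the server-side firewall rules described above.
# Assumes a Linux Aspera server managed with iptables; rules are printed,
# not applied, so they can be reviewed before use.

# Inclusive UDP range needed for N concurrent fasp transfers when the OS
# cannot share one UDP port (Windows, or OneFS with multiple accounts).
# Ports are allocated upward from the base port, so N transfers need
# base .. base+N-1. With N=1 (or on Linux, where concurrent transfers
# share the port) a single port is printed.
aspera_udp_range() {
    base=$1
    concurrent=$2
    if [ "$concurrent" -le 1 ]; then
        printf '%s\n' "$base"
    else
        printf '%s:%s\n' "$base" "$((base + concurrent - 1))"
    fi
}

# Print the four server-side rules from the summary above:
#  - inbound TCP (SSH control/session initiation) on the TCP port
#  - inbound UDP data on the port or range
#  - outbound TCP replies on the same TCP port
#  - outbound UDP data from the same port or range
aspera_server_rules() {
    tcp_port=$1
    udp_range=$2
    cat <<EOF
iptables -A INPUT  -p tcp --dport $tcp_port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p udp --dport $udp_range -j ACCEPT
iptables -A OUTPUT -p tcp --sport $tcp_port -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp --sport $udp_range -j ACCEPT
EOF
}

# Check (on the server itself) that something is actually listening on the
# configured TCP port; a missing SSH listener is a common reason a transfer
# fails before the UDP port is ever negotiated.
aspera_check_tcp_listener() {
    ss -ltn 2>/dev/null | grep -q ":$1 "
}

# Usage: Windows-style range for 20 concurrent clients on SSH port 33001.
aspera_server_rules 33001 "$(aspera_udp_range 33001 20)"
```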

Client side firewall

Typical: Consumer and business firewalls allow direct outbound connections from client computers on TCP and UDP. There is no configuration required for Aspera transfers in this case.

Special: In the case of corporate firewalls that disallow direct outbound connections (typically those using proxy servers for web browsing):

  • Allow outbound connections from the Aspera client on the TCP port.
  • Allow outbound connections from the Aspera client on the UDP port.

Example: Point to Point installation

Consider two Aspera computers: A and B. A initiates the transfer (we call A the client) and B accepts the incoming connection (we call B the server). The client and server designations are determined by which computer initiates the Aspera transfer, regardless of the direction of the transfer (upload or download).

A's firewall

Typical: Consumer and business firewalls allow direct outbound connections from client computers on TCP and UDP. There is no configuration required for Aspera transfers in this case.

Special: In the case of corporate firewalls that disallow direct outbound connections (typically those using proxy servers for web browsing):

  • Allow outbound connections to B on the TCP port.
  • Allow outbound connections to B on the UDP port.
  • Allow either:
    • inbound UDP traffic responding to the outbound UDP (this is default on most firewalls)
      or
    • inbound UDP traffic on port 33001 (on non-standard firewall configurations)

B's firewall

  • Allow inbound connections from A on the TCP port.
  • Allow inbound and outbound UDP connections to B on the UDP port.

For A and B to act as both client and server, both A's and B's firewalls would need to:

  • Allow outbound connections to the peer on the TCP port
  • Allow inbound connections from the peer on the TCP port
  • Allow inbound and outbound UDP connections to the peer on the UDP port.


Document Information

Modified date:
08 December 2018

UID

ibm10746389