Network and Firewall connections
This diagram depicts a typical deployment in a small environment where LiquidFiles has been deployed in a DMZ using the private ip address 10.0.2.10. We have one internal network of 10.0.1.0/24 and one firewall that is also the default gateway (default router) for all networks.
The following table outlines the network connections that LiquidFiles requires to operate (IP addresses assumed to be as in the network diagram above).
| Protocol / Function | Source | Destination | Port | Description |
|---|---|---|---|---|
| http(s) | any | 10.0.2.10 | 80 & 443 | http and https are allowed from anywhere. This is how all files are uploaded and downloaded; all normal user interaction is via http or https. |
| DNS | 10.0.2.10 | DNS server | 53 (UDP) | The appliance needs DNS to function properly. |
| SMTP | 10.0.2.10 | any / email relay server | 25 | The appliance needs to send emails, either via an email relay server or directly to the Internet. |
| updates | 10.0.2.10 | any | 80 & 443 | The appliance downloads updates over http and https. |
| admin | 10.0.1.0/24 | 10.0.2.10 | 222 | Use specific management IPs if you can for ssh access to the appliance. |
| LDAP | 10.0.2.10 | LDAP server | 389/636 | If LDAP authentication is enabled, the appliance needs connections to the LDAP server. |
| NTP | 10.0.2.10 | any / ntp server | 123 (UDP) | Required if NTP time synchronisation is enabled; if NTP pool authentication is enabled, the destination needs to be any. |
| Emaildrop | any | 10.0.2.10 | 25 | If you have enabled Emaildrops. |
| FTPdrop (FTP) | any | 10.0.2.10 | 21, 44000-44100 | If you have configured FTPdrops and wish to use FTP. |
| FTPdrop (SFTP/SCP) | any | 10.0.2.10 | 22 | If you have configured FTPdrops and wish to use SFTP/SCP. |
In most cases, if deployed behind a firewall or similar, you will also need to configure the firewall for address translation, translating a public address to the private 10.0.2.10 address. You will also almost certainly need to configure DNS so that a published DNS name points to the public IP address of the file transfer appliance.
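To check a proposed firewall policy against the table before deploying it, the rules above can be expressed as data and evaluated for individual flows. The following is an added example, not part of the original page or of LiquidFiles itself; the DNS and LDAP server addresses (10.0.1.53 and 10.0.1.20) and the feature toggles are assumptions for the demonstration, and anything not matched by a rule is treated as denied.

```python
import ipaddress

# Addresses from the example deployment on this page: appliance in the DMZ, one internal LAN.
APPLIANCE = ipaddress.ip_address("10.0.2.10")
INTERNAL_LAN = ipaddress.ip_network("10.0.1.0/24")
# Assumed (constructed) server addresses; the page only says "DNS server" / "LDAP server".
DNS_SERVER = ipaddress.ip_address("10.0.1.53")
LDAP_SERVER = ipaddress.ip_address("10.0.1.20")

# Rules transcribed from the connection table: (name, source, destination, proto, ports).
# "any" matches every address; ports is a set of ints and/or (low, high) ranges.
RULES = [
    ("http(s)",      "any",        APPLIANCE,   "tcp", {80, 443}),
    ("DNS",          APPLIANCE,    DNS_SERVER,  "udp", {53}),
    ("SMTP",         APPLIANCE,    "any",       "tcp", {25}),
    ("updates",      APPLIANCE,    "any",       "tcp", {80, 443}),
    ("admin",        INTERNAL_LAN, APPLIANCE,   "tcp", {222}),
    ("LDAP",         APPLIANCE,    LDAP_SERVER, "tcp", {389, 636}),
    ("NTP",          APPLIANCE,    "any",       "udp", {123}),
    ("Emaildrop",    "any",        APPLIANCE,   "tcp", {25}),
    ("FTPdrop FTP",  "any",        APPLIANCE,   "tcp", {21, (44000, 44100)}),
    ("FTPdrop SFTP", "any",        APPLIANCE,   "tcp", {22}),
]
# Rules the table marks as needed only when the corresponding feature is enabled.
OPTIONAL = {"LDAP", "NTP", "Emaildrop", "FTPdrop FTP", "FTPdrop SFTP"}


def _addr_match(spec, addr):
    if spec == "any":
        return True
    if isinstance(spec, ipaddress.IPv4Network):
        return addr in spec          # CIDR match, e.g. the admin LAN
    return addr == spec              # single host


def _port_match(ports, port):
    return any(port == p if isinstance(p, int) else p[0] <= port <= p[1] for p in ports)


def allowed(src, dst, proto, port, enabled=None):
    """Return the name of the first matching rule, or None (default deny).

    enabled: set of OPTIONAL rule names that are switched on; None means all of them.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, s, d, p, ports in RULES:
        if enabled is not None and name in OPTIONAL and name not in enabled:
            continue
        if proto == p and _addr_match(s, src) and _addr_match(d, dst) and _port_match(ports, port):
            return name
    return None
```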
Restricting outgoing http/https
Some companies wish to limit outgoing access to a specific set of destination IP addresses instead of enabling outgoing http and https to any external IP address. Unfortunately that's not really possible, since LiquidFiles uses download mirrors for a few functions and these change from time to time.
If it makes things easier in your environment, you can configure a Proxy in Admin → System → Network and that will make all outgoing connections use the proxy instead of going direct.
If you don't have or don't want to use a proxy, you will need to enable unrestricted outgoing connections on TCP port 80 (http) and TCP port 443 (https) from the LiquidFiles system towards the Internet for LiquidFiles to operate properly. With a proxy, the proxy needs to permit unrestricted outgoing connections on TCP port 80 (http) and 443 (https).
The following is a list of all connections performed by LiquidFiles during normal operation:
- License and LiquidFiles update checking by connecting to https://license.liquidfiles.com.
- LiquidFiles updates are downloaded using https from the Amazon S3 cloud. (Amazon does not specify their IP address ranges for S3; these are most likely not static as data centers are added to the Amazon AWS cloud space.)
- When Remote support is enabled, it uses TCP port 443 to connect to access.liquidfiles.com. Please note that we use port 443 because it's often already opened, but we are not using https, so if an IPS or content inspection firewall checks for valid https, the support connection will likely fail.
- System updates are downloaded from a range of CentOS download mirrors, EPEL download mirrors & Amazon S3 using https.
- ClamAV updates are downloaded from a range of randomized http servers around the world.
- If geolocation/maps integration has been enabled (it's enabled by default in Admin → Settings), it will connect to https://geoip.liquidfiles.com for IP-based geolocation lookups.