The ABC Connected/PC software communicates with the Iron Mountain secure Data Centers using the standard TCP/IP protocol.
Connections are initiated from the backup software on your computer or inside the firewall. Connections are NEVER initiated from the outside.
The program can work with all types of firewalls, including packet-filtering, circuit-filtering, SOCKS-compliant Proxy or Mapped Proxy firewalls. For most firewalls, some configuration of the firewall is needed. If your network requires explicit connection to the firewall to initiate outgoing connections, the ABC Connected/PC software must be configured for your firewall. You can configure it yourself using our client software configuration tool.
The requirements for running ABC Connected/PC service are consistent with security best practices. They do not create an opening for incoming connections, and outgoing connections can be limited to specific ports at specific known IP addresses. As an added security measure, all data is Triple-DES encrypted before leaving your PC; it remains encrypted through transmission, and is stored encrypted at the Telstra secure Data Centers.
The following information is useful for configuring a firewall to permit outgoing connections to the Telstra Data Center servers.
TCP/IP is used. There is no use of UDP or ICMP.
Each user's ABC Connected/PC software connects to a primary and an alternate server in order to provide high availability. Currently, all servers reside in the subnet 216.229.146.0/24 and in the subnet 216.229.150.0/24. The ABC Connected/PC software must have access to both these subnets. Should these addresses change in the future, notice will be given to allow firewall changes and the ABC Connected/PC software can be automatically updated with the new addresses.
All Telstra servers listen for client requests on a well-known port number: 16384. The ABC Connected/PC software always establishes a TCP/IP session with port 16384 on the server.
The ABC Connected/PC software connects to a server using the server's IP address, not its name. Therefore, name resolution and access to a name server are not required.
The ABC Connected/PC software is configured to connect to one of a pair of registration server addresses (primary and alternate) when it is used for the first time. The registration process assigns a server address pair (primary and alternate) for all subsequent uses.
The ABC Connected/PC software can be configured to connect out through a SOCKS proxy server. The IP address (or the DNS name) of the proxy server and the port number on which it listens for connections must be known in order to configure the backup software. SOCKS is designed to allow outgoing connections and responses back to those connections, but to prevent other incoming packets. This is consistent with the ABC Connected/PC software. If your SOCKS proxy server has been set up with additional restrictions on outgoing connections, it is necessary to include Iron Mountain's subnets in the permitted destinations.
When prompted by the ABC Connected/PC setup program to select a Firewall option, select the "Use SOCKS proxy firewall" radio button and enter your proxy server information.
Note: The default setting for SOCKS TCP Port is 1080.
In order for the ABC Connected/PC software to be used with an application-based proxy firewall server, the firewall must be set to permit outbound TCP connections for a generic application. Mapped firewalls require a separate port on the firewall for each different destination address.
The IP addresses that must be mapped will appear when you attempt to run the client software, or can be seen by selecting Options/Connection.../Firewall in the client software. The destination port number is always 16384. The firewall administrator may choose any available port numbers on the firewall. Finally, the ABC Connected/PC software must be configured with the IP address or the DNS name of the firewall and the firewall port numbers that were chosen.
When prompted by the ABC Connected/PC software to select a Firewall option, select the "Use proxy firewall server(s)" radio button. Then enter the firewall mapping that was configured on your firewall: enter the IP address or DNS name of your firewall in the "Firewall IP address" field, and for both Secure Data Centers enter the port numbers chosen by the firewall administrator.
The following is a summary of rules that must be applied to the firewall software or hardware in order to enable the ABC client-server protocol. (All the rules are described from the firewall's point of view.)
Permit TCP/IP outbound to port 16384 to subnets 12.159.133.0-63 (12.159.133.0/26) and 66.151.228.0-255 (66.151.228.0/24).
If your firewall requires you to explicitly permit the response packets to come back, do so by permitting TCP/IP inbound to ports 1024-5000 from the subnets listed above, for an already-established connection. It is NOT necessary to permit a connection originating from outside the firewall.
We do not utilize UDP or ICMP.
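The summary rules above, written as an nftables forward-chain ruleset for a stateful Linux gateway. This is an added example, not part of the original page or the vendor's documentation. The table name and the interface names `lan0` and `wan0` are assumptions; the port and subnets are the ones given in the rule summary.

```nftables
#!/usr/sbin/nft -f
# Added example (not vendor-supplied). Assumed names: table "abc_backup",
# LAN-side interface "lan0", Internet-side interface "wan0".

table inet abc_backup {
    # Destination subnets from the rule summary. If the client shows other
    # addresses under Options/Connection.../Firewall, list those instead.
    set abc_servers {
        type ipv4_addr
        flags interval
        elements = { 12.159.133.0/26, 66.151.228.0/24 }
    }

    chain forward {
        # "policy drop" stands in for the gateway's existing default-deny
        # forward chain. On a gateway that already has one, merge the set
        # and the rules below into that chain instead of loading a second
        # drop-policy table, which would also drop all other forwarded traffic.
        type filter hook forward priority 0; policy drop;

        # Outbound: clients open TCP sessions to port 16384 on the servers.
        iifname "lan0" oifname "wan0" ip daddr @abc_servers \
            tcp dport 16384 ct state new,established accept

        # Replies: accepted only when connection tracking ties them to a
        # session opened by the rule above. This takes the place of the
        # stateless "inbound to ports 1024-5000" rule: conntrack matches the
        # exact client port, so no port range has to be opened.
        iifname "wan0" oifname "lan0" ip saddr @abc_servers \
            tcp sport 16384 ct state established accept

        # The protocol never uses UDP or ICMP and the servers never initiate
        # connections, so anything else to or from these subnets is logged
        # and dropped.
        ip saddr @abc_servers log prefix "abc-backup-drop: " drop
        ip daddr @abc_servers log prefix "abc-backup-drop: " drop
    }
}
```

Syntax can be checked without applying the rules using `nft -c -f <file>`.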