Administration Guides

Eyeglass Ports Requirements, Scalability Limits and Phone Home Requirements


Eyeglass Ports Requirements

| Port | Protocol | Direction | Eyeglass Release | Product Requires the ports open | Function |
|---|---|---|---|---|---|
| Operating System Open Suse 15.1 | | | | | It is the customer's responsibility to patch the operating system and allow Internet repository access for automatic patching. The OS is not covered by the support agreement. |
| DNS port 53 UDP | DNS | Eyeglass --> DNS server; Eyeglass --> GroupNet DNS configured on all clusters | | All | Functional DNS is a requirement for multiple validations needed for failover and Failover Readiness |
| Phone Home Monitoring TLS 443 | TCP TLS 1.2 | Eyeglass appliance --> Internet | | All | DR Monitoring service remote monitoring OR phone home remote log upload for support and health checks for Ransomware Defender, Easy Auditor and Performance Auditor products. See phone home Internet ports that need to be opened below |
| NTP 123 | UDP | Eyeglass appliance --> NTP server in your environment | | All | Time sync should use the same NTP as the clusters. Always disable the VMware host VM time sync option. |
| SMTP 25 | TCP | Eyeglass appliance --> Mail server in your environment | | All | Email of alarms from Eyeglass to your mail server |
| OS Repo for Security patches 80 http | TCP | Eyeglass appliance --> open suse mirror repositories | | All | 1. URL to allow security updates: http://download.opensuse.org 2. NOTE: Security patches come directly from open suse and require the appliance to have access to download the patches and apply them on the weekly schedule. |
| HTTPS over port 8080 | TCP TLS 1.2 | Eyeglass appliance --> Isilon/PowerScale cluster | | All | REST API is authenticated using the service account created here. Authentication uses the Isilon session authentication method. |
| SSH port 22 | AES | Eyeglass appliance --> Isilon/PowerScale cluster | | All | SSH access for some CLI commands |
| NFS TCP, UDP 111, 2049 (in some environments UDP 300) | TCP & UDP | Eyeglass appliance --> Isilon/PowerScale Cluster | | Ransomware Defender, Easy Auditor, Performance Auditor | Audit Data Ingestion |
| Syslog for ECA clusters to send logs to Eyeglass using port 5514 | TCP | ECA clusters --> Eyeglass Appliance | | Ransomware Defender, Easy Auditor, Performance Auditor | Syslog (non standard port) used to send ECA cluster VM logs to Eyeglass for support logs (enabled in Eyeglass, can be disabled if no ECA deployed). |
| HTTPS 443 | TCP TLS 1.2 AES - unsigned certificate | admin pc browser --> appliance | | All | Secures client to browser access. |
| target port 80, destination random TCP source port on the browser | only used to redirect to 443, can be blocked if needed | admin pc browser → appliance | | All (optional) | If a connection is made to the IP address on port 80, an HTTP 301, 302 redirect is returned on port 80 to switch the browser to HTTPS and the URL https://x.x.x.x/eyeglass. NOTE: No services run on port 80 and this is only used to redirect to port 443 HTTPS |
| https 2011 websocket | TCP TLS 1.2 AES | admin pc browser → appliance | > 2.5.7 update 1 not required | DR | Websocket for real-time appliance to browser updates (redirected to 2012). |
| 2012 TLS websocket | TCP TLS 1.2 AES | admin pc browser → appliance | > 2.5.7 update 1 not required | DR | Websocket for real-time appliance to browser updates (redirected to 2012). |
| 2013 TLS websocket | TCP TLS 1.2 AES | admin pc browser → appliance | > 2.5.7 update 1 not required | Easy Auditor | Websocket for Easy Auditor wiretap feature (only required if this product is installed). |
| 2014 TLS websocket (new Performance Auditor) | TCP TLS 1.2 AES | admin pc browser → appliance | > 2.5.7 update 1 not required | Performance Auditor | Websocket for Performance Auditor application (only required if this product is licensed and installed). |
| SSH 22 | TCP AES | admin pc workstation --> appliance | | All | Secure shell access. |
| Proxy login SMB 2 (only) 445 | TCP | appliance → Isilon/PowerScale | > 2.5.7 SMB3 supported with encryption | All | Used to authenticate to AD through Isilon/PowerScale using standard Microsoft SMB authentication request for Role based login proxy interface. |
| SMB Security Guard Ransomware Defender SMB TCP 445 SMB2 only | TCP | appliance → Isilon/PowerScale | > 2.5.7 SMB3 supported with encryption | Ransomware Defender | Used by Ransomware Defender (if licensed) to simulate ransomware attack automation. |
| SMB Robo Audit Easy Auditor SMB TCP 445 SMB2 only | TCP | appliance → Isilon/PowerScale | > 2.5.7 SMB3 supported with encryption | Easy Auditor | Used by Easy Auditor to test audit health for audit data ingestion and database health automation (if licensed). |
| Dual DNS Delegation | UDP | appliance port 53 UDP DNS --> Groupnet(x) DNS servers | | DR | This is new in 2.5.6 or later and requires Eyeglass to be able to access the Groupnet DNS servers to validate Dual DNS delegation is configured correctly. The OS DNS is not used since the DNS that must be configured correctly is used by Isilon/PowerScale itself. |

Eyeglass Support and Phonehome Whitelist URL's 

 PC Browser Upload and support site usage URL whitelist for full access to (support.superna.net)

  1. https://*.zopim.com (your pc browser --> Internet, Internet --> your pc browser)
  2. https://licenses.supernaeyeglass.com (your pc browser --> Internet, Internet --> your pc browser)
  3. https://support.superna.net (your pc browser --> Internet, Internet --> your pc browser)
  4. https://supernahelp.zendesk.com (your pc browser --> Internet, Internet --> your pc browser)
  5. https://cloudapps.supernaeyeglass.com (your pc browser --> Internet)


Download software and download license keys from support.superna.net

  1. https://software.supernaeyeglass.com (your pc browser <-- Internet)
  2. https://licenses.supernaeyeglass.com (your pc browser --> Internet, Internet --> your pc browser)



Phone Home Remote Monitoring Test Internet URL Steps


Overview - faster, more efficient support; enables proactive response without your involvement

How to test firewall port access to required URL's

  1. SSH to Eyeglass appliance as admin user
  2. type admin password ( default: 3y3gl4ss)
  3. Execute below command to test get command:
    wget https://na-static-phonehome.supernaeyeglass.com 
  4. Execute below command to test post command:
    curl -X POST -k http://na-static-phonehome.supernaeyeglass.com
  5. Send us the output of Step #3 and #4.
  6. Done.
  7. The Monitoring service requires the following URL's allowed
    1. https://cloudapps.supernaeyeglass.com (appliance to internet)
    2. Note: Superna has made the IP change for this URL therefore please whitelist IP address 35.244.217.10
    3. https://na-static-phonehome.supernaeyeglass.com (appliance to internet) IP address 35.207.34.234


Phone Home Message Flow

  1. After Phone Home is enabled, the message flow is as described below.
    1. NOTE: No inbound firewall rules from the Internet are required.
    2. NOTE: No data is collected other than support logs that can be created in the About Icon Backup tab and is uploaded to support through the support if Phone Home is disabled.  
    3. NOTE: No remote control functionality is possible with the phone home feature
    4. NOTE: No PHI data of any kind is collected in support data
    5. NOTE: if configured a proxy device can be used to reach the Internet.
    6. NOTE: url or IP based firewall information is provided on this page
  2. Eyeglass Appliance, Golden Copy or Search & Recover product appliance phone home actions
    1. After Phone Home is first enabled from the About Icon, a registration request is sent via HTTPS POST to https://na-static-phonehome.supernaeyeglass.com that includes the appliance ID and appliance version information.
    2. Twice per 24 hours a heartbeat is sent via an HTTPS POST to https://na-static-phonehome.supernaeyeglass.com that updates the portal that the appliance is still alive and running.
    3. Once per 5 minutes (random time within the 5 minutes) the appliance sends an HTTPS GET request to the https://na-static-phonehome.supernaeyeglass.com URL to see if a remote log upload has been requested.
      1. If no request to upload logs, no actions are taken and phone home sleeps until next log upload request 5 minute window.
      2. If a request to upload logs is returned from the HTTPS GET request, the appliance will generate support logs zip file and then HTTPS POST the zip file to this url https://cloudapps.supernaeyeglass.com 
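
The message flow above can be turned into an egress baseline for the appliance. The following is an added example, not Superna code: it audits outbound proxy log lines against the two documented hosts, their methods and the polling cadence. The "timestamp method host port" log layout and the sample lines are constructed assumptions.

```python
from datetime import datetime, timedelta

# Hosts and methods the page documents for phone home (all HTTPS on 443).
ALLOWED = {
    "na-static-phonehome.supernaeyeglass.com": {"GET", "POST"},
    "cloudapps.supernaeyeglass.com": {"POST"},
}
POLL_HOST = "na-static-phonehome.supernaeyeglass.com"
UPLOAD_HOST = "cloudapps.supernaeyeglass.com"
# One poll at a random time inside each 5-minute window means two
# consecutive polls are never more than 10 minutes apart.
MAX_POLL_GAP = timedelta(minutes=10)

# Constructed sample; the "timestamp method host port" layout is an assumption.
SAMPLE_LOG = """\
2024-05-01T10:01:12Z GET na-static-phonehome.supernaeyeglass.com 443
2024-05-01T10:08:40Z GET na-static-phonehome.supernaeyeglass.com 443
2024-05-01T10:09:05Z POST cloudapps.supernaeyeglass.com 443
2024-05-01T10:09:30Z POST files.example.net 443
2024-05-01T10:31:02Z GET na-static-phonehome.supernaeyeglass.com 443
2024-05-01T10:33:00Z GET cloudapps.supernaeyeglass.com 443
"""

def audit(log_text):
    """Return (timestamp, finding) tuples for lines that break the documented flow."""
    findings, last_poll = [], None
    for line in log_text.splitlines():
        ts_raw, method, host, port = line.split()
        ts = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ")
        if host not in ALLOWED:
            findings.append((ts_raw, "destination not in phone home allowlist"))
            continue
        if port != "443":
            findings.append((ts_raw, "phone home host contacted on non-443 port"))
        if method not in ALLOWED[host]:
            findings.append((ts_raw, "method not documented for this host"))
        if host == POLL_HOST and method == "GET":
            if last_poll and ts - last_poll > MAX_POLL_GAP:
                findings.append((ts_raw, "poll gap over 10 minutes, polls were missed"))
            last_poll = ts
        # Assumption: polling continues while the support zip is being built.
        if host == UPLOAD_HOST and method == "POST" and (
                last_poll is None or ts - last_poll > MAX_POLL_GAP):
            findings.append((ts_raw, "upload without a recent poll"))
    return findings

if __name__ == "__main__":
    for ts, finding in audit(SAMPLE_LOG):
        print(ts, finding)
```

A missed-poll finding usually points at a firewall or proxy change blocking the appliance, while an unlisted destination is traffic the phone home feature as documented here does not generate.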


Eyeglass Proxy Login Message Flow between Eyeglass VM and Isilon/PowerScale

  1. Eyeglass browser  https --> Eyeglass VM
  2. Eyeglass VM --> SMB2 standard Microsoft authentication request sent to Isilon/PowerScale ip address used to add cluster to Eyeglass. 
  3. Isilon/PowerScale sends authentication request to AD to validate password.
  4. Eyeglass --> sends rest api to Isilon/PowerScale requesting AD group membership for User X from login request.
  5. Isilon/PowerScale returns Authentication request to Eyeglass VM.
  6. Isilon/PowerScale returns list of AD groups the user is a member of in AD.
  7. Eyeglass compares AD groups to Role based Access configuration to determine permissions in Eyeglass and displays Icons based on this security evaluation process.
  8. User desktop loads based on role configured.


Eyeglass Scalability Limits and Appliance Memory Minimum Requirements

| Scaling Limit Area | Tested Scaling Limits | Notes |
|---|---|---|
| Number of Managed Clusters 1 appliance | 22 | contact Support for RAM requirement |
| SyncIQ Policies All clusters | > 100 --> 64GB; > 200 --> 84 GB | |
| Access Zones | > 10 --> 32GB; > 30 --> 64GB; > 50 --> 84 GB | Requires 32G-84G RAM |
| Failover job limitations | 100 policies selected in a single failover | Requires 64G RAM |
| total object count (shares + exports + quotas) | < 5 000 --> 16 GB; 5000 --> 10 000 32GB to 40GB; > 10 000 --> 64 GB; > 20 000 --> 84GB | |
| Clusters added to the appliance | 4 --> 32GB; 4 - 8 clusters --> 64GB; > 10 64GB - 84 GB | |
| Performance Auditor | Review the requirements above and if none apply, Eyeglass requires minimum 32 GB RAM when Performance Auditor is licensed | Minimum 32GB |
| Concurrent administrators 3 or more | Number of current logged in administrators to Eyeglass GUI using RBAC or not using RBAC | Add 8 GB ram to above requirements |

 

© Superna LLC