Administration Guides

Eyeglass Ports Requirements, Scalability Limits and Phone Home Requirements


Eyeglass Ports Requirements

| Port | Protocol | Direction | Product Requires the ports open | Function |
|---|---|---|---|---|
| Operating System openSUSE 15.1 | | | | It is the customer's responsibility to patch the operating system and allow Internet repository access for automatic patching. The OS is not covered by the support agreement. |
| Phone Home Monitoring TLS 443 | TCP TLS 1.2 | Eyeglass appliance --> Internet | All | DR Monitoring service remote monitoring OR phone home remote log upload for support and health checks for Ransomware Defender, Easy Auditor and Performance Auditor products. See the phone home Internet ports that need to be opened below. |
| NTP 123 | UDP | Eyeglass appliance --> NTP server in your environment | All | Time sync should use the same NTP as the clusters. Should always disable the VMware host VM time sync option. |
| SMTP 25 | TCP | Eyeglass appliance --> Mail server in your environment | All | Email of alarms from Eyeglass to your mail server. |
| OS Repo for Security patches 80 http | TCP | Eyeglass appliance --> openSUSE mirror repositories | All | URL to allow security updates: http://download.opensuse.org. NOTE: Security patches come directly from openSUSE and require the appliance to have access to download the patches and apply them on the weekly schedule. |
| HTTPS over port 8080 | TCP TLS 1.2 | Eyeglass appliance  Isilon/PowerScale cluster | All | REST API is authenticated using the service account created here. Authentication uses the Isilon session authentication method. |
| SSH port 22 | AES | Eyeglass appliance  Isilon/PowerScale cluster | All | SSH access for some CLI commands. |
| NFS TCP, UDP 111, 2049 | TCP & UDP | Eyeglass appliance  Isilon/PowerScale Cluster | Ransomware Defender, Easy Auditor, Performance Auditor | Audit Data Ingestion. |
| Syslog for ECA clusters to send logs to Eyeglass using port 5514 | TCP | ECA clusters  Eyeglass Appliance | Ransomware Defender, Easy Auditor, Performance Auditor | Syslog (non standard port) used to send ECA cluster VM logs to Eyeglass for support logs (enabled in Eyeglass; can be disabled if no ECA is deployed). |
| HTTPS 443 | TCP TLS 1.2 AES - unsigned certificate | admin pc browser  appliance | All | Secures client to browser access. |
| target port 80, destination random TCP source port on the browser | only used to redirect to 443, can be blocked if needed | admin pc browser → appliance | All (optional) | If a connection is made to the IP address on port 80, an HTTP 301/302 redirect is returned on port 80 to switch the browser to HTTPS and the URL https:/x.x.x.x/eyeglass. NOTE: No services run on port 80; it is only used to redirect to port 443 HTTPS. |
| https 2011 websocket | TCP TLS 1.2 AES | admin pc browser → appliance | DR | Websocket for real-time appliance to browser updates (redirected to 2012). |
| 2012 TLS websocket | TCP TLS 1.2 AES | admin pc browser → appliance | DR | Websocket for real-time appliance to browser updates (redirected to 2012). |
| 2013 TLS websocket | TCP TLS 1.2 AES | admin pc browser → appliance | Easy Auditor | Websocket for Easy Auditor wiretap feature (only required if this product is installed). |
| 2014 TLS websocket (new Performance Auditor) | TCP TLS 1.2 AES | admin pc browser → appliance | Performance Auditor | Websocket for Performance Auditor application (only required if this product is licensed and installed). |
| SSH 22 | TCP AES | admin pc workstation  appliance | All | Secure shell access. |
| Proxy login SMB 2 (only) 445 | TCP | appliance → Isilon/PowerScale | All | Used to authenticate to AD through Isilon/PowerScale using a standard Microsoft SMB authentication request for the Role based login proxy interface. |
| SMB Security Guard Ransomware Defender SMB TCP 445 SMB2 only | TCP | appliance → Isilon/PowerScale | Ransomware Defender | Used by Ransomware Defender (if licensed) to simulate ransomware attack automation. |
| SMB Robo Audit Easy Auditor SMB TCP 445 SMB2 only | TCP | appliance → Isilon/PowerScale | Easy Auditor | Used by Easy Auditor to test audit health for audit data ingestion and database health automation (if licensed). |
| Dual DNS Delegation | UDP | appliance port 53 UDP DNS --> Groupnet(x) DNS servers | DR | This is new in 2.5.6 or later and requires Eyeglass to be able to access the Groupnet DNS servers to validate that Dual DNS delegation is configured correctly. The OS DNS is not used, since the DNS that must be configured correctly is the one used by Isilon/PowerScale itself. |

Eyeglass Support and Phone Home Whitelist URLs

PC browser upload and support site usage: URL whitelist for full access to support.superna.net

  1. https://*.zopim.com (your pc browser --> Internet, Internet --> your pc browser)
  2. https://licenses.supernaeyeglass.com (your pc browser --> Internet, Internet --> your pc browser)
  3. https://support.superna.net (your pc browser --> Internet, Internet --> your pc browser)
  4. https://supernahelp.zendesk.com (your pc browser --> Internet, Internet --> your pc browser)
  5. https://cloudapps.supernaeyeglass.com (your pc browser --> Internet)


Download software and download license keys from support.superna.net

  1. https://storage.googleapis.com (your pc browser <-- Internet)
  2. https://licenses.supernaeyeglass.com (your pc browser --> Internet, Internet --> your pc browser)



Phone Home Remote Monitoring Test Internet URL Steps


Overview: faster, more efficient support; enables proactive response without your involvement.

How to test firewall port access to the required URLs

  1. SSH to the Eyeglass appliance as the admin user.
  2. Type the admin password (default: 3y3gl4ss).
  3. Execute the command below to test a GET request:
    wget https://na-static-phonehome.supernaeyeglass.com
  4. Execute the command below to test a POST request:
    curl -X POST -k https://na-static-phonehome.supernaeyeglass.com
  5. Send us the output of Step #3 and #4.
  6. Done.
  7. The Monitoring service requires the following URLs to be allowed:
    1. https://cloudapps.supernaeyeglass.com (appliance to internet)
    2. Note: Superna has changed the IP address for this URL, so please whitelist IP address 35.244.217.10
    3. https://na-static-phonehome.supernaeyeglass.com (appliance to internet) IP address 35.207.34.234
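
A scripted version of the reachability test above, as an added example that is not part of Superna's documentation: it probes both phone-home hosts with GET and POST, maps curl's exit code to a likely firewall cause, and checks whether DNS still returns the IP address whitelisted on this page. The function names and diagnosis labels are illustrative assumptions; run it on the appliance with --run.

```shell
# Added example; hosts and IPs are the ones documented on this page, function names are illustrative.
ENDPOINTS="na-static-phonehome.supernaeyeglass.com=35.207.34.234
cloudapps.supernaeyeglass.com=35.244.217.10"

# Turn a curl exit code plus HTTP status into a firewall-oriented diagnosis.
classify() {
    rc=$1; http=$2
    case "$rc" in
        0) if [ "$http" -ge 200 ] && [ "$http" -lt 500 ]; then
               echo reachable          # any answer, even 4xx, proves the path is open
           else
               echo "server-error-$http"
           fi ;;
        5|6)   echo dns-failure ;;                         # proxy or host did not resolve
        7)     echo connect-refused-or-blocked ;;
        28)    echo timeout-likely-dropped-by-firewall ;;
        35|60) echo tls-failure-check-inspection-proxy ;;  # handshake or untrusted cert
        *)     echo "curl-error-$rc" ;;
    esac
}

# Succeeds when the documented IP is among the addresses DNS returned.
ip_allowed() {
    expected=$1; shift
    for ip in "$@"; do
        if [ "$ip" = "$expected" ]; then return 0; fi
    done
    return 1
}

# probe METHOD HOST: certificate checking stays on (no -k) so interception shows up.
probe() {
    rc=0
    http=$(curl -s -o /dev/null -m 10 -X "$1" -w '%{http_code}' "https://$2/") || rc=$?
    classify "$rc" "$http"
}

main() {
    echo "$ENDPOINTS" | while IFS='=' read -r host want; do
        ips=$(getent ahostsv4 "$host" | awk '{print $1}' | sort -u)
        if ip_allowed "$want" $ips; then echo "$host DNS matches $want"
        else echo "$host DNS differs from documented $want:" $ips; fi
        echo "$host GET  $(probe GET "$host")"
        echo "$host POST $(probe POST "$host")"
    done
}
# Live probes run only with --run, so the functions can be sourced and tested offline.
if [ "${1:-}" = "--run" ]; then main; fi
```

A DNS mismatch means an IP-based firewall rule built from the addresses on this page may no longer cover the host, even if a URL-based rule still works.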


Phone Home Message Flow

  1. After Phone Home is enabled, the message flow is as described below.
    1. NOTE: No inbound firewall rules from the Internet are required.
    2. NOTE: No data is collected other than support logs that can be created in the About Icon Backup tab and is uploaded to support through the support if Phone Home is disabled.  
    3. NOTE: No remote control functionality is possible with the phone home feature
    4. NOTE: No PHI data of any kind is collected in support data
    5. NOTE: if configured a proxy device can be used to reach the Internet.
    6. NOTE: url or IP based firewall information is provided on this page
  2. Eyeglass Appliance, Golden Copy or Search & Recover product appliance phone home actions
    1. After Phone Home is first enabled from the About Icon, a registration request is sent via HTTPS POST to https://na-static-phonehome.supernaeyeglass.com that includes the appliance ID and appliance version information.
    2. Twice per 24 hours a heartbeat is sent via an HTTPS POST to https://na-static-phonehome.supernaeyeglass.com that updates the portal that the appliance is still alive and running.
    3. Once per 5 minutes (random time within the 5 minutes) the appliance sends an HTTPS GET request to the https://na-static-phonehome.supernaeyeglass.com URL to see if a remote log upload has been requested.
      1. If there is no request to upload logs, no action is taken and phone home sleeps until the next 5 minute log upload request window.
      2. If a request to upload logs is returned from the HTTPS GET request, the appliance will generate a support logs zip file and then HTTPS POST the zip file to this URL: https://cloudapps.supernaeyeglass.com
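
The message flow above gives a predictable egress pattern that can be checked from proxy or firewall logs. The following is an added example, not part of Superna's documentation: it flags destinations outside the two documented hosts, records log uploads, and reports gaps in the 5 minute poll. The log format (epoch seconds, method, host, bytes sent) and the sample lines are constructed, and the 600 second gap threshold is an assumption derived from one poll at a random time within each 5 minute window.

```shell
# Constructed proxy log for one appliance: epoch-seconds method host bytes-sent
sample_log() {
    cat <<'EOF'
1700000000 POST na-static-phonehome.supernaeyeglass.com 512
1700000120 GET na-static-phonehome.supernaeyeglass.com 0
1700000390 GET na-static-phonehome.supernaeyeglass.com 0
1700000700 GET na-static-phonehome.supernaeyeglass.com 0
1700000705 POST cloudapps.supernaeyeglass.com 48211934
1700002000 GET na-static-phonehome.supernaeyeglass.com 0
1700002100 POST files.example.net 90000
EOF
}

# Flag egress that does not fit the documented phone-home pattern (reads the log on stdin).
audit_phonehome_log() {
    awk -v poll="na-static-phonehome.supernaeyeglass.com" \
        -v upload="cloudapps.supernaeyeglass.com" -v maxgap=600 '
        # Any other destination is outside the documented flow.
        $3 != poll && $3 != upload { print "UNEXPECTED_HOST " $3; next }
        # Polls: one GET per 5-minute window, so consecutive GETs are under 600 s apart.
        $2 == "GET" && $3 == poll {
            if (last != "" && $1 - last > maxgap)
                print "POLL_GAP " ($1 - last) "s before " $1
            last = $1
        }
        # A POST to the upload host is a support-log upload; record its size.
        $2 == "POST" && $3 == upload { print "LOG_UPLOAD " $4 " bytes at " $1 }
    '
}

# Demo run over the constructed sample.
sample_log | audit_phonehome_log
```

Registration and heartbeat POSTs to the polling host pass silently, so every line the function prints is something to correlate with a support request or investigate.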


Eyeglass Proxy Login Message Flow between Eyeglass VM and Isilon/PowerScale

  1. Eyeglass browser  https --> Eyeglass VM
  2. Eyeglass VM --> SMB2 standard Microsoft authentication request sent to the Isilon/PowerScale IP address used to add the cluster to Eyeglass.
  3. Isilon/PowerScale sends an authentication request to AD to validate the password.
  4. Eyeglass --> sends a REST API request to Isilon/PowerScale requesting AD group membership for User X from the login request.
  5. Isilon/PowerScale returns Authentication request to Eyeglass VM.
  6. Isilon/PowerScale returns list of AD groups the user is a member of in AD.
  7. Eyeglass compares AD groups to Role based Access configuration to determine permissions in Eyeglass and displays Icons based on this security evaluation process.
  8. User desktop loads based on role configured.


Eyeglass Scalability Limits and Appliance Memory Minimum Requirements

| Scaling Limit Area | Tested Scaling Limits | Notes |
|---|---|---|
| Number of Managed Clusters, 1 appliance | 22 | Contact Support for RAM requirement |
| Number of shares replicated (total across all clusters) | 15,000 | Requires 16G RAM |
| Number of Exports replicated (total across all clusters) | 10,000 | Requires 16G RAM |
| Number of NFS aliases replicated (total across all clusters) | 10,000 | Requires 16G RAM |
| Number of Quotas replicated (total across all clusters) | 20,000 | Requires 16G RAM |
| | > 20,000 | > 20,000: 32-64G RAM |
| SyncIQ Policies, all clusters | > 100 | Requires 32G-64G RAM |
| Failover job limitations | 100 policies selected in a single failover | Requires 32G RAM |
| Failover job total object count (shares + exports + quotas) | > 10,000 | Requires 32G RAM |
| | or > 50,000 | Requires 64G RAM |
| Clusters added to the appliance | 4 | Requires 32G RAM |
| | 4 - 8 clusters | Requires 64G RAM |
| | > 8 | Contact Support |

 

Copyright Superna LLC