Administration Guides
Eyeglass Ports Requirements, Scalability Limits and Phone Home Requirements
- Eyeglass Ports Requirements
- Eyeglass Support and Phonehome Whitelist URLs
- PC Browser Upload and support site usage URL whitelist for full access to (support.superna.net)
- Download software and download license keys from support.superna.net
- Phone Home Remote Monitoring Test Internet URL Steps
- Phone Home Message Flow
- Eyeglass Proxy Login Message Flow between Eyeglass VM and Isilon/PowerScale
- Eyeglass Scalability Limits and Appliance Memory Minimum Requirements
Eyeglass Ports Requirements
Port | Protocol | Direction | Eyeglass Release | Product Requires the ports open | Function |
Operating System Open Suse 15.1 | It is the customer's responsibility to patch the operating system and allow Internet repository access for automatic patching. The OS is not covered by the support agreement. | ||||
DNS port 53 UDP | DNS | Eyeglass --> DNS server Eyeglass --> GroupNet DNS configured on all clusters | All | Functional DNS is a requirement for multiple validations needed for failover and Failover Readiness | |
Phone Home Monitoring TLS 443 | TCP TLS 1.2 | Eyeglass appliance --> Internet | All | DR Monitoring service remote monitoring OR phone home remote log upload for support and health checks for Ransomware Defender, Easy Auditor and Performance Auditor products. See phone home Internet ports that need to be opened below. | |
NTP 123 | UDP | Eyeglass appliance --> NTP server in your environment | All | Time sync should use the same NTP as the clusters. Always disable the VMware host VM time sync option. | |
SMTP 25 | TCP | Eyeglass appliance --> Mail server in your environment | All | Email of alarms from Eyeglass to your mail server | |
OS Repo for Security patches 80 http | TCP | Eyeglass appliance --> open suse mirror repositories | All | | |
HTTPS over port 8080 | TCP TLS 1.2 | Eyeglass appliance → Isilon/PowerScale cluster | All | REST API is authenticated using the service account created here. Authentication uses Isilon session authentication method. | |
SSH port 22 | AES | Eyeglass appliance → Isilon/PowerScale cluster | All | SSH access for some CLI commands | |
NFS TCP, UDP 111, 2049 (in some environments UDP 300) | TCP & UDP | ECA → Isilon Cluster | Ransomware Defender, Easy Auditor, Performance Auditor | Audit Data Ingestion | |
9090 | TCP | Eyeglass → ECA clusters | 2.5.8 update 1 | Ransomware Defender, Easy Auditor, Performance Auditor | Prometheus Database for event stats |
Syslog for ECA clusters to send logs to Eyeglass using port 5514 | TCP | ECA clusters → Eyeglass Appliance | Ransomware Defender, Easy Auditor, Performance Auditor | Syslog (non-standard port) used to send ECA cluster VM logs to Eyeglass for support logs (enabled in Eyeglass; can be disabled if no ECA is deployed). | |
HTTPS 443 | TCP TLS 1.2 AES - unsigned certificate | admin pc browser → appliance | All | Secures client to browser access. | |
target port 80 → destination random TCP source port on the browser | only used to redirect to 443, can be blocked if needed | admin pc browser → appliance | All (optional) | If a connection is made to the IP address on port 80, an HTTP 301/302 redirect is returned on port 80 to switch the browser to HTTPS and the URL https://x.x.x.x/eyeglass. NOTE: No services run on port 80; it is only used to redirect to port 443 HTTPS. | |
https 2011 websocket | TCP TLS 1.2 AES | admin pc browser → appliance | > 2.5.7 update 1 not required | DR | Websocket for real-time appliance to browser updates (redirected to 2012). |
2012 TLS websocket | TCP TLS 1.2 AES | admin pc browser → appliance | > 2.5.7 update 1 not required | DR | Websocket for real-time appliance to browser updates (redirected to 2012). |
2013 TLS websocket | TCP TLS 1.2 AES | admin pc browser → appliance | > 2.5.7 update 1 not required | Easy Auditor | Websocket for Easy Auditor wiretap feature (only required if this product is installed). |
2014 TLS websocket (new Performance Auditor) | TCP TLS 1.2 AES | admin pc browser → appliance | > 2.5.7 update 1 not required | Performance Auditor | Websocket for Performance Auditor application (only required if this product is licensed and installed). |
SSH 22 | TCP AES | admin pc workstation → appliance | All | secure shell access. | |
Proxy login SMB 2 (only) 445 | TCP | appliance → Isilon/PowerScale | > 2.5.7 SMB3 supported with encryption | All | Used to authenticate to AD through Isilon/PowerScale using standard Microsoft SMB authentication request for Role based login proxy interface. |
SMB Security Guard Ransomware Defender SMB TCP 445 SMB2 only | TCP | appliance → Isilon/PowerScale | > 2.5.7 SMB3 supported with encryption | Ransomware Defender | Used by Ransomware Defender (if licensed) to simulate ransomware attack automation. |
SMB Security Guard Ransomware Defender SMB for TCP 9021 https | TCP | appliance → ECS | > 2.5.9 with S3 over HTTPS | Defender for ECS | Used by Defender for ECS to simulate ransomware attack automation. |
SMB Robo Audit Easy Auditor SMB TCP 445 SMB2 only | TCP | appliance → Isilon/PowerScale | > 2.5.9 SMB3 supported with encryption | Easy Auditor | Used by Easy Auditor to test audit health for audit data ingestion and database health automation (if licensed). |
Dual DNS Delegation | UDP | appliance port 53 UDP DNS --> Groupnet(x) DNS servers | DR | This is new in 2.5.6 or later and requires Eyeglass to be able to access the Groupnet DNS servers to validate Dual DNS delegation is configured correctly. The OS DNS is not used since the DNS that must be configured correctly is used by Isilon/PowerScale itself. | |
Internet Control Message Protocol | ICMP | appliance --> PowerScale | All | If for any reason ICMP is disabled, or PMTUD is not supported, OneFS defaults the MTU to 536 bytes, which typically leads to performance degradation. |
Eyeglass Support and Phonehome Whitelist URLs
PC Browser Upload and support site usage URL whitelist for full access to (support.superna.net)
- https://*.zopim.com (your pc browser --> Internet, Internet --> your pc browser)
- https://licenses.supernaeyeglass.com (your pc browser --> Internet, Internet --> your pc browser)
- https://support.superna.net (your pc browser --> Internet, Internet --> your pc browser)
- https://supernahelp.zendesk.com (your pc browser --> Internet, Internet --> your pc browser)
- https://cloudapps.supernaeyeglass.com (your pc browser --> Internet)
Download software and download license keys from support.superna.net
- https://software.supernaeyeglass.com (your pc browser <-- Internet)
- https://licenses.supernaeyeglass.com (your pc browser --> Internet, Internet --> your pc browser)
Phone Home Remote Monitoring Test Internet URL Steps
Overview: faster, more efficient support; enables proactive response without your involvement.
How to test firewall port access to the required URLs
- SSH to the Eyeglass appliance as the admin user
- Type the admin password (default: 3y3gl4ss)
- Execute the command below to test a GET request:
wget https://na-static-phonehome.supernaeyeglass.com
- Execute the command below to test a POST request:
curl -X POST -k http://na-static-phonehome.supernaeyeglass.com
- Send us the output of Step #3 and #4.
- Done.
- The Monitoring service requires the following URLs to be allowed:
- https://cloudapps.supernaeyeglass.com (appliance to Internet)
- Note: Superna has changed the IP address for this URL; please whitelist IP address 35.244.217.10
- https://na-static-phonehome.supernaeyeglass.com (appliance to Internet), IP address 35.207.34.234
Phone Home Message Flow
- After Phone Home is enabled, the message flow is as described below.
- NOTE: No inbound firewall rules from the Internet are required.
- NOTE: No data is collected other than support logs that can be created in the About Icon Backup tab and is uploaded to support through the support if Phone Home is disabled.
- NOTE: No remote control functionality is possible with the phone home feature
- NOTE: No PHI data of any kind is collected in support data
- NOTE: If configured, a proxy device can be used to reach the Internet.
- NOTE: URL or IP based firewall information is provided on this page.
- Eyeglass Appliance, Golden Copy or Search & Recover product appliance phone home actions
- After Phone Home is first enabled from the About Icon, a registration request is sent via HTTPS POST to https://na-static-phonehome.supernaeyeglass.com that includes the appliance ID and appliance version information.
- Twice per 24 hours a heartbeat is sent via an HTTPS POST to https://na-static-phonehome.supernaeyeglass.com to update the portal that the appliance is still alive and running.
- Once per 5 minutes (at a random time within the 5 minutes) the appliance sends an HTTPS GET request to the https://na-static-phonehome.supernaeyeglass.com URL to see if a remote log upload has been requested.
- If there is no request to upload logs, no action is taken and phone home sleeps until the next 5 minute log upload request window.
- If a request to upload logs is returned from the HTTPS GET request, the appliance generates a support logs zip file and then sends the zip file via HTTPS POST to https://cloudapps.supernaeyeglass.com
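The flow above can serve as an egress baseline for the appliance. The following is an added example, not Superna code: it classifies constructed proxy log lines against the documented phone-home endpoints and methods. The log format, the 10.0.0.50 appliance address and files.example.net are assumptions, and other documented outbound traffic (such as the OS repository on port 80) is out of scope.

```python
from urllib.parse import urlsplit

# Phone-home endpoints documented on this page, and the method each flow uses.
PHONEHOME = "na-static-phonehome.supernaeyeglass.com"
UPLOAD = "cloudapps.supernaeyeglass.com"
EXPECTED = {
    (PHONEHOME, "POST"): "registration-or-heartbeat",
    (PHONEHOME, "GET"): "upload-request-poll",
    (UPLOAD, "POST"): "support-log-upload",
}

# Constructed proxy log lines (assumed format):
#   <ISO time> <source IP> <METHOD> <URL> <bytes sent>
# 10.0.0.50 stands in for the appliance address.
SAMPLE_LOG = """\
2024-01-10T08:00:03Z 10.0.0.50 POST https://na-static-phonehome.supernaeyeglass.com/ 412
2024-01-10T08:04:41Z 10.0.0.50 GET https://na-static-phonehome.supernaeyeglass.com/ 0
2024-01-10T08:05:10Z 10.0.0.50 POST https://cloudapps.supernaeyeglass.com/ 18874368
2024-01-10T08:06:00Z 10.0.0.50 POST http://na-static-phonehome.supernaeyeglass.com/ 120
2024-01-10T08:07:30Z 10.0.0.50 POST https://files.example.net/ 5242880
"""

def classify(line):
    """Return (verdict, detail) for one proxy log line from the appliance."""
    _ts, _src, method, url, _sent = line.split()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in (PHONEHOME, UPLOAD):
        return "alert", f"unexpected destination {host}"
    # The documented flow is HTTPS only, on TCP 443.
    if parts.scheme != "https" or (parts.port or 443) != 443:
        return "alert", f"not HTTPS on 443: {url}"
    flow = EXPECTED.get((host, method))
    if flow is None:
        return "alert", f"unexpected {method} to {host}"
    # A log upload moves a support zip off-site, so surface it for review.
    return ("review" if flow == "support-log-upload" else "ok"), flow

def audit(log_text):
    """Classify every non-empty line of a proxy log."""
    return [classify(l) for l in log_text.splitlines() if l.strip()]

if __name__ == "__main__":
    for line, (verdict, detail) in zip(SAMPLE_LOG.splitlines(), audit(SAMPLE_LOG)):
        print(f"{verdict:6} {detail:45} {line}")
```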
Eyeglass Proxy Login Message Flow between Eyeglass VM and Isilon/PowerScale
- Eyeglass browser https --> Eyeglass VM
- Eyeglass VM --> SMB2 standard Microsoft authentication request sent to Isilon/PowerScale ip address used to add cluster to Eyeglass.
- Isilon/PowerScale sends authentication request to AD to validate password.
- Eyeglass --> sends a REST API request to Isilon/PowerScale requesting AD group membership for User X from the login request.
- Isilon/PowerScale returns Authentication request to Eyeglass VM.
- Isilon/PowerScale returns list of AD groups the user is a member of in AD.
- Eyeglass compares AD groups to Role based Access configuration to determine permissions in Eyeglass and displays Icons based on this security evaluation process.
- User desktop loads based on role configured.
Eyeglass Scalability Limits and Appliance Memory Minimum Requirements