1.3. Network Requirements

The ASGARD components use the ports listed in the following chapters. For a detailed and up-to-date list of our update and licensing servers, please visit https://www.nextron-systems.com/resources/hosts/.

1.3.1. ASGARD Agent

| Description | Port | Source | Destination |
|---|---|---|---|
| Agent to Server communication | 443/tcp | ASGARD Agent | Broker / ASGARD |
| Retrieve certificate | 443/tcp | ASGARD Agent | Lobby |

Warning

Your agents will always try to contact your ASGARD directly, and if this fails, they will try the Lobby or Brokers. If you deploy agents with a broker network configuration in your internal network and they can contact the ASGARD directly, they will not be able to get a valid certificate from your Lobby. This is not an issue if your Lobby is exposed to the internet and your agents are able to request a certificate once they connect from the open internet.

If your Lobby is not exposed to the internet, the agents must not be able to contact your ASGARD directly, but rather your Lobby. To achieve this, you have to ensure that your agents cannot communicate directly with your ASGARD, but only directly with the Lobby and a Broker (e.g. your ASGARD sits behind an internal Broker and cannot be reached directly).

It is important to remember that your agents need a valid certificate from your Lobby, otherwise the Broker connection cannot be established. This "onboarding phase" happens once during the initial communication, so that your agents can get their unique key material for the secure channel within the broker network. For more information on how the Lobby operates, see the chapter Using the Lobby.

Your agents try to connect to the servers in the following order of priority:

| Server | Priority | Info |
|---|---|---|
| ASGARD | 1 | Always highest priority |
| Lobby | 2 | If agent has no Broker Certificate |
| Broker | 3 | If agent has Broker Certificate |

1.3.2. Gatekeeper

| Description | Port | Source | Destination |
|---|---|---|---|
| Statistics; pull CA [2] and CRL [3] | 12000/tcp | Gatekeeper | Lobby |
| Statistics; push CA [2] and CRL [3] | 12000/tcp | Gatekeeper | Broker |
| Create secure tunnel per client | 12001-1200x/tcp (x = CPU count of Broker) | Gatekeeper | Broker |

Note

Your Gatekeeper receives the root CA certificate, client certificates and CRL from the Lobby. The Gatekeeper then transmits them to all Brokers, so that the Brokers keep an up-to-date state of allowed and revoked agents.

1.3.3. ASGARD

| Description | Port | Source | Destination |
|---|---|---|---|
| Backend management of Gatekeeper, Broker and Lobby; Agent communication | 12000/tcp | ASGARD | Gatekeeper |

1.3.4. Management Workstation

| Description | Port | Source | Destination |
|---|---|---|---|
| CLI administration | 22/tcp | Workstation | Broker |
| CLI administration | 22/tcp | Workstation | Gatekeeper |
| CLI administration | 22/tcp | Workstation | Lobby |
| Web administration | 9443/tcp | Workstation | Lobby |

1.3.5. Internet

The Broker Network components are configured to retrieve updates from the following remote systems.

| Description | Port | Source | Destination |
|---|---|---|---|
| Product and system updates | 443/tcp | Gatekeeper, Lobby, Broker | update3.nextron-systems.com |
| NTP | 123/udp | Gatekeeper, Lobby, Broker | 0.debian.pool.ntp.org [4] |
| NTP | 123/udp | Gatekeeper, Lobby, Broker | 1.debian.pool.ntp.org [4] |
| NTP | 123/udp | Gatekeeper, Lobby, Broker | 2.debian.pool.ntp.org [4] |

All proxy systems should be configured to allow access to these URLs without TLS/SSL interception, because ASGARD uses client-side SSL certificates for authentication. It is possible to configure a proxy server, username and password during the setup process of the ASGARD platform. Only BASIC authentication is supported (no NTLM authentication support).

1.3.6. DNS

All the components need to have a resolvable FQDN.

Brokers facing the open internet need to be resolvable with a public FQDN and IP address, so make sure to configure the necessary A records before setting up an external-facing Broker and/or Lobby.
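
The flow tables in 1.3.1 to 1.3.4 and the Warning about direct ASGARD access can be checked against a planned firewall policy. The following Python is an added example, not code from the ASGARD documentation or product; the role labels, function names, rule-tuple format and the reading of "12001-1200x" as 12001 through 12000 + CPU count are assumptions made for illustration. It covers internal flows only, not the update and NTP destinations in 1.3.5.

```python
# Added example: flow matrix transcribed from the tables in 1.3.1 to 1.3.4.
# Role names are hypothetical labels; map them to your own firewall zones.
REQUIRED = [  # (source, destination, port, proto)
    ("agent", "broker", 443, "tcp"),
    ("agent", "lobby", 443, "tcp"),
    ("gatekeeper", "lobby", 12000, "tcp"),
    ("gatekeeper", "broker", 12000, "tcp"),
    ("asgard", "gatekeeper", 12000, "tcp"),
    ("workstation", "broker", 22, "tcp"),
    ("workstation", "gatekeeper", 22, "tcp"),
    ("workstation", "lobby", 22, "tcp"),
    ("workstation", "lobby", 9443, "tcp"),
]


def required_flows(broker_cpus):
    """Page matrix plus one Gatekeeper->Broker tunnel port per Broker CPU."""
    # Assumption: "12001-1200x" means ports 12001 .. 12000 + CPU count.
    tunnels = [("gatekeeper", "broker", 12000 + i, "tcp")
               for i in range(1, broker_cpus + 1)]
    return REQUIRED + tunnels


def audit(allowed, broker_cpus, lobby_internet_exposed):
    """Return (missing, warnings) for allowed (src, dst, port, proto) rules."""
    allowed = set(allowed)
    missing = [f for f in required_flows(broker_cpus) if f not in allowed]
    warnings = []
    # Agents try ASGARD first. If that succeeds and the Lobby is internal-only,
    # they never onboard at the Lobby and never get a Broker certificate.
    if ("agent", "asgard", 443, "tcp") in allowed and not lobby_internet_exposed:
        warnings.append(
            "agent can reach ASGARD directly while Lobby is internal-only")
    return missing, warnings


# Constructed sample policy (not from a real deployment): one tunnel port is
# missing and agents are allowed to reach ASGARD directly.
SAMPLE = [f for f in required_flows(2) if f[2] != 12002]
SAMPLE.append(("agent", "asgard", 443, "tcp"))

if __name__ == "__main__":
    missing, warnings = audit(SAMPLE, broker_cpus=2,
                              lobby_internet_exposed=False)
    for flow in missing:
        print("MISSING  %s -> %s %d/%s" % flow)
    for text in warnings:
        print("WARNING ", text)
```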