    Firewall Considerations

    The AM/AMM requires ports in the firewall to be open in order to function correctly. The sections below provide information on which ports need to be open and what their purpose is.

    Notes:

    • All firewall rules must be stateful.

    Deployment Diagram

    Firewall Port Requirements for AirLink OS, MGOS and ALEOS Deployments

    AM/AMM Users

    | Source Host/Network | Destination Host/Network | Protocol/Port | Service | Notes |
    |---|---|---|---|---|
    | AM/AMM Administrator Workstation | AM/AMM Server | TCP 2222 | SSH | for Admin access to CLI |
    | AM/AMM User Workstation | AM/AMM Server | TCP 443 | HTTPS | |
    | AM/AMM User Workstation | maps.googleapis.com, maps.google.com, www.google.com | TCP 443 | Geolocation Services | Map-based reporting and services |

    AM/AMM System

    | Source Host/Network | Destination Host/Network | Protocol/Port | Service | Notes |
    |---|---|---|---|---|
    | AM/AMM Server | DNS Server | UDP 53 | DNS | |
    | AM/AMM Server | NTP Server | UDP 123 | NTP | |
    | AM/AMM Server | SMTP Server | TCP 25 | Mail relay service for system alerts | |
    | AM/AMM Server | LDAP Server | TCP 636 or 389 | Secure LDAP Integration | |
    | AM/AMM Server | maps.googleapis.com | TCP 443 | Geolocation Services | Geocoding events/reports |
    | AM/AMM Server | repo.airlink.com | TCP 443 | Ability to update your on-premise AMM repository for router firmware updates | (Optional) Alternatively, firmware packages can be manually downloaded from Source and uploaded to the AM/AMM |

    Optional High Availability Feature (Primary/Secondary Servers)

    | Source Host/Network | Destination Host/Network | Protocol/Port | Service | Notes |
    |---|---|---|---|---|
    | AM/AMM Server peer 1 | AM/AMM Server peer 2 | UDP 5404, 5405 | Corosync | |
    | AM/AMM Server peer 1 | AM/AMM Server peer 2 | TCP 2224, 3121, 21064 | Pacemaker | |
    | AM/AMM Server peer 1 | AM/AMM Server peer 2 | TCP 2222 | SSH | |
    | AM/AMM Server peer 1 | AM/AMM Server peer 2 | TCP 80 | Public Key Exchange | |
    | AM/AMM Server peer 1 | AM/AMM Server peer 2 | TCP 3306 | MySQL replication | |
    | AM/AMM Server peer 1 | AM/AMM Server peer 2 | ICMP-Ping | HA Heartbeat signal | |

    MG90 Routers

    | Source Host/Network | Destination Host/Network | Protocol/Port | Service | Notes |
    |---|---|---|---|---|
    | MGOS Router Networks (or 0.0.0.0/0) | AM/AMM Server | UDP 1194-1197 | Management Tunnel | SSL VPN |
    | AM/AMM User Workstation | AM/AMM Server | TCP 5900-6000 | (Optional) Access Console and Total Reach for MGOS | |

    ALEOS Routers (MP,RV,GX,LX,LS)

    | Source Host/Network | Destination Host/Network | Protocol/Port | Service | Notes |
    |---|---|---|---|---|
    | ALEOS Router Networks (or 0.0.0.0/0) | AM/AMM Server | TCP 8083 | HTTPS | |
    | ALEOS Router Networks (or 0.0.0.0/0) | AM/AMM Server | UDP 1190-1193 | Management Tunnel | SSL VPN |
    | ALEOS Router Networks (or 0.0.0.0/0) | AM/AMM Server | TCP 44900 | AirLink Application Framework (AAF) communication to AM/AMM | |

    AirLink OS routers (XR, RX55 Wi-Fi Plus)

    | Source Host/Network | Destination Host/Network | Protocol/Port | Service | Notes |
    |---|---|---|---|---|
    | AirLink OS router Networks (or 0.0.0.0/0) | AM/AMM Server | UDP 5684 | LwM2M bootstrap service | |
    | AirLink OS router Networks (or 0.0.0.0/0) | AM/AMM Server | UDP 5686 | LwM2M device management service | |
    | AirLink OS router Networks (or 0.0.0.0/0) | AM/AMM Server | UDP 1198 | Management Tunnel | SSL VPN |
    | AirLink OS router Networks (or 0.0.0.0/0) | AM/AMM Server | TCP 443 | HTTPS | |

    Additional Requirements for MGOS gateways if Management Tunnel is not used (***Not common***)

    | Source Host/Network | Destination Host/Network | Protocol/Port | Service | Notes |
    |---|---|---|---|---|
    | MGOS Router Networks (or 0.0.0.0/0) | AM/AMM Server | ICMP | Ping | Only required if the AM/AMM server will be used as a WAN monitor target for deployed routers, and can potentially be locked down to specific address ranges |
    | MGOS Router Networks (or 0.0.0.0/0) | AM/AMM Server | TCP 20-21, TCP 49152-49252 | FTP | Device to server log file FTP (Passive) |
    | MGOS Router Networks (or 0.0.0.0/0) | AM/AMM Server | TCP 9987 | SFTP | Device to server batchlogger log SFTP |
    | MGOS Router Networks (or 0.0.0.0/0) | AM/AMM Server | TCP 80 | Software download | Required for router software download from AM/AMM server if the management tunnel is not in use |
    | MGOS Router Networks (or 0.0.0.0/0) | AM/AMM Server | TCP/UDP 1501 | Messages | Device to server messages |

    Additional Requirements for ALEOS routers if Management Tunnel is not used (***Not common***)

    | Source Host/Network | Destination Host/Network | Protocol/Port | Service | Notes |
    |---|---|---|---|---|
    | ALEOS Router Networks (or 0.0.0.0/0) | AM/AMM Server | TCP 80 | Software download | Required for ALEOS router software download from AM/AMM server |
    | ALEOS Router Networks (or 0.0.0.0/0) | AM/AMM Server | TCP 20-21, TCP 49152-49252 | FTP | Required if using Uploadlog for log file (FTP) upload |
    | ALEOS Router Networks (or 0.0.0.0/0) | AM/AMM Server | TCP 8082 | HTTP | Required for ALEOS router communication to server (MSCI) |

    Remote Access for Implementation and Support (Optional)

    | Source Host/Network | Destination Host/Network | Protocol/Port | Service | Notes |
    |---|---|---|---|---|
    | AM/AMM Server | cproxy1.airlink.com, cproxy2.airlink.com | UDP 1194 | Reverse Proxy | SSL VPN |
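
As an added illustration (not vendor-supplied configuration), the inbound rows above for an ALEOS and AirLink OS deployment using the management tunnel, with the optional HA peer, can be written as a stateful nftables ruleset. It assumes the filter runs on a Linux host or gateway in front of the AM/AMM server; all addresses are constructed from documentation ranges and the table name is arbitrary.

```nftables
#!/usr/sbin/nft -f
# Added example: inbound policy for an AM/AMM server (ALEOS + AirLink OS
# routers over the management tunnel). Addresses below are constructed
# placeholders (RFC 5737 ranges); substitute your own networks.

define ADMIN_NET  = 192.0.2.0/28      # administrator workstations (assumed)
define USER_NET   = 192.0.2.0/24      # AM/AMM user workstations (assumed)
define ROUTER_NET = 198.51.100.0/24   # router networks; 0.0.0.0/0 if not known
define HA_PEER    = 203.0.113.11      # AM/AMM Server peer (assumed, optional)

table inet amm_filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Stateful requirement: return traffic of permitted flows is
        # accepted by connection tracking, not by per-port reply rules.
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # AM/AMM Users
        ip saddr $ADMIN_NET tcp dport 2222 ct state new accept  # SSH, CLI admin
        ip saddr $USER_NET  tcp dport 443  ct state new accept  # HTTPS

        # ALEOS routers: HTTPS, AAF, management tunnel
        ip saddr $ROUTER_NET tcp dport { 8083, 44900 } ct state new accept
        ip saddr $ROUTER_NET udp dport 1190-1193 ct state new accept

        # AirLink OS routers: LwM2M bootstrap/management, tunnel, HTTPS
        ip saddr $ROUTER_NET udp dport { 5684, 5686, 1198 } ct state new accept
        ip saddr $ROUTER_NET tcp dport 443 ct state new accept

        # Optional HA: Corosync, Pacemaker, SSH, key exchange, MySQL, ping
        ip saddr $HA_PEER udp dport { 5404, 5405 } ct state new accept
        ip saddr $HA_PEER tcp dport { 2224, 3121, 21064, 2222, 80, 3306 } ct state new accept
        ip saddr $HA_PEER icmp type echo-request accept

        # Everything else falls through to the drop policy; log a sample.
        limit rate 10/minute log prefix "amm-drop "
    }
}
```

Outbound flows from the server (DNS, NTP, SMTP, LDAP, maps.googleapis.com, repo.airlink.com) are not restricted by this chain and would need matching rules on any egress filter.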
