Appliance Firewall Rules

This document describes the network services offered by the appliance.

EJBCA

| Service | Interface | Direction | Protocol | Destination Port | Comment |
|---|---|---|---|---|---|
| EJBCA CA web | APP, MGMT | in | HTTPS | 443 | http[s]://{hostname}/ejbca/adminweb |
| EJBCA RA web | APP, MGMT | in | HTTPS | 80, 443 | http[s]://{hostname}/ejbca/ra |
| EJBCA documentation | APP, MGMT | in | HTTP, HTTPS | 80, 443 | http[s]://{hostname}/ejbca/doc |
| EJBCA CRL distribution | APP, MGMT | in | HTTP, HTTPS | 80, 443 | http[s]://{hostname}/ejbca/publicweb/webdist/certdist?cmd=[crl\|deltacrl]&issuer={subjectDn} |
| EJBCA CA certificate distribution | APP, MGMT | in | HTTP, HTTPS | 80, 443 | http[s]://{hostname}/ejbca/publicweb/certificates/search.cgi |
| EJBCA healthcheck | APP, MGMT | in | HTTP, HTTPS | 80, 443 | http://{hostname}/ejbca/publicweb/healthcheck/ejbcahealth; http://{hostname}/ejbca/publicweb/healthcheck/vastatus |
| EJBCA web service API | APP, MGMT | in | HTTPS | 443 | https://{hostname}/ejbca/ejbcaws/ejbcaws?wsdl |
| EJBCA OCSP responder | APP, MGMT | in | HTTP, HTTPS | 80, 443 | http[s]://{hostname}/ejbca/publicweb/status/ocsp |
| EJBCA SCEP | APP, MGMT | in | HTTP, HTTPS | 80, 443 | http[s]://{hostname}/ejbca/publicweb/apply/scep/[{alias}/]pkiclient.exe |
| EJBCA CMP | APP, MGMT | in | HTTP, HTTPS | 80, 443 | http[s]://{hostname}/ejbca/publicweb/cmp[/{alias}] |
| EJBCA ACME | APP, MGMT | in | HTTP, HTTPS | 80, 443 | http[s]://{hostname}/ejbca/acme/[{alias}/] |
| EJBCA EST | APP, MGMT | in | HTTPS | 443 | https://{hostname}/ejbca/.well-known/est/[{alias}/] |
| EJBCA REST API | APP, MGMT | in | HTTP, HTTPS | 80, 443 | http[s]://{hostname}/ejbca/ejbca-rest-api |
| SCT submission | APP | out | HTTPS | configurable | CT log server configured in EJBCA's system configuration. |
| DNS lookups | APP | out | DNS | configurable | DNS server configured in EJBCA. Used for ACME domain validation and CAA. |
| Peer systems | APP | out (from CA), in (to RA and VA) | HTTPS | 443 | https://{hostname}/ejbca/peer/v1 |
| EJBCA LDAP publisher | APP | out | HTTP, HTTPS | configurable | LDAP server configured in EJBCA. |
| EJBCA AD publisher | APP | out | HTTP, HTTPS | configurable | AD server configured in EJBCA. |
| EJBCA SCP publisher | APP | out | SSH | 22 | SSH server configured in EJBCA. |
| Syslog | APP | out | syslog | 514 | UDP towards remote syslog host |
| Cluster Sync | APP | in/out | GRE | n/a | Cluster Sync over GRE encapsulation |
| NFS | MGMT | out | NFS3 | | TCP, NFS for Backup & updates |
| Network Time Protocol | MGMT? | out | NTP | 123 | UDP, Network Time Protocol |
| Network Management | APP, MGMT | in | SNMP | 161 | TCP, SNMP get (no traps) |

SignServer

| Service | Interface | Direction | Protocol | Destination Port | Comment |
|---|---|---|---|---|---|
| SignServer administration web | APP, MGMT | in | HTTPS | 443 | http[s]://{hostname}/signserver/adminweb |
| SignServer public web | APP, MGMT | in | HTTP, HTTPS | 80, 443 | http[s]://{hostname}/signserver |
| Time monitoring | APP | out | NTP | 53 | NTP server configured in the Time Monitor worker. |
| SignServer web service API | APP, MGMT | in | HTTPS | 443 | https://{hostname}/signserver/AdminWSService/AdminWS; https://{hostname}/signserver/ClientWSService/ClientWS |
| SignServer healthcheck | APP, MGMT | in | HTTP, HTTPS | 80, 443 | http://{hostname}/signserver/healthcheck/signserverhealth |
| Timestamping | APP | in | HTTP, HTTPS | 80, 443 | http[s]://{hostname}/signserver/process?workerId={workerId} |
| Certificate renewal using peer systems | APP | in | HTTPS | 443 | https://{hostname}/ejbca/peer/v1 |

Appliance

| Service | Interface | Direction | Protocol | Destination Port | Comment |
|---|---|---|---|---|---|
| Cluster communication | APP | out, in | GRE | N/A | If clustering is used. |
| WebConf | MGMT | in | HTTPS | 443 | https://{hostname}/webconf |
| NTP | MGMT | out | UDP | 123 | If NTP is enabled in WebConf. |
| SNMP | APP, MGMT | in | SNMP v2, SNMP v3 | 161 | SNMP get (no traps) |
| Syslog shipping | APP, MGMT | out | UDP | 514 | If syslog shipping is enabled in WebConf. |
| DNS | APP | out | DNS | 53 | If DNS is enabled in WebConf. |
| SSH | MGMT | in | SSH v2 | 22 | If SSH is enabled in WebConf. |
| Backups | MGMT | out | NFS v3/v4 | 111, 2049 | |
| Email notifications | APP | out | SMTP | 25 | Only if DNS is enabled and email notifications are used in EJBCA. |