Inhaltsverzeichnis

Network specifications and connection paths

The following overview shows the ports and protocols that are required for TightGate-Pro to be operated in the network. The internal firewall (packet filter or layer 3 switch) shown must be provided by the operator.

tgp_handbuch.jpg

Firewall settings

TightGate-Pro is generally intended for operation in a demilitarised zone (DMZ). It must be ensured that client computers in the internal network only connect to TightGate-Pro via the designated ports. Furthermore, direct Internet access by bypassing TightGate-Pro must be prevented using suitable firewalls or packet filters.

Connection paths that are not absolutely necessary for the proper operation of TightGate-Pro are marked as "optional" and should be deactivated if the functionality realised via them is not required.

Outgoing connections

For UDP connections, associated UDP response packets in the opposite direction must also be enabled.

Sender Destination Protocol Port(s) Remark Optional
TightGate-ProInternetTCP80, 443 or specific proxy portAccess for HTTP(S) connections to the Internet. If a proxy is connected upstream, the connection to the proxy must be enabled.
TightGate-Prom-privacy Update server TCP 22 or 443 or proxy SSH access via port 443 or 22 to update server of m-privacy GmbH
Attention: See also the configuration settings for the update.
TightGate-ProInternetUDP80, 443, 1024:65535Requests from WebRTC services such as Webex or Zoom. Webmeeting services may require additional network shares. These may vary depending on the application. X
TightGate-ProspecificUDP123Requests to time servers X
TightGate-ProspecificTCP + UDP53Requests to name servers X
TightGate-ProspecificTCP25Further authorisations required if e-mail services are to be used via TightGate-Pro:
POP3: 110 - POP3/SSL: 995
IMAP4: 143 - IMAP4/SSL: 993
X
TightGate-ProspecificTCP + UDP88Communication with Active Directory X
TightGate-ProspecificTCP389,636
3268,3269
Communication with Active Directory (LDAP / LDAPS)
Queries to determine a global catalogue
X
TightGate-ProspecificTCP21, 22Direct access to server via FTP, SFTP/SSH X
TightGate-ProspecificTCP + UDP 514, 2514, 3514Configurable ports for sending syslog messages to central syslog servers . for sending syslog messages to central syslog servers. (Syslog / RELP / RELPTLS) X
TightGate-ProspecificTCP
UDP
3389, 1494, 80, 443
1604
RDP or CITRIX server incoming and outgoing X

Incoming connections (LAN)

Originator Destination Protocol Port(s) Remark Optional
Clients
(workstation PC)
TightGate-Pro TCP 5900 TLS-encrypted connection of the TightGate-Viewers to TightGate-Pro.
Clients
(workstation PC)
TightGate-Pro TCP 22 SFTP-encrypted connection to use the file lock of TightGate-Pro. X
Administration networkTightGate-Pro TCP222
2222
22222
SSH access for the administration of TightGate-Pro. One of the ports can be set. If none of the ports is selected, administrative access is via port 22. X

Incoming connections (DMZ/Internet)

Sender Destination Protocol Port(s) Remark Optional
Internal DNS service TightGate-Pro Cluster system UDP
TCP
53 These ports are only to be released if a TightGate-Pro cluster is used. For responses that exceed the packet size of UDP, TCP port 53 must be released. X
Monitoring with SNMP TightGate-Pro UDP 161 SNMP requests X
Monitoring with NRPE TightGate-Pro TCP 5666 Access from ZenTiV or other NRPE-based monitoring systems X