Upgrading Software through a Firewall

Symptoms 

Your organization has a tight security policy that mandates a firewall blocking all external traffic, including traffic between your SoftNAS deployments and the outside world. This prevents SoftNAS from receiving necessary updates.

Purpose 

The purpose of this document is to outline the steps required to maintain access to the required IPs for SoftNAS updates without compromising the tight security requirements of organizational policy. More details on our latest releases for SoftNAS can be found in the Buurst® SoftNAS 5 Release Notes.

Note: Buurst recommends rebooting your system before performing a system upgrade. This ensures that the upgrade is performed on a stable system.

Note: In addition to this KB, if you are upgrading an HA pair, please refer to Maintenance Mode and Upgrading SNAP HA™ pair on SoftNAS 5.

 
Warning: If putting only one node into maintenance mode, synchronization need not occur. If both HA nodes need to be placed into maintenance, a forced synchronization will need to occur. 

Resolution 

Our goal, as mentioned, is to translate the mirroring system to a fixed URL or set of URLs that can be used when configuring any firewall. If you have already installed SoftNAS in a secure VPC and are unable to open HTTP traffic to the outside world, proceed with the following steps:

  1. Please whitelist port 443 for the following domains/IP addresses: 

    # softnas.com IP: 54.88.117.35/32  
    # mirror.softnas.com IP: 52.86.152.91/32

    Only outgoing access to port 443 on the above domain names/IP addresses is required. For example, at the level of an AWS and/or Azure Network Security Group, only 2 outgoing ALLOW rules are required, and no new inbound rules are needed.

  2. Please whitelist outgoing TCP for the following domain/IP address:

    # my.nalpeiron.com IP: 184.106.60.185/32
     
    Please note that the IP addresses might change over time. For example, the previous version of this document had a different IP address for mirror.softnas.com. At the same time, we are committed to using the same domain names, softnas.com and mirror.softnas.com, so whitelisting the domain names instead of the IP addresses is preferable.
     
  3. Next, test the above changes by running the commands below. If your firewall is properly configured, each command should return some feedback, as in the screenshot below (-k skips TLS certificate verification, so this confirms reachability only):
     
    # curl -k https://softnas.com/
    # curl -k https://mirror.softnas.com/
    # curl -k https://my.nalpeiron.com/

  4. If step 2 was successful, please head over to Storage Center → Settings → Software updates to begin the upgrade process. If not, please check your firewall and network traffic and try step 2 again.
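
One way to check an egress rule set against the destinations in steps 1 and 2, as an added example that is not Buurst's own tooling. The rule dictionaries are constructed samples shaped like the IpPermissionsEgress entries AWS returns for a security group, and port 443 for my.nalpeiron.com is an assumption taken from the HTTPS test in step 3.

```python
import ipaddress

# Destinations listed in steps 1 and 2 of this page. The page gives no port for
# my.nalpeiron.com; 443 is assumed here because step 3 tests it over HTTPS.
REQUIRED = [
    ("softnas.com", "54.88.117.35", 443),
    ("mirror.softnas.com", "52.86.152.91", 443),
    ("my.nalpeiron.com", "184.106.60.185", 443),
]

def rule_allows(rule, ip, port):
    """True if one egress rule permits TCP traffic to ip:port."""
    proto = rule["IpProtocol"]
    if proto not in ("tcp", "-1"):          # "-1" means all protocols
        return False
    if proto == "tcp" and not rule["FromPort"] <= port <= rule["ToPort"]:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r["CidrIp"], strict=False) for r in rule["IpRanges"])

def audit_egress(rules):
    """Return (missing, extra): required hosts that no rule reaches, and CIDRs
    in the rule set that are not one of the required /32 destinations."""
    missing = [name for name, ip, port in REQUIRED
               if not any(rule_allows(r, ip, port) for r in rules)]
    wanted = {ipaddress.ip_network(ip + "/32") for _, ip, _ in REQUIRED}
    extra = sorted({r["CidrIp"] for rule in rules for r in rule["IpRanges"]
                    if ipaddress.ip_network(r["CidrIp"], strict=False) not in wanted})
    return missing, extra

# Constructed sample rule sets (not taken from a real deployment).
TIGHT = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "54.88.117.35/32"}, {"CidrIp": "52.86.152.91/32"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "184.106.60.185/32"}]},
]
STALE = [  # mirror rule points at an outdated address; a catch-all rule remains
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "54.88.117.35/32"}, {"CidrIp": "203.0.113.10/32"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

if __name__ == "__main__":
    for label, rules in (("tight", TIGHT), ("stale", STALE)):
        missing, extra = audit_egress(rules)
        print(f"{label}: missing={missing} not_required={extra}")
```

Because the page notes that the IP addresses can change, the REQUIRED list should be refreshed from the current version of this document before each audit.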