Configuring Ports and Security Groups for SoftNAS and SoftNAS Platinum features





FlexFiles Lift and Shift

In addition to the standard ports required for a basic SoftNAS® configuration (namely SSH and HTTPS - see TCP/UDP ports required for accessing SoftNAS volumes for more details), FlexFiles and Lift and Shift™ require the following ports to be configured:



| Port | Traffic Type |
| --- | --- |
| 8081 | Data transfer port for FlexFiles Lift and Shift™. The target node requires port 8081 to be opened to the source node IP address, specified as a /32 CIDR (for example: 54.214.15.155/32). |
| 9443 | Web UI port for viewing FlexFiles. Port 9443 must be opened to the source node IP address of the instance running the browser used to view StorageCenter™, also specified as a /32 CIDR (for example: 54.214.15.125/32). |
| 8443 | For viewing FlexFiles. This port requires the IP address of the device running the browser used to view StorageCenter™ (e.g. 192.154.13.12/32). |

Note: For VMware clients, the same ports would need to be configured according to the on-premise server environment in your organization.


For best results, configure both source and target nodes with both ports 8081 and 9443, and allow traffic from both source and target IP to these ports.

Sample AWS Security Group 



Note: You will need to either create security groups for both source and target nodes, or create one security group that addresses the needs of each source and target and apply it to each. The source node must allow the above defined traffic from the target node IP address. The target node must allow the above defined traffic from the source node IP address. If more than one source node is being configured (such as a "many to one" configuration), each source node must be represented in the Security Group Rules, and vice versa.


Sample Azure Security Group

Set up Inbound Security Rules

  1. Under Settings, select Inbound Security Rule, and create a rule. First, add a priority and name the rule according to a standardized naming convention. We suggest something like “Web_UI_{TargetNode}”. Open port 9443 for TCP traffic from the target node, using its public IP with a /32 prefix (e.g. 52.162.241.245/32).
  2. Add a second Inbound Security Rule, again adding a priority and providing a name (such as "Data_{TargetNode}"). This time, open port 8081 for TCP traffic from the target node, using its public IP with a /32 prefix (e.g. 52.162.241.245/32).
  3. Finally, add a third Inbound Security Rule. Again, add a priority and provide a name (such as “FlexFile_{SourceNode1}”). This time, open port 8443 for TCP traffic from the device used to access SoftNAS’ StorageCenter (e.g. 196.257.67.231/32).

    Note: Opening identical inbound security rules for the same ports using the source node IP in addition to the above inbound rules has been known to speed up later configuration steps.

Set up Outbound Security Rule

For the outbound security rule, the same process is followed: add a priority, and name the rule according to your naming convention (suggested name is "Any_Out_{Target_Node}"). For the outbound rule, open a port range of 0-65535 for TCP traffic to the target node, using its public IP with a /32 prefix (e.g. 52.162.121.88/32).


Note: You will need to create security groups for both source and target nodes. The source node must allow the above defined traffic from the target node IP address. The target node must allow the above defined traffic from the source node IP address. If more than one source node is being configured (such as a "many to one" configuration), each source node must be represented in the Security Group Rules, and vice versa.




SoftNAS® UltraFast (Platinum only)

SoftNAS® UltraFast™ uses UDP and TCP/IP to transfer data between two SoftNAS instances. It provides a high speed tunnel between two nodes, regardless of geographical distance. By implementing UltraFast™ endpoints on each separate node, it provides an on-ramp to accelerate data through the tunnel to the other node, and an offramp to facilitate data out of the tunnel, optimizing speed on both ends.

One instance serves as the “Source” instance and the other is the “Target” instance. The Source instance is responsible for connecting to the Target instance, but both the Source and Target instance are able to send data to each other using the UltraFast Storage Accelerator. The following network ports must be open for UltraFast to be able to function:

On the source instance (Outgoing):

| Port | Protocol (Service) |
| --- | --- |
| 443 | HTTPS |
| 8888 | UDP (UltraFast™) |
| 8888 | TCP (UltraFast™ speedtest, optional) |


Note: Port defaults can be changed if required for firewall compliance or other reasons.


Note: TCP connection is optional, but is recommended in order for our users to see the value provided by SoftNAS® UltraFast™. The TCP port serves to provide a real-time speedtest comparison against UltraFast traffic, allowing you to measure the value added by UltraFast™.


Note: The source can be behind a NAT masquerading router. When the NAT translation occurs, the responses will be delivered to the public IP address of the source instance. 




On the second instance (Incoming/Receiving):

| Port | Protocol (Service) |
| --- | --- |
| 443 | HTTPS (mirror of source) |
| 8888 | UDP (UltraFast™) |
| 8888 | TCP (UltraFast™ speedtest, optional) |


Note: Ports can be reconfigured on the destination side as well.

Note: NAT configuration on the target node is possible, but requires Destination NAT rules to be configured. Configuring destination-side NAT rules is not covered in this guide.



Refer to SoftNAS' Ports and Security Group documentation for other ports that should be opened for management functionality, such as for features including SnapReplicate™, SNAP HA™, and storage protocols such as NFS, CIFS, iSCSI, or AFP.


AWS Configuration

For Amazon EC2 Target instances, configure a security group that allows for incoming TCP/443, UDP/8888, and TCP/8888 from the public IP address of the Source instance. For Amazon EC2 Source instances, configure a security group that allows for incoming TCP/8888 from the public IP address of the Target instance.

Azure Configuration

For Azure instances, the same general configuration applies: a security group must be configured that allows incoming TCP/443, UDP/8888 and TCP/8888 from the public IP address of the source instance, and incoming TCP/443 and TCP/8888 traffic from the public IP address of the target instance. In Azure, the primary difference is that it is possible to combine both TCP and UDP traffic to port 8888 into a single rule, by allowing any traffic to that port.

Firewalls, Gateway and Router Configuration

Firewall, Gateway and Router configuration is beyond the scope of this guide, simply due to the number of different solutions available. Vendor documentation should provide you with the information needed to configure your on-premise instances to send and receive data with UltraFast™. If you are not receiving the expected throughput, there could be configuration issues with internet gateways, routers or firewalls.

When using network address translation (NAT) or virtual private network (VPN) technologies between the Source and Target instance there are additional configuration steps that may be required, depending on vendor and configuration.

One setting within many firewalls that may require particular attention is what is typically referred to as "UDP flooding" or "Traffic Shaping". Consult your device vendor's documentation for such items, and ensure that you provide exceptions for the UDP communications path between your two UltraFast™ instances so that end-to-end UDP throughput is not excessively throttled. UltraFast™ makes strong use of both TCP and UDP, and if one is throttled, performance will be impacted.


To leverage both key features of SoftNAS® Platinum (UltraFast™ and FlexFiles Architect™), make sure your network security group or firewall is configured with the complete list of ports below:

| Port | Traffic Type |
| --- | --- |
| TCP-8081 | Data transfer port for FlexFiles™/Lift and Shift™. The target node requires port 8081 to be opened to the source node IP address, specified as a /32 CIDR (for example: 54.214.15.155/32). |
| TCP-9443 | Web UI port for viewing FlexFiles. Port 9443 must be opened to the source node IP address of the instance running the browser used to view StorageCenter™, also specified as a /32 CIDR (for example: 54.214.15.125/32). |
| TCP-8443 | For viewing FlexFiles. This port requires the IP address of the device running the browser used to view StorageCenter™ (your current computer IP address). |
| UDP-8888 | UltraFast™ traffic. This port must be configured on both source and target node. |
| TCP-8888 | UltraFast™ speedtest traffic (optional). If you want to perform speed tests for your UltraFast™ configuration, this port must be configured on both source and target node. |

Note: For VMware clients, the same ports would need to be configured according to the on-premise server environment in your organization.
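A way to check an existing AWS security group against the per-feature tables and the combined port list above. This is an added example, not SoftNAS code: `PORTS`, `SAMPLE`, `TRUSTED`, `covers` and `audit` are hypothetical names, the sample rules are constructed in the `IpPermissions` shape returned by `aws ec2 describe-security-groups`, and the trusted addresses reuse this page's example IPs.

```python
import ipaddress

# (protocol, port) -> required? Taken from the page's combined port list;
# tcp/8888 (speedtest) is optional there.
PORTS = {("tcp", 8081): True, ("tcp", 9443): True, ("tcp", 8443): True,
         ("udp", 8888): True, ("tcp", 8888): False}

# Constructed sample, shaped like IpPermissions from `aws ec2 describe-security-groups`.
SAMPLE = [
    {"IpProtocol": "tcp", "FromPort": 8081, "ToPort": 8081,
     "IpRanges": [{"CidrIp": "54.214.15.155/32"}]},
    {"IpProtocol": "tcp", "FromPort": 9443, "ToPort": 9443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # open to the internet
    {"IpProtocol": "udp", "FromPort": 8888, "ToPort": 8888,
     "IpRanges": [{"CidrIp": "54.214.15.155/32"}]},
    {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 9000,  # broad port range
     "IpRanges": [{"CidrIp": "203.0.113.7/32"}]},
]
TRUSTED = ["54.214.15.155", "54.214.15.125"]  # peer node and browser host (assumed)

def covers(perm, proto, port):
    """True if one IpPermissions entry admits traffic to proto/port."""
    if perm["IpProtocol"] == "-1":  # "-1" = all protocols and ports
        return True
    return perm["IpProtocol"] == proto and perm["FromPort"] <= port <= perm["ToPort"]

def audit(ip_permissions, trusted_hosts):
    """Return sorted findings for IPv4 ingress rules that reach the listed ports."""
    trusted = {ipaddress.ip_address(h) for h in trusted_hosts}
    findings = []
    for (proto, port), required in PORTS.items():
        admitted = False
        for perm in ip_permissions:
            if not covers(perm, proto, port):
                continue
            for rng in perm.get("IpRanges", []):
                net = ipaddress.ip_network(rng["CidrIp"], strict=False)
                if net.prefixlen != net.max_prefixlen:
                    findings.append(f"{proto}/{port}: {net} is wider than a single host")
                elif net.network_address not in trusted:
                    findings.append(f"{proto}/{port}: {net} is not a known peer")
                else:
                    admitted = True
        if required and not admitted:
            findings.append(f"{proto}/{port}: no /32 rule for a known peer")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, TRUSTED)))
```

Only IPv4 `IpRanges` entries are examined; rules that reference other security groups or IPv6 ranges need a separate review.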