Firewall Exceptions

GradesFirst is a hosted web application which utilizes a number of different servers including:

  • Web servers to handle application requests
  • SFTP servers to handle file uploads for imports
  • WebDAV servers to handle “Free/busy” integration with Outlook calendars

To help avoid network issues when users are accessing GradesFirst through a web browser, FTP client, or Outlook connection, please add firewall exceptions for the IP addresses of GradesFirst’s servers:

Please open these ports for all IP addresses listed: 80, 443, 636. Ports 80 and 443 cover standard HTTP and HTTPS traffic. Port 636 should cover LDAP authentication.

For 184.73.226.62, which is our SFTP server, please also open ports 22 and 1025 through 65535. Port 22 is the control port for SFTP. Any port in the range of 1025 through 65535 can be used for data transfer.

This list has been updated, so please check to see if you have any other IP addresses listed for GradesFirst. If so, please remove them.
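One way to audit an existing exception list against the port policy above, as an added example that is not GradesFirst's own tooling. It assumes the firewall's GradesFirst entries can be exported as (ip, low port, high port) tuples; the function names are hypothetical, and the 192.0.2.x and 198.51.100.x addresses are constructed stand-ins for the published list.

```python
import ipaddress

# Port policy as stated on the page; single ports are written as (low, high) ranges.
COMMON_PORTS = [(80, 80), (443, 443), (636, 636)]
SFTP_SERVER = "184.73.226.62"          # the page names this address as the SFTP server
SFTP_EXTRA = [(22, 22), (1025, 65535)]

def required_exceptions(published_ips):
    """Map each published IP to the set of port ranges the page asks for."""
    policy = {}
    for raw in published_ips:
        ip = str(ipaddress.IPv4Address(raw.strip()))  # raises ValueError on a typo
        ranges = set(COMMON_PORTS)
        if ip == SFTP_SERVER:
            ranges.update(SFTP_EXTRA)
        policy[ip] = ranges
    return policy

def reconcile(published_ips, current_rules):
    """Return (missing, stale): exceptions to add and exceptions to remove.

    Ranges are compared exactly, so a rule wider than the published policy
    is reported as stale and the narrower published rule as missing.
    """
    policy = required_exceptions(published_ips)
    want = {(ip, r) for ip, ranges in policy.items() for r in ranges}
    have = {(str(ipaddress.IPv4Address(ip)), (lo, hi))
            for ip, lo, hi in current_rules}
    return sorted(want - have), sorted(have - want)

# Constructed sample data: the SFTP server plus two placeholder web servers.
PUBLISHED = ["184.73.226.62", "192.0.2.10", "192.0.2.11"]
CURRENT_RULES = [
    ("184.73.226.62", 22, 22), ("184.73.226.62", 80, 80),
    ("184.73.226.62", 443, 443), ("184.73.226.62", 636, 636),
    ("192.0.2.10", 80, 80), ("192.0.2.10", 443, 443),
    ("192.0.2.11", 80, 80), ("192.0.2.11", 443, 443), ("192.0.2.11", 636, 636),
    ("198.51.100.7", 443, 443),        # address no longer on the published list
]

if __name__ == "__main__":
    missing, stale = reconcile(PUBLISHED, CURRENT_RULES)
    for ip, (lo, hi) in missing:
        print(f"ADD    {ip} tcp {lo}-{hi}")
    for ip, (lo, hi) in stale:
        print(f"REMOVE {ip} tcp {lo}-{hi}")
```
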

Why do I have to add so many firewall exceptions for LDAP authentication?

For scalability and redundancy, the GradesFirst application runs on multiple web servers. When users access GradesFirst, each request is routed through a load balancer to one of these web servers. The individual web server then makes a request to the LDAP server to authenticate the user. Because each web server needs to communicate with the LDAP server, the IP address of each web server needs to be added to your firewall exception list.

Why do these IP addresses cover such a broad IP space?

Each of these IP addresses is an AWS (Amazon Web Services) Elastic IP. Each was individually purchased from Amazon, which is why they do not fall within a narrower address range.

TCP Traffic Firewall Exception

GradesFirst makes use of WebSockets. For browsers like IE 9 and below that do not support WebSockets, similar functionality is achieved by falling back to using Adobe Flash. To achieve this result, Flash requires that traffic be allowed on TCP port 843. If you have locked down TCP traffic, please be sure to add a firewall exception to allow TCP traffic for *.amazonaws.com and *.pusherapp.com on port 843.