Firewall Exceptions
Firewall Exceptions
GradesFirst is a hosted web application which utilizes a number of different servers including:
- Web servers to handle application requests
- SFTP servers to handle file uploads for imports
- WebDAV servers to handle “Free/busy” integration with Outlook calendars.
To help avoid network issues when users are accessing GradesFirst through a web browser, FTP client, or Outlook connection, please add firewall exceptions for the IP addresses of GradesFirst’s servers:
50.17.180.63
50.17.249.45
107.20.216.127
174.129.194.223
174.129.201.72
174.129.211.84
184.72.241.94
184.73.244.179
174.129.16.170
174.129.17.142
174.129.17.36
54.243.252.185
23.21.97.237
23.23.242.93
23.23.105.138
54.243.231.217
184.73.226.62
50.19.250.171
107.22.239.98
54.175.192.83
54.174.162.85
174.129.252.242
54.166.195.212
54.225.99.45
34.237.21.71
34.234.160.70
34.203.100.56
34.197.254.160
34.228.172.36
184.73.213.211
107.21.109.42
Please open these ports for all IP addresses listed: 80, 443, 636. Ports 80 and 443 cover standard HTTP and HTTPS traffic. Port 636 should cover LDAP authentication. For 184.73.226.62, which is our SFTP server, please also open ports 22 and 1025 through 65535. Port 22 is the control port for SFTP. Any port in the range of 1025 through 65535 can be used for data transfer. This list has been updated, so please check to see if you have any other IP addresses listed for GradesFirst. If so, please remove them.
Why do I have to add so many firewall exceptions for LDAP authentication?
For scalability and redundancy, the GradesFirst application runs on multiple web servers. When users access GradesFirst, each request is routed through a load balancer to one of these web servers. The individual web server then makes a request to the LDAP server to authenticate the user. Because each web server needs to communicate with the LDAP server, the IP address of each web server needs to be added to your firewall exception list.
Why do these IP addresses cover such a broad IP space?
Each of these IP addresses is an AWS (Amazon Web Services) Elastic IP. Each was individually purchased from Amazon, which is why they are not in narrower space.
TCP Traffic Firewall Exception
GradesFirst makes use of WebSockets. For browsers like IE 9 and below that do not support WebSockets, similar functionality is achieved by falling back to using Adobe Flash. To achieve this result, Flash requires that traffic be allowed on TCP port 843. If you have locked down TCP traffic, please be sure to add a firewall exception to allow TCP traffic for *.amazonaws.com and *.pusherapp.com on port 843.