Configuring the Firewall

Product	Firewall Configuration
Enterprise Server	An Aspera server runs one SSH server on a configurable TCP port (33001 by default). Important: Aspera strongly recommends running the SSH server on a non-default port to ensure that your server remains secure from SSH port scan attacks. Please refer to the topic Securing your SSH Server for detailed instructions on changing your SSH port. Your firewall should be configured as follows: Allow inbound connections for SSH, which is on TCP/33001 by default, or on another non-default, configurable TCP port. If you have a legacy customer base utilizing TCP/22, then you can allow inbound connections on both ports. Please refer to the topic Securing your SSH Server for details. Allow inbound connections for fasp transfers, which use UDP/33001 by default, although the server may also choose to run fasp transfers on another port. If you have a local firewall on your server (like `Windows Firewall`), verify that it is not blocking your SSH and fasp transfer ports (e.g. TCP/UDP 33001). The firewall on the server side must allow the open TCP port to reach the Aspera server. Note that no servers are listening on UDP ports. When a transfer is initiated by an Aspera client, the client opens an SSH session to the SSH server on the designated TCP port and negotiates the UDP port over which the data transfer will occur. For Aspera servers that have multiple concurrent clients, the Windows operating system does not allow the Aspera fasp protocol to reuse the same UDP port for multiple connections. Thus, if you have multiple concurrent clients and your Aspera server runs on Windows, then you must allow inbound connections on a range of UDP ports, where the range of ports is equal to the maximum number of concurrent fasp transfers expected. These UDP ports should be opened incrementally from the base port, which is UDP/33001, by default. *For example, to allow 10 concurrent fasp* transfers, allow inbound traffic from UDP/33001 to UDP/33010.**
Connect Server	An Aspera server runs one SSH server on a configurable TCP port (33001 by default). Important: Aspera strongly recommends running the SSH server on a non-default port to ensure that your server remains secure from SSH port scan attacks. Please refer to the topic Securing your SSH Server for detailed instructions on changing your SSH port. Your firewall should be configured as follows: Allow inbound connections for SSH, which is on TCP/33001 by default, or on another non-default, configurable TCP port. If you have a legacy customer base utilizing TCP/22, then you can allow inbound connections on both ports. Please refer to the topic Securing your SSH Server for details. Allow inbound connections for fasp transfers, which use UDP/33001 by default, although the server may also choose to run fasp transfers on another port. If you have a local firewall on your server (like `Windows Firewall`), verify that it is not blocking your SSH and fasp transfer ports (e.g. TCP/UDP 33001). For the HTTP Fallback Server, allow inbound and outbound connections for HTTP and/or HTTPS (e.g. TCP/8080, TCP/8443). For the Web UI, allow inbound connections for HTTP and/or HTTPS Web access (e.g. TCP/80, TCP/443). The firewall on the server side must allow the open TCP port to reach the Aspera server. Note that no servers are listening on UDP ports. When a transfer is initiated by an Aspera client, the client opens an SSH session to the SSH server on the designated TCP port and negotiates the UDP port over which the data transfer will occur. For Aspera servers that have multiple concurrent clients, the Windows operating system does not allow the Aspera fasp protocol to reuse the same UDP port for multiple connections. Thus, if you have multiple concurrent clients and your Aspera server runs on Windows, then you must allow inbound connections on a range of UDP ports, where the range of ports is equal to the maximum number of concurrent fasp transfers expected. These UDP ports should be opened incrementally from the base port, which is UDP/33001, by default. *For example, to allow 10 concurrent fasp* transfers, allow inbound traffic from UDP/33001 to UDP/33010.**
Client	The following bullet points provide basic information for configuring your firewall to allow Aspera file transfers. Note that the outbound connection for SSH may differ based on your organization's unique network settings. Although TCP/22 is the default setting, please refer to your IT Department for questions related to which SSH port(s) are open for file transfer. Please also consult your specific Operating System's help documentation for specific instructions on configuring your firewall. If your client host is behind a firewall that does not allow outbound connections, you will need to allow the following: Allow outbound connections from the Aspera client on the TCP port (TCP/33001, by default, when connecting to a Windows server, or on another non-default port for other server operating systems). Allow outbound connections from the Aspera client on the fasp UDP port (33001, by default). If you have a local firewall on your server (like `Windows Firewall`), verify that it is not blocking your SSH and fasp transfer ports (e.g. TCP/UDP 33001).

Enterprise Server

An Aspera server runs one SSH server on a configurable TCP port (33001 by default).

Important: Aspera strongly recommends running the SSH server on a non-default port to ensure that your server remains secure from SSH port scan attacks. Please refer to the topic Securing your SSH Server for detailed instructions on changing your SSH port.

Your firewall should be configured as follows:

Allow inbound connections for SSH, which is on TCP/33001 by default, or on another non-default, configurable TCP port. If you have a legacy customer base utilizing TCP/22, then you can allow inbound connections on both ports. Please refer to the topic Securing your SSH Server for details.
Allow inbound connections for fasp transfers, which use UDP/33001 by default, although the server may also choose to run fasp transfers on another port.
If you have a local firewall on your server (like Windows Firewall), verify that it is not blocking your SSH and fasp transfer ports (e.g. TCP/UDP 33001).

The firewall on the server side must allow the open TCP port to reach the Aspera server. Note that no servers are listening on UDP ports. When a transfer is initiated by an Aspera client, the client opens an SSH session to the SSH server on the designated TCP port and negotiates the UDP port over which the data transfer will occur.

For Aspera servers that have multiple concurrent clients, the Windows operating system does not allow the Aspera fasp protocol to reuse the same UDP port for multiple connections. Thus, if you have multiple concurrent clients and your Aspera server runs on Windows, then you must allow inbound connections on a range of UDP ports, where the range of ports is equal to the maximum number of concurrent fasp transfers expected. These UDP ports should be opened incrementally from the base port, which is UDP/33001, by default. For example, to allow 10 concurrent fasp transfers, allow inbound traffic from UDP/33001 to UDP/33010.

Connect Server

An Aspera server runs one SSH server on a configurable TCP port (33001 by default).

Important: Aspera strongly recommends running the SSH server on a non-default port to ensure that your server remains secure from SSH port scan attacks. Please refer to the topic Securing your SSH Server for detailed instructions on changing your SSH port.

Your firewall should be configured as follows:

Allow inbound connections for SSH, which is on TCP/33001 by default, or on another non-default, configurable TCP port. If you have a legacy customer base utilizing TCP/22, then you can allow inbound connections on both ports. Please refer to the topic Securing your SSH Server for details.
Allow inbound connections for fasp transfers, which use UDP/33001 by default, although the server may also choose to run fasp transfers on another port.
If you have a local firewall on your server (like Windows Firewall), verify that it is not blocking your SSH and fasp transfer ports (e.g. TCP/UDP 33001).
For the HTTP Fallback Server, allow inbound and outbound connections for HTTP and/or HTTPS (e.g. TCP/8080, TCP/8443).
For the Web UI, allow inbound connections for HTTP and/or HTTPS Web access (e.g. TCP/80, TCP/443).

The firewall on the server side must allow the open TCP port to reach the Aspera server. Note that no servers are listening on UDP ports. When a transfer is initiated by an Aspera client, the client opens an SSH session to the SSH server on the designated TCP port and negotiates the UDP port over which the data transfer will occur.

For Aspera servers that have multiple concurrent clients, the Windows operating system does not allow the Aspera fasp protocol to reuse the same UDP port for multiple connections. Thus, if you have multiple concurrent clients and your Aspera server runs on Windows, then you must allow inbound connections on a range of UDP ports, where the range of ports is equal to the maximum number of concurrent fasp transfers expected. These UDP ports should be opened incrementally from the base port, which is UDP/33001, by default. For example, to allow 10 concurrent fasp transfers, allow inbound traffic from UDP/33001 to UDP/33010.

Client

The following bullet points provide basic information for configuring your firewall to allow Aspera file transfers. Note that the outbound connection for SSH may differ based on your organization's unique network settings. Although TCP/22 is the default setting, please refer to your IT Department for questions related to which SSH port(s) are open for file transfer. Please also consult your specific Operating System's help documentation for specific instructions on configuring your firewall. If your client host is behind a firewall that does not allow outbound connections, you will need to allow the following:

Allow outbound connections from the Aspera client on the TCP port (TCP/33001, by default, when connecting to a Windows server, or on another non-default port for other server operating systems).
Allow outbound connections from the Aspera client on the fasp UDP port (33001, by default).
If you have a local firewall on your server (like Windows Firewall), verify that it is not blocking your SSH and fasp transfer ports (e.g. TCP/UDP 33001).