Configuring the Firewall

Your Aspera transfer product requires access through the ports listed below. If you cannot establish the connection, review your local corporate firewall settings and remove the port restrictions accordingly.

Connect Server

Configure your firewall to allow the following ports:

  • Inbound TCP/22 (or other TCP port set for SSH connections): The port for SSH connections.
    Important: Aspera strongly recommends running the SSH server on a non-default port (allowing inbound SSH connections on TCP/33001, and disallowing inbound connections on TCP/22) to ensure that your server remains secure from SSH port scan attacks. For instructions on how to change your SSH port, see Securing Your SSH Server.

    If you have a legacy customer base utilizing TCP/22, then you can allow inbound connections on both ports. Please refer to the topic Securing Your SSH Server for details.

    The firewall on the server side must allow the open TCP port to reach the Aspera server. No servers are listening on UDP ports. When a transfer is initiated by an Aspera client, the client opens an SSH session to the SSH server on the designated TCP port and negotiates the UDP port over which the data transfer will occur.

  • Inbound UDP/33001 (or a range, if required, see below): The port for FASP transfers, which use UDP/33001 by default, although the server may also choose to run FASP transfers on another port.
  • Inbound and outbound TCP/8080 and TCP/8443 (or other TCP ports set for HTTP/HTTPS fallback): The ports for the HTTP Fallback Server. If only HTTP or HTTPS is used, you need to open only that port. For more information on configuring HTTP fallback ports, see Configuring HTTP and HTTPS Fallback.
  • Inbound TCP/80 and TCP/443: The ports for the Web UI, for HTTP and/or HTTPS Web access. If only HTTP or HTTPS is used, you only need to open that port.
  • Local firewall: If you have a local firewall on your server (like iptables), verify that it is not blocking your SSH and FASP transfer ports (such as TCP/UDP 33001). If you are using Vlinks, you will need to allow the Vlink UDP port (55001, by default) for multicast traffic. For additional information on setting up Vlinks, see Setting Up Virtual Links (Command Line).

When a range of UDP ports is required: For Aspera servers that have multiple concurrent clients utilizing two or more user accounts, Solaris does not allow the Aspera FASP protocol to reuse the same UDP port. Conversely, one UDP port can be opened if only one account is being used for transfers. Thus, if you have multiple concurrent clients and your Aspera server runs on Solaris, then you must allow inbound connections on a range of UDP ports, where the range of ports is equal to the maximum number of concurrent FASP transfers expected. These UDP ports should be opened incrementally from the base port, which is UDP/33001, by default. For example, to allow 10 concurrent FASP transfers, allow inbound traffic from UDP/33001 to UDP/33010.
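
The server-side port list and the UDP range rule above, as an added example that is not part of the Aspera documentation: a shell script that prints, without applying, iptables rules for a given number of concurrent FASP transfers. The function names, the `legacy22` switch and the use of the INPUT chain are assumptions made for this example.

```shell
#!/bin/sh
# Added example: prints (does not apply) iptables rules for the server-side
# ports listed above. Function names and the "legacy22" switch are hypothetical.
# Assumes rules are appended to the INPUT chain of the filter table.

BASE_PORT=33001   # default from this page: non-default SSH port and FASP base
MAX_N=$((65535 - BASE_PORT + 1))

# fasp_udp_range N: UDP port spec for N concurrent FASP transfers,
# opened incrementally from the base port (N=10 gives 33001:33010).
fasp_udp_range() {
    n=$1
    case "$n" in
        # Reject empty, non-numeric and leading-zero input; a leading zero
        # would be read as octal by shell arithmetic.
        ''|0*|*[!0-9]*) echo "transfers must be a positive integer" >&2; return 1 ;;
    esac
    [ "$n" -le "$MAX_N" ] 2>/dev/null || { echo "range would exceed port 65535" >&2; return 1; }
    if [ "$n" -eq 1 ]; then
        echo "$BASE_PORT"
    else
        echo "$BASE_PORT:$((BASE_PORT + n - 1))"
    fi
}

# aspera_server_rules N [legacy22]: emit the inbound rules as text for review.
aspera_server_rules() {
    range=$(fasp_udp_range "$1") || return 1
    echo "iptables -A INPUT -p tcp --dport $BASE_PORT -j ACCEPT"   # SSH session
    if [ "${2:-}" = "legacy22" ]; then
        echo "iptables -A INPUT -p tcp --dport 22 -j ACCEPT"       # legacy clients
    else
        # Apply only once sshd is listening on the non-default port.
        echo "iptables -A INPUT -p tcp --dport 22 -j DROP"
    fi
    echo "iptables -A INPUT -p udp --dport $range -j ACCEPT"       # FASP data
    # Web UI (80/443) and HTTP fallback (8080/8443); drop unused ports.
    echo "iptables -A INPUT -p tcp -m multiport --dports 80,443,8080,8443 -j ACCEPT"
}

# Example: the page's case of 10 concurrent FASP transfers.
aspera_server_rules 10
```

Because `-A` appends, place these rules ahead of any existing catch-all DROP or REJECT rule in the chain, otherwise they never match.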

Remote Client Machines

Typically, consumer and business firewalls allow direct outbound connections from client computers on TCP and UDP, and no configuration is required for Aspera transfers. In the special case of firewalls blocking direct outbound connections, usually with proxy servers for web browsing, the following ports must be allowed:

  • Outbound TCP/33001: Allow outbound connections from the Aspera client on the TCP port (TCP/33001 by default, when connecting to a Windows server, or on another non-default port for other server operating systems).
  • Outbound UDP/33001 (or a range, if required): Allow outbound connections from the Aspera client on the FASP UDP port (33001, by default).
  • Local firewall: If you have a local firewall on the client (such as iptables), verify that it is not blocking your SSH and FASP transfer ports (such as TCP/UDP 33001).

Important: Multiple concurrent clients cannot connect to a Windows Aspera server on the same UDP port. Similarly, multiple concurrent clients that are utilizing two or more user accounts cannot connect to a Mac OS X, FreeBSD, or Isilon Aspera server on the same UDP port. If connecting to these servers, you will need to allow a range of outbound connections from the Aspera client (that have been opened incrementally on the server side, starting at UDP/33001). For example, you may need to allow outbound connections on UDP/33001 through UDP/33010 if 10 concurrent connections are allowed by the server.