Your Aspera transfer product requires access through the ports listed below. If you cannot
establish the connection, review your local corporate firewall settings and remove the
port restrictions accordingly.
Configure your firewall to allow the following ports:
- Inbound TCP/33001 (or other
TCP port set for SSH connections): The port for SSH connections.
strongly recommends running the SSH server on a non-default port (allowing
inbound SSH connections on TCP/33001, and disallowing inbound connections on
TCP/22) to ensure that your server remains secure from SSH port scan
attacks. For instructions on how to change your SSH port, see Securing Your SSH Server
If you have a legacy
customer base utilizing TCP/22, then you can allow inbound connections on
both ports. Please refer to the topic Securing Your SSH Server for
The firewall on the server side must allow the open TCP port
to reach the Aspera server. No servers are listening on UDP ports. When a
transfer is initiated by an Aspera client, the client opens an SSH session
to the SSH server on the designated TCP port and negotiates the UDP port
over which the data transfer will occur.
- Inbound UDP/33001 (or a range, if required, see
below): The port for FASP transfers, which use UDP/33001 by
default, although the server may also choose to run FASP transfers on another
- Local firewall: If you have a local firewall on your server (like Windows Firewall), verify that it is not blocking
your SSH and FASP transfer ports (such as TCP/UDP 33001). If you are using
Vlinks, you will need to allow the Vlink UDP port (55001, by default) for
multicast traffic. For additional information on setting up Vlinks, see Controlling Bandwidth Usage with Virtual Links (GUI).
When a range of UDP ports is
For Aspera servers that have multiple concurrent clients, the
Windows operating system does not allow the Aspera FASP protocol to reuse the
same UDP port for multiple connections. Thus,
if you have multiple concurrent clients and your Aspera server runs on Windows, then you must allow inbound connections on a range of UDP ports,
where the range of ports is equal to the maximum number of concurrent FASP transfers
expected. These UDP ports should be opened incrementally from the base port, which
is UDP/33001, by default. For example, to allow 10 concurrent FASP transfers, allow
inbound traffic from UDP/33001 to UDP/33010.
Remote Client Machines
Typically, consumer and business firewalls allow direct outbound
connections from client computers on TCP and UDP, and no configuration is
required for Aspera transfers. In the special case of firewalls blocking direct
outbound connections, usually with proxy servers for web browsing, the following
ports must be allowed:
- Outbound TCP/33001: Allow outbound connections from the Aspera client
on the TCP port (TCP/33001 by default, when connecting to a Windows server,
or on another non-default port for other server operating systems).
- Outbound UDP/33001 (or a range, if
required): Allow outbound connections from the Aspera client on
the FASP UDP port (33001, by default).
- Local firewall: If you have a local firewall on the client (such as Windows Firewall), verify that it is not blocking your SSH and
FASP transfer ports (such as TCP/UDP 33001).
concurrent clients cannot connect to a Windows Aspera server on the same UDP
port. Similarly, multiple concurrent clients that are utilizing two or more user
accounts cannot connect to a Mac OS X, FreeBSD, or Isilon Aspera server on the
same UDP port. If connecting to these servers, you will need to allow a range of
outbound connections from the Aspera client (that have been opened incrementally
on the server side, starting at UDP/33001). For example, you may need to allow
outbound connections on UDP/33001 through UDP/33010 if 10 concurrent connections
are allowed by the server.