Firewall Settings
An Aspera server runs one SSH server on a configurable TCP port (33001 by default).
Your firewall should be configured as follows:
- To ensure that your server is secure, Aspera strongly recommends allowing inbound connections for SSH on TCP/33001 (or on another non-default, configurable TCP port), and disallowing inbound connections on TCP/22. If you have a legacy customer base utilizing TCP/22, then you can allow inbound connections on both ports.
- Allow inbound connections for FASP transfers, which use UDP/33001 by default, although the server may also choose to run FASP transfers on another port.
- If you have a local firewall on your server (such as Windows Firewall), verify that it is not blocking your SSH and FASP transfer ports (TCP/UDP 33001).
- For the Faspex application, allow inbound connections for HTTP and/or HTTPS Web access (TCP/80, TCP/443).
The firewall on the server side must allow inbound traffic on the open TCP port to reach the Aspera server. No servers listen on UDP ports. When a transfer is initiated by an Aspera client, the client opens an SSH session to the SSH server on the designated TCP port and negotiates the UDP port for the data transfer.
For Aspera servers that have multiple concurrent clients, the Windows operating system does not allow the Aspera FASP protocol to reuse the same UDP port for multiple connections. Thus, if you have multiple concurrent clients and your Aspera server runs on Windows, you must allow inbound connections on a range of UDP ports, where the number of ports in the range equals the maximum number of concurrent FASP transfers expected. These UDP ports should be opened incrementally from the base port, which is UDP/33001 by default. For example, to allow 10 concurrent FASP transfers, allow inbound traffic from UDP/33001 to UDP/33010.
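
The following PowerShell sketch applies the Windows rules described above to the local Windows Firewall. It is an added example, not Aspera's own tooling; the function name `Set-AsperaFirewallRules` and the rule display names are assumptions made for illustration. It opens the SSH TCP port, opens one UDP port per expected concurrent FASP transfer starting at the base port, and lists any enabled inbound allow rules that still name TCP/22.

```powershell
# Added example, not Aspera code. Function and rule names are hypothetical.
#Requires -RunAsAdministrator
function Set-AsperaFirewallRules {
    param(
        [ValidateRange(1, 65535)][int]$SshPort = 33001,
        [ValidateRange(1, 65535)][int]$FaspBasePort = 33001,
        [ValidateRange(1, 65535)][int]$MaxConcurrentTransfers = 1
    )

    # One UDP port per concurrent transfer, counted up from the base port.
    $lastPort = $FaspBasePort + $MaxConcurrentTransfers - 1
    if ($lastPort -gt 65535) {
        throw "UDP range $FaspBasePort-$lastPort runs past port 65535."
    }
    $udpPorts = if ($lastPort -eq $FaspBasePort) { "$FaspBasePort" }
                else { "$FaspBasePort-$lastPort" }

    $rules = @(
        @{ DisplayName = 'Aspera SSH (TCP)';  Protocol = 'TCP'; LocalPort = "$SshPort" },
        @{ DisplayName = 'Aspera FASP (UDP)'; Protocol = 'UDP'; LocalPort = $udpPorts }
    )
    foreach ($rule in $rules) {
        # Replace an earlier copy so the UDP range tracks the current limit
        # instead of leaving a wider, stale range open.
        Get-NetFirewallRule -DisplayName $rule.DisplayName -ErrorAction SilentlyContinue |
            Remove-NetFirewallRule
        New-NetFirewallRule @rule -Direction Inbound -Action Allow | Out-Null
    }

    # Return enabled inbound allow rules that list TCP/22 explicitly, for review.
    # A rule that covers 22 only inside a range (such as 20-25) is not matched.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object {
            $filter = $_ | Get-NetFirewallPortFilter
            $filter.Protocol -eq 'TCP' -and $filter.LocalPort -contains '22'
        } |
        Select-Object DisplayName, Profile
}

# The page's example: 10 concurrent transfers opens UDP/33001 to UDP/33010.
Set-AsperaFirewallRules -MaxConcurrentTransfers 10
```

Any rule the function returns still admits inbound TCP/22 and should be disabled unless legacy clients depend on it.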