Your Aspera transfer product requires access through the ports listed in the table below. If you cannot establish the connection, review your local corporate firewall settings and remove the port restrictions accordingly.

Product Firewall Configuration

Connect Server

An Aspera server runs one SSH server on a configurable TCP port (22 by default).

IMPORTANT NOTE: Aspera strongly recommends running the SSH server on a non-default port to ensure that your server remains secure from SSH port scan attacks. Please refer to the topic Securing your SSH Server for detailed instructions on changing your SSH port.

Your firewall should be configured as follows:

  • Allow inbound connections for SSH, which is on TCP/22 by default, or on another non-default, configurable TCP port. To ensure that your server is secure, Aspera strongly recommends allowing inbound connections for SSH on TCP/33001, and disallowing inbound connections on TCP/22. If you have a legacy customer base utilizing TCP/22, then you can allow inbound connections on both ports. Please refer to the topic Securing your SSH Server for details.
  • Allow inbound connections for fasp transfers, which use UDP/33001 by default, although the server may also choose to run fasp transfers on another port.
  • If you have a local firewall on your server (like ipfw), verify that it is not blocking your SSH and fasp transfer ports (e.g. TCP/UDP 33001).
  • For the HTTP Fallback Server, allow inbound and outbound connections for HTTP and/or HTTPS (e.g. TCP/8080, TCP/8443).
  • For the Web UI, allow inbound connections for HTTP and/or HTTPS Web access (e.g. TCP/80, TCP/443).

The firewall on the server side must allow traffic on the open TCP port to reach the Aspera server. Note that no servers are listening on UDP ports. When a transfer is initiated by an Aspera client, the client opens an SSH session to the SSH server on the designated TCP port and negotiates the UDP port over which the data transfer will occur.

For Aspera servers that have multiple concurrent clients utilizing two or more user accounts, Mac OS X (10.6+) does not allow the Aspera fasp protocol to reuse the same UDP port. Conversely, one UDP port can be opened if only one account is being used for transfers. Thus, if you have multiple concurrent clients utilizing multiple user accounts and your Aspera server runs on Mac OS X (10.6+), then you must allow inbound connections on a range of UDP ports, where the range of ports is equal to the maximum number of concurrent fasp transfers expected. These UDP ports should be opened incrementally from the base port, which is UDP/33001, by default. For example, to allow 10 concurrent fasp transfers that are using two or more user accounts, allow inbound traffic from UDP/33001 to UDP/33010.
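
As an added example (not part of the Aspera documentation), the shell function below prints iptables commands for the server-side SSH and fasp rules described above, computing the UDP range incrementally from the base port. The function name, its arguments and the choice of Linux iptables with plain INPUT-chain appends are assumptions; it only prints the commands so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: print (do not apply) iptables commands for an Aspera server.
# Usage: aspera_iptables_rules SSH_PORT UDP_BASE MAX_TRANSFERS [LEGACY_SSH]
#   SSH_PORT       TCP port the SSH server listens on (33001 recommended)
#   UDP_BASE       base fasp UDP port (33001 by default)
#   MAX_TRANSFERS  maximum number of concurrent fasp transfers expected
#   LEGACY_SSH     "yes" keeps TCP/22 open for legacy clients (default "no")
# Assumption: rules are appended to INPUT; existing rules are not inspected.
aspera_iptables_rules() {
    ssh_port=$1 udp_base=$2 max_transfers=$3 legacy_ssh=${4:-no}

    # Accept only 1-5 digit positive integers without leading zeros.
    for n in "$ssh_port" "$udp_base" "$max_transfers"; do
        case $n in
            ''|0*|*[!0-9]*|??????*)
                echo "error: '$n' is not a valid number" >&2; return 1 ;;
        esac
    done

    # One UDP port per concurrent transfer, opened incrementally from the base.
    udp_last=$((udp_base + max_transfers - 1))
    if [ "$ssh_port" -gt 65535 ] || [ "$udp_last" -gt 65535 ]; then
        echo "error: port out of range (last UDP port: $udp_last)" >&2
        return 1
    fi

    # SSH: the client opens its session here and negotiates the UDP port.
    echo "iptables -A INPUT -p tcp --dport $ssh_port -j ACCEPT"

    # With SSH on a non-default port, TCP/22 stays open only for legacy clients.
    if [ "$ssh_port" -ne 22 ]; then
        if [ "$legacy_ssh" = yes ]; then action=ACCEPT; else action=DROP; fi
        echo "iptables -A INPUT -p tcp --dport 22 -j $action"
    fi

    # fasp data: a single port, or the range base..base+N-1.
    if [ "$max_transfers" -eq 1 ]; then
        echo "iptables -A INPUT -p udp --dport $udp_base -j ACCEPT"
    else
        echo "iptables -A INPUT -p udp --dport ${udp_base}:${udp_last} -j ACCEPT"
    fi
}

# The 10-transfer case from the text: opens UDP/33001 through UDP/33010.
aspera_iptables_rules 33001 33001 10
```
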

Client

Typically, consumer and business firewalls allow direct outbound connections from client computers on TCP and UDP. There is no configuration required for Aspera transfers in this case. In the special case of firewalls disallowing direct outbound connections, typically using proxy servers for Web browsing, the following configuration applies:

  • Allow outbound connections from the Aspera client on the TCP port (TCP/33001, by default, when connecting to a Windows server, or on another non-default port for other server operating systems).
  • Allow outbound connections from the Aspera client on the fasp UDP port (33001, by default).
  • If you have a local firewall on your server (like ipfw), verify that it is not blocking your SSH and fasp transfer ports (e.g. TCP/UDP 33001).

IMPORTANT NOTE: Multiple concurrent clients cannot connect to a Windows Aspera server on the same UDP port. Similarly, multiple concurrent clients that are utilizing two or more user accounts cannot connect to a Mac OS X or FreeBSD Aspera server on the same UDP port. If connecting to these servers, you will need to allow a range of outbound connections from the Aspera client (that have been opened incrementally on the server side, starting at UDP/33001). For example, you may need to allow outbound connections on UDP/33001 through UDP/33010 if 10 concurrent connections are allowed by the server.

IMPORTANT NOTE: If you have a local firewall on your server (Windows firewall, Linux iptables or Mac ipfw), then you will need to allow the Vlink UDP port (55001, by default) for multicast traffic. For additional information on setting up Vlinks, please refer to the topic Setting Up Virtual Links.