Help Universe

Guide:

Network Prerequisites.

ITBIaaS Network Prerequisite Guidelines for Onboarding.

To ensure smooth access to ITBIaaS hosted on our AWS EC2 infrastructure, please review and ensure the following network configurations are met before onboarding. This document highlights key network prerequisites related to FTP, SSO, Logon, Proxy, and Firewall configurations.

Make sure these configurations are applied to your Security Content Management (SCM), Network Firewalls, and Intrusion Detection Systems (IDS).

 


1. FTP/FTPS/SFTP Access Prerequisites

When using FTP/FTPS to retrieve or send files, please ensure the following settings are configured to avoid connectivity issues.

  • Required Ports:

    • Ports 20 and 21 for FTP.

    • Port 22 for SFTP.

    • Port 990 for FTPS.

  • Passive Mode: If passive mode is used, ensure that the range 53000–54000 is open on your firewall.

  • Windows: PowerShell Command to Test FTP/FTPS Ports:

    Test-NetConnection -ComputerName "{domain}.smtdata.com" -Port {port}

  • MacOS: Bash Command to Test FTP/FTPS Ports:

    nc -vz {domain}.smtdata.com {port}

  • Upload Test: You can test file transfers by configuring a client such as FileZilla to upload to our servers, using the credentials shown in the portal under the ITBI settings.


2. SSO (Single Sign-On) Access Prerequisites

To ensure successful authentication via SSO, please check the following:

  • Required Ports:

    • Ensure Port 443 (HTTPS) is open to allow secure traffic towards the login system.

  • Firewall Allowlisting: Add the following domains and IP addresses to your firewall allowlist to enable SSO authentication:

    • https://auth.smtdata.co – this is the ITBI Identity Provider solution initiating the SSO connections

    • Your enterprise SSO provider – this is your login system, for example Entra ID. Traffic to it should already be allowed.

  • AD Group Mapping: Ensure that you have been in contact with our support team to map your AD groups to our internal groups.

  • Windows: PowerShell Command to Test HTTPS Port:

    Test-NetConnection -ComputerName "auth.smtdata.co" -Port 443

  • MacOS: Bash Command to Test HTTPS Port:

    nc -vz auth.smtdata.co 443


3. ITBIaaS Logon Prerequisites (Non-SSO)

For clients accessing ITBIaaS without SSO, proper DNS and network configuration is essential.

  • DNS Resolution: Ensure your DNS settings are configured to resolve the ITBIaaS login page.

  • Windows: PowerShell Command to Test DNS Resolution:

    Resolve-DnsName "{domain}.itbi.com"

  • MacOS: Bash Command to Test DNS Resolution:

    dig {domain}.itbi.com

  • Required Ports:

    • Port 443 (HTTPS) must be open to allow access to the ITBIaaS logon page.

  • Firewall Allowlisting: Add the ITBIaaS login domain to your firewall allowlist to ensure access:


4. Proxy Configuration Prerequisites

If your network uses a proxy server, please ensure the following configurations are in place to avoid issues during initial connections to ITBIaaS, especially the Targit client version check.

  • Version Check: The Targit Windows client performs an initial version check with our Targit server when it connects. During this process, the client compares the version installed on your workstation with the version available on the server. If the server has a newer version, the client will automatically initiate an update to match. This version check occurs at the very start of the connection and does not involve any user authentication; authentication happens after the version check is complete. If your proxy policy requires user authentication for internet access, it may block this initial version check, potentially causing connection issues.

 

  • Windows: PowerShell Command to Display Proxy Configuration:

    netsh winhttp show proxy

  • MacOS: Bash Command to Display Proxy Configuration:

    networksetup -listallnetworkservices

    networksetup -getwebproxy {proxy_network}

  • Windows: PowerShell Command to Test Proxy Access to Targit Client:

    Test-NetConnection -ComputerName "{domain}.smtdata.com" -Port 1301

  • MacOS: Bash Command to Test Proxy Access to Targit Client:

    nc -vz {domain}.smtdata.com 1301


5. Firewall Configuration Prerequisites

To ensure uninterrupted access to ITBIaaS services hosted on AWS EC2, please configure your firewall as follows:

  • Required Ports:

    • Port 443 (HTTPS) must be open for secure access to the ITBIaaS platform.

  • DNS name allow-listing: Please allowlist the following DNS names that host ITBIaaS services. Please note that {domain} and {region} will be made available to you while onboarding:

    • https://smtdata.com/*

    • https://{domain}.smtdata.com/* – please note that binary content is expected here and should also be added to your exemption list

    • https://auth.smtdata.co/*

    • https://apigw-{region}.smtdata.co/*

    • https://api-{region}.smtdata.co/*

  • Network elements: The embedded TARGIT solution in the portal requires several .dll files to be present to show reports. Firewalls have been seen to block such elements, for example System.Xml.XPath.XDocument.dll. Ensure the firewall allows these .dll files to load correctly. Using the Network tab in your browser's developer tools, you can identify any blocked elements.

  • Geo-Blocking: Verify that any geo-blocking settings on your firewall allow traffic from AWS EC2 servers in the regions where ITBIaaS is hosted.

  • Windows: PowerShell Command to Test Firewall Ports:

    Test-NetConnection -ComputerName "{domain}.smtdata.com" -Port 443

  • MacOS: Bash Command to Test Firewall Ports:

    nc -vz {domain}.smtdata.com 443

  • Deliveries from ITBI: If you are receiving data from an ITBI service, you need to allowlist our Elastic IPs within the AWS region. Contact the support team to receive the region-specific IPs.


6. Intrusion Detection Systems (IDS) Prerequisites

Ensure that your Intrusion Detection Systems do not mistakenly flag ITBIaaS traffic as suspicious. Follow the steps below to ensure smooth data transmission.

  • Allowlist ITBIaaS Traffic
    To minimize false positives, ensure that trusted ITBIaaS traffic is allowlisted. While it is generally not feasible to provide a fixed list of IP addresses due to AWS’s extensive range of elastic IPs, there are certain scenarios where static IPs can be applied.

    • Static IP Exceptions: For specific use cases, such as FTP uploads or traffic routed through our backend NATs, static IPs may be available. If you require a list of IPs for these services, please contact our support team for assistance.

  • Fine-tune IDS Rules: Adjust your IDS rules to recognize legitimate traffic from ITBIaaS servers and prevent unnecessary packet drops.


7. Identifying the Root Cause After Meeting Network Prerequisites

Even after ensuring all network prerequisites are met, certain issues may still be difficult to identify. To effectively troubleshoot these network problems, it’s important to pinpoint where the issue lies. We recommend performing the following four tests to help locate the root cause:

  1. Personal machine on a private network

  2. Personal machine on a corporate network

  3. Corporate machine on a private network

  4. Corporate machine on a corporate network
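
One way to run the same connect tests in each of the four environments above and compare the results, as an added example that is not part of the original guide. The script name preflight.sh, the function names and the environment label are assumptions; {domain} and {region} are the values you receive during onboarding, and nc must be installed.

```shell
#!/bin/sh
# Added example: ITBIaaS connectivity preflight built from this guide's
# ports and hostnames. Not an official ITBI tool.

# Print "host port purpose" for each endpoint the guide names.
# $1 = {domain}, $2 = {region}, both issued during onboarding.
# Port 20 and the passive range 53000-54000 only carry data during a
# transfer, so a connect test cannot check them; use a real upload test.
itbi_targets() {
  cat <<EOF
$1.smtdata.com 21 ftp-control
$1.smtdata.com 22 sftp
$1.smtdata.com 990 ftps
$1.smtdata.com 443 https-platform
$1.smtdata.com 1301 targit-version-check
auth.smtdata.co 443 sso-identity-provider
smtdata.com 443 https-portal
apigw-$2.smtdata.co 443 api-gateway
api-$2.smtdata.co 443 api
EOF
}

# Return 0 if a TCP connection to host $1 port $2 succeeds within 5 seconds.
# nc connects directly and does not use a configured web proxy, so a
# success here means direct egress is allowed.
probe() {
  nc -z -w 5 "$1" "$2" </dev/null >/dev/null 2>&1
}

# Probe every target and print tab-separated rows:
#   label  host  port  purpose  OPEN|BLOCKED
# BLOCKED covers refused, filtered and unresolvable hosts alike.
# $1 = label for the section 7 environment, $2 = {domain}, $3 = {region}.
run_checks() {
  itbi_targets "$2" "$3" | while read -r host port purpose; do
    if probe "$host" "$port"; then result=OPEN; else result=BLOCKED; fi
    printf '%s\t%s\t%s\t%s\t%s\n' "$1" "$host" "$port" "$purpose" "$result"
  done
}

# Usage: sh preflight.sh <label> <domain> <region>
if [ "$#" -eq 3 ]; then run_checks "$@"; fi
```

Save the output from each environment to a file and diff them: a row that is OPEN on the private network but BLOCKED on the corporate network points at the network, while a row that differs between the personal and corporate machine on the same network points at the workstation.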


Summary

By ensuring these network prerequisites are met, you will minimize connectivity issues and have a smoother experience during ITBIaaS onboarding.

If you need further assistance with specific configurations or troubleshooting, please contact our support team after performing Step 7.