How to configure firewall policy for Globus Connect Personal

Globus Connect Personal is designed to work automatically with typical firewall settings. However, very strict firewall policies—​specifically, those that block outbound connections—​will foil this behavior. The table below lists the specific outbound TCP and UDP ports that must be open for Globus Connect Personal to work. Coordinate with your network or security administrator to open these ports.

Port # Open rule Used for

TCP 2223

Outbound to 54.237.254.192/29 (IPv4)[1] and 2600:1f28:14:4::/62 (IPv6)[1]

Control channel with the Globus Transfer service, plus obtaining certificates during initial setup.

TCP 50000-51000

Outbound to Any

Data channel for transfers with Globus Connect Server endpoints.

UDP 32768-65535 (ephemeral)

Outbound to Any

Data channel for transfers with other Globus Connect Personal endpoints.[2]

UDP 19302

Outbound to Any

Connect to STUN server when setting up a session with another Globus Connect Personal endpoint.[2] Normally this will be the stun.l.google.com Google STUN server.

TCP 443

Outbound to auth.globus.org[3], 54.237.254.192/29 (IPv4)[1], and 2600:1f28:14:4::/62 (IPv6)[1]

Globus Auth login, and Globus Transfer and Auth REST API. Used only during setup.

Outbound to downloads.globus.org[3]

Installer package download and update checks.

Outbound to app.globus.org[3]

Required when following in-app web links to the Globus Web App.


1. The provided IP addresses for the Globus Transfer service are subject to change. We strive to keep the IP block stable, but if changes are expected, information will be published on the Globus blog and email will be sent to the Globus discussion list.
2. See our FAQ for user requirements for transfers between Globus Connect Personal endpoints.
3. A hostname is provided because these services are hosted by AWS CloudFront or behind an AWS ELB, and IP addresses are subject to change without notice.