Impact of Restricting GCSv5.4 Firewall Policy
Last Updated: May 22, 2024
Introduction
It is possible to run a Globus Connect Server (GCS) v5.4 endpoint with a more restrictive firewall policy than the one described in our GCSv5.4 Installation Guide. However, doing so results in a partial loss of functionality and complicates deployment. Because the organizations using the Globus software and service have diverse use cases and security requirements, some sites may judge the lost functionality and added deployment effort an acceptable price for tighter firewall policy. Although we strongly recommend that sites configure firewall policy for their GCSv5.4 deployments as described in the GCSv5.4 Installation Guide, this document explains the issues and trade-offs involved if you must use a more restrictive policy.
The recommended firewall policy for a GCSv5.4 deployment is for the system hosting the endpoint to be open inbound and outbound to all TCP traffic on port 443 and on ports 50000 to 51000. The GCS software actively listens on TCP port 443 for GridFTP control channel connections and for connections to the GCS Manager service. TCP ports 50000 to 51000 are used for the data channel, the path over which data flows between Globus endpoints during transfers. Unlike port 443, however, no GCS process actively listens on ports 50000 to 51000. Data channel connections are initiated only at the start of a data transfer task and are closed when the transfer completes. A port is picked from that range only when an inbound data transfer needs one, and GCS does not otherwise listen on it. This matters because it means that the 1001 ports in the range are not all actively listening, which substantially changes the security posture.
If you have further questions about how to configure firewall policy for your GCS deployment, please contact Globus support.
Impact of restricting TCP port 443 inbound
The Globus Transfer service must be able to establish a control channel connection to the GridFTP service on your endpoint. These control channel connections are initiated by Globus Transfer hosts and, by default, must be able to reach local port 443 on the system hosting your endpoint. The hosts have IP addresses belonging to the CIDR blocks given in the table below.
IP Version | CIDR Blocks
---|---
v4 | 54.237.254.192/29
v6 | 2600:1f28:14::/62
If the Globus service cannot establish this control channel connection, then your endpoint cannot function. It is possible to configure a custom port for GridFTP control channel traffic using the --gridftp-control-channel-port option of the globus-connect-server endpoint update command. In that case, the Globus service hosts must be able to connect to the system hosting your endpoint on that custom port. Note that the --gridftp-control-channel-port option has no effect on the port used by the GCS Manager service.
Your endpoint’s GCS Manager service listens on local port 443. Any system that cannot initiate a connection to your system on local port 443 will be unable to communicate with your GCS Manager service. A user’s system must be able to connect directly to your endpoint’s GCS Manager service to do things such as:
- Configuring user credentials for collections that use several of the Premium Storage Connectors
- Creating guest collections
- Setting the subscription associated with the endpoint via the Globus Web App
- Managing roles on the endpoint and the collections it hosts via the Globus Web App
- Executing various operations with other applications that need to interact with the GCS Manager service on the endpoint, e.g. the Globus CLI, the GCS CLI, etc.
Users whose workstations are not able to initiate a connection to local port 443 on the system hosting your endpoint will not be able to do any of the above.
Collections on your endpoint can be configured to allow HTTPS upload/download functionality. This allows your endpoint’s users to upload or download files directly to/from your collections via an HTTPS client such as their browser. For this functionality to work, a user’s system must be able to initiate connections to local port 443 on the system hosting your endpoint. Users whose workstations are not able to initiate a connection to local port 443 on the system hosting your endpoint will not be able to perform HTTPS uploads/downloads with your collections.
If you are using the default GridFTP control channel port of 443 and you configure firewall/network policy in such a way that doesn’t permit the Transfer CIDR blocks to initiate connections to local port 443 on the system hosting your endpoint, then your endpoint will not function. If you have configured a custom GridFTP control channel port then your endpoint will not work unless firewall/network policy permits the Transfer CIDR blocks to initiate connections to that custom local port on the system hosting your endpoint.
If you configure firewall/network policy in such a way that excludes (some) user client systems from being able to initiate connections to local port 443 on the system hosting your endpoint, then users of such excluded systems will be unable to connect to your endpoint’s GCS Manager, with the consequences discussed above. Such excluded users will also be unable to conduct HTTPS uploads/downloads with your collections, as discussed above.
Impact of restricting TCP port 443 outbound
To install or update the GCS software on your system, it is necessary to be able to access the Globus repo. The Globus repo is served via AWS CloudFront, and these connections are made outbound to remote port 443 on the CloudFront hosts. If these connections are blocked, then you will not be able to install or update the GCS software.
The GCS software must be able to communicate with the Globus service to be able to operate. The Globus service is hosted in AWS. GCS will connect to the various parts of the Globus service via outbound connections to remote port 443 on Globus service nodes in AWS. If these connections are blocked, then your endpoint will not function.
The GCS software must be able to communicate with the AWS AppSync service to store and retrieve your endpoint config and to sync endpoint config among multiple nodes in a multi-node endpoint. GCS will connect to the AWS AppSync service via outbound connections to remote port 443 on the AWS AppSync nodes. If these connections are blocked, then your endpoint will not function.
To ensure that the Globus service, AWS CloudFront, and AWS AppSync are reachable from the system hosting your endpoint, you’ll need to configure firewall policy to allow outbound connections from the system hosting your endpoint to remote port 443 for the AWS IP range. Amazon documents the IP ranges used by AWS here.
If your endpoint is configured to use any Premium Storage Connector that uses cloud-based storage (e.g. Google Drive, Azure Blob, etc.), then the GCS software must be able to communicate with the systems that host that cloud-based storage service. GCS connects to the systems hosting the cloud-based storage service via outbound connections to remote port 443 on that storage service’s nodes. If these connections are blocked, then any storage gateway you have configured to use a storage connector for a blocked storage service will not function. If you want to allow-list a particular storage service provider, you need to contact them directly to see if they can provide an IP range you can use to configure your firewall policy. Globus cannot provide this information.
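The outbound rules the previous paragraphs call for depend on the AWS address list, which Amazon publishes as a JSON file at https://ip-ranges.amazonaws.com/ip-ranges.json. The following is an added example, not Globus code: it parses that file's layout (a `prefixes` list of `ip_prefix` entries and an `ipv6_prefixes` list of `ipv6_prefix` entries, each tagged with `region` and `service`), merges overlapping blocks, and emits nftables rule lines allowing outbound TCP 443 to them. `SAMPLE_IP_RANGES` is a constructed excerpt using documentation addresses, not real AWS ranges; restricting to service tags other than the catch-all `AMAZON`, or to particular regions, is a site decision the page does not make.

```python
"""Turn Amazon's published ip-ranges.json into outbound port-443 allow rules.

Added example, not Globus code. SAMPLE_IP_RANGES is a constructed excerpt in
the layout of https://ip-ranges.amazonaws.com/ip-ranges.json (prefixes /
ipv6_prefixes entries carrying ip_prefix / ipv6_prefix, region and service);
the addresses in it are documentation ranges, not AWS ones.
"""
import json
from ipaddress import collapse_addresses, ip_network

SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2024-05-22-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.128/25", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1", "service": "S3"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "us-east-1", "service": "AMAZON"},
    ],
})


def select_prefixes(doc_text, services=("AMAZON",), regions=None):
    """Return the networks tagged with any of `services` (and, if given, any
    of `regions`), with adjacent and nested blocks merged.

    "AMAZON" is the catch-all tag in Amazon's file, so the default follows the
    page's advice to allow the whole AWS range. Narrowing by service or region
    is a site decision (assumption) that this page does not endorse.
    """
    doc = json.loads(doc_text)

    def wanted(entry):
        return entry["service"] in services and (
            regions is None or entry["region"] in regions)

    v4 = [ip_network(e["ip_prefix"]) for e in doc.get("prefixes", []) if wanted(e)]
    v6 = [ip_network(e["ipv6_prefix"]) for e in doc.get("ipv6_prefixes", []) if wanted(e)]
    # collapse_addresses only accepts one address family at a time.
    return sorted(collapse_addresses(v4)) + sorted(collapse_addresses(v6))


def outbound_rules(networks, port=443):
    """nftables rule lines allowing outbound TCP to `port` on each network."""
    rules = []
    for net in networks:
        family = "ip" if net.version == 4 else "ip6"
        rules.append(f"{family} daddr {net.with_prefixlen} tcp dport {port} accept")
    return rules


def rules_from_file(path, **kwargs):
    """Same pipeline, reading a previously downloaded ip-ranges.json."""
    with open(path, encoding="utf-8") as fh:
        return outbound_rules(select_prefixes(fh.read(), **kwargs))


if __name__ == "__main__":
    for line in outbound_rules(select_prefixes(SAMPLE_IP_RANGES)):
        print(line)
```

The two `/25` blocks in the sample collapse into one `/24` rule, and a nested `/24` tagged `EC2` disappears into it when both tags are selected; in the real file that merging keeps the rule set far smaller than the raw prefix list. Re-run it whenever Amazon's `syncToken` changes, since the ranges move.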
Impact of restricting the 50000 - 51000 TCP port range inbound
In order for remote endpoints to initiate a data channel connection to your endpoint, they must be able to connect inbound to the local 50000 - 51000 port range on your system. Any endpoint that is unable to do so will not be able to initiate a data channel connection with your endpoint. Any Globus Connect Server endpoint that is unable to initiate a data channel connection with your endpoint will be unable to conduct transfers with your endpoint where your endpoint is the destination endpoint. Any Globus Connect Personal endpoint that is unable to initiate a data channel connection with your endpoint will be unable to conduct transfers with your endpoint at all.
If you configure firewall/network policy so as to block the 50000 - 51000 port range inbound completely, your endpoint will be unable to act as the destination endpoint in any transfer with any Globus Connect Server endpoint, and it will be unable to conduct any transfers with any Globus Connect Personal endpoints at all.
If you configure firewall/network policy so as to block the 50000 - 51000 port range inbound for all but some allowed IP range(s), your endpoint will be unable to act as the destination endpoint in any transfer with any Globus Connect Server endpoint whose DTNs (data transfer nodes) are outside of that range, and it will be unable to conduct any transfers with any Globus Connect Personal endpoints hosted on a system outside of that range. Globus doesn’t manage the IP addresses of the endpoints which run the Globus software or use the Globus service, and we are unable to provide lists of such endpoint IP addresses.
Impact of restricting the 50000 - 51000 TCP port range outbound
In order for your endpoint to initiate a data channel connection to a remote endpoint, it must be able to connect outbound to the remote 50000 - 51000 port range on the node(s) hosting the remote endpoint. If your endpoint is not able to initiate such a connection with a remote endpoint, then it cannot initiate a data channel connection with that endpoint. If your endpoint is not able to initiate a data channel connection to a given remote Globus Connect Server endpoint, then your endpoint cannot act as the source endpoint in any transfer with that remote endpoint.
If you configure firewall/network policy so as to block the 50000 - 51000 port range outbound completely, your endpoint will be unable to act as the source endpoint in any transfer with any Globus Connect Server endpoint.
If you configure firewall/network policy so as to block the 50000 - 51000 port range outbound for all but some allowed IP range(s), your endpoint will be unable to act as the source endpoint in any transfer with any Globus Connect Server endpoint whose DTNs (data transfer nodes) are outside of that range. Globus doesn’t manage the IP addresses of the endpoints which run the Globus software or use the Globus service, and we are unable to provide lists of such endpoint IP addresses.
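The inbound port 443 section and the two data channel sections above describe the same kind of decision: which remote ranges may reach, or be reached on, which ports, and what is lost for everything outside them. The following is an added example, not Globus code, that turns such a decision into nftables rule lines and reports which transfer roles remain possible with a given remote endpoint. The Transfer CIDR blocks and the 50000-51000 range are taken from this page; the user client network, partner DTN ranges and custom control port in the `__main__` block are constructed placeholders, and the `remote_kind` values `"gcs"` and `"gcp"` are names chosen here. The rules are meant to be dropped into a site's existing input and output chains; the chain preambles and base policy are left to the site because a blanket output drop would also cut DNS and similar traffic the page does not discuss.

```python
"""Generate nftables rule lines for a restricted GCSv5.4 firewall policy.

Added example, not Globus code. The Transfer CIDR blocks and the 50000-51000
data channel range come from this page; the user client ranges, peer DTN
ranges and custom control port used below are constructed placeholders.
"""
from ipaddress import ip_address, ip_network

# Globus Transfer control channel sources documented on this page.
TRANSFER_CIDRS = ["54.237.254.192/29", "2600:1f28:14::/62"]
# GridFTP data channel range; GCS only listens on a port here for the
# duration of an inbound transfer.
DATA_PORTS = "50000-51000"


def _nets(cidrs):
    return [ip_network(c, strict=False) for c in cidrs]


def _match(net, direction):
    # nftables wants the address family and saddr/daddr spelled out.
    family = "ip" if net.version == 4 else "ip6"
    field = "saddr" if direction == "in" else "daddr"
    return f"{family} {field} {net.with_prefixlen}"


def in_ranges(addr, cidrs):
    """True if addr falls inside any of the CIDR blocks (v4 or v6)."""
    a = ip_address(addr)
    return any(a in n for n in _nets(cidrs) if n.version == a.version)


def control_channel_rules(control_port=443, user_cidrs=()):
    """Inbound rules for the control side.

    Transfer hosts must reach the GridFTP control port (443 unless
    --gridftp-control-channel-port was set). User client networks that need
    the GCS Manager or HTTPS upload/download must reach 443 regardless of the
    control port; any client network left out loses those features.
    """
    rules = [f"{_match(n, 'in')} tcp dport {control_port} accept"
             for n in _nets(TRANSFER_CIDRS)]
    rules += [f"{_match(n, 'in')} tcp dport 443 accept"
              for n in _nets(user_cidrs)]
    return rules


def data_channel_rules(direction, peer_cidrs=None):
    """Rules for the 50000-51000 range in one direction ('in' or 'out').

    peer_cidrs=None is the recommended open policy; a list of ranges limits
    data channel peers to those DTNs.
    """
    if peer_cidrs is None:
        return [f"tcp dport {DATA_PORTS} accept"]
    return [f"{_match(n, direction)} tcp dport {DATA_PORTS} accept"
            for n in _nets(peer_cidrs)]


def transfer_roles(remote_ip, remote_kind, inbound_cidrs=None, outbound_cidrs=None):
    """Roles this endpoint can still play with a remote endpoint.

    Follows the page: a GCS peer can send to us only if it is inside the
    inbound data channel allow ranges, and receive from us only if it is
    inside the outbound ones; a GCP peer needs inbound access or no transfer
    works at all. None means that direction is unrestricted.
    """
    inbound_ok = inbound_cidrs is None or in_ranges(remote_ip, inbound_cidrs)
    outbound_ok = outbound_cidrs is None or in_ranges(remote_ip, outbound_cidrs)
    if remote_kind == "gcp":
        return {"source", "destination"} if inbound_ok else set()
    roles = set()
    if inbound_ok:
        roles.add("destination")
    if outbound_ok:
        roles.add("source")
    return roles


if __name__ == "__main__":
    # Constructed site policy: custom control port, one campus client range,
    # inbound data channel limited to two partner DTN ranges, outbound open.
    print("# input chain")
    for r in control_channel_rules(2811, ["203.0.113.0/24"]):
        print(r)
    for r in data_channel_rules("in", ["198.51.100.0/24", "2001:db8:2::/48"]):
        print(r)
    print("# output chain")
    for r in data_channel_rules("out"):
        print(r)
    print(transfer_roles("198.51.100.7", "gcs", ["198.51.100.0/24"], None))
```

`transfer_roles` is the quick way to answer "what breaks for this partner" before a rule goes live: a GCS peer outside the inbound allow ranges drops to `{"source"}` (you can still push to it), while a Globus Connect Personal peer outside them drops to nothing, exactly the asymmetry the sections above describe.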