Firewall configuration
The Stratodesk Virtual Appliance comes with a host firewall similar to any other contemporary server system. It is based on Linux' iptables mechanism and will filter inbound packets and allow only packets to selected services go through.
Firewall configuration
Log in to the appliance web console, and go to "Firewall" to see this screen:
The actual configuration is straightforward and consists of fixed allow/deny rules. Turning the firewall off means to allow ALL access.
The default configuration for new setups is to allow all selected services except the two "Legacy Center" services. If you experience problems with older client versions that may not Announce as expected, consider opening these ports up until things work, then set the URL Prefix correctly and finally turn the services off.
The two Legacy Center services refer to the original NoTouch Center ports 8080 and 8443. With the Reverse proxy it is not necessary to expose them to the outside world. For older installations it may be necessary though, either because the URL Prefix contains an 8080 or 8443 number or clients are too old to automatically try 80/443.
Firewall notes
The firewall "allow" rules include a rule for "related and established" traffic. That means, if you switch for example from Allow to Deny, open connections will not be interrupted. This will manifest in two things, for instance.
- If you have a continuous ping running, it will not stop. However, if you interrupt it after changing to "deny", and start a new ping, the new ping will not go through.
- If you disable the WWW port you are currently connecting to, your browser session will continue for a while. However, if you close the browser tab after changing to "deny", and then go the same URL again, it will not work any more.
Hint: Do not set everything to "deny" at once. If you play with the firewall settings, leave at least SSH open for recovery (see below). You will lock yourself out permanently if you disable ALL these services. If you do so, you will have to scrap the Virtual Appliance or undergo a complicated unsupported boot-loader-modification-procedure inside your hypervisor console. Don't do it.