Summary

A diagram and a table with a list of all the external Tachyon communication ports. Useful, if needed, for network and device firewalls.

Connections diagram



Firewall requirements for a Single-Server Installation

The following table lists firewall requirements for a single-server installation where Tachyon Master Stack and Response Stack are installed on the same server. The table assumes a remote SQL Server hosting the TachyonMaster and TachyonResponses databases. Each Tachyon component described in the table has at least one output and/or input. For each Tachyon component with an output there is a matching input.

Firewalls normally protect against incoming traffic from remote devices; however, the table below also includes outgoing connections. The table does not include internal communications within the Server.

Not included in the table are the various ports that Tachyon uses to communicate with Microsoft services, including Certificate Services and Active Directory. The Authentication service and Coordinator Workflow service query AD for email details; the Authentication service and the Consumer API query AD for security details.

If 1E Nomad Agent is being used by Tachyon Agent on Windows computers, it has additional port requirements of its own, which are not changed by Tachyon. Nomad connects to the Tachyon Background Channel.

Port requirements are not provided here for Tachyon Agent Shopping and WakeUp modules.

There may be additional requirements if the environment has had default security settings changed.

Device | Port | Protocol | Direction | Usage | Configurable

Tachyon Server (Master Stack)

TCP 443 | HTTPS | Incoming

Yes, during installation. In the Website Configuration panel in Tachyon Setup.

See Server installer property HTTPSIISPORT

The Tachyon App, also known as Tachyon Auth mobile app, is deprecated and will be removed in a future release of Tachyon. As a consequence, the Registered mobile phones administration page is also deprecated.

Tachyon Server (Response Stack)

TCP 443 | HTTPS | Incoming

Yes, during installation. In the Website Configuration panel in Tachyon Setup.

See Server installer property HTTPSIISPORT

Tachyon Server (Master Stack)

TCP 443 | HTTPS | Outgoing

The Tachyon App, also known as Tachyon Auth mobile app, is deprecated and will be removed in a future release of Tachyon. As a consequence, the Registered mobile phones administration page is also deprecated.

The push messaging port is determined by relevant Push Messaging Services.

Optional. Required only if users of supported mobile devices have installed the Tachyon App. After installation, the App is used to register the mobile device for the user, which needs to be approved by a Tachyon Permissions Administrator. The user will receive an authentication code as a push notification each time that user attempts to run an action.

The port used to connect to the 1E Cloud License Service is not configurable.

Tachyon Server (Response Stack)

TCP 4000 | WebSocket Secure (wss) | Incoming

Switch ports are not configurable using the Server installer.

A Switch port can be changed post-installation, by configuring the value in the Port column for the relevant Switch in the SwitchConfiguration table in the Tachyon Master database.

If the Switch port is changed after deploying Agents then the corresponding Switch port must be updated in each Agent's configuration file.

Additional Switches can be installed using different ports, but this is a Complex Configuration.

Agents initiate and maintain a WebSocket Secure connection to a Switch, which the Switch uses to communicate back to the Agent.

Tachyon Server (Master Stack)

TCP 25 | SMTP | Outgoing

Yes.

In this version of Tachyon, SMTP Authentication is not configurable using the Server installer. The default is anonymous authentication. However, it can be changed post-installation. See Changing the SMTP Host configuration in Tachyon Server post-installation tasks for details of changing the SMTP configuration and disabling email notifications.

Tachyon Server (Master Stack)

TCP 1433 | TDS | Outgoing

Yes. In the Database Servers panels in Tachyon Setup. A SQL Server instance can be installed using a non-standard port.

See Server installer property SQLSERVER_MASTER.

Tachyon Server (Response Stack)

TCP 1433 | TDS | Outgoing
  • Tachyon Web Site application pools (Core and Core Internal) communicating with SQL Server (mainly uncompressed responses).

Yes. In the Database Servers panels in Tachyon Setup. A SQL Server instance can be installed using a non-standard port.

See Server installer property SQLSERVER_RESPONSES.

SQL Server (TachyonMaster database)

TCP 1433 | TDS | Incoming

Yes. In the Database Servers panels in Tachyon Setup. A SQL Server instance can be installed using a non-standard port.

See Server installer property SQLSERVER_MASTER.

SQL Server (TachyonResponses database)

TCP 1433 | TDS | Incoming
  • Tachyon Web Site application pools (Core and Core Internal) communicating with SQL Server (mainly uncompressed responses).

Yes. In the Database Servers panels in Tachyon Setup. A SQL Server instance can be installed using a non-standard port.

See Server installer property SQLSERVER_RESPONSES.

Tachyon Agents

TCP 4000 | WebSocket Secure (wss) | Outgoing

Yes. See Agent installer property SWITCH.

Anything other than port 4000 requires a Tachyon Server with a Switch using the same port number.

Agents initiate and maintain a WebSocket Secure connection to a Switch, which the Switch uses to communicate back to the Agent.

Tachyon Agents

TCP 443 | HTTPS | Outgoing

Yes, during installation. See Agent installer property BACKGROUNDCHANNELURL.

Tachyon Consoles

TCP 443 | HTTPS | Outgoing

Anything other than port 443 requires the port number to be included in the browser URL when connecting to the Tachyon Explorer and Admin portal.

Tachyon App

TCP 443 | HTTPS | Outgoing

The Tachyon App, also known as Tachyon Auth mobile app, is deprecated and will be removed in a future release of Tachyon. As a consequence, the Registered mobile phones administration page is also deprecated.

Firewall requirements between Tachyon Servers

The following table lists the firewall requirements when using Response Stacks that are remote from the Master Stack. These are in addition to the ports required for a Single-Server installation.

Device | Port | Protocol | Direction | Usage | Configurable

Tachyon Server (Master Stack)

TCP 443 | HTTPS | Outgoing

Yes, during installation of the Response Stack. In the Website Configuration panel in Tachyon Setup.

See Server installer property HTTPSIISPORT

The Consumer API connection to the Core is only used for remote Response Stacks.

Tachyon Server (Response Stack)

TCP 443 | HTTPS | Incoming
  • Tachyon Coordinator Workflow service on the remote Master Stack connecting to the Core on a remote Response Stack
  • Consumer API on the remote Master Stack connecting to the remote Background Channel on a remote Response Stack
  • Consumer API on the remote Master Stack connecting to the Core on a remote Response Stack

Yes, during installation of the Response Stack. In the Website Configuration panel in Tachyon Setup.

See Server installer property HTTPSIISPORT.

The Consumer API connection to the Core is only used for remote Response Stacks.

Tachyon Server (Master Stack)

TCP 3901 | WebSocket (ws) | Incoming
  • Tachyon Switches sending instrumentation data to the Instrumentation module in the Coordinator on the Master Stack
  • Tachyon Web Site Core application pool sending instrumentation data to the Instrumentation module in the Coordinator on the Master Stack

Yes, but please contact 1E for advice.

Tachyon Server (Response Stack)

TCP 3901 | WebSocket (ws) | Outgoing
  • Tachyon Switches sending instrumentation data to the Instrumentation module in the Coordinator on the Master Stack
  • Tachyon Web Site Core application pool sending instrumentation data to the Instrumentation module in the Coordinator on the Master Stack

Yes, but please contact 1E for advice.

SQL Server (TachyonMaster database)

TCP 1433 | TDS | Incoming
  • Tachyon Web Site Core application pool on a remote Response Stack communicating directly with the Tachyon Master database

Yes. In the Database Servers panels in Tachyon Setup. A SQL Server instance can be installed using a non-standard port.

See Server installer property SQLSERVER_MASTER.

Tachyon Server (Response Stack)

TCP 1433 | TDS | Outgoing
  • Tachyon Web Site Core application pool communicating directly with the remote Tachyon Master database

Yes. In the Database Servers panels in Tachyon Setup. A SQL Server instance can be installed using a non-standard port.

See Server installer property SQLSERVER_MASTER.

Firewall requirements when hosting a Tachyon Switch and Background Channel in a DMZ

The following table lists the subset of ports needed when hosting Tachyon Switch and Background Channel components on a DMZ Server to support devices external to the network. Each Tachyon component described in the table has at least one output and/or input. For each Tachyon component with an output there is a matching input.

If the server is a domain-joined server, it needs to be able to access Microsoft services, including Certificate Services and Active Directory. If the server is not domain-joined (a workgroup server), you will need to manually install its Web Server certificate.

In both cases you will also need to ensure that the server is able to validate the certificate, including accessing the certificate's remote CRL Distribution Point.

The following table does not cover port requirements when using ADFS and SAML tokens to authenticate clients. In this documentation we just provide details of the simplest option, which uses certificates for client authentication. For details of how to configure Tachyon to support the more complex implementations, please contact 1E.

Device | Port | Protocol | Direction | Usage | Configurable

DMZ Server

TCP 443 | HTTPS | Incoming

Yes, during installation. In the Website Configuration panel in Tachyon Setup.

See Server installer property HTTPSIISPORT

DMZ Server

TCP 443 | HTTPS | Outgoing
  • The Switch forwards compressed responses from the Internet-facing Tachyon Agents to the Core on the Response Stack

Yes, during installation. In the Website Configuration panel in Tachyon Setup.

See Server installer property HTTPSIISPORT

DMZ Server

TCP 3901 | WebSocket (ws) | Outgoing
  • Tachyon Switches sending instrumentation data to the Instrumentation module in the Coordinator on the Master Stack

Yes, but please contact 1E for advice.

DMZ Server

TCP 4001 | TCP | Incoming
  • A prompt from the Core on the Response Stack to each Switch on the DMZ Server

If the value for the Switch Port has been changed, the Port you need to open should be the Switch Port + 1.

DMZ Server

TCP 4000 | WebSocket Secure (wss) | Incoming
  • Internet-facing Tachyon Agent requesting instructions from and sending compressed responses to the Tachyon Switch

Switch ports are not configurable using the Server installer.

A Switch port can be changed post-installation, by configuring the value in the Port column for the relevant Switch in the SwitchConfiguration table in the Tachyon Master database.

Additional Switches can be installed using different ports, but this is a Complex Configuration.

Agents initiate and maintain a WebSocket Secure connection to a Switch, which the Switch uses to communicate back to the Agent.

DMZ Server

TCP 80 | HTTP | Outgoing
  • See note above about accessing the certificate's remote CRL Distribution Point.

Tachyon Server (Response Stack)

TCP 443 | HTTPS | Incoming
  • The Core receives compressed responses forwarded by the Switch

Yes, during installation. In the Website Configuration panel in Tachyon Setup.

See Server installer property HTTPSIISPORT

Tachyon Server (Master Stack)

TCP 443 | HTTPS | Outgoing

Yes, during installation. In the Website Configuration panel in Tachyon Setup.

See Server installer property HTTPSIISPORT

Tachyon Server (Response Stack)

TCP 4001 | TCP | Outgoing
  • The Core on the Response Stack prompts each Switch on the DMZ Server

Switch ports are not configurable using the Server installer.

A Switch port can be changed post-installation, by configuring the value in the Port column for the relevant Switch in the SwitchConfiguration table in the Tachyon Master database.

If the value for the Switch Port has been changed, the Port you need to open should be the Switch Port + 1.

Additional Switches can be installed using different ports, but this is a Complex Configuration.

Tachyon Server (Master Stack)

TCP 3901 | WebSocket (ws) | Incoming
  • Tachyon Switches sending instrumentation data to the Instrumentation module in the Coordinator on the Master Stack

Yes, but please contact 1E for advice.

Internet-facing Tachyon Agents

TCP 443 | HTTPS | Outgoing

Yes, during installation. See Agent installer property BACKGROUNDCHANNELURL.

Internet-facing Tachyon Agents

TCP 4000 | WebSocket Secure (wss) | Outgoing
  • Internet-facing Tachyon Agent requests instructions from and sends compressed responses to the Tachyon Switch

Yes. See Agent installer property SWITCH.

Anything other than port 4000 requires a Tachyon Server with a Switch using the same port number.

Agents initiate and maintain a WebSocket Secure connection to a Switch, which the Switch uses to communicate back to the Agent.
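
The DMZ Server rows of the table above, expressed as Windows Firewall rules, including the "Switch Port + 1" rule for the Core prompt. This is an added example, not a 1E script; it assumes the DMZ Server runs Windows with the built-in NetSecurity cmdlets, and the IP addresses, parameter names and rule names are placeholders.

```powershell
# Added example (not 1E's script): DMZ Server rows of the table as Windows Firewall rules.
# Assumptions: addresses are placeholders from documentation ranges; the DMZ Server and
# the Response Stack use the same HTTPS port; rule names are illustrative.
param(
    [int]$SwitchPort       = 4000,          # Port column of the SwitchConfiguration table
    [int]$HttpsPort        = 443,           # Server installer property HTTPSIISPORT
    [string]$ResponseStack = '192.0.2.10',  # placeholder: Response Stack server
    [string]$MasterStack   = '192.0.2.20'   # placeholder: Master Stack server
)

$rules = @(
    # Incoming to the DMZ Server
    # HTTPS from Internet-facing Agents (Agent property BACKGROUNDCHANNELURL)
    @{ Name = 'Tachyon DMZ - HTTPS in';       Direction = 'Inbound';  Port = $HttpsPort;      Remote = 'Any' }
    # WebSocket Secure from Internet-facing Agents to the Switch
    @{ Name = 'Tachyon DMZ - Switch wss in';  Direction = 'Inbound';  Port = $SwitchPort;     Remote = 'Any' }
    # Prompt from the Core on the Response Stack: always Switch Port + 1
    @{ Name = 'Tachyon DMZ - Core prompt in'; Direction = 'Inbound';  Port = $SwitchPort + 1; Remote = $ResponseStack }

    # Outgoing from the DMZ Server
    # Switch forwards compressed responses to the Core on the Response Stack
    @{ Name = 'Tachyon DMZ - Core HTTPS out'; Direction = 'Outbound'; Port = $HttpsPort;      Remote = $ResponseStack }
    # Switch sends instrumentation data to the Coordinator on the Master Stack
    @{ Name = 'Tachyon DMZ - Instr ws out';   Direction = 'Outbound'; Port = 3901;            Remote = $MasterStack }
    # Certificate validation against the remote CRL Distribution Point
    # (narrow 'Any' to the CDP host address if it is known and stable)
    @{ Name = 'Tachyon DMZ - CRL HTTP out';   Direction = 'Outbound'; Port = 80;              Remote = 'Any' }
)

foreach ($r in $rules) {
    $common = @{
        DisplayName   = $r.Name
        Direction     = $r.Direction
        Protocol      = 'TCP'
        Action        = 'Allow'
        RemoteAddress = $r.Remote
    }
    # Inbound rules match the listening port on this server; outbound rules match
    # the destination port on the remote server.
    if ($r.Direction -eq 'Inbound') {
        New-NetFirewallRule @common -LocalPort $r.Port | Out-Null
    } else {
        New-NetFirewallRule @common -RemotePort $r.Port | Out-Null
    }
}
```

Windows Firewall allows outbound traffic by default, so the outbound rules take effect only where that default has been set to Block; the same flows also need to be permitted on any perimeter firewall between the DMZ and the internal network.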

Internal Server communications

The following ports are used within the Tachyon Server. They are not listed in the Single-Server table above and, as such, should not affect firewall requirements. Some of these are listed in the DMZ table above.

Port | Protocol | Usage | Configurable

TCP 3900 | WebSocket (ws)
  • Tachyon Switch registering with the Switch Host

Yes, post-installation, but not recommended. Contact 1E for advice.

The following may be configured during installation.



TCP 3901 | WebSocket (ws)
TCP 4001 | TCP
TCP 443 | HTTPS
TCP 80 | HTTP
  • Tachyon Switch forwarding responses to the Core Internal (fast) - but a Switch on a DMZ server will use 443 HTTPS instead.
TCP 8080 | HTTPS