Communication Ports

Firewall requirements for a Single-Server Installation

The following table lists firewall requirements for a single-server installation where Tachyon Master Stack and Response Stack are installed on the same server. The table assumes a remote SQL Server hosting TachyonMaster and TachyonResponses databases.Each Tachyon component described in the table has at least one output and/or input. For each Tachyon component with an output there is a matching input.

Firewalls normally protect against incoming traffic from remote devices, however the table below also includes outgoing connections. The table does not include internal communications within the Server.

In addition to but not included in the table are various ports that Tachyon uses to communicate with Microsoft services, including Certificate Services and Active Directory. The Authentication service and Coordinator Workflow service query AD for email details; the Authentication service and the Consumer API query AD for security details.

If 1E Nomad Agent is being used by Tachyon Agent on Windows computers, it has additional port requirements of its own, which are not changed by Tachyon. Nomad connects to the Tachyon Background Channel.

Port requirements are not provided here for Tachyon Agent Shopping and WakeUp modules.

There may be additional requirements if the environment has had default security settings changed.

Device	Port	Protocol	Direction	Usage	Configurable
Tachyon Server (Master Stack)	TCP 443	HTTPS	Incoming	Console browser connections to the Explorer Web portal (Explorer and Admin). Console browser connections to the Consumer API. Consumer connections to the Consumer API (for external Consumers). Tachyon App (mobile device) connections to the Registration service. Registration service connections to the Authentication service (for remote Registration servers).	Yes, during installation. In the Website Configuration panel in Tachyon Setup. See Server installer property HTTPSIISPORT. The Tachyon App, also known as Tachyon Auth mobile app, is deprecated and will be removed in a future release of Tachyon. As a consequence, the Registered mobile phones administration page is also deprecated.
Tachyon Server (Response Stack)	TCP 443	HTTPS	Incoming	Tachyon Agent retrieving Agent resources from the Background Channel.	Yes, during installation. In the Website Configuration panel in Tachyon Setup. See Server installer property HTTPSIISPORT.
Tachyon Server (Master Stack)	TCP 443	HTTPS	Outgoing	Tachyon Authentication service connections to Push Messaging Services. Tachyon Coordinator Workflow service contacting the 1E Cloud License Service via Internet connection.	The Tachyon App, also known as Tachyon Auth mobile app, is deprecated and will be removed in a future release of Tachyon. As a consequence, the Registered mobile phones administration page is also deprecated. The push messaging port is determined by relevant Push Messaging Services. Optional. Required only if users of supported mobile devices have installed the Tachyon App. After installation, the App is used to register the mobile device for the user, which needs to be approved by a Tachyon Permissions Administrator. The user will receive an authentication code as a push notification each time that user attempts to run an action. The port used to connect to the 1E Cloud License Service is not configurable.
Tachyon Server (Response Stack)	TCP 4000	WebSocketSecure (wss)	Incoming	Tachyon Agent receiving instructions from and sending compressed responses to the Tachyon Switch.	Switch ports are not configurable using the Server installer. A Switch port can be changed post-installation, by configuring the value in the Port column for the relevant Switch in the SwitchConfiguration table in the Tachyon Master database. If the Switch port is changed after deploying Agents then the corresponding Switch port must be updated in each Agent's configuration file. Additional Switches can be installed using different ports, but this is a Complex Configuration. Agents initiate and maintain a WebSocket Secure connection to a Switch, which the Switch uses to communicate back to the Agent.
Tachyon Server (Master Stack)	TCP 25	SMTP	Outgoing	Tachyon Authentication service sending two-factor authentication emails. Tachyon Coordinator Workflow service sending workflow emails.	Yes. In this version of Tachyon, SMTP Authentication is not configurable using the Server installer. The default is anonymous authentication. However, it can be changed post-installation. See Changing the SMTP Host configuration in Tachyon Server post-installation tasks for details of changing the SMTP configuration and disabling email notifications.
Tachyon Server (Master Stack)	TCP 1433	TDS	Outgoing	Tachyon Web Site application pools (Consumer API) communicating with SQL Server. Tachyon Coordinator Workflow service communicating with SQL Server. Tachyon Authentication service communicating with SQL Server.	Yes. In the Database Servers panels in Tachyon Setup. A SQL Server instance can be installed using a non-standard port. See Server installer property SQLSERVER_MASTER.
Tachyon Server (Response Stack)	TCP 1433	TDS	Outgoing	Tachyon Web Site application pools (Core and Core Internal) communicating with SQL Server (mainly uncompressed responses).	Yes. In the Database Servers panels in Tachyon Setup. A SQL Server instance can be installed using a non-standard port. See Server installer property SQLSERVER_RESPONSES.
SQL Server (TachyonMaster database)	TCP 1433	TDS	Incoming	Tachyon Web Site application pools (Authentication service, Consumer API, Core and Core Internal) communicating with SQL Server. Tachyon Coordinator Workflow service communicating with SQL Server. Tachyon Authentication service communicating with SQL Server. Tachyon Web Site application pools (Core) communicating with SQL Server.	Yes. In the Database Servers panels in Tachyon Setup . A SQL Server instance can be installed using a non-standard port. See Server installer property SQLSERVER_MASTER .
SQL Server (TachyonResponses database)	TCP 1433	TDS	Incoming	Tachyon Web Site application. pools (Core and Core Internal) communicating with SQL Server (mainly uncompressed responses).	Yes. In the Database Servers panels in Tachyon Setup. A SQL Server instance can be installed using a non-standard port. See Server installer property SQLSERVER_RESPONSES.
Tachyon Agents	TCP 4000	WebSocket Secure (wss)	Outgoing	Tachyon Agent receiving instructions from and sending compressed responses to the Tachyon Switch.	Yes. See Agent installer property SWITCH. Anything other than port 4000 requires a Tachyon Server with a Switch using the same port number. Agents initiate and maintain a WebSocket Secure connection to a Switch, which the Switch uses to communicate back to the Agent.
Tachyon Agents	TCP 443	HTTPS	Outgoing	Tachyon Agent retrieving Agent resources from the Background Channel.	Yes, during installation. See Agent installer property BACKGROUNDCHANNELURL.
Tachyon Consoles	TCP 443	HTTPS	Outgoing	Browsers connection to the Explorer Web portal (Explorer and Admin). Browsers connection to the Consumer API.	Anything other than port 443 requires the port number to be included in the browser URL when connecting to the Tachyon Explorer and Admin portal.
Tachyon App	TCP 443	HTTPS	Outgoing	Tachyon App (mobile device) connections to the Registration service.	The Tachyon App, also known as Tachyon Auth mobile app, is deprecated and will be removed in a future release of Tachyon. As a consequence, the Registered mobile phones administration page is also deprecated.

Firewall requirements between Tachyon Servers

The following table lists firewall requirements when using Response Stacks that are remote from the Master Stack, that are additional to the ports required for a Single-Server.

Device	Port	Protocol	Direction	Usage	Configurable
Tachyon Server (Master Stack)	TCP 443	HTTPS	Outgoing	Tachyon Coordinator Workflow service connections to the Core on a remote Response Stack Consumer API connections to the remote Background Channel on a remote Response Stack Consumer API connections to the Core on a remote Response Stack	Yes, during installation of the Response Stack. In the Website Configuration panel in Tachyon Setup. See Server installer property HTTPSIISPORT. The Consumer API connection to the Core is only used for remote Response Stacks.
Tachyon Server (Response Stack)	TCP 443	HTTPS	Incoming	Tachyon Coordinator Workflow service on the remote Master Stack connecting to the Core on a remote Response Stack Consumer API on the remote Master Stack connecting to the remote Background Channel on a remote Response Stack Consumer API on the remote Master Stack connecting to the Core on a remote Response Stack	Yes, during installation of the Response Stack. In the Website Configuration panel in Tachyon Setup. See Server installer property HTTPSIISPORT. The Consumer API connection to the Core is only used for remote Response Stacks.
Tachyon Server (Master Stack)	TCP 3901	WebSocket (ws)	Incoming	Tachyon Switches sending instrumentation data to the Instrumentation module in the Coordinator on the Master Stack Tachyon Web Site Core application pool sending instrumentation data to the Instrumentation module in the Coordinator on the Master Stack	Yes, but please contact 1E for advice.
Tachyon Server (Response Stack)	TCP 3901	WebSocket (ws)	Outgoing	Tachyon Switches sending instrumentation data to the Instrumentation module in the Coordinator on the Master Stack Tachyon Web Site Core application pool sending instrumentation data to the Instrumentation module in the Coordinator on the Master Stack	Yes, but please contact 1E for advice.
SQL Server (TachyonMaster database)	TCP 1433	TDS	Incoming	Tachyon Web Site Core application pool on a remote Response Stack communicating directly with the Tachyon Master database	Yes. In the Database Servers panels in Tachyon Setup. A SQL Server instance can be installed using a non-standard port. See Server installer property SQLSERVER_MASTER.
Tachyon Server (Response Stack)	TCP 1433	TDS	Outgoing	Tachyon Web Site Core application pool communicating directly with the remote Tachyon Master database	Yes. In the Database Servers panels in Tachyon Setup. A SQL Server instance can be installed using a non-standard port. See Server installer property SQLSERVER_MASTER.

Firewall requirements when hosting a Tachyon Switch and Background Channel in a DMZ

The following table lists the subset of ports needed when hosting Tachyon Switch and Background Channel components on a DMZ Server to support devices external to the network. Each Tachyon component described in the table has at least one output and/or input. For each Tachyon component with an output there is a matching input.

If the server is a domain joined server it needs to be able to access Microsoft services, including Certificate Services and Active Directory. If the server is not domain joined (a workgroup server) you will need to manually install its Web Server certificate.

In both cases you will also need to ensure that the server is able to validate the certificate, including accessing the certificate's remote CRL Distribution Point.

The following table does not cover port requirements when using ADFS and SAML tokens to authenticate clients. In this documentation we just provide details of the simplest option, which uses certificates for client authentication. For details of how to configure Tachyon to support the more complex implementations, please contact 1E.

Device	Port	Protocol	Direction	Usage	Configurable
DMZ Server	TCP 443	HTTPS	Incoming	Internet-facing Tachyon Agent retrieving Agent resources from the Background Channel Background Channel receiving Agent resources from the Consumer API on the Master Stack	Yes, during installation. In the Website Configuration panel in Tachyon Setup. See Server installer property HTTPSIISPORT.
DMZ Server	TCP 443	HTTPS	Outgoing	The Switch forwards compressed responses from the Internet-facing Tachyon Agents to the Core on the Response Stack	Yes, during installation. In the Website Configuration panel in Tachyon Setup. See Server installer property HTTPSIISPORT.
DMZ Server	TCP 3901	WebSocket (ws)	Outgoing	Tachyon Switches sending instrumentation data to the Instrumentation module in the Coordinator on the Master Stack	Yes, but please contact 1E for advice.
DMZ Server	TCP 4001	TCP	Incoming	A prompt from the Core on the Response Stack to each Switch on the DMZ Server	If the value for the Switch Port has been changed, the Port you need to open should be the Switch Port + 1.
DMZ Server	TCP 4000	WebSocket Secure (wss)	Incoming	Internet-facing Tachyon Agent requesting instructions from and sending compressed responses to the Tachyon Switch	Switch ports are not configurable using the Server installer. A Switch port can be changed post-installation, by configuring the value in the Port column for the relevant Switch in the SwitchConfiguration table in the Tachyon Master database. Additional Switches can be installed using different ports, but this is a Complex Configuration. Agents initiate and maintain a WebSocket Secure connection to a Switch, which the Switch uses to communicate back to the Agent.
DMZ Server	TCP 80	HTTP	Outgoing	See note above about accessing the certificate's remote CRL Distribution Point.
Tachyon Server (Response Stack)	TCP 443	HTTPS	Incoming	The Core receives compressed responses forwarded by the Switch	Yes, during installation. In the Website Configuration panel in Tachyon Setup. See Server installer property HTTPSIISPORT.
Tachyon Server (Master Stack)	TCP 443	HTTPS	Outgoing	The Consumer API on the Master Stack sends Agent resources to the Background Channel	Yes, during installation. In the Website Configuration panel in Tachyon Setup. See Server installer property HTTPSIISPORT.
Tachyon Server (Response Stack)	TCP 4001	TCP	Outgoing	The Core on the Response Stack prompts each Switch on the DMZ Server	Switch ports are not configurable using the Server installer. A Switch port can be changed post-installation, by configuring the value in the Port column for the relevant Switch in the SwitchConfiguration table in the Tachyon Master database. If the value for the Switch Port has been changed the Port you need to open should be the Switch Port + 1. Additional Switches can be installed using different ports, but this is a Complex Configuration.
Tachyon Server (Master Stack)	TCP 3901	WebSocket (ws)	Incoming	Tachyon Switches sending instrumentation data to the Instrumentation module in the Coordinator on the Master Stack	Yes, but please contact 1E for advice.
Internet-facing Tachyon Agents	TCP 443	HTTPS	Outgoing	Internet-facing Tachyon Agent retrieves Agent resources from the Background Channel	Yes, during installation. See Agent installer property BACKGROUNDCHANNELURL.
Internet-facing Tachyon Agents	TCP 4000	WebSocket Secure (wss)	Outgoing	Internet-facing Tachyon Agent requests instructions from and sends compressed responses to the Tachyon Switch	Yes. See Agent installer property SWITCH. Anything other than port 4000 requires a Tachyon Server with a Switch using the same port number. Agents initiate and maintain a WebSocket Secure connection to a Switch, which the Switch uses to communicate back to the Agent.

Internal Server communications

The following is a list of ports used within the Tachyon Server, and not listed in the Single-Server table above, and as such should not affect firewall requirements. Some of these are listed in the DMZ table above.

Port

Protocol

Usage

Configurable

TCP 3900

WebSocket (ws)

Tachyon Switch registering with the Switch Host

Yes, post-installation, but not recommended. Contact 1E for advice.

The following may be configured during installation.

TCP 443	HTTPSIISPORT (Website Configuration)
TCP 80	IISPORT (Website Configuration)
TCP 8080	WORKFLOWWEBPORT

TCP 3901

WebSocket (ws)

Tachyon Web Site Consumer API application pool requesting instrumentation data
Tachyon Web Site Core application pool sending instrumentation data
Tachyon Web Site Core Internal application pool sending instrumentation data
Tachyon Coordinator Workflow service sending instrumentation data
Tachyon Switches sending instrumentation data

TCP 4001

TCP

Tachyon Core forwarding workflow commands to the Tachyon Switch

TCP 443

HTTPS

Tachyon Switch retrieving instruction definitions from the Core
Tachyon Coordinator Workflow service connections to the Core
Tachyon Coordinator Workflow service connections to the Authentication service
Registration service connections to the Authentication service
Consumer API connections to the Authentication service
Consumer API connections to the Background Channel
Consumer API connections to the Tachyon Coordinator Workflow service

TCP 80

HTTP

Tachyon Switch forwarding responses to the Core Internal (fast) - but a Switch on a DMZ server will use 443 HTTPS instead.

TCP 8080

HTTPS

Tachyon Web Site Consumer API application pool issuing workflow commands to the Tachyon Coordinator Workflow service

Page tree

Publish this draft for everyone to see.

Other users have edits for this page:

Permanently discard changes to this page.

This cannot be undone.

Contents

Communication Ports

Summary

Connections diagram

Firewall requirements for a Single-Server Installation

Tachyon Server (Master Stack)

Tachyon Server (Response Stack)

Tachyon Server (Master Stack)

Tachyon Server (Response Stack)

Tachyon Server (Master Stack)

Tachyon Server (Master Stack)

Tachyon Server (Response Stack)

SQL Server (TachyonMaster database)

SQL Server (TachyonResponses database)

Tachyon Agents

Tachyon Agents

Tachyon Consoles

Tachyon App

Firewall requirements between Tachyon Servers

Tachyon Server (Master Stack)

Tachyon Server (Response Stack)

Tachyon Server (Master Stack)

Tachyon Server (Response Stack)

SQL Server (TachyonMaster database)

Tachyon Server (Response Stack)

Firewall requirements when hosting a Tachyon Switch and Background Channel in a DMZ

DMZ Server

DMZ Server

DMZ Server

DMZ Server

DMZ Server

DMZ Server

Tachyon Server (Response Stack)

Tachyon Server (Master Stack)

Tachyon Server (Response Stack)

Tachyon Server (Master Stack)

Internet-facing Tachyon Agents

Internet-facing Tachyon Agents

Internal Server communications