Summary

Diagrams and tables with all the external Tachyon communication ports, useful if you need to configure network and device firewalls.

Please refer to Tachyon Architecture for architecture diagrams.

Connections diagram

The diagram below shows Tachyon connections. It does not show connections for other 1E products (Nomad, WakeUp or Shopping).

Firewall requirements for a Single-Server

The following table lists firewall requirements for a single-server where Tachyon Master Stack and Response Stack are installed on the same server. The table assumes a remote SQL Server hosting TachyonMaster and TachyonResponses databases. Each Tachyon component described in the table has at least one output and/or input. For each Tachyon component with an output there is a matching input.

Firewalls normally protect against incoming traffic from remote devices, however the table below also includes outgoing connections. The table does not include internal communications within the Server.

In addition, but not included in the table, Tachyon uses various ports to communicate with Microsoft services, including Certificate Services and Active Directory. The Coordinator Workflow service queries AD for email details; the Consumer API queries AD for security details.

Port requirements are not provided here for the Nomad, Shopping and WakeUp modules of the 1E Client. Only the ports used by the Tachyon client feature of the 1E Client are listed.

If the 1E Nomad module is being used by the Tachyon client on Windows computers, it has additional port requirements of its own, which are not changed by Tachyon.

Additional ports may be required if Tachyon instructions need to connect to non-Tachyon content sources.

There may be additional requirements if the environment has had default security settings changed.

Tachyon Servers

Device | Port | Protocol | Direction | Usage | Configurable

Tachyon Server (Master Stack)

TCP 443 | HTTPS | Incoming
  • Console browser connections to the Tachyon Portal UI
  • Console browser connections to the SLA Platform UI

  • Consumer connections to the Consumer API
  • Consumer connections to the SLA Platform API

Yes, during installation. In the Website Configuration panel in Tachyon Setup.

See Tachyon Server installer properties: HTTPSIISPORT.

See SLA Platform installer properties: IIS_HTTPS_PORT.

Tachyon Server (Master Stack)

TCP 80 | HTTP | Incoming
  • Console browser connections to the 1E Catalog UI
  • Consumer connections to the Catalog API 
  • Consumer connections to the SLA Platform API

Yes, during installation. In the Website Configuration panel in Tachyon Setup.

See 1E Catalog installer properties: IISPORT.


Tachyon Server (Response Stack)

TCP 443 | HTTPS | Incoming
  • Tachyon client retrieving content from the Background Channel.

Yes, during installation. In the Website Configuration panel in Tachyon Setup.

See Tachyon Server installer properties: HTTPSIISPORT.

Tachyon Server (Master Stack)

TCP 443 | HTTPS | Outgoing
  • Tachyon Coordinator service contacting the 1E Cloud License Service via Internet connection.
  • 1E Catalog Update service contacting the 1E Cloud Catalog Service via Internet connection.
The port used to connect to the 1E Cloud Services is not configurable.

Tachyon Server (Master Stack)

TCP 6002 | WebSocket (ws) | Incoming, Outgoing
  • Integrate Agent service connecting to the Integrate Manager Web API to get connector jobs

Yes, configurable after installation.

Integrate Agent component is not shown on the diagram, and installation on remote systems is not supported.

Tachyon Server (Response Stack)

TCP 4000 | WebSocket Secure (wss) | Incoming
  • Tachyon client (feature of 1E Client) receiving instructions from and sending compressed responses to the Tachyon Switch.

Switch ports are not configurable using the Server installer.

A Switch port can be changed post-installation, by configuring the value in the Port column for the relevant Switch in the SwitchConfiguration table in the Tachyon Master database.

If the Switch port is changed after deploying 1E Clients (with Tachyon features enabled) then the corresponding Switch port must be updated in each Client's configuration file.

Tachyon clients initiate and maintain a WebSocket Secure connection to a Switch, which the Switch uses to communicate back to the Tachyon clients.

Tachyon Server (Master Stack)

TCP 25 | SMTP | Outgoing
  • Tachyon Coordinator service sending two-factor authentication emails.
  • Tachyon Coordinator service sending workflow emails.

Yes.

In this version of Tachyon, SMTP Authentication is not configurable using the Server installer. The default is anonymous authentication. However, it can be changed post-installation. For details of changing the SMTP configuration and disabling email notifications, please refer to Tachyon Server post-installation tasks: Changing the SMTP Host configuration.

Tachyon Server (Master Stack)

TCP 1433 | TDS | Outgoing
  • Tachyon Web Site application pools (Portal, Consumer API) communicating with SQL Server.
  • SLA Platform Web Site application pools (Admin, CoreExternal, Platform) communicating with SQL Server.
  • Tachyon Coordinator service communicating with SQL Server.
  • Catalog services and application pool communicating with SQL Server.
  • 1E Catalog Update service communicating with SQL Server.

Not configurable from Setup.

In the Database Servers panel in Tachyon Setup you can select a SQL Server instance. The instance can be installed using a non-standard port.

However, selecting an instance that uses a non-standard port will not change the port used by the Tachyon Installer, and installation will fail. If you require the use of a non-standard port on a Default SQL Server instance, contact 1E for guidance on a manual workaround.

If using a Named Instance that is set to its default configuration where the server automatically chooses a random port (or if you manually configured the instance to use a fixed port), then the SQL Browser service needs to be enabled to let the Tachyon Server determine the port in use. You will need to open UDP port 1434 used by the SQL Browser.

See Tachyon Server installer properties: SQLSERVER_MASTER.

Tachyon Server (Response Stack)

TCP 1433 | TDS | Outgoing
  • Tachyon Web Site application pools (Core and Core Internal) communicating with SQL Server (mainly uncompressed responses).

Not configurable from Setup. See the comments above for the Tachyon Server (Master Stack).

See Tachyon Server installer properties: SQLSERVER_RESPONSES.

SQL Server (TachyonMaster database)

TCP 1433 | TDS | Incoming
  • Tachyon Web Site application pools (Consumer API, Portal) communicating with SQL Server.
  • Tachyon Coordinator service communicating with SQL Server.
  • Tachyon Web Site application pools (Core) communicating with SQL Server.

Not configurable from Setup. See the comments above for the Tachyon Server (Master Stack).

See Tachyon Server installer properties: SQLSERVER_MASTER.

SQL Server (TachyonResponses database)

TCP 1433 | TDS | Incoming
  • Tachyon Web Site application pools (Core and Core Internal) communicating with SQL Server (mainly uncompressed responses).

Not configurable from Setup. See the comments above for the Tachyon Server (Master Stack).

See Tachyon Server installer properties: SQLSERVER_RESPONSES.

Tachyon clients

Tachyon clients

TCP 4000 | WebSocket Secure (wss) | Outgoing
  • Tachyon client receiving instructions from and sending compressed responses to the Tachyon Switch.

Yes. See Tachyon client settings: SWITCH.

Anything other than port 4000 requires a Tachyon Server with a Switch using the same port number.

Tachyon clients initiate and maintain a WebSocket Secure connection to a Switch, which the Switch uses to communicate back to the Tachyon client.

Tachyon clients

TCP 443 | HTTPS | Outgoing
  • Tachyon client retrieving content from the Background Channel.

Yes, during installation. See Tachyon client settings: BACKGROUNDCHANNELURL.

Browsers

TCP 443 | HTTPS | Outgoing
  • Browsers connection to the Tachyon Portal (Explorer, Settings and other applications).
  • Browsers connection to the SLA Platform UI.
  • Browsers connection to the Consumer API.
Anything other than port 443 requires the port number to be included in the browser URL when connecting to the Tachyon Portal, API or SLA Platform UI.

Browsers

TCP 80 | HTTP | Outgoing
  • Console browser connections to the 1E Catalog UI
Anything other than port 80 requires the port number to be included in the browser URL when connecting to the 1E Catalog UI.

Firewall requirements for a remote Catalog Web Server

The following table lists firewall requirements when the Catalog Web Server is on a different server to the Tachyon Server. This can happen if Tachyon Server is installed in an environment that already has a 1E Catalog server installed to support Application Migration or AppClarity.

Device | Port | Protocol | Direction | Usage | Configurable

Tachyon Server (Master Stack)

TCP 80 | HTTP | Outgoing
  • Consumer connections to the Catalog API 
Yes, requires manual configuration of Tachyon Server if not using default port 80.

Catalog Server

TCP 80 | HTTP | Incoming
  • Console browser connections to the 1E Catalog UI
  • Consumer connections to the Catalog API 
Yes, during installation. See 1E Catalog installer properties: IISPORT.

Catalog Server

TCP 443 | HTTPS | Outgoing
  • 1E Catalog Update service contacting the 1E Cloud Catalog Service via Internet connection.
The port used to connect to the 1E Cloud Services is not configurable.

Catalog Server

TCP 1433 | TDS | Outgoing
  • Catalog services and application pool communicating with SQL Server.
  • 1E Catalog Update service communicating with SQL Server.

Yes, during installation. See 1E Catalog installer properties: SQLSERVER.

SQL Server (1E Catalog database)

TCP 1433 | TDS | Incoming
  • 1E Catalog application pool communicating with SQL Server.
  • 1E Catalog Update service communicating with SQL Server.
Yes, during configuration of the SQL Server instance.

Browsers

TCP 80 | HTTP | Outgoing
  • Console browser connections to the 1E Catalog UI

Yes, during installation. See 1E Catalog installer properties: IISPORT.

Firewall requirements for a remote Tachyon Response Stack


The following table lists firewall requirements when using a Tachyon Response Stack that is remote from the Tachyon Master Stack, that are additional to the ports required for a Single-Server. Each Tachyon component described in the table has at least one output and/or input. For each Tachyon component with an output there is a matching input.

Device | Port | Protocol | Direction | Usage | Configurable

Tachyon Server (Master Stack)

TCP 443 | HTTPS | Outgoing
  • Tachyon Coordinator Workflow service connections to the Core on a remote Response Stack
  • Consumer API connections to the remote Background Channel on a remote Response Stack
  • Consumer API connections to the Core on a remote Response Stack

Yes, during installation of the Response Stack. In the Website Configuration panel in Tachyon Setup.

See Server installer property HTTPSIISPORT

The Consumer API connection to the Core is only used for remote Response Stacks.

Tachyon Server (Response Stack)

TCP 443 | HTTPS | Incoming
  • Tachyon Coordinator Workflow service on the remote Master Stack connecting to the Core on a remote Response Stack
  • Consumer API on the remote Master Stack connecting to the remote Background Channel on a remote Response Stack
  • Consumer API on the remote Master Stack connecting to the Core on a remote Response Stack

Yes, during installation of the Response Stack. In the Website Configuration panel in Tachyon Setup.

See Server installer property HTTPSIISPORT.

The Consumer API connection to the Core is only used for remote Response Stacks.

Tachyon Server (Master Stack)

TCP 3901 | WebSocket (ws) | Incoming
  • Tachyon Switches sending instrumentation data to the Instrumentation module in the Coordinator on the Master Stack
  • Tachyon Web Site Core application pool sending instrumentation data to the Instrumentation module in the Coordinator on the Master Stack
Yes, but please contact 1E for advice.

Tachyon Server (Response Stack)

TCP 3901 | WebSocket (ws) | Outgoing
  • Tachyon Switches sending instrumentation data to the Instrumentation module in the Coordinator on the Master Stack
  • Tachyon Web Site Core application pool sending instrumentation data to the Instrumentation module in the Coordinator on the Master Stack
Yes, but please contact 1E for advice.

SQL Server (TachyonMaster database)

TCP 1433 | TDS | Incoming
  • Tachyon Web Site Core application pool on a remote Response Stack communicating directly with the Tachyon Master database

Not configurable from Setup.

In the Database Servers panel in Tachyon Setup you can select a SQL Server instance. The instance can be installed using a non-standard port.

However, selecting an instance that uses a non-standard port will not change the port used by the Tachyon Installer, and installation will fail. If you require the use of a non-standard port on a Default SQL Server instance, contact 1E for guidance on a manual workaround.

If using a Named Instance that is set to its default configuration where the server automatically chooses a random port (or if you manually configured the instance to use a fixed port), then the SQL Browser service needs to be enabled to let the Tachyon Server determine the port in use. You will need to open UDP port 1434 used by the SQL Browser.

See Server installer property SQLSERVER_MASTER.

Tachyon Server (Response Stack)

TCP 1433 | TDS | Outgoing
  • Tachyon Web Site Core application pool communicating directly with the remote Tachyon Master database

Not configurable from Setup. See the comments above for SQL Server (TachyonMaster database).

See Server installer property SQLSERVER_MASTER.

Firewall requirements for a Tachyon DMZ Server


The following table lists the subset of ports needed when hosting Tachyon Switch and Background Channel components on a DMZ Server to support devices external to the network. Each Tachyon component described in the table has at least one output and/or input. For each Tachyon component with an output there is a matching input.

If the server is a domain joined server it needs to be able to access Microsoft services, including Certificate Services and Active Directory. If the server is not domain joined (a workgroup server) you will need to manually install its Web Server certificate.

In both cases you will also need to ensure that the server is able to validate the certificate, including accessing the certificate's remote CRL Distribution Point.

The following table does not cover port requirements when using ADFS and SAML tokens to authenticate clients. In this documentation we just provide details of the simplest option, which uses certificates for client authentication. For details of how to configure Tachyon to support the more complex implementations, please contact 1E.

Device | Port | Protocol | Direction | Usage | Configurable

DMZ Server

TCP 443 | HTTPS | Incoming
  • Internet-facing Tachyon client retrieving content from the Background Channel
  • Background Channel receiving content from the Consumer API on the Master Stack

Yes, during installation. In the Website Configuration panel in Tachyon Setup.

See Server installer property HTTPSIISPORT

DMZ Server

TCP 443 | HTTPS | Outgoing
  • The Switch forwards compressed responses from the Internet-facing Tachyon client devices to the Core on the Response Stack

Yes, during installation. In the Website Configuration panel in Tachyon Setup.

See Server installer property HTTPSIISPORT

DMZ Server

TCP 3901 | WebSocket (ws) | Outgoing
  • Tachyon Switches sending instrumentation data to the Instrumentation module in the Coordinator on the Master Stack
Yes, but please contact 1E for advice.

DMZ Server

TCP 4001 | TCP | Incoming
  • A prompt from the Core on the Response Stack to each Switch on the DMZ Server

If the value for the Switch Port has been changed, the Port you need to open should be the Switch Port + 1.

DMZ Server

TCP 4000 | WebSocket Secure (wss) | Incoming
  • Internet-facing Tachyon client requesting instructions from and sending compressed responses to the Tachyon Switch

Switch ports are not configurable using the Server installer.

A Switch port can be changed post-installation, by configuring the value in the Port column for the relevant Switch in the SwitchConfiguration table in the Tachyon Master database.

Clients initiate and maintain a WebSocket Secure connection to a Switch, which the Switch uses to communicate back to the client.

DMZ Server

TCP 80 | HTTP | Outgoing
  • See note above about accessing the certificate's remote CRL Distribution Point.

Tachyon Server (Response Stack)

TCP 443 | HTTPS | Incoming
  • The Core receives compressed responses forwarded by the Switch

Yes, during installation. In the Website Configuration panel in Tachyon Setup.

See Server installer property HTTPSIISPORT

Tachyon Server (Master Stack)

TCP 443 | HTTPS | Outgoing
  • The Consumer API on the Master Stack sends content to the Background Channel

Yes, during installation. In the Website Configuration panel in Tachyon Setup.

See Server installer property HTTPSIISPORT

Tachyon Server (Response Stack)

TCP 4001 | TCP | Outgoing
  • The Core on the Response Stack prompts each Switch on the DMZ Server

Switch ports are not configurable using the Server installer.

A Switch port can be changed post-installation, by configuring the value in the Port column for the relevant Switch in the SwitchConfiguration table in the Tachyon Master database.

If the value for the Switch Port has been changed, the Port you need to open should be the Switch Port + 1.

Tachyon Server (Master Stack)

TCP 3901 | WebSocket (ws) | Incoming
  • Tachyon Switches sending instrumentation data to the Instrumentation module in the Coordinator on the Master Stack
Yes, but please contact 1E for advice.

Internet-facing Tachyon clients

TCP 443 | HTTPS | Outgoing
  • Internet-facing Tachyon client retrieves content from the Background Channel
Yes, during installation. See Tachyon client settings: BACKGROUNDCHANNELURL.

Internet-facing Tachyon clients

TCP 4000 | WebSocket Secure (wss) | Outgoing
  • Internet-facing Tachyon client requests instructions from and sends compressed responses to the Tachyon Switch

Yes. See Tachyon client settings: SWITCH.

Anything other than port 4000 requires a Tachyon Server with a Switch using the same port number.

Clients initiate and maintain a WebSocket Secure connection to a Switch, which the Switch uses to communicate back to the client.
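
The DMZ Server rows above can be checked against an actual rule set. The following Python script is an added example, not 1E code: it derives the DMZ Server openings from the Switch port (including the Switch Port + 1 prompt port) and compares them with a constructed rule list. The 'allow <in|out> tcp <port>' rule format and all function names are assumptions made for the illustration.

```python
"""Audit a DMZ Server firewall rule set against the DMZ table (added example)."""

HTTPS_PORT = 443             # default HTTPSIISPORT
INSTRUMENTATION_PORT = 3901  # Switch instrumentation data to the Coordinator
CRL_HTTP_PORT = 80           # certificate CRL Distribution Point


def dmz_required_flows(switch_port=4000):
    """Return {(direction, tcp_port): usage} for the DMZ Server rows.

    Directions are relative to the DMZ Server. The Core-to-Switch prompt
    port is derived as Switch port + 1, as the table notes.
    """
    if not 1 <= switch_port < 65535:
        raise ValueError("switch_port must leave room for switch_port + 1")
    return {
        ("in", HTTPS_PORT): "Background Channel (clients, Consumer API)",
        ("in", switch_port): "clients to Switch (wss)",
        ("in", switch_port + 1): "Core prompt to Switch",
        ("out", HTTPS_PORT): "Switch forwarding responses to Core",
        ("out", INSTRUMENTATION_PORT): "Switch instrumentation data (ws)",
        ("out", CRL_HTTP_PORT): "CRL Distribution Point",
    }


def parse_rules(text):
    """Parse 'allow <in|out> tcp <port>' lines (assumed format) into flows."""
    flows = set()
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 4 and parts[0] == "allow" and parts[2] == "tcp":
            flows.add((parts[1], int(parts[3])))
    return flows


def audit(rule_text, switch_port=4000):
    """Report table flows with no rule, and inbound rules absent from the table."""
    required = set(dmz_required_flows(switch_port))
    allowed = parse_rules(rule_text)
    return {
        "missing": sorted(required - allowed),
        "unexpected_inbound": sorted(p for d, p in allowed - required if d == "in"),
    }


# Constructed rule set: the Switch was moved to 4100 but the firewall still
# reflects 4000/4001, and TCP 1433 is open inbound on the DMZ host.
SAMPLE_RULES = """\
allow in tcp 443
allow in tcp 4000
allow in tcp 4001
allow in tcp 1433
allow out tcp 443
allow out tcp 3901
allow out tcp 80
"""

if __name__ == "__main__":
    report = audit(SAMPLE_RULES, switch_port=4100)
    for direction, port in report["missing"]:
        print(f"missing: {direction} tcp {port}")
    for port in report["unexpected_inbound"]:
        print(f"inbound rule not in DMZ table: tcp {port}")
```

Inbound rules reported as not in the DMZ table are candidates for review, since the table lists only the Tachyon subset and a server may legitimately need other ports.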

Internal Server communications

The following is a list of ports used within the Tachyon Server, and not listed in the Single-Server table above, and as such should not affect firewall requirements. Some of these are listed in the DMZ table above.

Port | Protocol | Usage | Configurable
TCP 3900 | WebSocket (ws)
  • Tachyon Switch registering with the Switch Host

Yes, post-installation, but not recommended. Contact 1E for advice.

The following may be configured during installation.

TCP 443: HTTPSIISPORT (Website Configuration)
TCP 80: IISPORT (Website Configuration)
TCP 8081: WORKFLOWWEBPORT
TCP 6002: INTEGRATE_REST_PORT



TCP 3901 | WebSocket (ws)
  • Tachyon Web Site Consumer API application pool requesting instrumentation data
  • Tachyon Web Site Core application pool sending instrumentation data
  • Tachyon Web Site Core Internal application pool sending instrumentation data
  • Tachyon Coordinator Workflow service sending instrumentation data
  • Tachyon Switch sending instrumentation data
TCP 4001 | TCP
  • Tachyon Core forwarding workflow commands to the Tachyon Switch
TCP 443 | HTTPS
  • Tachyon Switch retrieving instruction definitions from the Core
  • Tachyon Coordinator Workflow service connections to the Core
  • Consumer API connections to the Background Channel
  • Consumer API connections to the Tachyon Coordinator Workflow service
TCP 80 | HTTP
  • Tachyon Switch forwarding responses to the Core Internal (fast) - but a Switch on a DMZ server will use 443 HTTPS instead.
TCP 8081 | HTTPS
  • Tachyon Web Site Consumer API application pool issuing workflow commands to the Tachyon Coordinator Workflow service 
TCP 6002 | HTTP
  • Integrate Agent service connecting to the Integrate Manager Web API to get connector jobs.