
Globus Connect Server Firewall Exceptions on 443


Joshua Brown

Mar 4, 2025, 1:09:24 PM
to Discuss
Hi,

I'm trying to understand in a little bit more detail why there is a requirement to have port 443 open to bidirectional any traffic for a GCS. Is there any way to reduce the scope of the allowed IP addresses to a set of IP addresses that are whitelisted?

best,

Joshua

Joshua Brown

Mar 4, 2025, 1:27:57 PM
to Discuss, Joshua Brown

Is the requirement for any on port 443 to allow control traffic from another GCS instance? If that is the case, and there are two GCS instances, and both are behind the same firewall, and you are only concerned with moving data between the two internal GCS instances, is it necessary to have a firewall exception on port 443 to any for both instances?

Kaufman, Ian

Mar 4, 2025, 1:32:21 PM
to Joshua Brown, Discuss


Ian Kaufman
Principal Systems Integration Engineer
UC San Diego, Research IT Services
ikaufman AT ucsd DOT edu

To unsubscribe from this group and stop receiving emails from it, send an email to discuss+u...@globus.org.

Joshua Brown

Mar 4, 2025, 1:34:28 PM
to Discuss, Joshua Brown

NetworkDiagram.png

Karl Kornel

Mar 4, 2025, 1:38:57 PM
to Joshua Brown, Discuss, Joshua Brown

Hi Joshua,

 

The link Ian sent (Ian, you beat me to it!) gives the details on what ports are used for what.  And thanks much for the diagram!  If you don’t mind, could you please update the diagram to show where the user (the entity doing directory listings, initiating transfers, etc.) would be?  Also, could you please let us know if the user would be downloading data directly (that is, from GCS A or GCS B to their own computer) over HTTPS?

 

~ Karl

 


Joshua Brown

Mar 4, 2025, 1:43:42 PM
to Discuss, ikau...@ucsd.edu, Joshua Brown
Thanks Ian. I'm still not clear on some of the implications of this, but it clarifies a lot. 

Kaufman, Ian

Mar 4, 2025, 1:47:02 PM
to Joshua Brown, Discuss
In the most simplistic case, Globus uses port 443 to phone home ... i.e. talk to the Globus management infrastructure. Without that, nothing will work properly.

Ian Kaufman
Principal Systems Integration Engineer
UC San Diego, Research IT Services
ikaufman AT ucsd DOT edu


Joshua Brown

Mar 4, 2025, 2:01:40 PM
to Discuss, ikau...@ucsd.edu, Joshua Brown
It looks like from what I am seeing on the AWS documentation, it would be a pretty big headache to whitelist the AWS IP address ranges as there is no guarantee that they won't change.

Joshua Brown

Mar 6, 2025, 12:16:55 PM
to Discuss, akko...@stanford.edu, Joshua Brown
Hi Karl,

Here you go, I didn't see your response until today. We are wanting to do this in a CI env, so pretty much everything is an internal network including the client. 

Screenshot (402).png