What are the firewall ports and destination servers for GAM on corporate network


jellybean

Jun 28, 2011, 9:52:02 AM
to google-ap...@googlegroups.com
I've had trouble finding this info to request a firewall change from our networks team.  Can anyone point me in the right direction?

Thanks

Richie Foreman

Jun 28, 2011, 9:58:14 AM
to google-ap...@googlegroups.com
Hello,

The Google APIs do all of their handshaking and communications over HTTPS (TCP Port 443) -- This alone should be enough info for your team.  Google has an epic multitude of servers, so I really recommend your firewall team simply whitelist:

However, you can find a list of Google netblocks by using the following command on a *nix/mac box.

Hope that helps.

Sandip Shah

Jun 28, 2011, 10:43:59 AM
to Google Apps Manager
I think GAM just uses standard http/https - there should be no
firewall issues.

SS

jellybean

Jun 28, 2011, 10:53:28 AM
to google-ap...@googlegroups.com
Ahh of course, we use a proxy and a non-standard port for internet.  I will have to get port 80 and 443 opened specifically for GAM to bypass the proxy server.  Do you know what the destination server address range would be?

Thanks

Sandip Shah

Jun 28, 2011, 11:01:58 AM
to Google Apps Manager
You are getting this wrong - what "you" (i.e. your organization) uses
applies to incoming connections. GAM initiates o/g connection to
Google's servers on standard http/https ports.

However, there was an earlier post in which Jay had mentioned that GAM
does not work through proxy connections and that is where your problem
may be.

http://groups.google.com/group/google-apps-manager/browse_thread/thread/8a42c61e42be6b08/a51e32582ddc743f?lnk=gst&q=gam+does+not+work+through+proxy#a51e32582ddc743f

Ss

Sandip Shah

Jun 28, 2011, 11:05:05 AM
to Google Apps Manager
Hi Richie,

I guess one can drop the third hostname:

*.google.com
google-apis.com
(apps-apis.google.com) - this can be dropped since it is already
covered by the first rule.

SS

jellybean

Jun 29, 2011, 12:04:31 PM
to google-ap...@googlegroups.com
Sandip, it may initiate contact on standard ports but the reply will not make it back.  I am not trying to make this work through the proxy.  I am bypassing the proxy.  This requires our firewalls to be configured to allow traffic out as well as in.

Richie - google-apis.com doesn't appear to be registered by Google although googleapis.com is.
apps-apis.google.com is registered to Google

I can't get the firewall opened for everything google.com so I have submitted a firewall change request for googleapis.com and app-apis-google.com.

Once that has been approved and done I will test and let you know the outcome.

Thanks

Sandip Shah

Jun 29, 2011, 1:41:30 PM
to Google Apps Manager
jellybean,

"normally", the initiator uses a (source) port to open the connection
to a (destination) port and the destination will communicate back on
the same (source) port.

Again, "normally", firewalls block only the well known standard ports
for incoming communications (these are the ports on which servers and
services are running which may be ab/used).

If a firewall allows o/g communications, then obviously an o/g port is
open. The communication in this case will be to a standard HTTP/HTTPS
port on Google's servers (simplified). When Google's servers
communicate back, they will communicate back to the same port.

In effect, "normally", no changes should be required to the firewall -
if an o/g communication with Google's servers is possible.

However, your situation might be different and changes may need to get
done.

SS
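
The connection-tracking behaviour described in the post above, as an added example that is not part of the original thread: a toy default-deny stateful firewall that allows outbound HTTPS by hostname rule and accepts inbound packets only as replies to tracked connections. The rule format, class name, IP addresses and source ports are constructed for illustration, and hostname matching stands in for an FQDN-aware egress filter.

```python
from fnmatch import fnmatch

# Egress allowlist built from hostnames discussed in the thread; the
# (pattern, port) rule format itself is an assumption made for this sketch.
EGRESS_ALLOW = [("*.google.com", 443), ("googleapis.com", 443)]


class StatefulFirewall:
    """Toy connection-tracking firewall: default-deny in both directions."""

    def __init__(self, egress_allow):
        self.egress_allow = egress_allow
        self.conntrack = set()  # (src_ip, src_port, dst_ip, dst_port)

    def outbound(self, src_ip, src_port, dst_host, dst_ip, dst_port):
        """Allow a new outbound connection only if a rule matches, then track it."""
        allowed = any(fnmatch(dst_host, pat) and dst_port == port
                      for pat, port in self.egress_allow)
        if allowed:
            self.conntrack.add((src_ip, src_port, dst_ip, dst_port))
        return allowed

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Accept an inbound packet only as the reply to a tracked connection."""
        return (dst_ip, dst_port, src_ip, src_port) in self.conntrack


def demo():
    fw = StatefulFirewall(EGRESS_ALLOW)
    client, server = "10.0.0.5", "203.0.113.10"  # constructed addresses
    return {
        # Client opens HTTPS from an ephemeral source port.
        "out_443": fw.outbound(client, 50123, "apps-apis.google.com", server, 443),
        # The reply comes from server:443 back to the same ephemeral port.
        "reply": fw.inbound(server, 443, client, 50123),
        # Same server, but no matching outbound state: dropped.
        "unsolicited": fw.inbound(server, 443, client, 50999),
        # Hostname not covered by any rule: no state is created.
        "out_other": fw.outbound(client, 50124, "google-apis.com", server, 443),
        # Port 80 is not in this rule set.
        "out_80": fw.outbound(client, 50125, "www.google.com", server, 80),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12} {'ALLOW' if verdict else 'DROP'}")
```

A stateless packet filter has no equivalent of `conntrack`, so it would need an explicit inbound rule for the return traffic.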