Brand new GTM deployment
Hi,
I'm deploying two brand new GTMs, one in each DC.
I have configured synchronization groups using the external (public) self IP on each GTM.
The port lockdown settings for each self IP are just 'allow default', but I'd like to tighten this up since I don't need to have management access from the external self IP.
So if I define a customized port lockdown list, what exactly do I need to have allowed so the two GTMs can sync their config and monitor each other?
Obviously TCP/UDP 4353 is needed, but what else?
Also - is it an OK design to have the two GTMs synchronizing their config over the public internet?
I could do it internally, however it seems better to do it over the internet since they are more or less public internet DNS servers.
Thanks!
2 Replies
- Luca_55898 (Nimbostratus)
Any thoughts guys?
- What_Lies_Bene1 (Cirrostratus)
I'm more of an LTM guy myself, but apparently these ports would ideally be open: TCP/4353 (ConfigSync), UDP/1026 (Network Failover, if used), 443 (Device Group tasks) and 22. 443 is used for certificate exchanges and the like, 22 as a backup. 22 is not absolutely required. Obviously test, especially where 443 is concerned.
I would go for internal communications without question; the servers may be public, but their management interfaces (and related data) shouldn't be, HTTPS security or not.
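As an added example (not code from this thread or from F5), the script below turns the reply's port list into an audit: it parses the `allow-service` block of a `tmsh list net self <name>` listing, flags a self IP still on `default` or `all`, reports services that are allowed but not needed (and needed ones that are missing), and emits the `tmsh modify net self ... allow-service replace-all-with { ... }` command that would restrict the list to exactly the required services. The two tmsh listings and the self IP name `external_self` are constructed samples, and the mapping of tmsh's well-known port names (`tcp:https`, `tcp:ssh`, `tcp:f5-iquery`) back to numbers is an assumption covering only the services used here.

```python
"""Audit a BIG-IP self IP's port lockdown list against the services a GTM
sync group needs, and build the tmsh command that tightens it.

Added example, not from the thread. The required list is the one given in
the reply above (TCP 4353, UDP 1026, TCP 443, TCP 22). Both listings below
are CONSTRUCTED samples in the shape `tmsh list net self <name>` prints.
"""
import re

# Services the reply says the GTM sync group needs on the external self IP.
REQUIRED_SERVICES = {"tcp:4353", "udp:1026", "tcp:443", "tcp:22"}

# tmsh prints some well-known ports by name; map the ones relevant here back
# to numbers so comparisons are stable. Assumed mapping, deliberately small.
_PORT_NAMES = {"https": "443", "ssh": "22", "f5-iquery": "4353", "cap": "1026"}

# Constructed sample: self IP still on the factory 'default' lockdown list.
SAMPLE_DEFAULT = """\
net self external_self {
    address 203.0.113.10/24
    allow-service {
        default
    }
    traffic-group traffic-group-local-only
    vlan external
}
"""

# Constructed sample: custom list that also leaves SNMP open by mistake.
SAMPLE_LOCKED = """\
net self external_self {
    address 203.0.113.10/24
    allow-service {
        tcp:f5-iquery
        udp:1026
        tcp:https
        tcp:ssh
        tcp:snmp
    }
    traffic-group traffic-group-local-only
    vlan external
}
"""


def normalize(service):
    """'tcp:https' -> 'tcp:443'; numeric ports and bare keywords pass through."""
    proto, _, port = service.partition(":")
    if not port:
        return service
    return f"{proto}:{_PORT_NAMES.get(port, port)}"


def parse_allow_service(listing):
    """Return the normalized set of services in the allow-service block.

    Handles the braced list form as well as the bare 'none' / 'all' forms.
    """
    m = re.search(r"allow-service\s*(?:\{([^}]*)\}|(\S+))", listing)
    if not m:
        raise ValueError("no allow-service property found")
    if m.group(2) is not None:          # 'allow-service none' or 'allow-service all'
        return set() if m.group(2) == "none" else {m.group(2)}
    return {normalize(tok) for tok in m.group(1).split()}


def audit(listing, required=REQUIRED_SERVICES):
    """Compare a self IP's lockdown list with the required set.

    Returns (too_broad, extra, missing): too_broad is True when the list is
    'default' or 'all'; extra/missing are sorted lists of explicit services.
    """
    allowed = parse_allow_service(listing)
    too_broad = bool(allowed & {"default", "all"})
    explicit = allowed - {"default", "all"}
    return too_broad, sorted(explicit - required), sorted(required - explicit)


def tmsh_lockdown_command(self_name, services=REQUIRED_SERVICES):
    """Build the tmsh command that replaces the lockdown list with `services`."""
    body = " ".join(sorted(services))
    return f"tmsh modify net self {self_name} allow-service replace-all-with {{ {body} }}"


if __name__ == "__main__":
    for label, sample in (("default", SAMPLE_DEFAULT), ("locked", SAMPLE_LOCKED)):
        broad, extra, missing = audit(sample)
        print(f"{label}: too_broad={broad} extra={extra} missing={missing}")
    print(tmsh_lockdown_command("external_self"))
```

Run it against the real output of `tmsh list net self <name>` on each GTM; anything reported under `extra` is a service reachable from the public self IP that the sync group does not need.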