Forum Discussion

Luca_55898
Feb 08, 2013

Brand new GTM deployment

hi,

I'm deploying two brand new GTMs, one in each DC.

I have configured synchronization groups using the external (public) self IP on each GTM.

The port lockdown settings for each self IP are just 'allow default', but I'd like to tighten this up since I don't need to have management access from the external self IP.

So if I define a customized port lockdown list, what exactly do I need to have allowed so the two GTMs can sync their config and monitor each other?

Obviously TCP/UDP 4353 is needed, but what else?

Also - is it an OK design to have the two GTMs synchronizing their config over the public internet?

I could do it internally, however it seems better to do it over the internet since they are more or less public internet DNS servers.

Thanks!

2 Replies

  • I'm more of an LTM guy myself, but apparently these ports would be open ideally: TCP/4353 (ConfigSync), UDP/1026 (Network Failover, if used), 443 (Device Group tasks) and 22. 443 is used for certificate exchanges and the like, 22 as a backup. 22 is not absolutely required. Obviously test, especially where 443 is concerned.

    I would go for internal communications without question; the servers may be public, but their management interfaces (and related data) shouldn't be, HTTPS security or not.
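As an added example (not code from this thread, from the poster, or from F5): a small Python checker that parses output in the shape of `tmsh list net self`, classifies each self IP's port lockdown against the sync-group port list given in the reply above (TCP 4353 and TCP 443 required; UDP 1026 and TCP 22 optional), and emits the tmsh line that would replace an 'allow default' list with just those services. The sample `tmsh` output is constructed, the self IP names and addresses are invented, and the `modify net self <name> allow-service replace-all-with { ... }` syntax is assumed to match your TMOS version; the port list itself is the reply's and still needs testing on your own boxes, as the reply says.

```python
import re

# Constructed sample in the shape of `tmsh list net self` output (assumption:
# not captured from the poster's GTMs). Four self IPs, four lockdown styles.
SAMPLE_TMSH_OUTPUT = """\
net self external-self {
    address 203.0.113.10/24
    allow-service {
        default
    }
    traffic-group traffic-group-local-only
    vlan external
}
net self internal-self {
    address 10.0.0.10/24
    allow-service {
        tcp:443
        tcp:4353
        udp:1026
    }
    traffic-group traffic-group-local-only
    vlan internal
}
net self lab-self {
    address 10.0.1.10/24
    allow-service all
    traffic-group traffic-group-local-only
    vlan lab
}
net self isolated-self {
    address 10.0.2.10/24
    allow-service none
    traffic-group traffic-group-local-only
    vlan isolated
}
"""

# Port list from the reply above: two required services, two situational ones.
REQUIRED_SERVICES = ("tcp:4353", "tcp:443")
OPTIONAL_SERVICES = {
    "udp:1026": "network failover (only if used)",
    "tcp:22": "SSH fallback (not required)",
}

# One `net self NAME { ... }` stanza; the closing brace sits at column 0.
SELF_RE = re.compile(r"^net self (\S+) \{(.*?)^\}", re.S | re.M)


def parse_self_ips(text):
    """Return {name: {"address": ..., "vlan": ..., "allow_service": [...]}}."""
    entries = {}
    for m in SELF_RE.finditer(text):
        name, body = m.group(1), m.group(2)
        addr = re.search(r"^\s*address (\S+)", body, re.M)
        vlan = re.search(r"^\s*vlan (\S+)", body, re.M)
        # allow-service is either a bare keyword (all / none) or a brace block
        # holding proto:port entries or the word default.
        block = re.search(r"allow-service \{(.*?)\}", body, re.S)
        if block:
            services = block.group(1).split()
        else:
            kw = re.search(r"allow-service (\S+)", body)
            services = [kw.group(1)] if kw else []
        entries[name] = {
            "address": addr.group(1) if addr else None,
            "vlan": vlan.group(1) if vlan else None,
            "allow_service": services,
        }
    return entries


def assess(entry, required=REQUIRED_SERVICES):
    """Classify one self IP's lockdown relative to what the sync-group peer needs."""
    svcs = set(entry["allow_service"])
    if "all" in svcs or "default" in svcs:
        # Broad lockdown: sync works, but management services are reachable too.
        return {"verdict": "open", "missing": [], "extra": []}
    if "none" in svcs:
        svcs = set()
    missing = [s for s in required if s not in svcs]
    extra = sorted(s for s in svcs if s not in required and s not in OPTIONAL_SERVICES)
    if missing:
        verdict = "too-tight"   # peer cannot sync or monitor through this IP
    elif extra:
        verdict = "review"      # sync works, but ports outside the list are open
    else:
        verdict = "ok"
    return {"verdict": verdict, "missing": missing, "extra": extra}


def hardened_command(name, network_failover=False, ssh_fallback=False):
    """tmsh line replacing the lockdown list with only the sync-group services
    (assumed syntax: modify net self NAME allow-service replace-all-with { ... })."""
    services = list(REQUIRED_SERVICES)
    if network_failover:
        services.append("udp:1026")
    if ssh_fallback:
        services.append("tcp:22")
    return "modify net self %s allow-service replace-all-with { %s }" % (
        name, " ".join(sorted(services)))


def report(text):
    """One line per self IP, plus a remediation line for broad lockdowns."""
    lines = []
    for name, entry in parse_self_ips(text).items():
        a = assess(entry)
        lines.append("%-15s %-18s vlan=%-9s %s" % (name, entry["address"], entry["vlan"], a["verdict"]))
        if a["verdict"] == "open":
            lines.append("    " + hardened_command(name, network_failover=True))
        if a["missing"]:
            lines.append("    missing: " + " ".join(a["missing"]))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_TMSH_OUTPUT)))
```

Feed it real output (`tmsh list net self` on each GTM) and compare the 'open' verdicts with the external self IPs used for the sync group; the 'too-tight' case is the one to watch after hardening, since a list that drops TCP 4353 breaks iQuery between the peers rather than just management access.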