Example Firewall Rules Based on BeyondTrust Appliance B Series Location

Below are example firewall rules for use with BeyondTrust, including port numbers, descriptions, and required rules. If a B Series Appliance has multiple IP addresses, outbound traffic for services such as LDAP can flow out of any configured address. Because of this, it is best practice to make firewall rules apply for all IP addresses configured on each B Series Appliance.

Firewall Rules
Internet to the DMZ
TCP Port 443 (required)* Used for all session traffic.
UDP Port 3478 (optional) Used to enable Peer-to-Peer connections if the Use Appliance as Peer-to-Peer Server option is selected.
Internal Network to the DMZ
TCP Port 161/UDP Used for SNMP queries via IP configuration settings in the /appliance interface.
TCP Port 443 (required)* Used for all session traffic.
DMZ to the Internet
TCP Port 443 to the specific host gwsupport.bomgar.com (optional) Default port used to establish connections with BeyondTrust Support for advanced troubleshooting/repairs.
TCP Port 443 to the specific host btupdate.com (optional) You can optionally enable access from the B Series Appliance on port 443 to this host for automatic updates, or you can apply updates manually.
DMZ to the Internal Network
UDP Port 123 (optional) Access NTP server and sync the time.
LDAP - TCP/UDP 389 (optional)‡ Access LDAP server and authenticate users.
LDAP - TCP/UDP 636 (optional)‡ Access LDAP server and authenticate users via SSL.
Syslog - UDP 514 (required for logging) Used to send syslog messages to a syslog server in the internal network. Alternatively, messages can be sent to a syslog server located within the DMZ.
DNS - UDP 53 (required if DNS server is outside the DMZ) Access DNS server to verify that a DNS A record or CNAME record points to the B Series Appliance.
TCP Port 25, 465, or 587 (optional) Allows the B Series Appliance to send admin mail alerts. The port is set in SMTP configuration.
TCP Port 443 (optional) B Series Appliance to web services for outbound events.
TCP Port 5696 Allows the B Series Appliance to access the KMIP server located in the internal network for Data at Rest Encryption.
Internal Network to Internal Network
Port 389, 636 (Active Directory), 445 (Local Account Management) Ports used for discovery and rotation of Vault accounts.

*Each of the following BeyondTrust components can be configured to connect on a port other than 443: access console, endpoint client, Jumpoint, connection agent.

‡ If the LDAP server is outside of the DMZ, the BeyondTrust Connection Agent is used to authenticate users via LDAP.