
What firewall ports should I open to use Enclave?

Enclave is designed to work in as many environments as possible and has no default port number; instead, a random port is selected each time Enclave starts. We generally discourage fixed port configurations because they run counter to the philosophy of getting the network out of the way.

You normally don't need to open inbound firewall ports for Enclave to connect securely to other Enclave devices, thanks to NAT traversal. Enclave uses UDP and TCP hole punching to establish peer-to-peer connectivity automatically, without administrators needing to change the underlying network or open inbound firewall ports.

However, Enclave does need to make outbound connections to the public Internet, both to reach the control plane (tcp/discover.enclave.io:443 and tcp/relays.enclave.io:443) and to establish peer-to-peer connectivity with other systems and devices running Enclave.

SSL/TLS inspection

Please note that Enclave communicates with the platform (control plane) over tcp/443 using its own optimised protocol, so next-generation firewalls or proxies that attempt TLS/SSL/HTTPS inspection of that traffic will fail to handle it and will likely break connectivity to the Enclave platform.

To establish reliable platform connectivity, configure a no-inspection, transparent-mode, or skip-list exemption for the Enclave platform domains listed below. You may also want to check our documentation on using Enclave with your firewall for vendor-specific workarounds.

Enclave Platform (minimum required ACLs)

In order for Enclave to reach our command and control servers, ensure outbound access to the following is permitted:

Direction   Hostname              Protocol   Port
Outbound    install.enclave.io    tcp        443
Outbound    api.enclave.io        tcp        443
Outbound    discover.enclave.io   tcp        443
Outbound    relays.enclave.io     tcp        443   (see Traffic Relays below)

Our platform IP addresses may change from time to time, so if your organisation restricts outbound traffic, or you need to exempt the platform from traffic inspection, we recommend creating name-based (FQDN) firewall rules for the Enclave platform domains rather than rules written against IP addresses.

To use DNS name-based rules, your firewall must support "full resolution" or "complete resolution", where the firewall adds every resolved IP address to the rule rather than only the first address returned. A firewall that caches only the first A record will silently drop connections to the remaining platform addresses.

Peer-to-Peer Connectivity

In order to establish direct peer-to-peer connectivity between systems and devices, Enclave requires outbound access to the public Internet.

  • Let your internal devices send outbound UDP packets to *:*. Allowing outbound UDP lets Enclave establish peer-to-peer connectivity with other devices. We recommend allowing traffic to *:* because it's not possible to predict every guest Wi-Fi, coffee shop, LTE provider, hotel network or dynamic IP address your users may connect from.

Traffic Relays

Gateway devices and firewalls use network address translation (NAT) to route traffic between different logical subnets. There are different types of NAT configuration, but devices that use symmetric NAT can degrade VoIP, WebRTC and other protocols which, like Enclave, aim to establish direct peer-to-peer connectivity.

If one or more of your devices running Enclave are on networks behind firewalls or gateways that use symmetric network address translation (NAT), Enclave may not be able to establish peer-to-peer connections. In such cases, your devices will still be able to connect and communicate with one another via traffic relays, but the relayed connection may be slower than a direct one.

Avoid configuring firewalls and network gateways to use "Symmetric" NAT. Instead, prefer "Full Cone" or "Port Restricted Cone" NAT configuration to enable direct peer-to-peer connectivity.
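The NAT behaviour described above can be checked before deploying Enclave on a network. The following Python script is an added example, not Enclave's own code or tooling: it sends STUN (RFC 5389) Binding Requests from a single UDP socket to two different STUN servers and compares the public port each one reports in XOR-MAPPED-ADDRESS. A cone NAT reuses one mapping for every destination, so the ports match; a symmetric NAT allocates a fresh mapping per destination, so they differ, which is what defeats UDP hole punching. The hostnames in STUN_SERVERS are assumed public STUN endpoints chosen for illustration and are not part of the Enclave platform; the response encoder is included only so the parser can be exercised offline.

```python
"""Probe NAT mapping behaviour with STUN (RFC 5389) Binding Requests."""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
MAPPED_ADDRESS = 0x0001
XOR_MAPPED_ADDRESS = 0x0020

# Assumed public STUN servers for illustration; they are not Enclave infrastructure.
STUN_SERVERS = [("stun.l.google.com", 19302), ("stun1.l.google.com", 19302)]


def build_binding_request(txid: bytes) -> bytes:
    """20-byte STUN header: type, attribute length (0), magic cookie, 96-bit txid."""
    if len(txid) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, txid)


def encode_binding_success(txid: bytes, ip: str, port: int) -> bytes:
    """What a STUN server sends back: header plus one IPv4 XOR-MAPPED-ADDRESS attribute."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xip = bytes(b ^ m for b, m in zip(socket.inet_aton(ip), struct.pack("!I", MAGIC_COOKIE)))
    attr = struct.pack("!HHxBH", XOR_MAPPED_ADDRESS, 8, 0x01, xport) + xip
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attr), MAGIC_COOKIE, txid) + attr


def parse_mapped_address(resp: bytes, txid: bytes) -> tuple:
    """Return (public_ip, public_port) from a Binding Success response, checking the txid."""
    if len(resp) < 20:
        raise ValueError("short STUN response")
    msg_type, msg_len, cookie, rtxid = struct.unpack("!HHI12s", resp[:20])
    if msg_type != BINDING_SUCCESS or cookie != MAGIC_COOKIE or rtxid != txid:
        raise ValueError("not a matching Binding Success response")
    body = resp[20:20 + msg_len]
    pos = 0
    while pos + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[pos:pos + 4])
        val = body[pos + 4:pos + 4 + attr_len]
        if attr_type in (XOR_MAPPED_ADDRESS, MAPPED_ADDRESS) and len(val) >= 8:
            family, port = struct.unpack("!xBH", val[:4])
            if family == 0x01:  # IPv4 only; an IPv6 mapping is skipped in this example
                ip_bytes = val[4:8]
                if attr_type == XOR_MAPPED_ADDRESS:
                    port ^= MAGIC_COOKIE >> 16
                    ip_bytes = bytes(b ^ m for b, m in zip(ip_bytes, struct.pack("!I", MAGIC_COOKIE)))
                return socket.inet_ntoa(ip_bytes), port
        pos += 4 + ((attr_len + 3) & ~3)  # attribute values are padded to 4-byte boundaries
    raise ValueError("no mapped address attribute in response")


def query(sock: socket.socket, server: tuple, timeout: float = 2.0) -> tuple:
    """Send one Binding Request from an already-bound socket and parse the reply."""
    txid = os.urandom(12)
    sock.settimeout(timeout)
    sock.sendto(build_binding_request(txid), server)
    data, _ = sock.recvfrom(2048)
    return parse_mapped_address(data, txid)


def classify(mappings: list) -> str:
    """Same public port toward every destination -> cone NAT (hole punching works);
    a different port per destination -> symmetric NAT (expect relayed traffic)."""
    return "cone" if len({port for _, port in mappings}) == 1 else "symmetric"


def detect_nat_type(servers=STUN_SERVERS, local_port: int = 0) -> str:
    """local_port=0 mimics Enclave's random port; pass e.g. 47100 to probe a fixed localport."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", local_port))
        mappings = [query(sock, (socket.gethostbyname(host), port)) for host, port in servers]
    return classify(mappings)


if __name__ == "__main__":
    print(detect_nat_type())
```

Run it from a device on the network in question: "symmetric" means that gateway will force Enclave onto traffic relays for peers it cannot hole punch to. Two caveats: the script distinguishes only mapping behaviour, so full cone and port-restricted cone NATs both report "cone" (the filtering test from RFC 5780 is needed to tell them apart), and the comparison is only meaningful if the two STUN servers resolve to different IP addresses.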

Traffic relays act as a network router between two or more Enclave devices, helping those devices exchange data when direct connections aren't available. When connections are relayed, the traffic flows are still outbound-only from devices to relay servers and remain end-to-end encrypted. Relay servers only forward opaque, encrypted data streams and cannot read the relayed traffic.

Relay servers are geographically distributed, located at high-bandwidth points of presence (POPs) with fixed IP addresses. Organisations with strict egress policies may force all Enclave traffic via relay servers (which by default are run and managed by Enclave, but may optionally be self-hosted).

Forcing all Enclave traffic through relay servers has the effect of constraining egress traffic from Enclave agents to a select list of pre-authorised relay server IP addresses instead of needing to allow outbound access to the whole Internet. Contact us at support@enclave.io for more information.

Forcing a specific port number

If your network uses an aggressive NAT configuration, you may consider configuring Enclave to use a fixed port and opening that port on the firewall to help Enclave establish direct peer-to-peer connectivity, but we don't recommend this approach.

To force Enclave to use a specific port number:

  1. Run enclave set-config localport <portnumber>, replacing <portnumber> with the port you've chosen, for example 47100.
  2. Run enclave restart.

In this example, if you've set Enclave to use localport 47100 you can also constrain outbound firewall rules:

  • Let your internal devices send outbound UDP packets from :47100 to *:*

Last updated April 11, 2024