Firewall Requirements


Overview

This document provides a comprehensive guide to the firewall requirements for the LightBeam application, detailing the necessary ports, sub-domains, and external dependencies.


1. SMTP Communication Requirements

To onboard new users to the LightBeam application and ensure successful email delivery, the following ports must be opened:

  • Port 25: Utilized for SMTP communication, transmitting email messages between mail servers.

  • Port 465: Employed for SMTP communication over a secure SSL/TLS connection.

  • Port 587: Used by email clients (e.g., Outlook, Thunderbird) for mail submission to the SMTP server for further delivery.


2. Sub-Domain Configuration

  • Secure the LightBeam application endpoint with HTTPS using Let's Encrypt.

    The endpoint is private unless there is a user requirement for public access.

  • Subdomain to secure the LightBeam DSR module endpoint with HTTPS using Let's Encrypt. Example: https://dsr.lightbeam.ai/ The endpoint can be public or private as per user requirement.

Let's Encrypt performs the HTTP-01 challenge, which can only be done on port 80, so port 80 must be reachable on these endpoints whenever a certificate is issued or renewed. Ref https://letsencrypt.org/docs/challenge-types/


3. Firewall Requirements to Deploy and Run LightBeam Application

Whitelist the following URLs through your firewall on ports 80 and 443 to enable the deployment and operation of the LightBeam application:


4. Cluster Management Requirements

To ensure proper communication and operation of Docker and Kubernetes components in the LightBeam setup, certain ports must be opened between the jump server, master node, and worker nodes. These ports facilitate critical interactions necessary for deploying, managing, and scaling the Kubernetes cluster. Below are the detailed requirements:

  • Docker Ports:

    • 80/443: For downloading Docker images (HTTP/HTTPS).

    • 2375/2376: Docker API communication (2375 is plain HTTP, 2376 is HTTPS/TLS); restrict these to the jump server, master node, and worker nodes.

  • Kubernetes Ports:

    • 6443: Kubernetes API server.

    • 10250: Kubelet API.

    • 30000-32767: NodePort Services.


5. Data Source Connectivity

The following table lists the firewall configurations and default port assignments that LightBeam cluster nodes need in order to connect to target data sources for scanning.

Datasource Type            Datasource name             Port Number
------------------------------------------------------------------
Structured Datasources     1. MS SQL Default Port      1433
                           2. Postgres Default Port    5432
                           3. MySQL Default Port       3306
                           4. Oracle Default Port      1521
                           5. Azure Cosmos DB *        *

Unstructured Datasources   1. Microsoft SMB Shares     445
                           2. Amazon S3 *              *
                           3. Google Drive *           *
                           4. Gmail *                  *
                           5. M365 SharePoint *        *
                           6. M365 OneDrive *          *
                           7. M365 Outlook *           *
                           8. M365 Teams *             *
                           9. Salesforce *             *
                           10. Jira *                  *
                           11. ADP *                   *
                           12. ServiceNow *            *
                           13. Box *                   *
                           14. HubSpot *               *

* No specific port number is required for the starred datasources. Access is typically via API over HTTP/HTTPS (port 80/443).

6. Firewall Requirements for Proactive Remote Support:

To enable proactive monitoring and troubleshooting of the LightBeam cluster, outbound SSH (port 22) access is required from the jumpbox (or the master node, if LightBeam is deployed on-premises) to our remote server in your region.

Verify connectivity for US region:

alpha-remote.lightbeam-ai.com port 22 (IP 34.198.104.197)

curl -kv alpha-remote.lightbeam-ai.com:22
* Trying alpha-remote.lightbeam-ai.com:22...
* Connected to alpha-remote.lightbeam-ai.com (34.198.104.197) port 22 (#0)

Verify connectivity for Canada region:

gamma-remote.lightbeam-ai.com port 22 (IP 52.60.227.18)

curl -kv gamma-remote.lightbeam-ai.com:22
* Trying gamma-remote.lightbeam-ai.com:22...
* Connected to gamma-remote.lightbeam-ai.com (52.60.227.18) port 22 (#0)

7. LightBeam diagnostics requirements

Diagnostics runs a set of tests on the cluster every day, generates a report, and shares it with the LightBeam support team.

Outbound firewall requirement from the cluster:

SES

Direction   Protocol   Port   Endpoint                        Description
---------------------------------------------------------------------------------------------------------------------
Outbound    HTTPS      443    email.us-west-2.amazonaws.com   Allow outbound HTTPS traffic to the SES API for email service communication.
Outbound    DNS        53     email.us-west-2.amazonaws.com   Allow DNS resolution for SES endpoints.

SMTP

Direction   Protocol     Port       Endpoint            Description
--------------------------------------------------------------------------------------------
Outbound    TCP          587        smtp.sendgrid.net   Allow outbound SMTP traffic with STARTTLS.
Outbound    HTTPS, TCP   443, 587   api.sendgrid.net    Allow outbound HTTPS and SMTP traffic.

8. Firewall Requirements for SSO configuration

To enable Single Sign-On (SSO) functionality for the LightBeam application, the following firewall rules must be configured to allow communication with identity providers and related services:

Type                       URLs                                  Ports to Allow   Description
-----------------------------------------------------------------------------------------------------------------------------------
Microsoft Azure AD                                               443              Allows authentication and token exchange with Azure Active Directory.
Google Identity Platform                                         443              Enables Google SSO authentication.
Okta                       https://<your_okta_domain>.okta.com   443              Supports SSO authentication and authorization via Okta.
JumpCloud                                                        443              Allows authentication and directory management with JumpCloud.
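The curl commands in section 6 verify one endpoint at a time. The script below is an added example, not LightBeam's own tooling, that checks the outbound rules from sections 6, 7 and 8 in one pass from the jumpbox or a cluster node: it resolves each hostname, attempts a TCP handshake to the listed port with a timeout, and reports which rules the firewall still blocks. The RULES list is constructed from the tables above and is an assumption to adapt to your deployment; the Okta entry keeps the document's <your_okta_domain> placeholder, and the Azure AD, Google and JumpCloud hostnames are not given in this document, so they are not included.

```python
"""Outbound firewall check for the LightBeam rules listed above.

Added example (not LightBeam's own code). RULES is constructed from the
tables in this document; replace placeholders with your own values.
"""
import socket
import sys
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Rule:
    host: str
    port: int
    protocol: str      # "tcp" = open a TCP connection, "dns" = resolve the name only
    description: str


# Constructed from sections 6, 7 and 8; pick the remote-support host for your region.
RULES = [
    Rule("alpha-remote.lightbeam-ai.com", 22, "tcp", "Remote support, US region"),
    Rule("email.us-west-2.amazonaws.com", 443, "tcp", "SES API (diagnostics)"),
    Rule("email.us-west-2.amazonaws.com", 53, "dns", "DNS resolution for SES"),
    Rule("smtp.sendgrid.net", 587, "tcp", "SMTP with STARTTLS"),
    Rule("api.sendgrid.net", 443, "tcp", "SendGrid API"),
    Rule("api.sendgrid.net", 587, "tcp", "SendGrid SMTP"),
    Rule("<your_okta_domain>.okta.com", 443, "tcp", "Okta SSO (PLACEHOLDER: set your domain)"),
]


def check_dns(host: str) -> bool:
    """True if the name resolves to at least one address."""
    try:
        return bool(socket.getaddrinfo(host, None))
    except socket.gaierror:
        return False


def check_tcp(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout.

    Refused connections, DNS failures and timeouts (the usual symptom of a
    firewall that silently drops packets) all return False.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_checks(rules: Iterable[Rule], timeout: float = 3.0) -> list[dict]:
    """Evaluate every rule and return one result dict per rule."""
    results = []
    for rule in rules:
        if rule.protocol == "dns":
            ok = check_dns(rule.host)
        else:
            ok = check_tcp(rule.host, rule.port, timeout)
        results.append({"host": rule.host, "port": rule.port,
                        "protocol": rule.protocol, "ok": ok,
                        "description": rule.description})
    return results


def blocked(results: list[dict]) -> list[dict]:
    """Subset of results that failed, i.e. rules the firewall still needs."""
    return [r for r in results if not r["ok"]]


def format_report(results: list[dict]) -> str:
    """One line per rule, marked OK or BLOCKED."""
    lines = []
    for r in results:
        status = "OK     " if r["ok"] else "BLOCKED"
        lines.append(f"{status} {r['protocol']:<4} {r['host']}:{r['port']}  {r['description']}")
    return "\n".join(lines)


def self_test() -> bool:
    """Offline sanity check of check_tcp using loopback sockets: a listening
    port must be reported reachable, and the same port, once closed, must not."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    port = server.getsockname()[1]
    try:
        reachable = check_tcp("127.0.0.1", port, timeout=1.0)
    finally:
        server.close()
    return reachable and not check_tcp("127.0.0.1", port, timeout=1.0)


if __name__ == "__main__":
    report = run_checks(RULES)
    print(format_report(report))
    sys.exit(1 if blocked(report) else 0)
```

Run it from the jumpbox (or the master node for on-premises deployments) before opening a support case; a BLOCKED line for a TCP rule that resolves fine but times out points at an egress filter rather than at DNS. The exit status is non-zero when any rule is blocked, so the script can be run from a scheduled job to catch firewall changes after deployment.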


About LightBeam

LightBeam automates Privacy, Security, and AI Governance, so businesses can accelerate their growth in new markets. Leveraging generative AI, LightBeam has rapidly gained customers’ trust by pioneering a unique privacy-centric and automation-first approach to security. Unlike siloed solutions, LightBeam ties together sensitive data cataloging, control, and compliance across structured and unstructured data applications providing 360-visibility, redaction, self-service DSRs, and automated ROPA reporting ensuring ultimate protection against ransomware and accidental exposures while meeting data privacy obligations efficiently. LightBeam is on a mission to create a secure privacy-first world helping customers automate compliance against a patchwork of existing and emerging regulations.

For any questions or suggestions, please get in touch with us at: [email protected].
