Firewall and Network Requirements

Server Scout is designed with security and network simplicity in mind. The monitoring agent requires minimal network access, making it easy to deploy even in restrictive network environments. This guide covers the essential firewall and network requirements for successful Server Scout deployment.

Agent Network Requirements

The Server Scout agent only requires outbound HTTPS access to communicate with the dashboard. Specifically, the agent needs:

  • Destination: app.serverscout.ie
  • Protocol: HTTPS (TCP)
  • Port: 443
  • Direction: Outbound only

No inbound ports need to be opened on your monitored servers, which significantly reduces the security attack surface. The agent uses curl for all communication, making it compatible with most network configurations and proxy setups.

Device Monitoring Network Requirements

If you're monitoring network devices or servers via SNMP or IPMI, the Server Scout poller service requires additional outbound access:

SNMP Monitoring

  • Protocol: UDP
  • Port: 161 (standard SNMP)
  • Direction: Outbound to target device IPs

IPMI Monitoring

  • Protocol: UDP
  • Port: 623 (IPMI over LAN)
  • Direction: Outbound to target device IPs

Common Firewall Configurations

iptables Rules

For servers using iptables, allow outbound HTTPS traffic with these rules:

# Allow outbound HTTPS to Server Scout dashboard
iptables -A OUTPUT -p tcp --dport 443 -d app.serverscout.ie -j ACCEPT

# For SNMP device monitoring (if applicable)
iptables -A OUTPUT -p udp --dport 161 -j ACCEPT

# For IPMI device monitoring (if applicable)  
iptables -A OUTPUT -p udp --dport 623 -j ACCEPT

# Save the rules (command varies by distribution)
iptables-save > /etc/iptables/rules.v4

firewalld Configuration

On systems using firewalld (RHEL, CentOS, Fedora):

# Allow HTTPS outbound (usually allowed by default)
firewall-cmd --permanent --add-service=https
firewall-cmd --permanent --add-port=443/tcp

# For SNMP monitoring
firewall-cmd --permanent --add-port=161/udp

# For IPMI monitoring
firewall-cmd --permanent --add-port=623/udp

# Reload firewall configuration
firewall-cmd --reload

UFW (Uncomplicated Firewall)

For Ubuntu systems using UFW:

# Allow outbound HTTPS (usually allowed by default)
ufw allow out 443/tcp

# For SNMP monitoring
ufw allow out 161/udp

# For IPMI monitoring  
ufw allow out 623/udp

Proxy Server Support

Server Scout fully supports HTTP proxy configurations. If your server routes traffic through a corporate proxy, the agent will automatically detect and use system proxy settings configured via:

  • Environment variables (HTTPPROXY, HTTPSPROXY, httpproxy, httpsproxy)
  • System-wide proxy configuration files

For manual proxy configuration, you can set the environment variables before running the agent:

export HTTPS_PROXY=http://proxy.company.com:8080
export HTTP_PROXY=http://proxy.company.com:8080

The agent respects NO_PROXY settings to bypass proxy for specific destinations if needed.

Network Resilience and Data Integrity

Server Scout includes built-in network resilience features:

  • Local data spooling: During network outages, the agent stores monitoring data locally
  • Automatic replay: When connectivity is restored, cached data is automatically transmitted
  • No data loss: Brief firewall changes, network maintenance, or connectivity issues won't result in monitoring gaps

This means you can safely perform network maintenance or firewall updates without worrying about losing historical monitoring data.

Testing Connectivity

To verify your firewall configuration is correct, test connectivity from your server:

# Test HTTPS connectivity to Server Scout
curl -I https://app.serverscout.ie

# You should receive a HTTP 200 or similar response

If the connection fails, check your firewall rules and ensure outbound HTTPS traffic is permitted to app.serverscout.ie on port 443.

Frequently Asked Questions

What network ports does ServerScout monitoring agent require?

The ServerScout agent only requires outbound HTTPS access on port 443 to app.serverscout.ie. No inbound ports need to be opened on your monitored servers, which significantly reduces the security attack surface.

How do I configure firewall rules for ServerScout agent?

Allow outbound HTTPS traffic on port 443 to app.serverscout.ie. For iptables, use: iptables -A OUTPUT -p tcp --dport 443 -d app.serverscout.ie -j ACCEPT. For firewalld, use: firewall-cmd --permanent --add-service=https.

Does ServerScout work through corporate proxy servers?

Yes, ServerScout fully supports HTTP proxy configurations. The agent automatically detects system proxy settings from environment variables (HTTP_PROXY, HTTPS_PROXY) or system-wide configuration files. It also respects NO_PROXY settings.

What happens if network connectivity is temporarily lost?

ServerScout includes built-in network resilience with local data spooling during outages. When connectivity is restored, cached data is automatically transmitted, ensuring no monitoring gaps or data loss during brief network issues.

What additional ports are needed for SNMP and IPMI monitoring?

For SNMP monitoring, you need outbound UDP port 161 to target device IPs. For IPMI monitoring, you need outbound UDP port 623 to target device IPs. These are only required if monitoring network devices via these protocols.

How can I test if my firewall configuration is working?

Test connectivity using: curl -I https://app.serverscout.ie. You should receive a HTTP 200 or similar response. If the connection fails, check your firewall rules and ensure outbound HTTPS traffic is permitted to app.serverscout.ie on port 443.

Why doesn't ServerScout require inbound firewall rules?

ServerScout uses an agent-initiated architecture where the monitoring agent only makes outbound HTTPS connections to the dashboard. This eliminates the need for inbound ports and reduces security risks by minimizing the attack surface on monitored servers.

Was this article helpful?

Related Articles