Firewall Rules for Agent Communication

Overview

Server Scout agents require minimal firewall configuration to communicate with the monitoring dashboard. The design prioritises security by using outbound-only connections, eliminating the need to open any inbound ports on your monitored servers. This significantly reduces your attack surface whilst maintaining full monitoring functionality.

Basic Agent Requirements

The Server Scout agent only needs outbound HTTPS connectivity to function properly:

  • Protocol: TCP
  • Port: 443 (HTTPS)
  • Direction: Outbound only
  • Destination: serverscout.ie dashboard

No inbound ports need to be opened on the monitored server, making this one of the most secure monitoring solutions available.

Firewall Configuration Examples

iptables

For systems using iptables, ensure outbound HTTPS traffic is permitted:

# Allow outbound HTTPS
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT

# If you have a restrictive default OUTPUT policy, also allow DNS
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT

firewalld

On Red Hat-based systems with firewalld:

# Add HTTPS service permanently
firewall-cmd --permanent --add-service=https

# Reload configuration
firewall-cmd --reload

# Verify the rule
firewall-cmd --list-services

UFW (Uncomplicated Firewall)

For Ubuntu and Debian systems using UFW:

# Allow outbound HTTPS
ufw allow out 443/tcp

# Allow outbound DNS if needed
ufw allow out 53

Device Monitoring Requirements

If you're using Server Scout's device monitoring capabilities, additional outbound rules are required on the poller server:

SNMP Monitoring

# iptables
iptables -A OUTPUT -p udp --dport 161 -j ACCEPT

# firewalld
firewall-cmd --permanent --add-port=161/udp

# UFW
ufw allow out 161/udp

IPMI Monitoring

# iptables
iptables -A OUTPUT -p udp --dport 623 -j ACCEPT

# firewalld
firewall-cmd --permanent --add-port=623/udp

# UFW
ufw allow out 623/udp
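As an added example (not Server Scout's own tooling), the following POSIX shell function assembles the rules from this section and the preceding one into a single iptables-restore ruleset under a default OUTPUT DROP policy. It assumes your host also drops inbound traffic by default, which is why it includes the ESTABLISHED,RELATED rules that let replies to the agent's own HTTPS and DNS requests back in; the one-line rules above leave that to your existing policy.

```shell
#!/bin/sh
# Added example (not Server Scout's own tooling): emit an iptables-restore
# ruleset that allows only the egress this page lists, under a default
# OUTPUT DROP policy. The ESTABLISHED,RELATED rules are what let replies to
# the agent's own HTTPS/DNS requests back in when INPUT also defaults to
# DROP; the page's one-liners assume such a rule is already present.

# build_egress_rules <yes|no>: "yes" adds the poller-only SNMP/IPMI ports.
build_egress_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback, and replies to connections this host initiated
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DNS, so the dashboard hostname resolves
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# Agent to dashboard: outbound HTTPS only
-A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
EOF
    if [ "${1:-no}" = "yes" ]; then
cat <<'EOF'
# Poller only: SNMP and IPMI towards monitored devices
-A OUTPUT -p udp --dport 161 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp --dport 623 -m conntrack --ctstate NEW -j ACCEPT
EOF
    fi
    echo COMMIT
}

# count_output_rules <ruleset> <dport>: how many OUTPUT rules allow that
# port, useful for checking the generated policy before applying it.
count_output_rules() {
    printf '%s\n' "$1" | grep -c -- "^-A OUTPUT .*--dport $2 " || true
}

# Review the output first, then apply as root with:
#   build_egress_rules yes | iptables-restore
```

Pass `no` for a standard agent host and `yes` for the poller server; anything not listed is dropped, so add rules for any other egress the host legitimately needs (package mirrors, NTP) before applying.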

Common Deployment Scenarios

Private Network Servers

Servers in private networks must have a route to the internet to reach the Server Scout dashboard. This can be achieved through:

  • NAT Gateway: Most common in cloud environments
  • Proxy Server: Corporate environments often use HTTP/HTTPS proxies
  • Direct Internet Access: Via firewall rules allowing outbound traffic

If using a proxy, configure the agent with your proxy settings in the configuration file.

Cloud Security Groups

Most cloud providers allow outbound HTTPS by default:

AWS Security Groups: The default outbound rule allows all traffic (0.0.0.0/0) on all ports. No changes needed.

Azure Network Security Groups: Default outbound rules permit internet access. Verify the "AllowInternetOutBound" rule exists.

Google Cloud Platform: Default egress rules allow outbound traffic. Ensure no restrictive egress rules block HTTPS.

Corporate Firewalls

Corporate environments may require whitelisting the Server Scout domain:

  • Domain: serverscout.ie
  • IP Range: Contact support for current IP ranges if domain whitelisting isn't possible
  • SSL/TLS Inspection: Ensure corporate SSL inspection doesn't interfere with agent communication

Security Benefits

This outbound-only approach provides several security advantages:

  1. Minimal Attack Surface: No listening ports reduce potential entry points
  2. Network Segmentation Friendly: Works well with existing network security policies
  3. Firewall Friendly: Most firewalls allow outbound HTTPS by default
  4. Audit Compliance: Easier to justify outbound monitoring traffic in security reviews

Troubleshooting Connectivity

If the agent fails to connect:

  1. Test basic connectivity:

curl -I https://serverscout.ie

  2. Check firewall logs for dropped packets
  3. Verify DNS resolution works for the dashboard domain
  4. Ensure system time is synchronised (SSL certificates are time-sensitive)
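Step 2 is quicker with a filter that picks out only the drops that matter to the agent. The following is an added example, not Server Scout's own tooling; it assumes the standard iptables LOG target field layout (IN= OUT= SRC= DST= PROTO= DPT=) and works on constructed sample lines.

```shell
#!/bin/sh
# Added example (not Server Scout's own tooling): scan kernel/iptables LOG
# output for dropped *outbound* packets on the ports the agent and poller
# use, so a connectivity failure can be tied to a firewall rule quickly.
# Assumed log format: the fields written by the iptables LOG target, e.g.
# from a rule such as   iptables -A OUTPUT -j LOG --log-prefix "OUTPUT-DROP: "

# Constructed sample log lines (not real traffic); public addresses are
# RFC 5737 documentation ranges.
SAMPLE_LOG='Jan 12 10:01:02 web01 kernel: OUTPUT-DROP: IN= OUT=eth0 SRC=10.0.1.5 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51234 DPT=443 SYN URGP=0
Jan 12 10:01:02 web01 kernel: OUTPUT-DROP: IN= OUT=eth0 SRC=10.0.1.5 DST=10.0.0.2 LEN=73 PROTO=UDP SPT=40001 DPT=53 LEN=53
Jan 12 10:01:05 web01 kernel: INPUT-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.1.5 LEN=40 PROTO=TCP SPT=44444 DPT=22 SYN URGP=0
Jan 12 10:01:09 poller kernel: OUTPUT-DROP: IN= OUT=eth1 SRC=10.0.2.9 DST=10.0.2.50 LEN=78 PROTO=UDP SPT=50000 DPT=161 LEN=58
Jan 12 10:01:10 web01 kernel: OUTPUT-DROP: IN= OUT=eth0 SRC=10.0.1.5 DST=203.0.113.99 LEN=60 PROTO=TCP SPT=51300 DPT=8080 SYN URGP=0'

# agent_drops: read log lines on stdin; print "<service> <dst>:<dport>" for
# each dropped outbound packet on a port this page lists. Outbound means
# OUT= names an interface; inbound drops (empty OUT=) are skipped because
# the agent never needs an inbound port, so they are unrelated to it.
agent_drops() {
    awk '
    {
        out = ""; proto = ""; dpt = ""; dst = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^OUT=/)   out   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            if ($i ~ /^DST=/)   dst   = substr($i, 5)
        }
        if (out == "") next
        svc = ""
        if (proto == "TCP" && dpt == "443")      svc = "HTTPS"
        else if (dpt == "53")                    svc = "DNS"
        else if (proto == "UDP" && dpt == "161") svc = "SNMP"
        else if (proto == "UDP" && dpt == "623") svc = "IPMI"
        if (svc != "") print svc, dst ":" dpt
    }'
}

# count_agent_drops: number of agent-relevant outbound drops in the sample.
count_agent_drops() {
    printf '%s\n' "$SAMPLE_LOG" | agent_drops | wc -l | tr -d ' '
}

# On a real host, feed the journal or syslog instead of the sample:
#   journalctl -k --no-pager | agent_drops
```

Every line the filter prints names a rule that is blocking traffic the agent or poller needs; a drop on 443 towards the dashboard address is the usual culprit, and a drop on 53 explains a failure that looks like a DNS problem.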

Conclusion

Server Scout's firewall requirements are deliberately minimal to simplify deployment whilst maximising security. The outbound-only design means you can monitor your infrastructure without compromising your network's security posture or creating additional attack vectors.

Frequently Asked Questions

What ports does ServerScout agent need for firewall configuration?

ServerScout agent only requires outbound HTTPS traffic on TCP port 443 to serverscout.ie. No inbound ports need to be opened on your monitored servers, making it extremely secure and firewall-friendly.

How to configure iptables firewall rules for ServerScout agent?

Allow outbound HTTPS with 'iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT'. If you have restrictive OUTPUT policies, also allow DNS with 'iptables -A OUTPUT -p udp --dport 53 -j ACCEPT' and 'iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT'.

Why doesn't ServerScout agent need inbound firewall ports?

ServerScout uses an outbound-only design where agents initiate connections to the dashboard. This eliminates the need for inbound ports, significantly reducing your attack surface whilst maintaining full monitoring functionality and making deployment much more secure.

What additional firewall rules are needed for device monitoring?

Device monitoring requires outbound UDP port 161 for SNMP monitoring and UDP port 623 for IPMI monitoring. These rules are only needed on the poller server, not on regular monitored servers running the standard agent.

How to troubleshoot ServerScout agent firewall connectivity issues?

Test basic connectivity with 'curl -I https://serverscout.ie', check firewall logs for dropped packets, verify DNS resolution for the dashboard domain, and ensure system time is synchronised, as SSL certificates are time-sensitive.

Do cloud security groups need changes for ServerScout agent?

Most cloud providers allow outbound HTTPS by default. AWS Security Groups, Azure Network Security Groups, and Google Cloud Platform all have default outbound rules that permit internet access, so typically no changes are needed.

How does ServerScout work with corporate firewalls and proxies?

Corporate environments may need to whitelist the serverscout.ie domain or request IP ranges from support. If using HTTP/HTTPS proxies, configure the agent with proxy settings. Ensure SSL inspection doesn't interfere with agent communication.
