If you have any type of Application Filtering, Captive Portal or Proxy service that would block outbound access from an OpenVPN application, you must ensure your policy allows outbound traffic from the appliance's source IP.
If you have a strict egress policy in your environment, a few things must be allowed outbound for the appliance to function. Make sure to allow outbound UDP and TCP (port 53) to the DNS servers the appliance uses.
If needed, the current IP address or addresses for the hostnames below can be found with the nslookup command. Example: nslookup activate.pondurance.com
Resolved addresses can change over time, so prefer hostname-based rules where your firewall or proxy supports them; if you must use IP-based rules, re-check the addresses periodically.
NOTE: The domains for the AWS S3 service resolve to many IP addresses, so it is preferable to add the domain names themselves to the allow lists. If IP addresses are required, they can be obtained by running the following command (requires curl and jq; it filters the published AWS range list to the S3 service in the us-east-2 region):
curl --no-progress-meter 'https://ip-ranges.amazonaws.com/ip-ranges.json' | jq -r '.prefixes[] | select(.region=="us-east-2") | select(.service=="S3") | .ip_prefix' | sort
For further information on finding IP address ranges for AWS S3, please refer to: AWS re:Post | How can I find the IP address ranges that Amazon S3 uses?
List of services to add to outbound allow lists:
The activation API endpoint: activate.pondurance.com tcp/443
This endpoint is used to communicate with the Pondurance cloud in order to receive provisioning instructions. This service communicates over tcp/443.
Egress traffic to link.pondurance.com tcp/11512 (see note below on former port 11013)
Egress traffic to link.pondurance.com tcp/443
This endpoint is used for Pondurance VPN connectivity checking
Egress traffic to stream.pondurance.com tcp/443
This endpoint is used for streaming log data into the ingest pipeline, through Kafka
Egress traffic to s3.us-east-2.amazonaws.com tcp/443
This endpoint is used for streaming log data into the ingest pipeline, through AWS S3
Egress traffic to pondurance-stream.s3.us-east-2.amazonaws.com tcp/443
This endpoint is reserved for future use of streaming log data into the ingest pipeline, through AWS S3
Egress traffic to *.datadoghq.com tcp/443
These endpoints are used to collect device health status and performance metrics into the Pondurance observability platform
Note: Configurations deployed on or before May 2022 specified egress traffic to link.pondurance.com tcp/11013 instead of, or in addition to, link.pondurance.com tcp/11512.
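The following is an added example, not part of this page or of Pondurance's own tooling. It turns the endpoint list above into a strict egress policy and checks sample flows against it, covering two points from the page: the S3 address-range filtering (a Python equivalent of the jq command, run over a constructed stand-in for ip-ranges.json) and the legacy tcp/11013 port from the May 2022 note. The resolver results, the AWS prefixes and the flow records are all constructed (RFC 5737 documentation addresses), not Pondurance's real addresses; in production you would replace SAMPLE_RESOLVER with real DNS lookups and SAMPLE_IP_RANGES with the downloaded file.

```python
import ipaddress
import json

# Required outbound destinations listed on the page: (hostname, TCP port, purpose).
# "*.datadoghq.com" is a wildcard and is matched by hostname suffix, not by address.
REQUIRED_EGRESS = [
    ("activate.pondurance.com", 443, "activation API / provisioning"),
    ("link.pondurance.com", 11512, "link service"),
    ("link.pondurance.com", 443, "VPN connectivity check"),
    ("stream.pondurance.com", 443, "log streaming via Kafka"),
    ("s3.us-east-2.amazonaws.com", 443, "log streaming via S3"),
    ("pondurance-stream.s3.us-east-2.amazonaws.com", 443, "log streaming via S3 (reserved)"),
    ("*.datadoghq.com", 443, "health and performance metrics"),
]

# Port used by configurations deployed on or before May 2022; flag it rather than allow it.
LEGACY_PORTS = {("link.pondurance.com", 11013)}

# Constructed stand-in for https://ip-ranges.amazonaws.com/ip-ranges.json (same schema,
# made-up prefixes). The real file contains thousands of entries.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-2", "service": "S3", "network_border_group": "us-east-2"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "S3", "network_border_group": "us-east-1"},
    ],
})

# Constructed resolver output (documentation IPs). Replace with socket.getaddrinfo()
# or nslookup results in a real deployment.
SAMPLE_RESOLVER = {
    "activate.pondurance.com": ["192.0.2.10"],
    "link.pondurance.com": ["192.0.2.20"],
    "stream.pondurance.com": ["192.0.2.30"],
    "s3.us-east-2.amazonaws.com": ["198.51.100.7"],
    "pondurance-stream.s3.us-east-2.amazonaws.com": ["198.51.100.8"],
}


def s3_prefixes(ip_ranges_json, region="us-east-2", service="S3"):
    """Python equivalent of the page's jq filter: sorted ip_prefix values for region/service."""
    doc = json.loads(ip_ranges_json)
    return sorted(p["ip_prefix"] for p in doc["prefixes"]
                  if p["region"] == region and p["service"] == service)


def build_policy(required=REQUIRED_EGRESS, resolver=SAMPLE_RESOLVER, s3_prefix_list=()):
    """Expand the hostname list into allow rules of the form (kind, match, port).

    ("net", ip_network, port): destination IP inside the network.
    ("suffix", ".example.com", port): destination hostname (e.g. TLS SNI) ends with suffix,
    used for wildcard entries, which cannot be pinned to addresses.
    S3 prefixes are added as "net" rules on tcp/443 because a single resolved address
    would miss the other addresses the S3 hostnames rotate through.
    """
    rules = []
    for host, port, _purpose in required:
        if host.startswith("*."):
            rules.append(("suffix", host[1:], port))
            continue
        for ip in resolver.get(host, []):
            rules.append(("net", ipaddress.ip_network(ip), port))
    for prefix in s3_prefix_list:
        rules.append(("net", ipaddress.ip_network(prefix), 443))
    return rules


def egress_allowed(rules, dst_ip=None, port=None, host=None):
    """True if a flow to (dst_ip, port) with the given hostname would pass the policy."""
    for kind, match, rule_port in rules:
        if rule_port != port:
            continue
        if kind == "net" and dst_ip and ipaddress.ip_address(dst_ip) in match:
            return True
        if kind == "suffix" and host and host.endswith(match):
            return True
    return False


def audit_flows(rules, flows):
    """Classify flow records as allowed, legacy-port (old tcp/11013) or blocked."""
    verdicts = []
    for f in flows:
        if (f.get("host"), f["port"]) in LEGACY_PORTS:
            verdict = "legacy-port"
        elif egress_allowed(rules, f.get("dst_ip"), f["port"], f.get("host")):
            verdict = "allowed"
        else:
            verdict = "blocked"
        verdicts.append((f.get("host") or f["dst_ip"], f["port"], verdict))
    return verdicts


# Constructed flow records, as a firewall or proxy log might show them.
SAMPLE_FLOWS = [
    {"dst_ip": "192.0.2.10", "port": 443, "host": "activate.pondurance.com"},
    {"dst_ip": "192.0.2.20", "port": 11512, "host": "link.pondurance.com"},
    {"dst_ip": "192.0.2.20", "port": 11013, "host": "link.pondurance.com"},
    {"dst_ip": "198.51.100.9", "port": 443, "host": "s3.us-east-2.amazonaws.com"},
    {"dst_ip": "203.0.113.50", "port": 443, "host": "api.datadoghq.com"},
    {"dst_ip": "203.0.113.99", "port": 443, "host": "example.org"},
]

if __name__ == "__main__":
    policy = build_policy(s3_prefix_list=s3_prefixes(SAMPLE_IP_RANGES))
    for name, port, verdict in audit_flows(policy, SAMPLE_FLOWS):
        print(f"{name}:{port} -> {verdict}")
```

The fourth sample flow goes to an S3 address that is inside the published us-east-2 S3 prefix but is not the one address the resolver returned; it is allowed only because the prefix list was merged into the policy, which is the practical reason the page recommends domain names or the full range list over a single nslookup result for S3.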