Synctus and Firewalls
Automatic Connections
In order to function, Synctus communicates between sites. To make installation easy, it uses an integrated VPN with automatic locating and UDP hole punching. In the majority of instances, this means that connectivity is established automatically without any assistance from an administrator—even when all appliances are behind NAT gateways.
Port Forwards
Synctus uses UDP hole punching to traverse NAT. If you have difficulty in connecting, then your router or firewall may not support UDP hole punching. You can work around this by port forwarding UDP port 8001 at each site back to the corresponding Synctus unit.
Basic Traffic Requirements
If you have a system installed that is specifically designed to block traffic, such as a firewall, then you will need to allow Synctus traffic through. These changes should be made by the person who manages your firewall.
It is easiest to allow all outbound traffic from Synctus. This is all that is required for full functionality.
Fine-grained Traffic Requirements
If you wish to be as restrictive as possible, then the traffic that must still be permitted is as follows:
| Traffic type | Direction | Notes |
|---|---|---|
| DHCP | LAN only | DHCP is used for configuration on boot and to keep the lease renewed. DNS and default gateway information must be supplied in the DHCP response. |
| DNS A and SRV records for *.ef.synctus.com and public NTP servers | Request to DNS servers specified by DHCP | Requests are made via the DNS servers provided to the unit in the DHCP response. |
| TCP 443 | Outbound to *.ef.synctus.com | Used to locate other linked Synctus nodes (TLS-secured; very low bandwidth). |
| UDP 8001 | Direct between all linked Synctus nodes | Used for all synchronisation and replication traffic (DTLS-secured). |
| UDP 1969 | Outbound to *.ef.synctus.com | UDP hole punching. |
| TCP 80 | Outbound to *.ef.synctus.com | Used to locate an NTP server. |
| TCP/UDP 123 | Outbound | NTP (time) synchronisation. |
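The table above is the allowlist a firewall administrator would implement. As an added example (written for this page, not Synctus's own software), the following encodes that allowlist and audits a set of observed flows against it, so that any traffic from the appliance that the documentation does not account for is flagged for investigation. It assumes a stateful firewall (only the initiating direction of each exchange is listed, and DHCP is taken to be the standard UDP port 67 exchange), that the administrator knows the resolver addresses handed out by DHCP and the addresses of the other linked nodes, and that hostnames are matched by domain suffix so that a lookalike such as `ef.synctus.com.example.net` never matches `*.ef.synctus.com`. All hostnames, addresses and flows below are constructed samples.

```python
"""Audit observed appliance flows against the documented Synctus allowlist.

Example code written for this page; not part of Synctus. The sample hosts,
addresses and flows are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

SYNCTUS_DOMAIN = "*.ef.synctus.com"  # wildcard taken from the documented table


@dataclass(frozen=True)
class Flow:
    proto: str         # "tcp" or "udp"
    port: int          # remote port for outbound flows, local port for inbound
    peer: str          # remote hostname or IP address
    direction: str     # "out" (appliance -> peer) or "in" (peer -> appliance)
    lan: bool = False  # True when the peer is on the appliance's own subnet


@dataclass(frozen=True)
class Context:
    resolvers: frozenset  # DNS servers supplied in the DHCP response
    peers: frozenset      # other linked Synctus nodes (hostnames or IPs)


@dataclass(frozen=True)
class Rule:
    name: str
    protos: frozenset
    port: int
    directions: frozenset
    allowed: Callable[[Flow, Context], bool]  # extra constraint from the Notes column


def host_matches(host: str, pattern: str) -> bool:
    """Match a hostname against a '*.domain' wildcard by label suffix only.

    Unlike fnmatch, the '*' cannot swallow an unrelated domain, so
    'ef.synctus.com.example.net' does not match '*.ef.synctus.com'.
    """
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:].lower()  # ".ef.synctus.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern.lower()


def synctus_rules() -> List[Rule]:
    """The fine-grained allowlist from the documentation, one Rule per row."""
    to_synctus = lambda f, c: host_matches(f.peer, SYNCTUS_DOMAIN)
    return [
        # DHCP: LAN only. UDP 67 is the standard DHCP server port (assumption:
        # stateful firewall, so the reply to port 68 needs no separate rule).
        Rule("DHCP (LAN only)", frozenset({"udp"}), 67, frozenset({"out"}),
             lambda f, c: f.lan),
        # DNS: only to the resolvers handed out by DHCP.
        Rule("DNS to DHCP-supplied resolvers", frozenset({"udp", "tcp"}), 53,
             frozenset({"out"}), lambda f, c: f.peer in c.resolvers),
        Rule("Node location (TLS)", frozenset({"tcp"}), 443, frozenset({"out"}), to_synctus),
        # Sync/replication runs directly between linked nodes in either direction
        # (inbound is what the UDP 8001 port forward exposes).
        Rule("Sync/replication (DTLS)", frozenset({"udp"}), 8001,
             frozenset({"out", "in"}), lambda f, c: f.peer in c.peers),
        Rule("UDP hole punching", frozenset({"udp"}), 1969, frozenset({"out"}), to_synctus),
        Rule("NTP server lookup", frozenset({"tcp"}), 80, frozenset({"out"}), to_synctus),
        Rule("NTP", frozenset({"tcp", "udp"}), 123, frozenset({"out"}), lambda f, c: True),
    ]


def permitted(flow: Flow, ctx: Context) -> Optional[str]:
    """Return the name of the first rule that allows the flow, or None."""
    for rule in synctus_rules():
        if (flow.proto in rule.protos and flow.port == rule.port
                and flow.direction in rule.directions and rule.allowed(flow, ctx)):
            return rule.name
    return None


def audit(flows: Iterable[Flow], ctx: Context) -> List[Flow]:
    """Return every flow the documented allowlist does not account for."""
    return [f for f in flows if permitted(f, ctx) is None]


# Constructed sample context and flow records (e.g. parsed from firewall logs).
CTX = Context(resolvers=frozenset({"192.0.2.53"}), peers=frozenset({"198.51.100.20"}))
SAMPLE_FLOWS = [
    Flow("udp", 67, "255.255.255.255", "out", lan=True),
    Flow("udp", 53, "192.0.2.53", "out", lan=True),
    Flow("tcp", 443, "locator.ef.synctus.com", "out"),
    Flow("udp", 8001, "198.51.100.20", "in"),
    Flow("udp", 1969, "punch.ef.synctus.com", "out"),
    Flow("tcp", 80, "ntp.ef.synctus.com", "out"),
    Flow("udp", 123, "203.0.113.7", "out"),
    Flow("tcp", 22, "203.0.113.9", "out"),                  # not in the allowlist
    Flow("udp", 53, "198.51.100.1", "out"),                 # DNS to a non-DHCP resolver
    Flow("tcp", 443, "ef.synctus.com.example.net", "out"),  # lookalike host, must not match
    Flow("udp", 8001, "203.0.113.99", "in"),                # 8001 from an unknown node
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS, CTX):
        print(f"unexpected: {f.proto}/{f.port} {f.direction} {f.peer}")
```

Running the block prints the last four sample flows as unexpected; the first seven are each matched by one row of the table. Feeding it real flow records from the firewall gives a quick check that the rule set actually deployed is neither more permissive nor more restrictive than the documentation requires.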
