Locking down access in and out of network

Hello forum and support,

I’m attempting to lock down all possible connections coming in and going out of the network behind an EWON Cosy device.

I’ve reviewed the “Talk2M used addresses and ports” document but I wanted to verify some details before I write in 60+ lines of code on our firewall, since I can’t whitelist hostnames and only IP addresses and ranges.

Our techs used a web-based link (https://m2web.talk2m.com) to connect to a single PC behind the Cosy. Once they log in, the URL updates to https://us4.m2web.talk2m.com:48925

If I block ALL inbound and outbound traffic other than what is needed for this to happen, can someone confirm I need the following rules:
Outbound on UDP port 1194 for each of device.vpn(1-30).talk2m.com
Outbound on TCP port 443 for each of device.vpn(1-30).talk2m.com

Inbound TCP port 48925 from https://usX.m2web.talk2m.com (what range are we looking at here?)

Assistance greatly appreciated!!!

Hi,

You only need to open outgoing ports 443 (tcp) and 1194 (udp). TCP port 48925 is only being used by the client computer that is connecting to our servers, not the eWON itself.

For the domains, make sure to also whitelist as.pro.talk2m.com and device.api.talk2m.com, see Talk2M Server Addresses & Hostnames.

Kyle

Good morning Kyle,

Thanks for this. Unfortunately, as I mentioned in my post, I am not able to whitelist hostnames – only by IP.

If I resolved those hostnames, I would have the following outbound firewall rules:

Outbound port 443 permitted to:

device.api.talk2m.com
– 92.52.111.213

as.pro.talk2m.com
– 92.52.111.210

Outbound port 1194 permitted to:

device.api.talk2m.com
– 92.52.111.213

as.pro.talk2m.com
– 92.52.111.210

I can block all inbound traffic?

Hi Michael,

You will also need to whitelist the VPN server, depending on what region you are in. If the U.S., whitelisting the IP address for VPNs 8, 11, 17, 23, 27, and 28 should be fine.

Yes, you do not need to open any outgoing ports.

Kyle

Hi Kyle,

We’re in Canada – will that make a difference in the VPN addresses?

No, US and Canada use the same servers.

Topic closed due to inactivity.
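
Added example, not part of any post in this thread: because the firewall in question can only allow IP addresses, the pinned entries go stale if the DNS records behind the Talk2M hostnames change. The sketch below compares the two hostname/IP pairs posted above with current DNS answers and lists the outbound rules (TCP 443, UDP 1194) those pins imply. The function names are hypothetical, the pinned IPs are the ones quoted in the thread and not verified as current, and the regional VPN server hostnames would have to be added to `PINNED` from the Talk2M documentation.

```python
import socket

# Hostname -> IPs entered in the firewall, as posted in the thread.
PINNED = {
    "device.api.talk2m.com": {"92.52.111.213"},
    "as.pro.talk2m.com": {"92.52.111.210"},
}
# Outbound ports named in the thread; nothing inbound is opened.
PORTS = (("tcp", 443), ("udp", 1194))


def resolve_ipv4(hostname):
    """Return the set of IPv4 addresses the hostname resolves to right now."""
    infos = socket.getaddrinfo(hostname, None, family=socket.AF_INET,
                               type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def outbound_rules(pinned):
    """List (protocol, port, ip) tuples for every pinned destination."""
    ips = sorted({ip for addrs in pinned.values() for ip in addrs})
    return [(proto, port, ip) for ip in ips for proto, port in PORTS]


def check_drift(pinned, resolver=resolve_ipv4):
    """Report hosts whose DNS answers differ from the pinned firewall IPs.

    missing = in DNS but not allowed (the device may fail to connect)
    stale   = allowed but no longer in DNS (rule can be reviewed for removal)
    """
    report = {}
    for host, allowed in sorted(pinned.items()):
        try:
            current = set(resolver(host))
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            report[host] = {"missing": set(), "stale": set(), "error": str(exc)}
            continue
        missing, stale = current - allowed, allowed - current
        if missing or stale:
            report[host] = {"missing": missing, "stale": stale, "error": None}
    return report


if __name__ == "__main__":
    for proto, port, ip in outbound_rules(PINNED):
        print(f"allow out {proto}/{port} -> {ip}")
    for host, diff in check_drift(PINNED).items():
        print(f"DRIFT {host}: {diff}")
```

Run on a schedule from a host that uses the same DNS resolver as the Cosy, an empty drift report means the pinned rules still match what the device will resolve.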