You can configure your firewall so that you can connect Sitecore xDB Cloud securely with the following external endpoints:
- Reporting Service
- Azure Search Service
- MongoDB Servers
Get firewall setting endpoints
To configure your firewall settings, you can request the set of Sitecore xDB Cloud endpoints by using the REST API reference for the xDB Cloud service: Get Firewall settings V2.
For example, a set of endpoints could look like this:
https://[service name].search.windows.net:443
There is currently one xDB Cloud firewall configuration limitation: xDB Cloud does not currently support any static IPs or ranges of IPs for setting up firewall restrictions. xDB Cloud's MongoDB servers, Reporting Service, and other endpoints have a dynamic set of IP addresses that can change within the lifetime of the deployment.
This topic describes how to:
Configure a firewall
To ensure that Sitecore xDB Cloud works correctly and securely in all scenarios, you must configure your firewall settings with a rule to allow requests to the following services: the Reporting Service, and MongoDB Servers. You can obtain the endpoints for these services by calling the Get Firewall settings endpoint.
If you are using xDB Cloud 1.0, you must also configure your firewall for the Discovery Service:
Sitecore only requires communication with MongoDB data node
Configure your network for a MongoDB SSL connection
To configure your firewall and application servers for use with the MongoDB SSL connection, as part of the Sitecore xDB Cloud service:
- Go to the REST API reference for the xDB Cloud service, Get Firewall settings V2.
- Open the firewall ports for hostnames and the ports listed for the MongoDB connection strings. For example, a MongoDB URI can contain the following hostnames and ports:
ds046408-a0.qmt44.fleet.mongolab.com, port 46408
ds046408-a1.qmt44.fleet.mongolab.com, port 46406
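Because the xDB Cloud endpoints have no static IP addresses, the firewall rules have to be built from the hostnames and ports in the returned endpoints. The following is an added example, not Sitecore's own code, that turns a list of endpoint URIs into a hostname and port allowlist; it assumes the endpoints have already been collected as a flat list of URI strings, and the credentials, database name, options and `example-service` name in the sample are constructed.

```python
import re

# Default ports when a URI omits one (27017 is MongoDB's default port).
DEFAULT_PORTS = {"mongodb": 27017, "https": 443, "http": 80}


def endpoints_from_uri(uri):
    """Return the (host, port) pairs a firewall must allow for one URI."""
    scheme, sep, rest = uri.strip().partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORTS:
        # mongodb+srv:// is rejected on purpose: its hosts come from a DNS
        # SRV lookup and cannot be read from the string. The URI is not
        # echoed in the error because it may carry credentials.
        raise ValueError("unsupported or missing URI scheme")
    authority = re.split(r"[/?#]", rest, maxsplit=1)[0]
    # Drop "user:password@"; reserved characters in credentials are
    # percent-encoded, so the last "@" ends them.
    host_list = authority.rpartition("@")[2]
    pairs = []
    for item in host_list.split(","):  # MongoDB URIs may list several hosts
        host, _, port = item.partition(":")
        port = int(port) if port else DEFAULT_PORTS[scheme]
        if not host or not 0 < port < 65536:
            raise ValueError(f"bad host entry {item!r}")
        pairs.append((host.lower(), port))
    return pairs


def build_allowlist(uris):
    """De-duplicated, sorted hostname/port allowlist for all URIs."""
    return sorted({pair for uri in uris for pair in endpoints_from_uri(uri)})


# Constructed sample input: hostnames and ports are the examples from this
# page; user, password, database and options are made up.
SAMPLE_ENDPOINTS = [
    "mongodb://user:p%40ss@ds046408-a0.qmt44.fleet.mongolab.com:46408,"
    "ds046408-a1.qmt44.fleet.mongolab.com:46406/analytics?ssl=true",
    "https://example-service.search.windows.net:443",
    "http://ocsp.digicert.com",
]

if __name__ == "__main__":
    for host, port in build_allowlist(SAMPLE_ENDPOINTS):
        print(f"allow outbound tcp {host}:{port}")
```

IPv6 literals are not handled; the parser expects hostnames, which is what the connection strings on this page contain.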
To download the SSL certificate for your MongoDB database:
- In your browser, connect to your MongoDB server using HTTPS. For example:
MongoDB responds with the following message: “It looks like you are trying to access MongoDB over HTTP on the native driver port.”
- In the Certificate Viewer dialog, on the General tab, use the padlock icon to view the connection certificate.
- Download and install the Trusted Root Authority certificate to the application server that is running Sitecore.
- In the Certificate Viewer dialog, on the Details tab, in the Certificate Fields field, click Authority Information Access.
- In the Field Value field, in the CA Issuers: URI: section, copy the link to the certification authority certificate into your browser. For example, http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
- Use the link to download the CRT file to the application server and install it into the (Local Computer)\Trusted Root Certification Authorities\Certificates certificate store. See the Microsoft website for more information on adding certificates to the Trusted Root Certification Authorities store for a local computer.
- In your firewall, open access to the Online Certificate Status Protocol (OCSP) endpoint for DigiCert, ocsp.digicert.com, port 80.
- In your firewall, open access to the Certificate Revocation Lists (CRL) Distribution Points. You can find the links in the CRL Distribution Points field of the Trusted Root Authority certificate: