Configure your firewall settings for xDB Cloud

Last updated Thursday, June 8, 2017 in xDB Cloud for Administrator, Developer

You can configure your firewall so that you can connect Sitecore xDB Cloud securely with the following external endpoints:

  • Reporting Service
  • Azure Search Service
  • MongoDB Servers
  • Get firewall setting endpoints

To configure your firewall settings, you can request the Sitecore xDB Cloud set endpoints for firewall settings by using the REST API reference for the xDB Cloud service: Get Firewall settings V2.

For example, a set of endpoints could look like this:

Endpoint

Location

SearchService

https:// [service name].search.windows.net:443

ReportingService

https://reporting-prod-[service name].cloudapp.net:443

MongoDbPrimary

ds[service name]-a0.qmt44.fleet.mongolab.com:[port]

MongoDbSecondary

ds[service name]-a1.qmt44.fleet.mongolab.com:[port]

Note

There is currently one xDB Cloud firewall configuration limitation: xDB Cloud does not currently support any static IPs or ranges of IPs for setting up firewall restrictions. xDB Cloud's MongoDB servers, Reporting Service, and other endpoints have a dynamic set of IP addresses that can change within the lifetime of the deployment.

This topic describes how to:

Configure a firewall

To ensure that Sitecore xDB Cloud works correctly and securely in all scenarios, you must configure your firewall settings with a rule to allow requests to the following services: the Search Service, Reporting Service, and MongoDB Servers. You can obtain these services by calling the Get Firewall settings endpoint.

Important

If you are using xDB Cloud 1.0, you must also configure your firewall for the Discovery Service: discovery.xdb.cloud.sitecore.net

Sitecore only requires communication with MongoDB data nodes. The monitoring process can show an outbound connection to the MongoDB arbiter as well, but you can block this as it will have no effect on how Sitecore is running.

Configure your network for a MongoDB SSL connection

To configure your firewall and application servers for use with the MongoDB SSL connection, as part of Sitecore xDB Cloud service:

  1. Go to the REST API reference for the xDB Cloud service, Get Firewall settings V2.
  2. Open the firewall ports for hostnames and the ports listed for the MongoDB connection strings. For example, a MongoDB URI can contain the following hostnames and ports:

    ds046408-a0.qmt44.fleet.mongolab.com, port 46408

    ds046408-a1.qmt44.fleet.mongolab.com, port 46406

To download the SSL certificate for your MongoDB database:

  1. In your browser, connect to your MongoDB server using HTTPS. For example:

    https://ds046408-a0.qmt44.fleet.mongolab.com:46408

    MongoDB responds with the following message: “It looks like you are trying to access MongoDB over HTTP on the native driver port.”

  2. In the Certificate Viewer dialog, on the General tab, use the padlock icon to view the connection certificate

    Cloud_xDBCloud_CertificateViewer_FirewallSettings_Screenshot

  3. Download and install the Trusted Root Authority certificate to the application server that is running Sitecore.
  4. In the Certificate Viewer, dialog, on the Details tab, in the Certificate Fields field, click Authority Information Access.
  5. In the Field Value field, in the CA Issuers: URI: section, copy the link to the certification authority certificate into your browser. For example, http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt

    Cloud_xDBCloud_CertificateViewer_FirewallSettings_Screenshot

  6. Use the link to download the CRT file to the application server and install onto: (Local Computer)\Trusted Root Certification Authorities\Certificates certificate store. See the Microsoft website for more information on adding certificates to the Trusted Root Certification Authorities store for a local computer.
  7. In your firewall, open access to the On-line Certificate Status Protocol endpoint for Digicert, ocsp.digicert.com, port 80.
  8. In your firewall, open access to the Certificate Revocation Lists (CRL) Distribution Points. You can find the links in the CRL Distribution Points field of the Trusted Root Authority certificate:

    Cloud_xDBCloud_CertificateViewerDetails_FirewallSettings_Screenshot

Note

You can use the DigiCert Certificate Utility to verify server access to CRL and OCSP endpoints.

Send feedback about the documentation to docsite@sitecore.net.