Network Considerations During Appliance Install

The following questions should be considered when implementing your Bomgar Appliance in the network.

  1. How are connections established to the appliance? The connection from each of the various clients is an outbound connection from the computer to the appliance, and the only required ports are 80 and 443. Therefore, the allowed ports would typically be 80 and 443 from the internet to the DMZ, and 80 and 443 from the internal network to the DMZ.
  2. Is port 443 the only port that needs to stay open inbound to the appliance? The connection from each of the various clients is an outbound connection from the computer to the appliance, and the only required ports are 80 and 443. Therefore, the allowed ports would typically be 80 and 443 from the internet to the DMZ, and 80 and 443 from the internal network to the DMZ. Port 22 is an outbound port from the appliance to Bomgar. More ports may be available depending on your build.

    Optionally, the appliance can be configured to automatically check for updates from update.bomgar.com. This requires an outbound connection on port 443 from the appliance and the ability to connect to a DNS server to resolve this name. If the DNS Server is within the DMZ, no additional ports would be required, but if the DNS server is in a different zone, the necessary ports for this would need to be allowed as described in the Firewall Rules table below. This can be avoided by downloading updates for the appliance and applying them manually. Lastly, the server is configured with an NTP server to sync the time on the appliance. This can be supported by connecting to clock.bomgar.com, or it can be supported pointing to an internal NTP server using Port 123.

  3. What other outbound connectivity does the appliance need? The appliance can be configured with an NTP server to sync the time on the appliance. This can be supported by connecting to clock.bomgar.com, or it can be supported pointing to an internal NTP server using Port 123.
  4. Is the LDAP Server on the same LAN as your Bomgar Appliance? If not, you must install a Bomgar Connection Agent on the LDAP server to support communications between the Bomgar Appliance and the LDAP Server.
  5. Will there be two appliances configured, one as a backup appliance to support automatic failover? If so, the appliances need to be on the same subnet, and they each need a DNS A Record for their individual IP Addresses.
  6. Will you be utilizing a RADIUS Server with Bomgar? If so, this is typically port 1812.
  7. Will you be utilizing a Kerberos Key Distribution Center (KDC) with Bomgar? If so, the representatives typically communicate with their KDC over port 88 UDP.
  8. Is your support base completely internal or accessible through a VPN? If so, deploying the Bomgar Appliance on an internal network segment is ideal, and no firewall changes are required because both the appliance and all of the supported clients are internal to the firewall.
  9. Are you supporting customers outside of your company's internal network? If so, best practices in network design discourage opening external access directly to your internal network. If you are providing external support via Bomgar, it is highly recommended that the appliance reside in a DMZ that segments the internal network from the internet.
  10. How are updates to the appliance done? The appliance can be configured to automatically check for updates from update.bomgar.com. This requires an outbound connection on port 443 from the appliance and the ability to connect to a DNS server to resolve this name. If the DNS Server is within the DMZ, no additional ports would be required, but if the DNS server is in a different zone, the necessary ports for this would need to be allowed. This can be avoided by downloading updates for the appliance and applying them manually.