Considerations for Firewall Rules

The Enterprise server requires authentication and has limited built-in support for rejecting connections that come from outside specified IP addresses and hostnames. It does not, however, have more complex or powerful methods of dealing with unwanted traffic, so you may want to add firewall rules to control inbound traffic to the Enterprise server host.

The Enterprise server and clients do not require internet connectivity and can function in a completely offline environment. But, if you would like to use online updates from our servers, you will need to ensure they can access the following over HTTPS (port 443):

  • registry.enterprise.binary.ninja (server only)
      • Used for pulling updated docker images for the server containers
  • master.binary.ninja (client and server)
      • Used by clients to check if there are any available updates (unless the clients are configured to use the enterprise server for updates)
      • Used by the server to pull client updates, as well as server management binary updates
  • cdn.binary.ninja (client only)
      • Serves update files for clients
  • extensions.binary.ninja (client only)
      • Used to fetch official (made by v35) plugin info
  • github.com (client only)
      • Used to fetch community plugin info, as well as download community and official plugins
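
An egress preflight for the hosts listed above, as an added example (not part of the product or its documentation). It assumes `curl` is installed and that each host answers an HTTPS request at `/`; the function names and the `--check` argument are hypothetical.

```shell
#!/bin/sh
# Added example: verify that firewall rules allow the update hosts on 443/tcp.
# Host/role pairs come from the list on this page; all names here are hypothetical.

# One "host roles" entry per line.
UPDATE_HOSTS='registry.enterprise.binary.ninja server
master.binary.ninja client,server
cdn.binary.ninja client
extensions.binary.ninja client
github.com client'

# Print the hosts a given role (client or server) must reach over HTTPS.
hosts_for_role() {
    role=$1
    printf '%s\n' "$UPDATE_HOSTS" | while read -r host roles; do
        case ",$roles," in
            *",$role,"*) printf '%s\n' "$host" ;;
        esac
    done
}

# Return 0 if an HTTPS request completes (any HTTP status counts).
# A blocked port, DNS failure or failed certificate validation returns non-zero,
# so a TLS-intercepting middlebox with an untrusted CA also shows up as blocked.
can_reach() {
    curl --silent --output /dev/null --connect-timeout 5 --max-time 15 "https://$1/"
}

# Check every host for the role; exit status is the number of blocked hosts.
check_role() {
    blocked=0
    for host in $(hosts_for_role "$1"); do
        if can_reach "$host"; then
            echo "ok      $host:443"
        else
            echo "BLOCKED $host:443"
            blocked=$((blocked + 1))
        fi
    done
    return "$blocked"
}

# Run only when asked, e.g.:  sh preflight.sh --check server
if [ "${1:-}" = "--check" ]; then
    check_role "${2:?role: client or server}"
fi
```

Run it from the server host with `--check server` and from a representative workstation with `--check client`, since the two roles need different hosts.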

If you configure any Single Sign-On (SSO) endpoints or webhooks, the server and clients will require access to those hosts as well. This should generally be over HTTPS (usually port 443).

The Enterprise server also requires the following for inbound access:

  • Default port 3535/tcp (HTTPS + WebSockets) to the Enterprise proxy service.
      • If you are placing another proxy in front of the Enterprise server on 443, open that port instead and set ENTERPRISE_PROXY_NO_TLS=true (or use --no-tls) so the external proxy terminates TLS.
      • WebSockets share the same port, so make sure any intermediaries allow upgrade/keep-alive traffic.