Network
Architecture

Web Server
You do not need your own web server to host Grape. The on-premise installation contains an nginx reverse proxy that routes requests to Grape and Sentry, both of which run on that main host.
You will need valid X.509 certificates for the domain names you choose for your Grape instance and for Sentry,
e.g. grape.example.org and sentry-grape.example.org for the two services.
Edge Server
Optionally, you can set up a second Grape web server as an Edge Server. This server can sit in the DMZ and allow users from outside to connect to Grape without a VPN. This is particularly useful when some mobile devices have no VPN configured but still need to reach Grape without compromising security.
The Edge Server is an HTTP reverse proxy and can be set up by the client or by our networking team. It needs to be able to connect to the internal Grape reverse proxy on port 443, and it must accept the internal reverse proxy's SSL certificate as valid.
Ports
External (required)
These ports must be open to the Internet:
| Service | Direction | Protocol | Ports | Hostnames/IPs |
|---|---|---|---|---|
| Grape | In | TCP | 443 | your Grape Server |
| Grape Setup | In | TCP | 8888 | your Grape Server |
| GCM (Android Push Notifications) [1] | Out | TCP | 443 | android.googleapis.com |
| | Out | TCP | 443 | fcm.googleapis.com |
| | Out | TCP | 443 | or allow those IPs (Google IPs list) |
| APNs (iOS Push Notifications) [2] | In & Out | TCP | 443 | api.push.apple.com (17.0.0.0/8), HTTP/2, TLS 1.2 |
| WNS (Windows Phone 8.1 Push) [3] | Out | TCP | 443 | next-services.apps.microsoft.com, *.wns.windows.com, *.notify.windows.com, wscont1.apps.microsoft.com (or see Microsoft WNS IP list) |
| Grape Docker Registry | Out | TCP | 443 | docker-registry-builds.chatgrape.com |
| HaveIBeenPwned.com | Out | TCP | 443 | api.pwnedpasswords.com |
| Grape Docker Image Distribution | Out | TCP | 443 | distrib.ubergrape.com |
| Grape Setup Scripts | Out | TCP | 443 | |
| Jitsi Clients Connection | Out | UDP | 11100-11200 | *.grapecall.com |
External Search Integrations (optional)
All built-in External Search Integrations use HTTPS. For more information on how to set them up, see Built-in External Search Integrations.
The server will try to generate a preview for links posted in the chat. This often requires additional hostnames/URLs to be whitelisted, which is why each service below lists its hostnames.
| Service | Direction | Protocol | Ports | Hostnames/URLs |
|---|---|---|---|---|
| (All) | Out | TCP | 443 | |
| YouTube | Out | TCP | 443 | https://www.googleapis.com/youtube/v3, https://www.youtube.com/ |
| Wikipedia | Out | TCP | 443 | |
| StackOverflow | Out | TCP | 443 | |
| Spotify | Out | TCP | 443 | |
| Imgur | Out | TCP | 443 | |
| Google Maps | Out | TCP | 443 | |
| Giphy | Out | TCP | 443 | |
Internal
Depending on your setup, Grape also needs to be able to communicate with hosts inside your network:
Active Directory server
File server
SMTP server
All integrated services (Sharepoint, Exchange, …)
| Service | Direction | Protocol | Ports | Note |
|---|---|---|---|---|
| SMTP | Out | TCP | 25/587 | You can configure the SMTP port in the Grape Setup |
| Exchange Integration | In & Out | TCP | 443 | HTTPS requests need to work in both directions |
| NetApp Integration | Out | TCP | 139 | SMB 2.0 |
| Sharepoint 2013 | Out | TCP | 80/443 | |
| HaveIBeenPwned.com | Out | TCP | 443 | api.pwnedpasswords.com |
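The External and Internal tables above are, in practice, an egress allowlist that someone has to verify on the Grape host after the firewall change. The following pre-flight script is an added example and is not part of Grape's own setup tooling: it encodes a handful of the outbound rows from both tables, expands the page's port notations (`443`, `25/587`, `11100-11200`), and tries a TCP connect plus a full TLS handshake with certificate verification against the system trust store for each 443 endpoint, so a blocked port and a TLS-intercepting proxy both show up as failures rather than surfacing later as a broken Docker pull or a silent push-notification outage. Wildcard hosts and the UDP range cannot be verified by a handshake and are listed for manual confirmation. The SMTP hostname `smtp.internal.example` is a constructed placeholder; everything else in the row list comes from the tables.

```python
"""Pre-flight egress check for the Grape host (added example, not Grape's own tooling)."""
import socket
import ssl

# Outbound rows copied from the External and Internal Ports tables on this page.
# Rows whose hostname the page leaves blank are omitted. The SMTP host is a
# constructed placeholder; replace it with your own relay.
REQUIRED_EGRESS = [
    ("Grape Docker Registry", "TCP", "443", "docker-registry-builds.chatgrape.com"),
    ("Grape Docker Image Distribution", "TCP", "443", "distrib.ubergrape.com"),
    ("HaveIBeenPwned.com", "TCP", "443", "api.pwnedpasswords.com"),
    ("GCM (Android Push Notifications)", "TCP", "443", "fcm.googleapis.com"),
    ("APNs (iOS Push Notifications)", "TCP", "443", "api.push.apple.com"),
    ("Jitsi Clients Connection", "UDP", "11100-11200", "*.grapecall.com"),
    ("SMTP", "TCP", "25/587", "smtp.internal.example"),  # constructed placeholder
]


def expand_ports(spec):
    """Expand the page's port notation: '443' -> [443], '25/587' -> [25, 587],
    '11100-11200' -> every port in the inclusive range."""
    ports = []
    for part in spec.split("/"):
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.extend(range(int(lo), int(hi) + 1))
        else:
            ports.append(int(part))
    return ports


def build_plan(rows):
    """Turn table rows into concrete checks (service, host, port, mode).
    UDP rows and wildcard hosts cannot be verified with a handshake, so they
    are kept as a single 'manual' entry instead of being silently dropped."""
    plan = []
    for service, proto, spec, host in rows:
        if proto != "TCP" or host.startswith("*."):
            plan.append((service, host, spec, "manual"))
            continue
        for port in expand_ports(spec):
            plan.append((service, host, port, "tls" if port == 443 else "tcp"))
    return plan


def check(host, port, mode, timeout=5.0):
    """Return (ok, detail). ok is True/False for a real check, None for 'manual'.
    In 'tls' mode the default context verifies the certificate chain and the
    hostname, so an intercepting proxy with its own CA fails here."""
    if mode == "manual":
        return None, "cannot verify by handshake; confirm the firewall rule manually"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if mode == "tls":
                ctx = ssl.create_default_context()
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    return True, f"{tls.version()} handshake ok, certificate verified"
            return True, "tcp connect ok"
    except (OSError, ssl.SSLError) as exc:
        return False, str(exc)


def run(rows=REQUIRED_EGRESS):
    """Run every check in the plan and return the results; prints a summary line per check."""
    results = []
    for service, host, port, mode in build_plan(rows):
        ok, detail = check(host, port, mode)
        results.append((service, host, port, ok, detail))
        status = {True: "OK  ", False: "FAIL", None: "MAN "}[ok]
        print(f"[{status}] {service}: {host}:{port} - {detail}")
    return results


if __name__ == "__main__":
    failed = [r for r in run() if r[3] is False]
    raise SystemExit(1 if failed else 0)
```

Run it on the Grape host itself after the firewall change; a non-zero exit means at least one required outbound connection failed. It only covers the outbound direction: the inbound rows (443 and 8888 on the Grape server, and the APNs and Exchange "In & Out" entries) have to be confirmed from the other side.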