In front of the Grape application, you need a web server with a valid TLS certificate for the domain where Grape will run (e.g. grape.example.com). You can either provide this on a separate machine or install a web server on the machine that runs Grape. If the web server that does the TLS termination runs on a separate machine, the network connection between the two machines should be encrypted.
The step-by-step install guides contain a section on how to set up an nginx web server to work with Grape.
Optionally, you can set up a second Grape web server as an Edge Server. This server can stay in the DMZ and allow users from the outside to connect to Grape without using a VPN. This is particularly useful when some mobile devices have no VPN set up but still need to access Grape without compromising security.
The Edge Server is an HTTP reverse proxy and can be set up by the client or by our networking team. It needs to be able to connect to the internal Grape reverse proxy on port 443 and to accept the internal reverse proxy's SSL certificate as valid.
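Both Edge Server requirements above can be checked from the Edge Server itself with a short script. This is an added example, not part of the Grape documentation; the hostname `grape-internal.example.com` and the CA bundle path are hypothetical placeholders.

```python
import socket
import ssl


def check_upstream_tls(host, port=443, cafile=None, timeout=5.0):
    """Try a fully verified TLS connection to host:port.

    Returns (status, detail), where status is one of:
      "ok"           - TCP connect worked and the certificate validated
      "cert_invalid" - reachable, but chain or hostname verification failed
      "tls_error"    - reachable, but the TLS handshake failed for another reason
      "unreachable"  - TCP connection refused, timed out, or name not resolved
    """
    # The default context enforces chain and hostname verification.
    # If cafile is given (e.g. an internal CA bundle), only that bundle is
    # trusted; otherwise the system trust store is used.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return "ok", f"{tls.version()}, certificate valid until {cert.get('notAfter')}"
    except ssl.SSLCertVerificationError as exc:
        # Typical causes: self-signed or internal CA not in the trust store,
        # expired certificate, certificate issued for a different hostname.
        return "cert_invalid", exc.verify_message
    except ssl.SSLError as exc:
        return "tls_error", exc.reason or str(exc)
    except OSError as exc:
        # Firewall drop, closed port, DNS failure or timeout.
        return "unreachable", str(exc)


if __name__ == "__main__":
    # Hypothetical values: replace with the internal reverse proxy's name and,
    # if it uses an internal CA, the path to that CA's certificate bundle.
    status, detail = check_upstream_tls(
        "grape-internal.example.com", 443, cafile=None
    )
    print(f"{status}: {detail}")
```

A `cert_invalid` result means the port is open but the Edge Server does not yet trust the internal certificate; install the issuing CA in the Edge Server's trust store rather than disabling verification in the proxy configuration.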
These ports must be open to the internet
your Grape Server
|GCM (Android Push Notifications)||Out||TCP||443||or allow those IPs (Google IPs list)|
|In & Out||TCP||443||HTTP/2, TLS 1.2|
|WNS (Windows Phone 8.1 Push)||Out||TCP||443||(or see Microsoft WNS IP list)|
|Grape Docker Registry||Out||TCP||443||
|Grape Docker Image Distribution||Out||TCP||443||
|Jitsi Clients Connection||Out||UDP||11100-11200||
External Search Integrations (optional)
All built-in External Search Integrations use HTTPS. For more information on how to set them up, see Built-in External Search Integrations.
The server will try to generate a preview for links posted in the chat. This often requires additional hostnames/URLs to be whitelisted, hence the list of hostnames for each service.
Depending on your setup, Grape also needs to be able to communicate internally in your network:
- Active Directory server
- File server
- SMTP server
- All integrated services (SharePoint, Exchange, …)
|SMTP||Out||TCP||25/587||You can configure the SMTP port in the Grape setup|
|Exchange Integration||In & Out||TCP||443||HTTPS requests need to work in both directions|
|NetApp Integration||Out||TCP||139||SMB 2.0|