Network

Architecture

[Figure: Grape network architecture diagram (network_architecture_grape.png)]

Web Server

In front of the Grape application you need a web server that has a valid TLS certificate for the domain where Grape will run (e.g. grape.example.com). You can either run this web server on a separate machine or install it on the machine that runs Grape. If the web server that does the TLS termination runs on a separate machine, the network connection between the two machines should also be encrypted, so that traffic is not exposed in plain text on the internal hop.

The step-by-step install guides contain a section on how to set up an nginx web server to work with Grape.

Edge Server

Optionally, you can set up a second Grape web server as an Edge Server. This server can stay in the DMZ and allow users from the outside to connect to Grape without using a VPN. This is particularly useful when some mobile devices have no VPN configured but still need to access Grape without compromising security.

The Edge Server is an HTTP reverse proxy and can be set up by the client or by our networking team. It needs to be able to connect to the internal Grape reverse proxy on port 443, and it must accept the internal reverse proxy's SSL certificate as valid (i.e. the internal certificate chain has to be trusted on the Edge Server; do not disable certificate verification on the proxied connection).

Ports

External (required)

These ports must be open to the internet.

====================================  =========  ========  =====  ========================================
Service                               Direction  Protocol  Ports  Hostnames/IPs
====================================  =========  ========  =====  ========================================
Grape                                 In         TCP       443    your Grape server
GCM (Android Push Notifications) [1]  Out        TCP       443    android.googleapis.com
                                                                  fcm.googleapis.com
                                                                  or allow the IPs from Google's IP list
APNs (iOS Push Notifications) [2]     In & Out   TCP       443    api.push.apple.com (HTTP/2, TLS 1.2)
WNS (Windows Phone 8.1 Push) [3]      Out        TCP       443    next-services.apps.microsoft.com
                                                                  *.wns.windows.com
                                                                  *.notify.windows.com
                                                                  wscont1.apps.microsoft.com
Grape Docker Registry                 Out        TCP       443    docker-registry-builds.chatgrape.com
Grape Docker Image Distribution       Out        TCP       443    distrib.ubergrape.com
====================================  =========  ========  =====  ========================================
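A practical way to use the outbound entries of this table is a default-deny egress allowlist on the Grape host, so that only the documented destinations are reachable and anything else (including traffic from a compromised container) is dropped and logged. The shell script below is an added example, not part of the Grape documentation. It copies the outbound hostnames and ports from the table into an nftables ruleset; the table and chain names, the DNS rule and the handling of wildcard entries are this example's own choices, and inbound rules (the Grape and APNs "In" rows) are left to the firewall in front of the server.

```shell
#!/bin/sh
# Added example (not part of the Grape documentation): build an nftables egress
# allowlist from the "External (required)" outbound table. Table/chain names
# and rule layout are this example's choices; host/port values are the table's.

# Constructed copy of the outbound rows: "<service>|<hostname>|<tcp port>"
GRAPE_EGRESS='gcm|android.googleapis.com|443
gcm|fcm.googleapis.com|443
wns|next-services.apps.microsoft.com|443
wns|*.wns.windows.com|443
wns|*.notify.windows.com|443
wns|wscont1.apps.microsoft.com|443
registry|docker-registry-builds.chatgrape.com|443
distrib|distrib.ubergrape.com|443'

# classify_host HOSTNAME -> prints "literal" or "wildcard".
# nft resolves a literal hostname with the system resolver when the ruleset is
# loaded (so reload it when DNS changes). A wildcard such as *.wns.windows.com
# has nothing to resolve; it needs the vendor's published IP ranges or an
# egress proxy that filters on the requested hostname.
classify_host() {
  case "$1" in
    \**) printf 'wildcard\n' ;;
    *)   printf 'literal\n' ;;
  esac
}

# count_entries KIND -> number of table rows whose hostname is of KIND.
count_entries() {
  printf '%s\n' "$GRAPE_EGRESS" | while IFS='|' read -r _svc host _port; do
    [ "$(classify_host "$host")" = "$1" ] && echo x
  done | wc -l | tr -d ' '
}

# emit_nft_rules -> nft script on stdout: default-deny output chain that
# permits only the documented destinations (plus DNS to resolve them).
emit_nft_rules() {
  printf 'table inet grape_egress {\n'
  printf '  chain output {\n'
  printf '    type filter hook output priority 0; policy drop;\n'
  printf '    oif lo accept\n'
  printf '    ct state established,related accept\n'
  printf '    udp dport 53 accept    # DNS; narrow this to your resolvers\n'
  printf '%s\n' "$GRAPE_EGRESS" | while IFS='|' read -r svc host port; do
    if [ "$(classify_host "$host")" = literal ]; then
      printf '    ip daddr %s tcp dport %s accept    # %s\n' "$host" "$port" "$svc"
    else
      printf '    # %s: %s is a wildcard; add the published IP ranges or use an egress proxy\n' "$svc" "$host"
    fi
  done
  printf '    log prefix "grape-egress-drop " counter\n'
  printf '  }\n}\n'
}

# Stand-alone usage: print the ruleset (load with: nft -f <file>).
if [ "${1:-}" = "--print" ]; then
  emit_nft_rules
fi
```

The generated chain drops and logs everything that is not explicitly allowed, so unexpected outbound connections show up in the kernel log under the "grape-egress-drop" prefix. The two WNS wildcard rows are emitted as comments on purpose: a hostname-based firewall cannot express them, and silently skipping them would leave push notifications broken without any hint as to why.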

External Search Integrations (optional)

All built-in External Search Integrations use HTTPS. For more information on how to set them up, see Built-in External Search Integrations.

The server also tries to generate a preview for links posted in the chat. This often requires additional hostnames/URLs to be whitelisted, which is why several hostnames are listed for some services.

=============  =========  ========  =====  =====================================================
Service        Direction  Protocol  Ports  Hostnames/URLs
=============  =========  ========  =====  =====================================================
(All)          Out        TCP       443    https://www.google.com/s2/favicons
YouTube        Out        TCP       443    https://www.googleapis.com/youtube/v3, https://www.youtube.com/
Wikipedia      Out        TCP       443    https://en.wikipedia.org/wiki/
StackOverflow  Out        TCP       443    https://api.stackexchange.com/
Spotify        Out        TCP       443    https://api.spotify.com/
Imgur          Out        TCP       443    https://api.imgur.com/
Google Maps    Out        TCP       443    https://maps.googleapis.com/maps/api/
Giphy          Out        TCP       443    https://api.giphy.com, https://*.giphy.com
=============  =========  ========  =====  =====================================================

Internal

Depending on your setup, Grape also needs to be able to communicate internally in your network:

  • Active Directory server
  • File server
  • SMTP server
  • All integrated services (SharePoint, Exchange, …)

====================  =========  ========  ======  ================================================
Service               Direction  Protocol  Ports   Note
====================  =========  ========  ======  ================================================
SMTP                  Out        TCP       25/587  You can configure the SMTP port in the Grape setup
Exchange Integration  In & Out   TCP       443     HTTPS requests need to work in both directions
NetApp Integration    Out        TCP       139     SMB 2.0
SharePoint 2013       Out        TCP       80/443
====================  =========  ========  ======  ================================================
[1] https://github.com/google/gcm/issues/134
[2] https://developer.apple.com/documentation/usernotifications/setting_up_a_remote_notification_server/sending_notification_requests_to_apns
[3] https://stackoverflow.com/questions/23044724/microsoft-windows-notification-service-ip-address-range