Network

Architecture

[Figure: Grape network architecture (network_architecture_grape.png)]

Web Server

In front of the Grape application, you need a web server that holds a valid TLS certificate for the domain where Grape will run (e.g. grape.example.com). You can either run this web server on a separate machine or install it on the machine that runs Grape. If the web server that does the TLS termination runs on a separate machine, the network connection between the two machines should be encrypted.

The step-by-step install guide contains a section on how to set up an nginx web server to work with Grape.

Edge Server

Optionally, you can set up a second Grape web server as an Edge Server. This server can stay in the DMZ and allow users from the outside to connect to Grape without using a VPN. This is particularly useful when some mobile devices have no VPN set up but still need to access Grape without compromising security.

The Edge Server is an HTTP reverse proxy and can be set up by the client or by our networking team. It needs to be able to connect to the internal Grape reverse proxy on port 443, and it must accept the internal reverse proxy's SSL certificate as valid.

Ports

External (required)

These ports must be open to the Internet.

| Service | Direction | Protocol | Ports | Hostnames/IPs |
|---|---|---|---|---|
| Grape | In | TCP | 443 | your Grape Server |
| GCM (Android Push Notifications) [1] | Out | TCP | 443 | android.googleapis.com |
| | Out | TCP | 443 | fcm.googleapis.com |
| | Out | TCP | 443 | or allow those IPs (Google IPs list) |
| APNs (iOS Push Notifications) [2] | In & Out | TCP | 443 | api.push.apple.com (17.0.0.0/8), HTTP/2, TLS 1.2 |
| WNS (Windows Phone 8.1 Push) [3] | Out | TCP | 443 | next-services.apps.microsoft.com, *.wns.windows.com, *.notify.windows.com, wscont1.apps.microsoft.com |
| Grape Docker Registry | Out | TCP | 443 | docker-registry-builds.chatgrape.com |
| HaveIBeenPwned.com | Out | TCP | 443 | api.pwnedpasswords.com |
| Grape Docker Image Distribution | Out | TCP | 443 | distrib.ubergrape.com |
| Jitsi Clients Connection | Out | UDP | 11100-11200 | *.grapecall.com |
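As an added example (not part of the Grape documentation or its tooling), the following Python script, run on the Grape host, probes the outbound TCP entries of the table above and classifies each path, so that a silently dropping egress rule or a broken DNS path is found before installation rather than during the first push notification. The short service labels, the function names and the loopback self-check are assumptions of this example; wildcard hosts and the Jitsi UDP range cannot be verified with a plain TCP connect and are left out.

```python
import socket

# Outbound TCP endpoints copied from the "External (required)" table; wildcard
# hosts and the Jitsi UDP range cannot be checked with a TCP connect.
REQUIRED_TCP = [
    ("GCM/FCM", "android.googleapis.com", 443),
    ("GCM/FCM", "fcm.googleapis.com", 443),
    ("APNs", "api.push.apple.com", 443),
    ("WNS", "next-services.apps.microsoft.com", 443),
    ("WNS", "wscont1.apps.microsoft.com", 443),
    ("Docker Registry", "docker-registry-builds.chatgrape.com", 443),
    ("HaveIBeenPwned", "api.pwnedpasswords.com", 443),
    ("Image Distribution", "distrib.ubergrape.com", 443),
]

def probe_tcp(host, port, timeout=3.0):
    """Classify one outbound TCP path: a silent DROP rule shows up as
    "timeout", a REJECT rule or any other immediate socket error as "refused",
    a blocked or missing DNS path as "unresolved", a working path as "open"."""
    try:
        addrs = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "unresolved"
    family, socktype, proto, _, sockaddr = addrs[0]
    try:
        with socket.socket(family, socktype, proto) as s:
            s.settimeout(timeout)
            s.connect(sockaddr)
        return "open"
    except socket.timeout:  # a subclass of OSError, so it must come first
        return "timeout"
    except OSError:
        return "refused"

def check_endpoints(endpoints=REQUIRED_TCP, timeout=3.0):
    """Return {(service, host, port): status} for every listed endpoint."""
    return {(svc, host, port): probe_tcp(host, port, timeout)
            for svc, host, port in endpoints}

def probe_local_listener():
    """Sanity-check the probe against a throwaway listener on loopback."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        return probe_tcp("127.0.0.1", srv.getsockname()[1], timeout=1.0)

if __name__ == "__main__":
    for (svc, host, port), status in check_endpoints().items():
        print(f"{status:10} {svc:20} {host}:{port}")
```

Every line that does not read `open` is a firewall or DNS rule to fix before the corresponding service is expected to work.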

External Search Integrations (optional)

All built-in External Search Integrations use HTTPS. For more information on how to set them up, see Built-in External Search Integrations.

The server will try to generate a preview for links posted in the chat. This often requires additional hostnames/URLs to be whitelisted, hence the list of hostnames for each service.

| Service | Direction | Protocol | Ports | Hostnames/URLs |
|---|---|---|---|---|
| (All) | Out | TCP | 443 | https://www.google.com/s2/favicons |
| YouTube | Out | TCP | 443 | https://www.googleapis.com/youtube/v3, https://www.youtube.com/ |
| Wikipedia | Out | TCP | 443 | https://en.wikipedia.org/wiki/ |
| StackOverflow | Out | TCP | 443 | https://api.stackexchange.com/ |
| Spotify | Out | TCP | 443 | https://api.spotify.com/ |
| Imgur | Out | TCP | 443 | https://api.imgur.com/ |
| Google Maps | Out | TCP | 443 | https://maps.googleapis.com/maps/api/ |
| Giphy | Out | TCP | 443 | https://api.giphy.com, https://*.giphy.com |

Internal

Depending on your setup, Grape also needs to be able to communicate internally in your network:

  • Active Directory server

  • File server

  • SMTP server

  • All integrated services (Sharepoint, Exchange, …)

| Service | Direction | Protocol | Ports | Note |
|---|---|---|---|---|
| SMTP | Out | TCP | 25/587 | You can configure the SMTP port in the Grape setup |
| Exchange Integration | In & Out | TCP | 443 | HTTPS requests need to work in both directions |
| Netapp Integration | Out | TCP | 139 | SMB 2.0 |
| Sharepoint 2013 | Out | TCP | 80/443 | |
| HaveIBeenPwned.com | Out | TCP | 443 | api.pwnedpasswords.com |

[1] https://github.com/google/gcm/issues/134

[2] https://developer.apple.com/documentation/usernotifications/setting_up_a_remote_notification_server/sending_notification_requests_to_apns

[3] https://stackoverflow.com/questions/23044724/microsoft-windows-notification-service-ip-address-range