Firewall Rules

Each room in Tehama has its own set of firewall rules. These rules are exceptions that allow access to the room's Desktops from remote applications/services.

If the room's connected organization has set the room's 'Network Access' to 'Tehama Gateway', then this access is managed through the room's Tehama Gateway.

If the room's connected organization has set the room's 'Network Access' to 'Internet Only', Tehama denies all UDP traffic apart from DNS lookup.

There are two types of firewall rules.


Custom rules

Custom rules are firewall exceptions added and removed explicitly by the user through the firewall rules 'custom' interface.

Custom rules are not typically associated with a particular room asset; a rule for a specific asset should instead be added as an inferred rule, through that asset's entry in the secrets vault.

The rules can be managed (added/removed) from the custom firewall rules interface.

View the custom firewall rules interface from:

Desktop custom firewall rules interface:
Navigate to the Desktop's FIREWALL RULES tab, then select CUSTOM.

[Screenshot: Firewall-rules-custom-desktop]

Tehama client custom firewall rules interface:
Navigate to the Room's CONNECTION tab, select the FIREWALL RULES sidebar item, then, if necessary, click on the SHOW CUSTOM RULES button.

[Screenshot: Firewall-rules-custom-client]

Add custom firewall rule

Click on ADD FIREWALL RULE (ADD RULE in the Tehama client) then enter the following information:

  • Rule Name: the name you wish the rule to appear under.
  • IPv4 CIDR block: an IPv4 address with an explicit prefix length, in the form "127.0.0.1/32".
  • Port: this can be a single port or a port-range (1-65535).

Click on CREATE. The rule will appear in the list.

Allow Access to WAM

The Amazon Workspace Application Manager (WAM) (only available in Windows 7 Desktops) requires access to a group of remote cloud-based assets. Add the firewall exceptions for this access as follows:

Click on ALLOW ACCESS TO WAM (ADD RULE in the Tehama client) then approve the list of endpoints shown by clicking on YES. The rules will appear in the list.

Remove custom firewall rule

Click on the trash-can icon for the entry you wish to remove, then click on DELETE.


Inferred rules

Inferred rules are firewall exceptions that are linked to assets configured in the secrets vault.

An inferred firewall exception rule may be added to the list of inferred rules when an asset is added to the secrets vault.

When an asset that specifies a firewall exception is removed from the secrets vault its associated inferred firewall exception rule is removed from the list of inferred rules.

If no firewall exception is specified in the vault for an asset, Tehama will not allow that asset to be accessed, unless a custom firewall rule provides an equivalent exception. Managing the exception from the asset's own entry in the secrets vault is the preferred approach.
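The following is an added example, not Tehama code: it validates the three fields of the rule form described under "Add custom firewall rule" (name, IPv4 CIDR block, port or port range) and then checks a destination against a combined list of custom and inferred rules, applying the two policy statements above (UDP other than DNS is dropped in an 'Internet Only' room; anything not covered by a rule is denied). The decision model in is_allowed is a simplifying assumption based only on this page, not Tehama's actual engine.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class FirewallRule:
    """One allow-exception, whether entered as a custom rule or inferred from a vault asset."""
    name: str
    cidr: ipaddress.IPv4Network  # entered as "a.b.c.d/nn", e.g. "127.0.0.1/32"
    port_lo: int                 # a single port is stored as port_lo == port_hi
    port_hi: int

def parse_port(spec: str) -> tuple[int, int]:
    """Accept "443" or "8000-8080"; both bounds must lie within 1-65535."""
    lo, _, hi = spec.strip().partition("-")
    lo_i = int(lo)
    hi_i = int(hi) if hi else lo_i
    if not 1 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"port spec out of range: {spec!r}")
    return lo_i, hi_i

def make_rule(name: str, cidr: str, port: str) -> FirewallRule:
    """Validate the three form fields. An explicit prefix length is required and,
    with strict=True, a block with host bits set (10.0.0.5/24) is rejected
    rather than silently widened to 10.0.0.0/24."""
    if "/" not in cidr:
        raise ValueError(f"CIDR block needs an explicit prefix length: {cidr!r}")
    net = ipaddress.IPv4Network(cidr.strip(), strict=True)  # also rejects IPv6 input
    lo, hi = parse_port(port)
    return FirewallRule(name, net, lo, hi)

def is_valid_rule_input(cidr: str, port: str) -> bool:
    """True when the CIDR and port fields would be accepted by make_rule."""
    try:
        make_rule("check", cidr, port)
        return True
    except ValueError:
        return False

def is_allowed(rules, dst_ip: str, dst_port: int, proto: str, network_access: str) -> bool:
    """Simplified model (an assumption drawn from this page, not Tehama's engine):
    an 'Internet Only' room drops all UDP except DNS (port 53); any other flow
    from the Desktop is denied unless some custom or inferred rule covers it."""
    if network_access == "Internet Only" and proto.lower() == "udp" and dst_port != 53:
        return False
    ip = ipaddress.IPv4Address(dst_ip)
    return any(ip in r.cidr and r.port_lo <= dst_port <= r.port_hi for r in rules)
```

The strict CIDR check matters in practice: accepting "10.0.0.5/24" as written would quietly open the whole /24 instead of the one host the operator meant.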

View the inferred firewall rules interface from:

Desktop inferred firewall rules interface:
Navigate to the Desktop's FIREWALL RULES tab, then select INFERRED.

[Screenshot: Firewall-rules-inferred-desktop]

Tehama client inferred firewall rules interface:
Navigate to the Room's CONNECTION tab, select the FIREWALL RULES sidebar item, then, if necessary, click on the SHOW INFERRED RULES button.

[Screenshot: Firewall-rules-inferred-client]