Firewall Rules User Guide

Each Room in Tehama has its own set of firewall rules, defined by the Room's connected organization.

Tehama’s policy is that, by default, remote applications/services cannot be accessed from a Room’s Desktops.

If the connected organization wants Desktop users to be able to access a particular remote application/service, they must add a firewall rule to the Room to allow access.

If the Room's connected organization has set the Room's 'Network Access' to 'Tehama Gateway', then access to the Room's Desktops is managed through the Room's Tehama Gateway which runs in the connected organization's private network (or the Room's two Tehama Gateways, if the Room has the 'Multiple Gateways' option enabled for redundancy). The Tehama Gateway will only allow access to the Desktops from remote applications/services which it can access and for which the Room has firewall access rules defined.

If the Room's connected organization has set the Room's 'Network Access' to 'Internet Only', then access to the Room's Desktops is managed through the Room's infrastructure, which, similarly to the Gateway, will only allow access to the Desktops from remote applications/services for which the Room has firewall access rules defined.

Note that when 'Network Access' is set to 'Internet Only', Tehama denies all UDP traffic apart from DNS lookup.

There are two types of firewall rules.


Custom Rules

Custom rules are firewall exceptions added and removed explicitly by the user through the firewall rules 'custom' interface.

Custom rules are typically not associated with a particular Room asset. Rules that are tied to a specific asset should instead be added as inferred rules, through the asset's entry in the secrets vault.

The rules can be managed (added/removed) from the custom firewall rules interface in the Tehama Web UI and viewed from the custom firewall rules interface in both the Tehama Web UI and the Desktop Agent running in a Desktop session.

 • View Custom Rules

View the custom firewall rules from:

Desktop custom firewall rules interface:

  1. Connect to a Desktop session.
  2. Open the Desktop Agent application.
  3. Click on the FIREWALL RULES tab.
  4. Click on CUSTOM.

[Figure: Firewall-rules-custom-desktop]

Tehama Web UI custom firewall rules interface:

  1. Log in to the Tehama Web UI.
  2. Click on the ROOMS tab.
  3. Click on the name of the Room you want to access custom firewall rules in. You will see the user interface for the Room.
  4. Click on the Room's CONNECTION tab.
  5. Select the FIREWALL RULES sidebar item.
  6. If necessary, click on the SHOW CUSTOM RULES button.

[Figure: Firewall-rules-custom-client]

 • Add Custom Rule

To add a custom rule do the following:

  1. View the custom firewall rules page.
  2. Click on the ADD RULES dropdown to open it.
  3. Select "Add Custom Rule". The ADD RULE dialog will appear.
  4. Enter the following information:
    • Rule Name: the name you wish the rule to appear under.
    • IPv4 CIDR block: this must take the form "127.0.0.1/32".
    • Protocol: the protocol supported by the rule (TCP or UDP).
    • Port: this can be a single port, a port-range (e.g.: minimum 32 to maximum 63) or all ports between 0 and 65535.
  5. Click CREATE. The rule will appear in the list.

 • Import Custom Rules

To import multiple (up to 300) custom rules from a Comma Separated Values (CSV) file, do the following:

A. Construct a spreadsheet with the following format:

name     cidr           protocol   port
FWR 1    0.0.0.0/0      UDP        6431
FWR 2    127.0.0.1/0    TCP        3368
FWR 3    0.0.0.0/0      TCP        32-63
FWR 4    127.0.0.1/32   TCP        All

  • name: The rule name you wish the rule to appear under. The names must be unique.
  • cidr: The IPv4 CIDR block - this must take the form "127.0.0.1/32".
  • protocol: The protocol supported by the rule (TCP or UDP).
  • port: The port(s) supported. This can be a single port, a port-range (minimum and maximum separated by a dash: e.g.: 32-63), or all ports between 0 and 65535 ("All").

The maximum number of rules that can be imported at once is 300.

B. Generate a CSV file from the spreadsheet.

C. Import the CSV file:

  1. View the custom firewall rules page.
  2. Click on the ADD RULES dropdown to open it.
  3. Select "Import Firewall Rules". The IMPORT FIREWALL RULES dialog will appear.
  4. Click IMPORT FIREWALL RULES.
  5. Select your CSV file from the file selection dialog and click Open. The rules in the CSV file will begin to be imported asynchronously. A dialog will appear to let you know the process has started.
  6. Click CLOSE to dismiss the dialog.
  7. Track the progress of the import through the Activity Stream. Once the selected firewall rules have been processed, they will appear in the list of rules on the custom firewall rules page. You may need to refresh the page to see them.
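Because an import is processed asynchronously and a single overly broad row can open every host and port, it is worth checking the CSV against the documented format before uploading it. The following script is an added example, not Tehama's own tooling; it assumes the column layout shown above, that rule names must be unique, and that 300 is the per-import limit, and its sample input is the guide's four rows plus one constructed full-access row (FWR 5) that the check flags.

```python
import csv, io, ipaddress

MAX_RULES = 300  # per-import limit stated in the guide

# Constructed sample: the guide's four rows plus a hypothetical full-access row (FWR 5).
SAMPLE_CSV = """name,cidr,protocol,port
FWR 1,0.0.0.0/0,UDP,6431
FWR 2,127.0.0.1/0,TCP,3368
FWR 3,0.0.0.0/0,TCP,32-63
FWR 4,127.0.0.1/32,TCP,All
FWR 5,0.0.0.0/0,TCP,All
"""

def parse_port(spec):
    """Turn '6431', '32-63' or 'All' into (lo, hi); ValueError on bad input."""
    if spec.strip().lower() == "all":
        return 0, 65535
    lo, hi = map(int, spec.split("-")) if "-" in spec else (int(spec), int(spec))
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"port(s) out of range in {spec!r}")
    return lo, hi

def validate_rules_csv(text):
    """Check CSV text against the documented columns; return (rules, problems)."""
    rules, problems, seen = [], [], set()
    for n, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        name = (row.get("name") or "").strip()
        if not name or name in seen:
            problems.append(f"line {n}: missing or duplicate name {name!r}")
        seen.add(name)
        try:  # strict=False normalises host bits, e.g. 127.0.0.1/0 -> 0.0.0.0/0
            net = ipaddress.IPv4Network((row.get("cidr") or "").strip(), strict=False)
        except ValueError:
            problems.append(f"line {n}: invalid IPv4 CIDR {row.get('cidr')!r}")
            continue
        proto = (row.get("protocol") or "").strip().upper()
        if proto not in ("TCP", "UDP"):
            problems.append(f"line {n}: protocol must be TCP or UDP, got {proto!r}")
        try:
            lo, hi = parse_port(row.get("port") or "")
        except ValueError as err:
            problems.append(f"line {n}: {err}")
            continue
        if net.prefixlen == 0 and (lo, hi) == (0, 65535):  # every host, every port
            problems.append(f"line {n}: {name!r} grants full access over {proto}")
        rules.append((name, str(net), proto, lo, hi))
    if len(rules) > MAX_RULES:
        problems.append(f"{len(rules)} rules exceeds the import limit of {MAX_RULES}")
    return rules, problems
```

Rows that fail validation are reported but not included in the returned rule list; a full-access row is kept but flagged so it can be reviewed before the import is approved.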

 • Allow Web Access

Access to the web requires access to all TCP endpoints over HTTP and HTTPS. Add the firewall exceptions for web access as follows:

  1. View the custom firewall rules page.
  2. Click on the ADD RULES dropdown to open it.
  3. Select "Allow Web Access". The ALLOW WEB ACCESS dialog will appear.
  4. Click YES to approve the addition of the shown endpoints. The rules will appear in the list.

 • Allow Full Access

Full access requires access to all TCP endpoints. Add the firewall exceptions for full access as follows:

  1. View the custom firewall rules page.
  2. Click on the ADD RULES dropdown to open it.
  3. Select "Allow Full Access". The ALLOW FULL ACCESS dialog will appear.
  4. Click YES to approve the addition of the shown endpoint. The rule will appear in the list.

 • Remove Custom Rule(s)

Remove a custom firewall rule as follows:

  1. View the custom firewall rules page.
  2. Locate the entry you wish to remove.
  3. Click on the three vertical dots under the Actions column in the entry. A drop down list of actions will appear.
  4. Select "Remove". The DELETE FIREWALL RULE dialog will appear.
  5. Click DELETE. The rule will no longer appear in the list.

Remove multiple (up to 300) custom firewall rules at once as follows:

  1. View the custom firewall rules page.
  2. Locate the entries you wish to remove.
  3. Select each of them by clicking in the checkboxes found to their left.
    After at least one entry has been selected, a banner will appear at the bottom of the page. You can click on the SELECT button in the banner to select all of the entries. Unselect an entry by clicking again on its checked checkbox. A maximum of 300 selected rules will be processed.
  4. Click on the trash-can icon found in the banner at the bottom of the page. The DELETE FIREWALL RULES dialog will appear.
  5. Click DELETE. The selected rules will begin to be deleted asynchronously. A dialog will appear to let you know the process has started.
  6. Click CLOSE to dismiss the dialog.
  7. Track the progress of the deletion through the Activity Stream. Once the selected firewall rules have been processed, they will no longer appear in the list of rules on the custom firewall rules page. You may need to refresh the page to see the change in the list.

Inferred Rules

Inferred rules are firewall exceptions that are linked to assets configured in the secrets vault.

An inferred firewall exception rule may be added to the list of inferred rules when an asset is added to the secrets vault.

When an asset that specifies a firewall exception is removed from the secrets vault its associated inferred firewall exception rule is removed from the list of inferred rules.

If there is no firewall exception specified in the vault for an asset, then Tehama will not allow that asset to be accessed, unless a custom firewall rule provides an equivalent exception. The preferred approach is to manage the exceptions for an asset from that asset's entry in the secrets vault.

 • View Inferred Rules

View the inferred firewall rules from:

Desktop inferred firewall rules interface:

  1. Connect to a Desktop session.
  2. Open the Desktop Agent application.
  3. Click on the FIREWALL RULES tab.
  4. Click on INFERRED.

[Figure: Firewall-rules-inferred-desktop]

Tehama Web UI inferred firewall rules interface:

  1. Log in to the Tehama Web UI.
  2. Click on the ROOMS tab.
  3. Click on the name of the Room you want to access inferred firewall rules in. You will see the user interface for the Room.
  4. Click on the Room's CONNECTION tab.
  5. Select the FIREWALL RULES sidebar item.
  6. If necessary, click on the SHOW INFERRED RULES button.

[Figure: Firewall-rules-inferred-client]