Firewall Rules

Each room in Tehama has its own set of firewall rules, defined by the room's connected organization.

Tehama’s policy is that, by default, remote applications/services cannot be accessed from a room’s desktops.

If the connected organization wants desktop users to be able to access a particular remote application/service, they must add a firewall rule to the room to allow access.

If the room's connected organization has set the room's 'Network Access' to 'Tehama Gateway', then access to the room's desktops is managed through the room's Tehama Gateway which runs in the connected organization's private network (or the room's two Tehama Gateways, if the room has the 'Multiple Gateways' option enabled for redundancy). The Tehama Gateway will only allow access to the desktops from remote applications/services which it can access and for which the room has firewall access rules defined.

If the room's connected organization has set the room's 'Network Access' to 'Internet Only', then access to the room's desktops is managed through the room's infrastructure, which, like the gateway, will only allow access to the desktops from remote applications/services for which the room has firewall access rules defined.

Note that when 'Network Access' is set to 'Internet Only', Tehama denies all UDP traffic apart from DNS lookup.

There are two types of firewall rules.


Custom rules

Custom rules are firewall exceptions added and removed explicitly by the user through the firewall rules 'custom' interface.

Custom rules are not typically associated with a particular room asset. Rules that are tied to a particular asset should instead be added as inferred rules, through that asset's entry in the secrets vault.

The rules can be managed (added/removed) from the custom firewall rules interface.

View the custom firewall rules interface from:

Desktop custom firewall rules interface:
Navigate to the Desktop's FIREWALL RULES tab, then select CUSTOM.

Firewall-rules-custom-desktop

Tehama Web UI custom firewall rules interface:
Navigate to the Room's CONNECTION tab, select the FIREWALL RULES sidebar item, then, if necessary, click on the SHOW CUSTOM RULES button.

Firewall-rules-custom-client

Add custom firewall rule

Click on ADD FIREWALL RULE (ADD RULE in the Tehama Web UI) then enter the following information:

  • Rule Name: the name you wish the rule to appear under.
  • IPv4 CIDR block: this must take the form "127.0.0.1/32".
  • Protocol: the protocol supported by the rule (TCP or UDP).
  • Port: this can be a single port or a port-range (1-65535).

Click on CREATE. The rule will appear in the list.

Allow Access to WAM

The Amazon WorkSpaces Application Manager (WAM) (only available in Windows 7 Desktops) requires access to a group of remote cloud-based assets. Add the firewall exceptions for this access as follows:

Click on ALLOW ACCESS TO WAM (ALLOW WAM in the Tehama Web UI) then approve the list of endpoints shown by clicking on YES. The rules will appear in the list.

Remove custom firewall rule

Click on the trash-can icon for the entry you wish to remove, then click on DELETE.


Inferred rules

Inferred rules are firewall exceptions that are linked to assets configured in the secrets vault.

An inferred firewall exception rule may be added to the list of inferred rules when an asset is added to the secrets vault.

When an asset that specifies a firewall exception is removed from the secrets vault its associated inferred firewall exception rule is removed from the list of inferred rules.

If there is no firewall exception specified in the vault for an asset, then Tehama will not allow that asset to be accessed, unless a custom firewall rule provides an equivalent exception. It is preferred to manage exceptions for an asset from the asset's entry in the secrets vault.
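The following Python model is an added example, not Tehama's own code or API. It ties together the custom rule form described under "Add custom firewall rule" (rule name, IPv4 CIDR block, TCP/UDP protocol, single port or port range) and the inferred-rule lifecycle described in this section (a rule appears when a vault asset that specifies an exception is added, and disappears when the asset is removed). It also applies the default-deny policy and the 'Internet Only' restriction that non-DNS UDP is denied. The class and field names, the strict CIDR check (host bits must be zero), and the decision to let UDP/53 fall through to the rule set rather than be permitted unconditionally are assumptions made for the example.

```python
"""Model of a room firewall: default deny, plus custom and inferred allow rules.

Added example; not Tehama's implementation. Names and strictness choices are assumptions.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional

PORT_MIN, PORT_MAX = 1, 65535


@dataclass(frozen=True)
class FirewallRule:
    name: str       # Rule Name
    cidr: str       # IPv4 CIDR block, e.g. "127.0.0.1/32"
    protocol: str   # "TCP" or "UDP"
    ports: str      # single port "443" or range "8000-8100"


def parse_ports(spec: str) -> tuple[int, int]:
    """Parse a single port or a 'low-high' range, enforcing 1-65535."""
    parts = spec.split("-")
    if len(parts) not in (1, 2):
        raise ValueError(f"bad port spec {spec!r}")
    low, high = int(parts[0]), int(parts[-1])
    if not (PORT_MIN <= low <= high <= PORT_MAX):
        raise ValueError(f"port spec {spec!r} outside {PORT_MIN}-{PORT_MAX}")
    return low, high


def validate_rule(rule: FirewallRule) -> FirewallRule:
    """Reject a rule whose fields do not match the form the UI asks for."""
    if not rule.name.strip():
        raise ValueError("rule name must not be empty")
    # Assumption: host bits must be zero, so "10.0.0.1/24" is rejected as ambiguous.
    ipaddress.IPv4Network(rule.cidr, strict=True)
    if rule.protocol not in ("TCP", "UDP"):
        raise ValueError(f"protocol must be TCP or UDP, got {rule.protocol!r}")
    parse_ports(rule.ports)
    return rule


@dataclass
class VaultAsset:
    """A secrets-vault asset; the exception is None when the entry specifies none."""
    name: str
    firewall_exception: Optional[FirewallRule] = None


@dataclass
class RoomFirewall:
    network_access: str  # "Tehama Gateway" or "Internet Only"
    custom: dict[str, FirewallRule] = field(default_factory=dict)    # keyed by rule name
    inferred: dict[str, FirewallRule] = field(default_factory=dict)  # keyed by asset name

    def add_custom(self, rule: FirewallRule) -> None:
        self.custom[rule.name] = validate_rule(rule)

    def remove_custom(self, name: str) -> None:
        self.custom.pop(name)

    def add_asset(self, asset: VaultAsset) -> None:
        """Adding a vault asset that specifies an exception creates an inferred rule."""
        if asset.firewall_exception is not None:
            self.inferred[asset.name] = validate_rule(asset.firewall_exception)

    def remove_asset(self, asset_name: str) -> None:
        """Removing the asset removes its inferred rule (no-op if it had none)."""
        self.inferred.pop(asset_name, None)

    def effective_rules(self) -> list[FirewallRule]:
        return [*self.custom.values(), *self.inferred.values()]

    def allows(self, dst_ip: str, protocol: str, port: int) -> bool:
        """Default deny: a destination is reachable only via a matching rule."""
        # 'Internet Only' denies all UDP apart from DNS, regardless of rules.
        if self.network_access == "Internet Only" and protocol == "UDP" and port != 53:
            return False
        addr = ipaddress.IPv4Address(dst_ip)
        for rule in self.effective_rules():
            low, high = parse_ports(rule.ports)
            if (rule.protocol == protocol and low <= port <= high
                    and addr in ipaddress.IPv4Network(rule.cidr)):
                return True
        return False


if __name__ == "__main__":
    # Constructed sample: one custom rule plus one inferred rule from a vault asset.
    fw = RoomFirewall("Tehama Gateway")
    fw.add_custom(FirewallRule("web", "203.0.113.0/24", "TCP", "443"))
    fw.add_asset(VaultAsset("db", FirewallRule("db", "10.0.5.0/24", "TCP", "5432-5433")))
    print(fw.allows("203.0.113.10", "TCP", 443), fw.allows("10.0.5.7", "TCP", 5433))
    fw.remove_asset("db")
    print(fw.allows("10.0.5.7", "TCP", 5433))
```

An audit script built on this model would list `effective_rules()` per room and flag any custom rule that duplicates an inferred one, since the text above prefers managing an asset's exception from its vault entry.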

View the inferred firewall rules interface from:

Desktop inferred firewall rules interface:
Navigate to the Desktop's FIREWALL RULES tab, then select INFERRED.

Firewall-rules-inferred-desktop

Tehama Web UI inferred firewall rules interface:
Navigate to the Room's CONNECTION tab, select the FIREWALL RULES sidebar item, then, if necessary, click on the SHOW INFERRED RULES button.

Firewall-rules-inferred-client