Configure your firewall settings for xDB Cloud
Configure your firewall settings so you can securely connect Sitecore xDB Cloud with its relevant endpoints.
You can configure your firewall so that you can connect Sitecore xDB Cloud securely with the following external endpoints:
Reporting service
Azure Cognitive Search service
MongoDB Servers
Get firewall setting endpoints
To configure your firewall settings, you can request the Sitecore xDB Cloud set endpoints for firewall settings by using the REST API reference for the xDB Cloud service: Get Firewall settings V2.
For example, a set of endpoints could look like this:
Endpoint | Location |
|---|---|
| https:// [service name].search.windows.net:443 |
| https://reporting-prod-[service name].cloudapp.net:443 |
| ds[service name]-a0.qmt44.fleet.mongolab.com:[port] |
| ds[service name]-a1.qmt44.fleet.mongolab.com:[port] |
Note
There is currently one xDB Cloud firewall configuration limitation: xDB Cloud does not currently support any static IPs or ranges of IPs for setting up firewall restrictions. xDB Cloud's MongoDB servers, Reporting Service, and other endpoints have a dynamic set of IP addresses that can change within the lifetime of the deployment.
To ensure that Sitecore xDB Cloud works correctly and securely in all scenarios, you must configure your firewall settings with a rule to allow requests to the following services: the Search Service, Reporting Service, and MongoDB Servers. You can obtain these services by calling the Get Firewall settings endpoint.
Important
If you are using xDB Cloud 1.0, you must also configure your firewall for the Discovery Service: discovery.xdb.cloud.sitecore.net
Sitecore only requires communication with MongoDB data nodes. The monitoring process can show an outbound connection to the MongoDB arbiter as well, but you can block this as it will have no effect on how Sitecore is running.
To configure your firewall and application servers for use with the MongoDB SSL connection, as part of Sitecore xDB Cloud service:
Go to the REST API reference for the xDB Cloud service, Get Firewall settings V2.
Open the firewall ports for hostnames and the ports listed for the MongoDB connection strings. For example, a MongoDB URI can contain the following hostnames and ports:
ds046408-a0.qmt44.fleet.mongolab.com, port 46408ds046408-a1.qmt44.fleet.mongolab.com, port 46406
To download the SSL certificate for your MongoDB database:
In your browser, connect to your MongoDB server using HTTPS. For example:
https://ds046408-a0.qmt44.fleet.mongolab.com:46408
MongoDB responds with the following message: “It looks like you are trying to access MongoDB over HTTP on the native driver port.”
In the Certificate Viewer dialog, on the General tab, use the padlock icon to view the connection certificate
Download and install the Trusted Root Authority certificate to the application server that is running Sitecore.
In the Certificate Viewer, dialog, on the Details tab, in the Certificate Fields field, click Authority Information Access.
In the Field Value field, in the CA Issuers: URI: section, copy the link to the certification authority certificate into your browser. For example, http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
Use the link to download the CRT file to the application server and install onto: (Local Computer)\Trusted Root Certification Authorities\Certificates certificate store. See the Microsoft website for more information on adding certificates to the Trusted Root Certification Authorities store for a local computer.
In your firewall, open access to the On-line Certificate Status Protocol endpoint for Digicert,
ocsp.digicert.com, port 80.In your firewall, open access to the Certificate Revocation Lists (CRL) Distribution Points. You can find the links in the CRL Distribution Points field of the Trusted Root Authority certificate:
Note
You can use the DigiCert Certificate Utility to verify server access to CRL and OCSP endpoints.