KB0020 - Firewall Configuration for PowerShell Universal

Purpose

The purpose of this document is to provide information about the firewall settings required by PowerShell Universal.

Overview

PowerShell Universal does not offer a built-in firewall. We recommend using the standard firewalls available in your environment. This document outlines the ports that are required for various features to function properly.
Although PowerShell Universal cannot filter by IP address itself, it is possible to configure host filtering.

Inbound

PowerShell Universal listens on any configured port. By default, it will run on port 5000. Standard configurations will typically run PowerShell Universal on HTTPS and port 443. 

You can use standard Windows Firewall rules to limit which IP address ranges have access to PowerShell Universal. It doesn't employ any IP address filtering itself. To access it, you will only need to add a rule for HTTP (port 80) and/or HTTPS (port 443).

In the Windows firewall settings, you can use the scope tab to limit which IPs have access. 
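
The Scope tab restriction described above can also be applied with the built-in NetSecurity cmdlets. This is an added example, not part of the original article; the port, subnets and rule name are assumed values to replace with your own.

```powershell
#Requires -RunAsAdministrator
# Assumed values (not from the article): adjust to your environment.
$Port           = 443                                   # port PowerShell Universal listens on
$AllowedSubnets = @('10.20.0.0/16', '192.168.50.0/24')  # constructed example ranges
$RuleName       = 'PowerShell Universal (HTTPS, scoped)' # hypothetical rule name

# 1. Audit: enabled inbound allow rules that already open this port to any
#    remote address. Allow rules are additive, so one unscoped rule on the
#    same port makes a scoped rule ineffective.
#    Only exact port matches are checked; port ranges and "Any" are not expanded.
$tooBroad = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $portFilter = $_ | Get-NetFirewallPortFilter
        $addrFilter = $_ | Get-NetFirewallAddressFilter
        $portFilter.Protocol -eq 'TCP' -and
        ($portFilter.LocalPort -contains "$Port") -and
        ($addrFilter.RemoteAddress -contains 'Any')
    }

# 2. Create the scoped rule once (equivalent to filling in "Remote IP address"
#    on the Scope tab of the rule's properties).
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $Port `
        -RemoteAddress $AllowedSubnets | Out-Null
}

# 3. Report: the scope now in effect, plus any rules that need tightening.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

if ($tooBroad) {
    Write-Warning "Port $Port is also allowed from any address by these rules:"
    $tooBroad | Select-Object DisplayName, Profile | Format-Table -AutoSize
}
```

Rules listed by the warning should be disabled or given their own remote address scope; otherwise the port stays reachable from every address.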

Outbound

In terms of outbound rules, PowerShell Universal will only need network access for the following features. None of these features are required.

Updates: 

PowerShell Universal communicates with IronmanSoftware.com to check to see if there are updates to the platform. Port 443 access is required.

PowerShell Modules:

The Modules feature of PowerShell Universal communicates with the PowerShellGallery.com website to download and install modules onto the machine when requested to do so.  Port 443 access is required.

Universal Dashboard Components: 

PowerShell Universal communicates with marketplace.universaldashboard.io to view and download community developed components.  Port 443 access is required.

PowerShell Universal Templates

PowerShell Universal will communicate with IronmanSoftware.com to browse for and install templates.  Port 443 access is required.

Git Support

In order to synchronize with a remote git repository, HTTPS or SSH access will need to be provided. Port 443 is the default for HTTPS and port 22 is the default for SSH.

SQL Server Support

In order to store configuration and historical data in a SQL server, PowerShell Universal will need access to port 1433 by default. 

Azure Application Insights

In order to send monitoring data to Azure, you will need to enable access to port 443. Data will be sent to Microsoft's Azure platform. You will need to enter your Application Insights key in order to enable this feature. 

Port Table


| Feature | Port | Direction | Required |
|---|---|---|---|
| Default Web Server Port (configurable) | 5000 | Inbound | Yes |
| Updates | 443 | Outbound | No |
| PowerShell Modules | 443 | Outbound | No |
| Universal Dashboard Components | 443 | Outbound | No |
| Universal Templates | 443 | Outbound | No |
| Git Support (HTTPS) | 443 | Outbound | No |
| Git Support (SSH) | 22 | Outbound | No |
| SQL Server Support | 1433 | Outbound | No |
| Azure Application Insights | 443 | Outbound | No |