
# Network Configuration

## Network configuration

The X-Road Security Servers mediate service calls and service responses between Information Systems.

They can be placed in a DMZ between the Information Systems they serve and the Internet.

### X-Road Network Architecture Diagram

<figure><img src="/files/XAgU0ArsUfBlI65vtVXT" alt=""><figcaption><p>X-Road Network Architecture</p></figcaption></figure>

### Port configuration

A Security Server requires the following open ports for proper functioning:

| Port                                    | Purpose                                                                                                                                                                                                      |
| --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **Inbound ports from external network** | Ports for inbound connections from the external network to the security server                                                                                                                               |
| TCP 5500                                | Message exchange between security servers                                                                                                                                                                    |
| TCP 5577                                | Querying of OCSP responses between security servers                                                                                                                                                          |
| **Outbound ports to external network**  | Ports for outbound connections from the security server to the external network                                                                                                                              |
| TCP 5500                                | Message exchange between security servers                                                                                                                                                                    |
| TCP 5577                                | Querying of OCSP responses between security servers                                                                                                                                                          |
| TCP 4001                                | Communication with the central server                                                                                                                                                                        |
| TCP 80                                  | Downloading global configuration from the central server                                                                                                                                                     |
| TCP 80, 443                             | Most common OCSP and time-stamping services                                                                                                                                                                  |
| **Inbound ports from internal network** | Ports for inbound connections from the internal network to the security server                                                                                                                               |
| TCP 4000                                | User interface and management REST API (local network). **Must not be accessible from the internet!**                                                                                                        |
| TCP 80, 443                             | Information system access points (local network). **Must not be accessible from the external network without strong authentication. If open to the external network, IP filtering is strongly recommended.** |
| **Outbound ports to internal network**  | Ports for outbound connections from the security server to the internal network                                                                                                                              |
| TCP 80, 443, *other*                    | Producer information system endpoints                                                                                                                                                                        |

### Central Server IP Addresses

The following table lists the CIDR ranges and IP addresses of the central components of the Icelandic X-Road network that all Security Servers must whitelist.

<table><thead><tr><th width="136">Component</th><th width="189" align="right">IS</th><th width="224" align="right">IS-TEST</th><th align="right">IS-DEV</th></tr></thead><tbody><tr><td>Central Server</td><td align="right"><code>176.57.224.0/25</code></td><td align="right"><code>176.57.224.128/25</code></td><td align="right"><code>176.57.227.96/27</code></td></tr><tr><td>Mgmt. Security Server</td><td align="right"><code>176.57.224.0/25</code></td><td align="right"><code>176.57.224.128/25</code></td><td align="right"><code>176.57.227.96/27</code></td></tr><tr><td>Central Monitoring Server</td><td align="right"><code>34.252.193.131</code></td><td align="right"><code>34.253.108.248</code></td><td align="right"><code>3.250.245.108</code></td></tr></tbody></table>
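The port table and the central server allowlist above can be checked against a firewall's exported allow rules. The following is an added example, not part of the X-Road or Ísland.is documentation: the rule format (`dir`, `port`, `peer`), the internal range `10.0.0.0/8` and the sample rules are assumptions constructed for illustration, and only the IS Central Server / Mgmt. Security Server range from the table is checked.

```python
import ipaddress as ip

# From the page: IS Central Server / Mgmt. Security Server range.
CENTRAL_IS = [ip.ip_network("176.57.224.0/25")]
# Assumption: the organisation's internal network (hypothetical value).
INTERNAL = ip.ip_network("10.0.0.0/8")

# Constructed sample of TCP ALLOW rules exported from a firewall.
SAMPLE_RULES = [
    {"dir": "in", "port": 5500, "peer": "0.0.0.0/0"},
    {"dir": "in", "port": 5577, "peer": "0.0.0.0/0"},
    {"dir": "in", "port": 4000, "peer": "0.0.0.0/0"},       # admin UI exposed
    {"dir": "in", "port": 443, "peer": "10.20.0.0/16"},
    {"dir": "in", "port": 80, "peer": "203.0.113.0/24"},    # external consumer
    {"dir": "out", "port": 5500, "peer": "0.0.0.0/0"},
    {"dir": "out", "port": 5577, "peer": "0.0.0.0/0"},
    {"dir": "out", "port": 4001, "peer": "176.57.224.0/25"},
    {"dir": "out", "port": 80, "peer": "176.57.224.0/26"},  # too narrow
]

def _allowed(rules, direction, port, net):
    """True if one rule for that direction and port permits all of `net`."""
    return any(r["dir"] == direction and r["port"] == port
               and net.subnet_of(ip.ip_network(r["peer"])) for r in rules)

def audit(rules, internal=INTERNAL, central=CENTRAL_IS):
    findings = []
    # Internal-only ports must not accept peers outside the internal range.
    for r in rules:
        peer = ip.ip_network(r["peer"])
        if r["dir"] != "in" or peer.subnet_of(internal):
            continue
        if r["port"] == 4000:
            findings.append(f"CRITICAL tcp/4000 admin UI/API reachable from {peer}")
        elif r["port"] in (80, 443):
            findings.append(f"WARN tcp/{r['port']} access point reachable from {peer}")
    # Message exchange and OCSP ports must be open towards external peers.
    for d in ("in", "out"):
        for port in (5500, 5577):
            if not any(r["dir"] == d and r["port"] == port
                       and not ip.ip_network(r["peer"]).subnet_of(internal)
                       for r in rules):
                findings.append(f"MISSING {d} tcp/{port} for external security servers")
    # Central server must be reachable on 4001 and 80 across its whole range.
    for net in central:
        for port in (4001, 80):
            if not _allowed(rules, "out", port, net):
                findings.append(f"MISSING out tcp/{port} to central server {net}")
    return findings
```

Calling `audit(SAMPLE_RULES)` reports the exposed management port, the externally reachable access point, and the outbound rule that covers only half of the central server range.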

