# Network Configuration

The X-Road Security Servers mediate service calls and service responses between Information Systems. They can be placed in a DMZ between the Information Systems they serve and the Internet.

### X-Road Network Architecture Diagram

<figure><img src="https://3924059971-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJWCB43mX_-7DO7e_Oj%2Fuploads%2Flkx76W1Xp9FEeIcHYAOq%2Fxroad-network-diagram.webp?alt=media&#x26;token=51bdbb54-00e4-41ad-b0e0-7eaaf46352a8" alt=""><figcaption><p>X-Road Network Architecture</p></figcaption></figure>

### Port configuration

A Security Server requires the following open ports for proper functioning:

| Port | Purpose |
| --- | --- |
| **Inbound ports from external network** | Ports for inbound connections from the external network to the security server |
| TCP 5500 | Message exchange between security servers |
| TCP 5577 | Querying of OCSP responses between security servers |
| **Outbound ports to external network** | Ports for outbound connections from the security server to the external network |
| TCP 5500 | Message exchange between security servers |
| TCP 5577 | Querying of OCSP responses between security servers |
| TCP 4001 | Communication with the central server |
| TCP 80 | Downloading global configuration from the central server |
| TCP 80, 443 | Most common OCSP and time-stamping services |
| **Inbound ports from internal network** | Ports for inbound connections from the internal network to the security server |
| TCP 4000 | User interface and management REST API (local network). **Must not be accessible from the internet!** |
| TCP 80, 443 | Information system access points (local network). **Must not be accessible from the external network without strong authentication. If open to the external network, IP filtering is strongly recommended.** |
| **Outbound ports to internal network** | Ports for outbound connections from the security server to the internal network |
| TCP 80, 443, *other* | Producer information system endpoints |

### Central Server IP Addresses

The following table lists the IP ranges (in CIDR notation) and addresses of the central components of the Icelandic X-Road network that every Security Server must whitelist.

<table><thead><tr><th width="136">Component</th><th width="189" align="right">IS</th><th width="224" align="right">IS-TEST</th><th align="right">IS-DEV</th></tr></thead><tbody><tr><td>Central Server</td><td align="right"><code>176.57.224.0/25</code></td><td align="right"><code>176.57.224.128/25</code></td><td align="right"><code>176.57.227.96/27</code></td></tr><tr><td>Mgmt. Security Server</td><td align="right"><code>176.57.224.0/25</code></td><td align="right"><code>176.57.224.128/25</code></td><td align="right"><code>176.57.227.96/27</code></td></tr><tr><td>Central Monitoring Server</td><td align="right"><code>34.252.193.131</code></td><td align="right"><code>34.253.108.248</code></td><td align="right"><code>3.250.245.108</code></td></tr></tbody></table>
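The port table and the central-component address table above translate directly into a host firewall policy. The script below is an added example, not part of the X-Road or Icelandic X-Road documentation: it generates an nftables ruleset for one environment (`IS`, `IS-TEST` or `IS-DEV`) using the addresses from the table, with the internal network passed in as an IPv4 CIDR. Assumptions not on the page: the function names are the example's own; DNS, NTP and SSH are not in the port table and are left out; the port used by the Central Monitoring Server is not stated on the page, so its address is kept in the `central_components` set and allowed on 5500/5577 alongside the Central Server range; IPv6 is not handled.

```shell
#!/bin/sh
# Added example: derive an nftables ruleset for an X-Road Security Server from the
# port table and the Icelandic central-component addresses above.
# Not part of the X-Road documentation. Assumes an IPv4-only deployment; DNS, NTP
# and SSH are not in the page's port table and must be added by the operator.

xroad_central_cidrs() {
    # Prints "<Central Server / Mgmt. SS range> <Central Monitoring Server IP>"
    # for an environment, taken verbatim from the address table on the page.
    case "$1" in
        IS)      echo "176.57.224.0/25 34.252.193.131" ;;
        IS-TEST) echo "176.57.224.128/25 34.253.108.248" ;;
        IS-DEV)  echo "176.57.227.96/27 3.250.245.108" ;;
        *)       return 1 ;;
    esac
}

xroad_nft_ruleset() {
    # $1: environment name, $2: internal network as IPv4 CIDR (e.g. 10.0.0.0/8)
    xenv="$1"; internal="$2"
    addrs=$(xroad_central_cidrs "$xenv") || return 1
    cs_net=${addrs% *}; mon_host=${addrs#* }
    cat <<EOF
table inet xroad_ss {
  set central_components {
    type ipv4_addr
    flags interval
    elements = { $cs_net, $mon_host }
  }
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    # Central components (kept explicit so the generic rule below can be narrowed later)
    ip saddr @central_components tcp dport { 5500, 5577 } accept
    # Inbound from external network: message exchange and OCSP response queries
    tcp dport { 5500, 5577 } accept
    # Inbound from internal network only: admin UI and management REST API
    ip saddr $internal tcp dport 4000 accept
    # Inbound from internal network only: information system access points
    ip saddr $internal tcp dport { 80, 443 } accept
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oif lo accept
    ct state established,related accept
    # Outbound to other security servers
    tcp dport { 5500, 5577 } accept
    # Central Server: management traffic (4001) and global configuration download (80)
    ip daddr $cs_net tcp dport { 4001, 80 } accept
    # OCSP and time-stamping services; narrow to your CA/TSA addresses where known
    tcp dport { 80, 443 } accept
    # Producer information systems on the internal network (add other ports as needed)
    ip daddr $internal tcp dport { 80, 443 } accept
  }
}
EOF
}

xroad_assert_admin_port_internal() {
    # Returns non-zero if any rule for TCP 4000 in the given ruleset text lacks a
    # source restriction, i.e. would expose the admin UI beyond the internal network.
    printf '%s\n' "$1" | grep 'dport 4000' | grep -qv 'ip saddr' && return 1
    return 0
}

# Usage: sh this.sh IS 10.0.0.0/8 > /etc/nftables.conf && nft -c -f /etc/nftables.conf
if [ "$#" -eq 2 ]; then
    rules=$(xroad_nft_ruleset "$1" "$2") || exit 1
    xroad_assert_admin_port_internal "$rules" || exit 1
    printf '%s\n' "$rules"
fi
```

Check the generated file with `nft -c -f` before loading it; the `xroad_assert_admin_port_internal` guard is the one check worth keeping in any deployment pipeline, since the page's hard rule is that TCP 4000 must never be reachable from the Internet.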
