Last updated: 6/17/2026

Firewall rules

---

The ShareAspace architecture is illustrated below:

Note

All ports are configurable and can be changed.

Default port access

---

Read the following table as:

• Source connects to Target on Port using Protocol.
• Target must allow inbound communication on Port.

Source	Port	Protocol	Target
Web Browsers	443	HTTPS	Web Server (IIS) / ShareAspace Web
Web Browsers	443	HTTPS	Web Server (IIS) / Documentation
Web Server (IIS) / ReverseProxy(Gateway)	5001	HTTPS	Application Server / ShareAspace Host
Web Server (IIS) / New Web UI	5002	HTTPS	Application Server / ShareAspace Host
Application Server / DataBackup Tool	5001	HTTPS	Application Server / ShareAspace Host
Application Server / ShareAspace Host	445	TCP (SMB)	File vault Server
Web Browsers	443	HTTPS	Web Server (IIS) / External Extensions
Web Server (IIS) / ShareAspace Extensions	443	HTTPS	Web Server (IIS) / ReverseProxy(Gateway)
Web Server (IIS) / Trusted External Extensions	443	HTTPS	Web Server (IIS) / ReverseProxy(Gateway)
Application Server / ShareAspace Host	443	HTTPS	Web Server (IIS) / Trusted External Extensions
Application Server / ShareAspace Host	4317	gRPC (HTTP/2)	ShareAspace OpenTelemetry collector
Application Server / ShareAspace Host	4318	HTTPS	ShareAspace OpenTelemetry collector
Web Server (IIS) / Trusted External Extensions	4317	gRPC (HTTP/2)	ShareAspace OpenTelemetry collector
Web Server (IIS) / Trusted External Extensions	4318	HTTPS	ShareAspace OpenTelemetry collector
Web Server (IIS) / External Extensions	4317	gRPC (HTTP/2)	ShareAspace OpenTelemetry collector
Web Server (IIS) / External Extensions	4318	HTTPS	ShareAspace OpenTelemetry collector
Web Server (IIS) / ShareAspace SMTP Mail Extension	25	SMTP	SMTP Server

Note

ShareAspace OpenTelemetry collector is an optional component. If all extensions are configured to send signals via the same protocol, it is sufficient to open a single port for the corresponding protocol.

Windows firewall setup

---

Beside environmental firewall settings, on Microsoft Windows Server 2025 (Application Server and Web Server) you will need to add Inbound Rules to the Windows Firewall.

• Ports 5001 and 5001 on the Application Servers.
• Port 443 on the Web Servers (those are usually set by default when installing the Web Server (IIS) Role).
• Port 445 on the FileVault (this port is usually automatically opened when setting file sharing on a Windows Server)

Caution

On the Application Server the following procedure will open up port 5001 completely. This will allow you to access the Application Server from any client application. If you are running the all the ShareAspace components (including the Gateway) on the same machine as the Application Server, you do not have to open this port as HTTP clients will contact ShareAspace via the Gateway.

To setup an Inbound Rule on Windows Servers:

• Open Windows Firewall with Advanced Security.
• On the menu on the left, Click Inbound Rules.
• On the Actions menu on the right, Click New Rule....

• Select Port

• Select TCP
• Set the specific local ports to open, for instance 5000

• Select Allow the connection

• Select, Domain, Private, Public

The Windows Firewall Inbound Rules can also be set using a Windows PowerShell script as follow:

Download set-firewall-rules.ps1

$NET_FW_PROFILE2_DOMAIN = 1
$NET_FW_PROFILE2_PRIVATE = 2
$NET_FW_PROFILE2_PUBLIC = 4
$NET_FW_PROFILE2_ALL = 2147483647

$NET_FW_IP_PROTOCOL_TCP = 6
$NET_FW_IP_PROTOCOL_UDP = 17
$NET_FW_IP_PROTOCOL_ICMPv4 = 1
$NET_FW_IP_PROTOCOL_ICMPv6 = 58

$NET_FW_RULE_DIR_IN = 1
$NET_FW_RULE_DIR_OUT = 2

$NET_FW_ACTION_BLOCK = 0
$NET_FW_ACTION_ALLOW = 1


$fwPolicy = New-Object -ComObject HNetCfg.FwPolicy2

$rule = New-Object -ComObject HNetCfg.FWRule
$rule.Name = 'NovaCluster'
$rule.Profiles = $NET_FW_PROFILE2_ALL
$rule.Enabled = $true
$rule.Action = $NET_FW_ACTION_ALLOW
$rule.Direction = $NET_FW_RULE_DIR_IN
$rule.Protocol = $NET_FW_IP_PROTOCOL_TCP
$rule.LocalPorts = 5001

$fwPolicy.Rules.Add($rule)