Firewall setup

Firewall Configuration for versions 3.0 and above

Version 3.x of @TheOffice (called @TheOffice.Wherever!) uses peer-to-peer technology to connect and is fundamentally different from previous versions.

It should not normally be necessary to change your firewall settings. However, where very restrictive firewall rules have been set up, the following traffic types must be allowed:

Gateway Connection

The gateway software needs to connect to the following addresses (all connections are outgoing):

  • TCP to port 9555 on oem.trispen.com
  • TCP to port 9555 on lookup.trispen.com
  • TCP to port 5222 on lookup.trispen.com
  • Outgoing UDP sessions must be allowed.

Client Connection

  • TCP to port 9555 on lookup.trispen.com
  • TCP to port 5222 on lookup.trispen.com
  • Outgoing UDP sessions must be allowed.

If you suspect that you are experiencing firewall-related issues, a quick test is to see whether you can use an application like Google Talk from either network. @TheOffice.Wherever! uses the same protocol set (with the exception of port 9555).

Firewall Configuration for versions 2.0 and below

Here you can find the exact firewall requirements, and examples of how to configure some popular firewalls, to enable versions of @TheOffice from version 2.0 and up to work.

Before version 2.0, @TheOffice used UDP traffic on port 500.  From 2.0 and up it uses TCP traffic on port 9555.  The requirements for versions before 2.0 can be found here.

Here is an easy test you can perform to check that your Gateway is correctly accessible from the Internet and running.

The connection from a Client to the Gateway uses TCP Traffic to port 9555 on the Gateway.  The following rules are required at the Gateway's side to allow the Client connections:

  • Allow: TCP From [anywhere][any port] To [GW IP][Port 9555]
  • Allow: TCP From [GW IP] [Port 9555] To [anywhere] [any port]

If your office network is situated behind a NAT router, you also need to configure a port or static IP mapping:

  • Map: port 9555 on public interface to [GW IP] port 9555, or
  • Map: [reserved public IP] to [GW IP]

In order for the gateway to connect to the licensing server, your firewall needs to allow outgoing TCP connections to port 9555.  Most firewalls will already be configured to allow this type of traffic:

  • Allow: TCP From [GW IP] [any port] To [anywhere] [Port 9555]
  • The reverse direction is usually automatically allowed with a stateful mechanism.
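The three rule lists above (Client access, NAT mapping, licensing server) written as iptables commands for a Linux router sitting in front of the Gateway. This is an added example, not Trispen's own configuration: it assumes a default-drop FORWARD policy, uses connection tracking so the reverse-direction rules admit replies only, and the address 192.168.1.10 and interface eth0 are constructed sample values.

```shell
#!/bin/sh
# Added example: prints (never applies) iptables rules for the Gateway-side
# requirements above. 192.168.1.10 and eth0 are constructed sample values.

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# $1 = Gateway LAN address ([GW IP]), $2 = public-side interface name.
gateway_rules() {
    gw_ip=$1; wan_if=$2; port=9555
    valid_ipv4 "$gw_ip" || { echo "invalid Gateway IP" >&2; return 1; }
    case "$wan_if" in
        ""|*[!A-Za-z0-9._-]*) echo "invalid interface name" >&2; return 1 ;;
    esac
    cat <<EOF
# Map: port $port on public interface to [GW IP] port $port
iptables -t nat -A PREROUTING -i $wan_if -p tcp --dport $port -j DNAT --to-destination $gw_ip:$port
# Allow: TCP From [anywhere][any port] To [GW IP][Port $port]
iptables -A FORWARD -p tcp -d $gw_ip --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# Allow: TCP From [GW IP][Port $port] To [anywhere][any port], replies only
iptables -A FORWARD -p tcp -s $gw_ip --sport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Allow: TCP From [GW IP][any port] To [anywhere][Port $port] (licensing server)
iptables -A FORWARD -p tcp -s $gw_ip --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# Reverse direction of the licensing connection, allowed statefully
iptables -A FORWARD -p tcp -d $gw_ip --sport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT
EOF
}

# Print the rule set for the sample values unless arguments are given.
gateway_rules "${1:-192.168.1.10}" "${2:-eth0}"
```

Review the printed rules against your existing chain order before applying any of them.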

All traffic between the Client and Gateway appears on the network as TCP traffic to and from the Gateway’s port 9555.  On the Gateway itself, however, this traffic gets decapsulated and re-injected into the Gateway’s IP stack.  If there’s any form of firewalling running on the Gateway itself, some additional rules might need to be configured to allow this decapsulated traffic to be processed by the Gateway.  Some typical scenarios where this might be required are:

  • The Gateway is hosted on the same PC as the Firewall; for instance, many small businesses run Microsoft’s Small Business Server and might typically install the Gateway on it.
  • Some firewalling software might already be running as part of the Operating System.
  • Separate third-party personal firewall products such as Zone Alarm might be installed.

We suggest that you dedicate a PC for the Gateway inside your office network rather than installing the Gateway software on the perimeter (firewall) PC. Otherwise, be sure the following rules are in place:

  • Allow: TCP From [anywhere][any port] To [GW IP][Port 500]
  • Allow: TCP From [GW IP] [Port 500] To [anywhere] [any port]
  • Allow: UDP From [anywhere][any port] To [GW IP][Port 500]
  • Allow: UDP From [GW IP] [Port 500] To [anywhere] [any port]
  • Allow: All traffic from [IP Pool] to [anywhere] – this rule might be made more restrictive if required.
  • To set up your ADSL router or firewall to forward port 9555 to the gateway, refer to http://www.portforward.com
©Trispen Technologies 1999-2010