Peppol Firewall requirements

This article outlines the required minimum firewall openings for default Peppol components. This list does not consider application-specific firewall requirements.
Please also remember the "connect once, connect everywhere" principle of Peppol, meaning that every Peppol Access Point (AP) MUST be capable of exchanging business documents with any other Peppol AP.

Firewall requirements for outbound connections

AP

  • Allow TCP port 443 to * (all IPs) - for sending messages to another AP
  • Allow TCP port 80 to * (all IPs) - for querying any SMP and to download CRL files from http://crl.one.nl.digicert.com/:
    • Test AP: http://crl.one.nl.digicert.com/PEPPOLACCESSPOINTTESTCA-G3.crl
    • Test SMP: http://crl.one.nl.digicert.com/PEPPOLSERVICEMETADATAPUBLISHERTESTCA-G3.crl
    • Production AP: http://crl.one.nl.digicert.com/PEPPOLACCESSPOINTCA-G3.crl
    • Production SMP: http://crl.one.nl.digicert.com/PEPPOLSERVICEMETADATAPUBLISHERCA-G3.crl

SMP

  • Allow TCP port 80 to download CRL files from http://crl.one.nl.digicert.com/ (see AP section above for specific URLs)
  • Allow TCP port 443 to Peppol Directory
    • Production: directory.peppol.eu
    • Test: test-directory.peppol.eu
  • Allow TCP port 443 to SMK/SML
    • Production: participant.sml.prod.tech.peppol.org
    • Test: participant.sml.test.tech.peppol.org
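
An outbound reachability check for the fixed destinations listed above, as an added example that is not part of the original article: it downloads and parses the CRLs over port 80 and, for the SMP role, tests TCP port 443 to the Peppol Directory and SMK/SML hosts. The function names and the script name are hypothetical, and it assumes curl, openssl, timeout and bash on the host and DER-encoded CRLs; the "all IPs" openings cannot be verified by probing fixed hosts.

```shell
# Added example, not from the original article. Usage: sh egress-check.sh <ap|smp> <test|prod>
# Assumes curl, openssl, timeout and bash are installed and that the CRLs are DER-encoded.
CRL_BASE="http://crl.one.nl.digicert.com"
# CRL URLs for one environment, as listed in the AP section.
crl_urls() {
  case "$1" in
    test) echo "$CRL_BASE/PEPPOLACCESSPOINTTESTCA-G3.crl"
          echo "$CRL_BASE/PEPPOLSERVICEMETADATAPUBLISHERTESTCA-G3.crl" ;;
    prod) echo "$CRL_BASE/PEPPOLACCESSPOINTCA-G3.crl"
          echo "$CRL_BASE/PEPPOLSERVICEMETADATAPUBLISHERCA-G3.crl" ;;
    *)    return 1 ;;
  esac
}

# Fixed host:port destinations on TCP 443; only the SMP role has any.
tls_targets() {
  [ "$1" = smp ] || return 0
  case "$2" in
    test) echo "test-directory.peppol.eu:443"
          echo "participant.sml.test.tech.peppol.org:443" ;;
    prod) echo "directory.peppol.eu:443"
          echo "participant.sml.prod.tech.peppol.org:443" ;;
    *)    return 1 ;;
  esac
}

# Fetch a CRL over port 80 and confirm it parses as a CRL, so that a proxy
# block page served with HTTP 200 is reported as a failure.
check_crl() {
  tmp=$(mktemp) || return 1
  curl -fsS --max-time 15 -o "$tmp" "$1" &&
    openssl crl -inform DER -in "$tmp" -noout -nextupdate >/dev/null 2>&1
  rc=$?; rm -f "$tmp"; return $rc
}

# Plain TCP connect test through bash's /dev/tcp.
check_tcp() { timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null; }
main() {
  crl_urls "$2" >/dev/null || { echo "usage: $0 <ap|smp> <test|prod>" >&2; return 2; }
  fail=0
  for u in $(crl_urls "$2"); do
    if check_crl "$u"; then echo "OK   $u"; else echo "FAIL $u"; fail=1; fi
  done
  for t in $(tls_targets "$1" "$2"); do
    if check_tcp "${t%:*}" "${t#*:}"; then echo "OK   $t"; else echo "FAIL $t"; fail=1; fi
  done
  return $fail
}
if [ $# -eq 2 ]; then main "$@"; fi
```

Run it from the AP or SMP host itself, since the result reflects the egress path of the machine it runs on.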

Firewall requirements for inbound connections

AP

  • Allow TCP port 443 from * (all IPs) - for receiving messages from another AP

SMP

  • Allow TCP port 443 from * (all IPs) - for being queried from any AP