The Morro global file system is built on top of public cloud infrastructure such as AWS, Azure, and Wasabi. For the cloud-based file system to function, CacheDrive must be able to reach the cloud. It uses only HTTPS (port 443) to communicate with cloud resources, so you must allow all outbound HTTPS (port 443) traffic.
Please also see the article below for the open port requirements:
https://support.morrodata.com/a/solutions/articles/14000060512?lang=en
Traditionally, administrators have helped secure their networks by restricting outbound connections to known trusted IP addresses, a practice known as whitelisting. This is meant to prevent devices from accessing unauthorized sites. However, cloud services can be dynamic and scalable and are not necessarily at fixed IP addresses. Their address ranges may grow as the service grows.
For Morro CacheDrive and Morro Edge devices, we strongly recommend against whitelisting outbound destinations by IP address. While a given list of IP addresses may work today, there is no guarantee that they will continue to work tomorrow as Morro's cloud services and cloud storage providers continue to grow. If the IP addresses for cloud storage or services change to addresses outside the whitelisted range, access issues may arise.
Instead of whitelisting IP addresses, we recommend whitelisting by URL. Please see the following lists of URLs used for the Morro Data Global File Services. As our service grows, the lists may be updated as needed. We reserve the right to update these lists without prior notice.
Amazon S3
To find the URL for your S3-based cloud storage, see the following articles:
https://docs.aws.amazon.com/general/latest/gr/rande.html
https://aws.amazon.com/premiumsupport/knowledge-center/s3-find-ip-address-ranges/
For example, if your cloud storage uses S3 region us-west-1, the URL would be:
https://s3.us-west-1.amazonaws.com
https://*.s3.amazonaws.com (https://mc-dlink-production.s3.amazonaws.com for share link)
https://*.s3.us-west-1.amazonaws.com
Wasabi
To find the URL for your Wasabi-based cloud storage, see the following article:
For share link:
https://mc-dlink-production.s3.wasabisys.com
Morro Cloud Services
Morro uses the following destinations for outbound connections. The actual IP addresses may change as our service grows.
End Point | Purpose | Required Port, Notes |
---|---|---|
discovery.morrodata.com | Device Discovery, etc. | 443 |
smcd.morrodata.com | Cloud Sync | 443 |
yoursubdomain.morrodata.com | MCM | 443 |
sqs.us-west-2.amazonaws.com | Push notification for Sync | 443 |
mlock.morrodata.com | RTC Service (US West) | 443 |
mlock-va.morrodata.com | RTC Service (US East) | 443 |
mlock-jp.morrodata.com | RTC Service (Japan) | 443 |
52.8.71.105 | Remote Support | 22 (outbound connection only) |
duujyvyqgknm1.cloudfront.net | Firmware download | 443 |
Other Services
If you want to use the additional service below, the following host must be whitelisted.
mc-dlink-production.s3.amazonaws.com (for creating share link)
Standard Internet Services
We use the following standard internet services. Outbound connections to them should be allowed if you need to use cloud-based services.
Service Name | Port | Purpose | Note |
---|---|---|---|
NTP | UDP/123 | Time Synchronization | You can configure the NTP server address via DHCP. If it is not set by DHCP, we use default servers (time.google.com, etc.). Time must be synchronized; otherwise authentication will fail. |
DNS | UDP+TCP/53 | Name resolution | You can configure the DNS server address via DHCP. If it is not set by DHCP, we use the fallback servers 8.8.8.8, 8.8.4.4, etc. |
Notes
In order to enhance Morro Services, we may use other endpoints in the future. Currently, we mainly use Amazon AWS as the server platform; however, we may use other cloud services in the future. We recommend allowing access to the whole cloud if possible. Currently, we recommend whitelisting at least the following endpoints: "*.morrodata.com", "*.amazonaws.com", "*.cloudfront.net". Also, "52.8.71.105" is needed when you request remote support.
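The following Python check is an added example, not code from Morro Data: it audits a firewall's allowlist against the destinations listed in this article and reports any that no rule permits. The wildcard semantics (a leading "*." matches one or more labels), the use of the article's example region us-west-1, and both sample rule sets are assumptions; confirm how your own firewall matches FQDN rules.

```python
import ipaddress

# Destinations from the tables above as (host, port). us-west-1 is the article's
# example S3 region; "yoursubdomain" is the article's own placeholder.
REQUIRED = [
    ("discovery.morrodata.com", 443), ("smcd.morrodata.com", 443),
    ("yoursubdomain.morrodata.com", 443), ("sqs.us-west-2.amazonaws.com", 443),
    ("mlock.morrodata.com", 443), ("mlock-va.morrodata.com", 443),
    ("mlock-jp.morrodata.com", 443), ("duujyvyqgknm1.cloudfront.net", 443),
    ("s3.us-west-1.amazonaws.com", 443),
    ("mc-dlink-production.s3.amazonaws.com", 443),
    ("52.8.71.105", 22),
]

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def rule_matches(rule, host):
    """Assumed semantics: exact match, or a '*.' prefix matching one or more labels."""
    rule, host = rule.lower().rstrip("."), host.lower().rstrip(".")
    if is_ip(rule) or is_ip(host):
        return rule == host  # an IP destination needs a literal IP rule
    if rule.startswith("*."):
        # ".example.com" must be a proper suffix, so the apex itself does not match
        return host.endswith(rule[1:]) and len(host) > len(rule) - 1
    return rule == host

def audit(rules, required=REQUIRED):
    """Return the required (host, port) pairs that no (rule, port) entry permits."""
    return [(h, p) for h, p in required
            if not any(rp == p and rule_matches(r, h) for r, rp in rules)]

# Constructed sample rule sets (not taken from any real firewall).
NARROW = [("*.morrodata.com", 443), ("*.s3.amazonaws.com", 443)]
RECOMMENDED = [("*.morrodata.com", 443), ("*.amazonaws.com", 443),
               ("*.cloudfront.net", 443), ("52.8.71.105", 22)]

if __name__ == "__main__":
    for name, rules in (("narrow", NARROW), ("recommended", RECOMMENDED)):
        print(name, "missing:", audit(rules) or "none")
```

With the narrow rule set, the regional S3 endpoint, the SQS endpoint, the firmware host and the remote support address are all reported as blocked, because "*.s3.amazonaws.com" does not cover "s3.us-west-1.amazonaws.com".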
Cisco Umbrella Users
Cisco Umbrella may act as a proxy for some of the domains used by your Morro storage system. This can cause SSL certificate issues that prevent access to Morro's cloud services or to cloud storage backends. To avoid these issues, make sure that Cisco Umbrella is configured to allow direct access to the domains in the outbound connections list.