Cancel

double-chevron

Support center

Find your answer by topic or keyword

 

Firewall configuration

What information transferred, how and why?  –  Security considerations  –  Firewall configuration rules

Summary
To activate, use and validate Notarius’ digital signature, four outbound communication flows to Notarius’ servers must be enabled. These flows are always initiated from the given workstation and use standard protocols. No information pertaining to your electronic documents is communicated to Notarius or any third party.
 
Notarius is the only public-key-infrastructure supplier to be certified ISO 27001 in North America (Information Security Management). Moreover, its infrastructure is subject to stringent security controls and periodic vulnerability testing. Several major companies operating in the engineering, transportation, aerospace, hydro-electricity and mining sectors authorize outbound communication flows to Notarius’ servers.

Why Notarius?

CertifiO, the trusted digital signature from Notarius, enables users to sign an electronic document with the same legal value as a handwritten signature on a printed document. It assures the document’s origin, integrity and authenticity. CertifiO for Professionals  is the only digital signature recognized by 25 professional associations in Canada.

What information is transferred, how and why?

Some outbound communication flows are required to activate a digital signature, sign a document and guarantee its authenticity, and validate a third party’s signature (internal or external to your organization).

Is your organization using proxies? LDAP (tcp 389) and CMP (tcp 829) are not proxy friendly. 
We have a solution that uses http and https only.

Service Description Port
ConsignO licencing Encrypted communication to manage ConsignO’s user rights. This includes a license file and the signatory’s public distinguished name (DN).
Required to use ConsignO.
tcp 443 (https)
Digital signature generation Encrypted communication to activate, update or recover a digital signature certificate. Includes all relevant information to create a trusted public/private key pair on the user’s computer. Uses CMP (Certificate Management Protocol). Ref: RFC 6712
Required to obtain a digital signature certificate.
tcp 443 (https) tcp 829
(pkix-3-ca-ra)
Timestamp authority Add a certified timestamp token upon signature. Uses TSP (Time stamp protocol). Ref: RFC 3161
Required to ensure long-term document reliability.
tcp 80 (http)
OCSP responder Add the proof of validity of the digital signature, and verify the authenticity of a document. The communication includes the signatory’s public distinguished name (DN). Uses OCSP (Online Certificate Status Protocol). Ref: RFC 6960
Required to ensure the document’s authenticity and long-term reliability.
tcp 80 (http)
Certificate Revocation List (CRL) Add the proof of validity of the digital signature, and verify the authenticity of a document. Uses LDAP (Lightweight Directory Access Protocol). Ref: RFC 2251
Required to ensure the document’s authenticity and long-term reliability.
tcp 80
(ldap over http)
or
tcp 389 (ldap)1
Digital signature enrollment, activation and management Encrypted communication from the browser to management portal to enroll, activate, manage and invoice digital signatures.
Required to obtain a digital signature.
tcp 443 (https)
Templates download Unencrypted communication to ConsignO Desktop’s PDF and XML templates. tcp 80 (http)
Notifications Encrypted communication to get the update notifications and “what’s new” notifications. tcp 443 (https)
CertifiO Manager Light desktop application removing the need to install JAVA to access your account on the Notarius portal, to activate or recover  your CertifiO digital signature and to sign in application such as ConsignO Cloud with it. tcp 443, 24250 (https)
CertifiO Manager – Serveur Edition The Server Edition allows multiple users to use CertifiO Manager in a server or virtualized environment. tcp 443, 24251- 24270 (https)

1 Organizations who prefer to block port TCP 389 (ldap) can do so if port tcp 80 (http) is allowed to carry traffic from our servers. See details in the proxy configuration page.

What are the security considerations related to these flows?

These flows are always outbound: they are initiated from the client’s workstation to Notarius’ servers using standard protocols. No information pertaining to your electronic documents is communicated to Notarius or any third party. Notarius is the only public-key-infrastructure supplier to be certified ISO 27001 in North America (Information Security Management). Moreover, its infrastructure is subject to stringent security controls and periodic vulnerability testing.

Who requires or trust these flows?

Other than Notarius, the United Nations, the Government of Canada and the governments of several Canadian provinces and US states use Entrust certificate authority software and related technologies; all require that communication flow to their servers is authorized. These communication protocols are governed by stringent standards set by the IETF, ISO and NIST.

Several of Notarius’ clients have also assessed these considerations. Major companies operating in the engineering, transportation, aerospace, hydroelectricity and mining sectors authorize outbound communication flows to Notarius’ servers.

What are the firewall rules?

Our environments are redundant, distributed and scalable; the IP address of a service can vary at any time within the specified range.

IP range Port
206.55.89.0/27 tcp 80 (http)
tcp 443 (https)
tcp 389 (ldap)1
tcp 829 (pkix-ca-ra)
192.252.131.64/28 tcp 80 (http)
tcp 443 (https)
tcp 389 (ldap)1
tcp 829 (pkix-ca-ra)

 
Our download site and website require a DNS configuration.

DNS Entry Port
support.notarius.com tcp 443 (https)
download.notarius.com tcp 80 (http)
tcp 443 (https)

 

Notes:

  1. Organizations who prefer to block port TCP 389 (ldap) can do so if port tcp 80 (http) is allowed to carry traffic from our servers. See details in the proxy configuration page.
  2. All communications are outbound only; they are initiated by the client to our servers. In no circumstances do we initiate communication from our servers to the client.
  3. ConsignO Desktop opens a listening port on localhost on the user’s computer to avoid opening a new instance everytime a file is open from Windows Explorer. This approach, common in the industry, is also used by Adobe Acrobat, Microsoft Office, etc.