Between the Nodes and Lighthouse
Once enrolled, all communications between the Lighthouse and Nodes happen inside the Lighthouse VPN tunnel, i.e. the only port used is inbound UDP 1194 on Lighthouse.
Between the Lighthouse user and Lighthouse
The user primarily accesses Lighthouse using inbound TCP ports 22 (CLI) and 443 (Web UI). All remote access to Nodes and their Managed Devices is proxied via the Lighthouse's central IP address, then tunneled over Lighthouse VPN.
Node Registration and Enrollment
Enrollment is the initial per-node setup step, that connects them to Lighthouse VPN.
Nodes register for enrollment over the networkvia RESTful API, which listens on TCP port 443 by default. There are two primary registration methods, northbound (Node to Lighthouse) and southbound (Lighthouse to Node):
- Southbound registration (i.e. using the Add Node link) uses inbound TCP port 443 on the Managed Node
- Northbound registration (i.e. all other methods) uses the inbound API port (TCP port 443 or optionally 8443, see below) on Lighthouse
Take care when allowing northbound registration over an untrusted network such as the Internet, as opening TCP port 443 also allow access to the Lighthouse Web UI.
On Lighthouse, you may enable an additional enrollment-only API endpoint on inbound TCP port 8443 by checking Settings -> Services -> Session Settings -> Enable additional enrollment-only REST API port. This port can be safely exposed to an untrusted network, provided enrollment tokens are regularly changed and/or enrollments are manually approved.
Alternatively, you may choose to pre-enroll nodes using a private network (e.g. test bench) prior to deployment, to avoid exposing the API altogether.
Regardless of which method is used, once registration completes the Lighthouse VPN tunnel is established by the Node to Lighthouse, i.e. the only port used is inbound UDP port 1194 on Lighthouse.