Network requirements for Medulla SaaS

Medulla / All Versions / SaaS / Infrastructure

1. Are there any technical prerequisites for using Medulla in SaaS mode?

For the shared SaaS offering, no hardware or software prerequisites are required.

The only requirement is to allow two outbound network connections from your workstations to the Medulla platform.

2. Which ports must be open on the Internet?

Shared SaaS

Only two ports need to be allowedWorkstations → Medulla Server:

TCP 2002: primary communication between the Medulla agent and the server
TCP 5222: XMPP channel used to orchestrate actions and establish secure tunnels

No other ports should be open on the Internet.

3. Why only two ports?

Because:

All operations requiring additional ports (VNC, RDP, WinRM, inventory, package deployments) automatically pass through an OpenSSH tunnel established between the Medulla server and the agent on the workstation.
This tunnel is initiated and managed by the XMPP service.

You therefore do not need to expose sensitive ports to the Internet.

4. Which ports are required for the dedicated SaaS offering?

In addition to the ports required for the shared SaaS offering:

TCP 55415: used for backup functions

All other ports continue to pass through the OpenSSH tunnel and do not need to be opened.

5. Why are certain ports (UDP 67, 69, 111, 2049) no longer listed in SaaS mode?

Because they arenot used in SaaS mode:

No PXE or DHCP over the Internet →UDP 67 / 69 are unnecessary
No NFS exposed → 111 / 2049 unnecessary
No low-level services are exposed in the Medulla cloud

6. Do I need to open incoming ports on my firewall?

No.

No incoming traffic is required in Medulla SaaS mode.

Your firewall simply needs to allow the following outbound traffic for the agents to communicate:

TCP 2002
TCP 5222

(+ TCP 55415 if dedicated SaaS)

7. Quick Summary

Offer	Required Data Flows Workstations → Server	Notes
Shared SaaS	TCP 2002, TCP 5222	All other ports go through the OpenSSH tunnel
Dedicated SaaS	TCP 2002, TCP 5222, TCP 55415	Optional backup enabled
Incoming traffic	None	Everything is initiated by the workstation

Network requirements for Medulla SaaS

Client Accounts (Status & Visibility)

Deployment (broadcasting)

Packages

Remote Maintenance & Getting Started

Deployment (broadcasting)

Remote Maintenance & Getting Started

FLUX Test

Firewall

IMAGING Prerequisites

Active Directory

I already have a PXE server on my network. Is that a problem?

Simplified flowchart of Medulla

OIDC

DNS and Medulla Relay views in the DMZ

Filter machine types by GLPI ID

Your GLPI with Read-Only User

Disable convergence for the Extract drivers package

Configuration Guide: OIDC Authentication and User Synchronization

Increase the connection timeout to the interface

Activation Support / WSUS / CVE

Change the server's FQDN

Change the SSH port between Server and Client

GLPI - Connect an external GLPI

Network requirements for Medulla Private SaaS

Client Accounts (Status & Visibility)

Deployment (broadcasting)

Packages

Console & Administration

Remote Maintenance & Getting Started

Client Accounts (Status & Visibility)

Packages

Console & Administration

Remote Maintenance & Getting Started

Set the agent to Debug

Windows Agent Issue

Introduction

ACLs

ACLs continued

Console & Administration

Deployment (broadcasting)

Packages

Updates (Windows Updates)

Imaging menus

Client Accounts (Status & Visibility)

GPO

Reconfigure my agent

Generate Windows and Linux agents

Agents for the MINT Linux distribution

Uninstalling the Medulla Agent (Versions prior to 5.5.2)

Uninstalling Medulla Agent Version 5.5.2 and later

Architecture and Deployment of Medulla Relay Servers

Procedure for adding relays to Medulla Dedicated SaaS

Medulla Update - 5.4.x to 5.5.x

Network requirements for Medulla SaaS

1. Are there any technical prerequisites for using Medulla in SaaS mode?

2. Which ports must be open on the Internet?

Shared SaaS

3. Why only two ports?

4. Which ports are required for the dedicated SaaS offering?

5. Why are certain ports (UDP 67, 69, 111, 2049) no longer listed in SaaS mode?

6. Do I need to open incoming ports on my firewall?

7. Quick Summary