# Network requirements for Medulla SaaS

<p class="callout info"> **Medulla / All Versions / SaaS / Infrastructure**</p>

### **1. Are there any technical prerequisites for using Medulla in SaaS mode?**

For the <span class="s1">**shared SaaS**</span> offering, no hardware or software prerequisites are required.

The only requirement is to allow <span class="s1">**two outbound network connections**</span> from your workstations to the Medulla platform.

---

### **2. Which ports must be open on the Internet?**

#### **Shared SaaS**

Only two ports need to be allowed, in the direction <span class="s1">**Workstations → Medulla Server**</span>:

- <span class="s1">**TCP 2002**</span>: primary communication between the Medulla agent and the server
- <span class="s1">**TCP 5222**</span>: XMPP channel used to orchestrate actions and establish secure tunnels

No other ports should be open on the Internet.

---

### **3. Why only two ports?**

Because:

- All operations requiring additional ports (VNC, RDP, WinRM, inventory, package deployments) <span class="s1">**automatically**</span> pass <span class="s1">**through an OpenSSH tunnel**</span> established between the Medulla server and the agent on the workstation.
- This tunnel is initiated and managed by the XMPP service.

You therefore <span class="s1">**do not**</span> need to expose sensitive ports to the Internet.

### **4. Which ports are required for the dedicated SaaS offering?**

In addition to the ports required for the shared SaaS offering:

- <span class="s1">**TCP 55415**</span>: used for backup functions

All other ports continue to pass through the <span class="s1">**OpenSSH tunnel**</span> and do not need to be opened.

### **5. Why are certain ports (UDP 67, 69, 111, 2049) no longer listed in SaaS mode?**

Because they are <span class="s1">**not used**</span> in SaaS mode:

- No PXE or DHCP over the Internet → <span class="s1">**UDP 67 / 69 are unnecessary**</span>
- No NFS exposed → <span class="s1">**111 / 2049 are unnecessary**</span>
- No low-level services are exposed in the Medulla cloud

### **6. Do I need to open incoming ports on my firewall?**

No.

<span class="s1">**No incoming traffic**</span> is required in Medulla SaaS mode.

Your firewall simply needs to <span class="s1">**allow**</span> the following <span class="s1">**outbound traffic**</span> for the agents to communicate:

- TCP <span class="s1">**2002**</span>
- TCP <span class="s1">**5222**</span>
- TCP <span class="s1">**55415**</span> (dedicated SaaS only)
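
One way to confirm from a workstation that the egress rules above are in place, as an added example that is not part of Medulla's own tooling. The script name and the server hostname passed on the command line are assumptions; the port numbers are the ones listed on this page.

```python
import socket
import sys

# Outbound TCP ports per offer, as listed on this page.
REQUIRED_PORTS = {
    "shared": [2002, 5222],
    "dedicated": [2002, 5222, 55415],
}


def required_ports(offer):
    """Return the outbound TCP ports a workstation needs for the given offer."""
    try:
        return list(REQUIRED_PORTS[offer])
    except KeyError:
        raise ValueError(f"unknown offer {offer!r}; expected 'shared' or 'dedicated'")


def check_egress(host, ports, timeout=3.0):
    """Attempt an outbound TCP connect to each port; return {port: reachable}."""
    results = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = True
        except OSError:
            # Refused, timed out (e.g. silently dropped by a firewall) or DNS failure.
            results[port] = False
    return results


def main(argv):
    # Hypothetical usage: check_medulla_egress.py <server-host> <shared|dedicated>
    if len(argv) != 3:
        print("usage: check_medulla_egress.py <server-host> <shared|dedicated>")
        return 2
    host, offer = argv[1], argv[2]
    results = check_egress(host, required_ports(offer))
    for port, ok in results.items():
        print(f"TCP {port}: {'reachable' if ok else 'BLOCKED or unreachable'}")
    return 0 if all(results.values()) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A successful connect only shows that the firewall permits the outbound flow; it does not validate the agent's own session with the server.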

### **7. Quick Summary**

<table id="bkmrk-offre-flux-n%C3%A9cessair"><thead><tr><th>**Offer**

</th><th>**Required Data Flows Workstations → Server**

</th><th>**Notes**

</th></tr></thead><tbody><tr><td>**Shared SaaS**

</td><td>TCP <span class="s1">**2002**</span>, TCP <span class="s1">**5222**</span>

</td><td>All other ports go through the OpenSSH tunnel

</td></tr><tr><td>**Dedicated SaaS**

</td><td>TCP <span class="s1">**2002**</span>, TCP <span class="s1">**5222**</span>, TCP <span class="s1">**55415**</span>

</td><td>Optional backup enabled

</td></tr><tr><td>**Incoming traffic**

</td><td>None

</td><td>Everything is initiated by the workstation

</td></tr></tbody></table>