Network Prerequisites for Medulla SaaS

Medulla / All Versions / Shared SaaS - Private SaaS / Infrastructure

1. Are there any technical prerequisites for using Medulla in SaaS mode?

For the shared SaaS offering, no hardware or software prerequisites are required.

The only requirement is to allow two outbound network connections from your workstations to the Medulla platform.

2. Which ports must be open on the Internet?

Shared SaaS

Only two ports need to be allowed:Workstations → Medulla Server:

TCP 2002: primary communication between the Medulla agent and the server
TCP 5222: XMPP channel used to orchestrate actions and establish secure tunnels

No other ports should be open to the Internet.

3. Why only two ports?

Because:

All operations requiring additional ports (VNC, RDP, WinRM, inventory, package deployments) automatically pass through an OpenSSH tunnel established between the Medulla server and the agent on the workstation.
This tunnel is initiated and managed by the XMPP service.

Therefore, you do not need to expose sensitive ports to the Internet.

4. Which ports are required for the dedicated SaaS offering?

In addition to the ports required for the shared SaaS offering:

TCP 55415: used for Backup functions

All other ports continue to pass through the OpenSSH tunnel and do not need to be opened.

5. Why are certain ports (UDP 67, 69, 111, 2049) no longer listed in SaaS mode?

Because they arenot used in SaaS mode:

No PXE or DHCP over the Internet →UDP 67 and 69 are unnecessary
No exposed NFS → 111 / 2049 are unnecessary
No low-level services are exposed in the Medulla cloud

6. Do I need to open inbound ports on my firewall?

No.

No incoming traffic is required in Medulla SaaS mode.

Your firewall simply needs to allow the following outbound traffic so that the agents can communicate:

TCP 2002
TCP 5222

(+ TCP 55415 if using dedicated SaaS)

7. Quick Summary

Offer	Required Data Flows: Workstations → Server	Notes
Shared SaaS	TCP 2002, TCP 5222	All other ports go through the OpenSSH tunnel
Dedicated SaaS	TCP 2002, TCP 5222, TCP 55415	Optional backup enabled
Incoming traffic	None	Everything is initiated by the workstation

Network Prerequisites for Medulla SaaS

FLUX Test

Firewall

Active Directory

I already have a PXE server on my network—is that a problem?

Simplified Medulla Flowchart

OIDC

DNS Views and Medulla Relay in the DMZ

Filter machine types by GLPI ID

GLPI Access for Medulla

Disable convergence for the Extract drivers package

Configuration Guide: OIDC Authentication and User Synchronization

Activation Support / WSUS / CVE / Shop

Rename the FQDN and Switch to HTTPS on Medulla

Changing the SSH Port Between Server and Workstation

GLPI - Connecting an External GLPI

SUPPORT - Access

Installing Medulla on an OVH Virtual Private Server (VPS)

Client Workstations (Status & Visibility)

Packages

Remote Maintenance & Getting Started

Set the agent to Debug mode

Windows Agent Issue

Introduction

The ACLs

The ACLs (continued)

Console & Administration

Increase the Web session timeout (MMC / XMLRPC)

Retrieve the root password for the Medulla interface

Deployment (broadcasting)

Packages

Updates (Windows Updates)

Imaging menus

Client Workstations (Status & Visibility)

GPO

Reconfigure My Agent

Generate Windows and Linux agents

Linux MINT Distribution Agents

Uninstalling a Medulla Agent (Versions earlier than 5.5.2)

Uninstalling a Medulla Agent (Version 5.5.2 and later)

How do I force a reconfiguration of Medulla agents?

Duplicate MAC Addresses

Check the connection from the agent to the server

WithSecure alerts regarding PAExec used by Medulla

Architecture and Deployment of Medulla Relay Servers

Procedure for Adding Relays to Dedicated Medulla SaaS

Medulla Update - 5.4.x to 5.5.x

Services

Imaging Prerequisites

Imaging - Davos Debug

Imaging - Debug

Where are Medulla imaging masters stored?

About the Masters

An unknown machine does not appear in Medulla or GLPI after Register PXE

Copying Imaging Profiles

How the WSUS Tool Works

Module Update (WSUS) is unavailable after enabling AES protection for update catalogs

Network Prerequisites for Medulla SaaS

1. Are there any technical prerequisites for using Medulla in SaaS mode?

2. Which ports must be open on the Internet?

Shared SaaS

3. Why only two ports?

4. Which ports are required for the dedicated SaaS offering?

5. Why are certain ports (UDP 67, 69, 111, 2049) no longer listed in SaaS mode?

6. Do I need to open inbound ports on my firewall?

7. Quick Summary