Simplified Medulla Flowchart

Simplified Flow Rules

The rules are interpreted as follows:

SOURCE -> DEST means that the flow is initiated from the SOURCE to the DESTINATION.
If the protocol is not specified, it defaults to TCP.

If you have a single Medulla server, refer to the table below:

1. Without a Relay Server

If you have a Medulla server and a relay server, refer to the table below:

2. With a Classic Relay Server

If you have a Medulla server and a DMZ relay server, refer to the table below:

3. With a DMZ Relay Server

Medulla access to the outside:

updates.siveo.net:443
download.windowsupdate.com:80

Medulla access to other internal servers:

Your GLPI server (if you have one)
Your LDAP server (if you have one; see our LDAP documentation: LDAP DOC)

Access from your Admin Machine to Medulla:

Connection	Ports Used (DEST)	Notes
Your internal admin workstation ➡️ Medulla server	139/445 8384	Traffic initiated by the internal Admin workstation to Medulla.

Connection

Ports Used (DEST)

Notes

Your internal admin workstation ➡️ Medulla server

139/445

8384

Traffic initiated by the internal Admin workstation to Medulla.

1. Without a relay server

Connection	Ports Used (DEST)	Notes
Internal workstations ➡️ Medulla server	22 (SSH) 67/69 (UDP) 80/443 111/2049 (TCP & UDP) 5222 8443 9990 9999, 22067 55415	Traffic initiated by the workstation to Medulla.
Medulla server ➡️ Internal workstation	9 22 ( SSH) 3389 5900 5985/5986 35621 35623	Traffic initiated by the Medulla server to internal workstations.

2. With a Classic Relay Server

Connection	Ports Used (DEST)	Notes
Internal workstations ➡️ Medulla servers	22 (SSH) 67/69 (UDP) 80/443 111/2049 (TCP & UDP) 5222 8443 9990 9999, 22067 55415	Traffic initiated by the workstation to Medulla.
Medulla servers ➡️ Internal workstations	9 22 ( SSH) 3389 5900 5985/5986 35621 35623	Traffic initiated by the Medulla server to internal workstations.
---	---	---
Medulla Server ➡️ Relay Server	22 ( SSH) 5269 8081 9990 22000	Traffic initiated by Medulla to the DMZ Server.
Relay Server ➡️ Medulla Server	22 ( SSH) 5269 7080 8443 9999 22067 22000	Traffic initiated by the DMZ server to Medulla.
---
Workstations ➡️ Relay Server	22 69/69 (UDP) 80/443 111/2049 (TCP & UDP) 5222 9990	Traffic initiated by the internal workstation to the Relay Server.
Relay Server ➡️ Internal workstation	9 22 3389 5900	Traffic initiated by the Relay Servertothe internal workstation.

3. With a DMZ Relay Server

Connection	Ports Used (DEST)	Notes
Internal workstation ➡️ Medulla Server	22 (SSH) 67/69 (UDP) 80/443 111/2049 (TCP & UDP) 5222 8443 9990 9999, 22067 55415	Traffic initiated by the workstation to Medulla.
Medulla server ➡️ Internal workstation	9 22 ( SSH) 3389 5900 5985/5986 35621 35623	Traffic initiated by the Medulla server to internal workstations.
---	---	---
Medulla Server ➡️ DMZ Relay Server	22 ( SSH) 4369 4370–4380 5269 8081 22000	Traffic initiated by Medulla to the DMZ Server.
DMZ Relay Server➡️ MedullaServer	22 ( SSH) 3306 4369 4370 to 4380 5269 7080 8443 9999 22067 22000	Traffic initiated by the DMZ server to Medulla.
---	---	---
External Workstation ➡️ DMZ Server	22 ( SSH) 5222	Traffic initiated by the external workstation to the DMZ server.

Port Descriptions

Port 9: Used for Wake-on-LAN (WOL) to wake up a remote workstation.

Port 22 (SSH): SSH port used by Medulla for remote operations, command execution, and agent administration.

Ports 67 and 69 (UDP): used for DHCP and TFTP, particularly during PXE boot or for loading deployment images.

Ports 80 and 443: HTTP and HTTPS, used for web access and secure communication with Medulla services.

Port 111 (TCP and UDP): Used by Portmapper/RPCbind; required for NFS services and certain internal network calls.

Port 3389: used for RDP to connect remotely to Windows workstations.

Port 4369: Used for an ejabberd cluster if you have a DMZ relay

Ports 4370 through 4380: used for an ejabberd cluster if you have a DMZ relay

Port 5222: used by XMPP for communication between Medulla agents and the server.

Port 5269: used by XMPP for server-to-server communication, particularly between Medulla and the DMZ relay server.

Port 5900: used by VNC for remote control.

Ports 5985 and 5986: used by WinRM (HTTP and HTTPS) for remote commands on Windows.

Ports 7080 and 8081: used by internal services or management APIs required by the relay server or Medulla components.

Port 8443: HTTPS used by Medulla’s secure interface or APIs.

Port 9990: Used by an internal Medulla service for management and monitoring.

Port 9999: Used as an internal port for synchronization or communication between the Medulla server and components such as the relay.

Port 22000: used by Syncthing as the primary channel for data synchronization (packages, artifacts, inventories).

Port 22067: Used by Syncthing as a relayed channel, useful for mobile workstations or those located behind a NAT.

Ports 35621, 35623, and 55415: dynamic ports used by Medulla agents for real-time communication, inventory, synchronization, or task execution.

Network Prerequisites for Medulla SaaS

FLUX Test

Firewall

Active Directory

I already have a PXE server on my network—is that a problem?

Simplified Medulla Flowchart

OIDC

DNS Views and Medulla Relay in the DMZ

Filter machine types by GLPI ID

GLPI Access for Medulla

Disable convergence for the Extract drivers package

Configuration Guide: OIDC Authentication and User Synchronization

Activation Support / WSUS / CVE / Shop

Rename the FQDN and Switch to HTTPS on Medulla

Changing the SSH Port Between Server and Workstation

GLPI - Connecting an External GLPI

SUPPORT - Access

Installing Medulla on an OVH Virtual Private Server (VPS)

Client Workstations (Status & Visibility)

Packages

Remote Maintenance & Getting Started

Set the agent to Debug mode

Windows Agent Issue

Introduction

The ACLs

The ACLs (continued)

Console & Administration

Increase the Web session timeout (MMC / XMLRPC)

Retrieve the root password for the Medulla interface

Deployment (broadcasting)

Packages

Updates (Windows Updates)

Imaging menus

Client Workstations (Status & Visibility)

GPO

Reconfigure My Agent

Generate Windows and Linux agents

Linux MINT Distribution Agents

Uninstalling a Medulla Agent (Versions earlier than 5.5.2)

Uninstalling a Medulla Agent (Version 5.5.2 and later)

How do I force a reconfiguration of Medulla agents?

Duplicate MAC Addresses

Check the connection from the agent to the server

WithSecure alerts regarding PAExec used by Medulla

Architecture and Deployment of Medulla Relay Servers

Procedure for Adding Relays to Dedicated Medulla SaaS

Medulla Update - 5.4.x to 5.5.x

Services

Imaging Prerequisites

Imaging - Davos Debug

Imaging - Debug

Where are Medulla imaging masters stored?

About the Masters

An unknown machine does not appear in Medulla or GLPI after Register PXE

Copying Imaging Profiles

How the WSUS Tool Works

Module Update (WSUS) is unavailable after enabling AES protection for update catalogs

Simplified Medulla Flowchart

Simplified Flow Rules

If you have a single Medulla server, refer to the table below:

If you have a Medulla server and a relay server, refer to the table below:

If you have a Medulla server and a DMZ relay server, refer to the table below:

Medulla access to the outside:

Medulla access to other internal servers:

Access from your Admin Machine to Medulla:

1. Without a relay server

2. With a Classic Relay Server

3. With a DMZ Relay Server

Port Descriptions