Firewall configuration:
Encrypted LucidLink client filesystem data is communicated securely with our service via Transmission Control Protocol/Internet Protocol (TCP/IP) port 443 and the Object Store (S3 compatible Bucket or Azure Container) using the Object Storage credentials provided.
All Object Storage transfers are performed with Advanced Encryption Standard (AES-256) end-to-end, client-side authenticated encryption through the LucidLink Windows, macOS or Linux client and Filespace user access controlled filesystem credentials.
LucidLink client communicates with AES-256 encryption via TCP/IP port 443 with our Discovery Service for the purpose of Namespace verification and Metadata coordination.
In order for the LucidLink client to work behind a firewall, the following outbound connections on port 443 must be enabled:
- The filespace ID, as the fully qualified domain name (FQDN) <filespaceID>.fs.lucidlink.com. Use the lucid status command to obtain the Filespace ID. As an example, the FQDN should look like the following: 0a00a00a-bb11-22cc-333d-4e44e44e4444.fs.lucidlink.com
- LucidLink discovery service - DNS record discovery-service.lucidlink.com. Whitelisting by FQDN is recommended, as the service's IP address can change.
- Object storage endpoint(s) - TCP/IP, typically port 443 (standard HTTPS traffic), or as per the Filespace endpoint specified during initialization. Example: s3.<region>.amazonaws.com
- LucidLink web service - api.lucidlink.com.
Additionally, we use certificates signed by our internal certificate authority (CA).
Some firewalls perform Secure Sockets Layer (SSL) decryption (also known as Deep Packet Inspection (DPI) or SSL Certificate Inspection). Such inspection works by injecting the firewall's own CA into the trusted store and using it to impersonate the accessed service, which is indistinguishable from a man-in-the-middle attack and is treated as one.
In the case of local object storage, inbound traffic on the port the filespace was initialized with must also be enabled. All data and proprietary metadata of the Filespace are client-side encrypted; they never travel in decrypted form, even in LucidLink internal traffic. LucidLink services operate a zero-knowledge policy: even if a firewall attempts to analyze the traffic, it will still be encrypted.
In highly secure or isolated network environments, administrators may need to allow outbound HTTP connections on port 80 to *.amazontrust.com for proper SSL certificate validation. The SSL certificate for https://app.lucidlink.com is issued by Amazon Trust Services and is configured to perform OCSP (Online Certificate Status Protocol) revocation checks via HTTP to Amazon's certificate authority endpoints.
If outbound HTTP traffic on port 80 is blocked, the OCSP revocation check will fail, resulting in an unsuccessful SSL certificate validation and preventing the establishment of secure connections to app.lucidlink.com. To maintain proper certificate validation functionality, environments with restricted outbound HTTP traffic should ensure that port 80 connections to *.amazontrust.com are allowed.
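As an added example (not LucidLink's own tooling), the Python script below builds the outbound allow-list described above for one filespace, checks wildcard entries such as *.amazontrust.com against the OCSP responder URLs carried in a server's certificate, and probes each endpoint so that a blocked port or an SSL-inspecting firewall shows up before the client is deployed. The filespace ID and bucket endpoint it uses are constructed sample values.

```python
import socket
import ssl
from urllib.parse import urlparse

def required_egress(filespace_id, object_store_host, object_store_port=443):
    """The page's outbound allow-list as (host or wildcard pattern, port, purpose)."""
    return [(f"{filespace_id}.fs.lucidlink.com", 443, "filespace metadata"),
            ("discovery-service.lucidlink.com", 443, "discovery service"),
            ("api.lucidlink.com", 443, "web service"),
            (object_store_host, object_store_port, "object storage"),
            ("*.amazontrust.com", 80, "OCSP checks for app.lucidlink.com")]

def host_matches(pattern, host):
    """'*.example.com' covers exactly one label below example.com; else exact match."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]
        return host.endswith(suffix) and "." not in host[:-len(suffix)]
    return host == pattern

def uncovered_ocsp_urls(ocsp_urls, rules):
    """OCSP responder URLs (read from a server certificate) that no rule allows."""
    def allowed(u):
        port = u.port or (443 if u.scheme == "https" else 80)
        return any(host_matches(p, u.hostname or "") and port == rp for p, rp, _ in rules)
    return [url for url in ocsp_urls if not allowed(urlparse(url))]

def probe_tls(host, port=443, timeout=5.0):
    """TLS handshake against the system trust store; returns (issuer org, OCSP URLs).
    A verify error is expected on LucidLink's internal-CA endpoints, but on
    app.lucidlink.com (Amazon Trust Services) a verify error or a non-Amazon
    issuer is how SSL inspection shows up from the client's side."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    return issuer.get("organizationName", "?"), list(cert.get("OCSP", ()))

if __name__ == "__main__":
    # Constructed sample values: the page's example filespace ID and an endpoint in
    # its s3.<region>.amazonaws.com form. Swap in your own (see lucid status).
    rules = required_egress("0a00a00a-bb11-22cc-333d-4e44e44e4444", "s3.eu-west-1.amazonaws.com")
    concrete = [r for r in rules if not r[0].startswith("*.")]  # wildcards: see OCSP URLs
    for host, port, purpose in concrete + [("app.lucidlink.com", 443, "web app")]:
        try:
            issuer, ocsp = probe_tls(host, port)
            print(f"OK  {host}:{port} ({purpose}) issuer={issuer} "
                  f"OCSP responders not in allow-list: {uncovered_ocsp_urls(ocsp, rules)}")
        except (OSError, ssl.SSLError) as exc:
            print(f"ERR {host}:{port} ({purpose}): {exc}")
```

Run it from a client machine behind the firewall; an ERR line on a LucidLink endpoint that is a plain connection error (not a certificate verify error) points at a missing allow-list entry.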
Web app considerations:
The same firewall rules outlined above are also recommended for users accessing their Filespace via the LucidLink web app at https://app.lucidlink.com.
Software:
FUSE (https://en.wikipedia.org/wiki/Filesystem_in_Userspace) will be installed as a dependency on Linux.
LucidFS is a required driver within a Windows and macOS environment and is included within our installation.
Most object storage providers require Transport Layer Security (TLS) 1.1 or greater for SSL connections.