User manual

Page 37
877-877-2269 | blackbox.com/Coalesce
Appendix D: Coalesce Security
D.2 Network, Ports and Traffic
Network communication to and from the Coalesce is restricted to the ports that Coalesce requires; other ports are not open on
the device. In networking modes where the Coalesce is deployed on an existing network, the following ports must be open
(on the network path and on any firewall between users and the unit) so that traffic from users can reach the Coalesce.
Table D-1. Network ports and traffic.

Required ports
  TCP 53100   Base communication port; used to establish connections between clients and the Coalesce unit.*
  TCP 53101   All session traffic.
  TCP 53102   Control traffic and thumbnails transmitted to connected clients.

Optional ports
  TCP 80      Remote configuration port, and support for the QuickConnect feature that lets users connect directly from
              a web browser.
  TCP 443     Needed for licensing and software updates on the unit.
  TCP 53200   Display naming and discovery (see the Coalesce Directory Services (CDS) User Guide).

* The base communication port can be changed. The two follow-on ports are always base+1 and base+2, so they move with
it: for example, a base port of 54000 gives the range 54000-54002, and firewall rules must be updated accordingly.
D.3 Encryption
Network traffic between clients and a Coalesce can be encrypted for additional security. Encryption is enabled in the
configuration panel on the Coalesce itself or in Coalesce Central. When enabled, all network traffic between the Coalesce and
client devices is encrypted using a 2048-bit key, and traffic between the centralized dashboard and the Coalesce is encrypted
as well. Browser-based access to Coalesce Web Configuration uses OpenSSL and HTTPS when encryption is enabled. Note that
encryption is off until it is enabled; after turning it on, confirm from a client that browser configuration is served over
HTTPS (TCP 8443, see D.4) rather than plain HTTP.
D.4 Coalesce Base Port Scan Results
The Coalesce only exposes a limited set of TCP ports that are required for Coalesce operation. These ports are:
• 80, 8008, 8009, 8080 – Standard HTTP traffic. Web browser configuration, QuickConnect download of clients from the
Coalesce, Browser Look-In support.
• 8443 – SSL HTTP traffic. Encrypted traffic for configuration and management via browsers.
• 53100-53102 – Coalesce communications. Used for interaction, video sharing, and device sharing. The base port of this range
is configurable; the other two ports follow it at base+1 and base+2.
TCP 443 from Table D-1 does not appear here because the table lists it for licensing and software updates, i.e. traffic the
unit itself initiates, not a service the unit listens on. A scan of the unit from the client network should therefore show
only the ports above (plus 53200 when Coalesce Directory Services is in use); anything else open warrants investigation.
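The following script is an added example; it is not part of the Coalesce documentation or of any Black Box software. It audits a port scan of a unit against the ports in Table D-1 and the listening ports in this section, taking the configurable base port into account so that a moved 53100-53102 block is not misreported. It assumes nmap's grepable (-oG) output format; the scan text, the address 192.0.2.10, the moved base port 54000 and the stray SSH listener on port 22 are constructed for illustration, not captured from a real unit.

```python
"""Audit a Coalesce port scan against the documented listening ports.

Added example, not Black Box code.  Assumes nmap grepable (-oG) output;
the sample scan below is constructed, not a capture from a real unit.
"""
import re

# Ports the unit listens on, per section D.4.  The 53100-53102 block is
# relative to the configurable base port, so it is generated rather than
# hard-coded.
DEFAULT_BASE_PORT = 53100
HTTP_PORTS = {80, 8008, 8009, 8080}   # web config, QuickConnect, Browser Look-In
HTTPS_PORTS = {8443}                  # encrypted configuration/management
DIRECTORY_PORTS = {53200}             # CDS display naming/discovery (optional)


def coalesce_session_ports(base=DEFAULT_BASE_PORT):
    """Base communication port plus the two follow-on ports (base+1, base+2)."""
    if not 1 <= base <= 65533:
        raise ValueError("base port must leave room for base+1 and base+2")
    return {base, base + 1, base + 2}


def expected_listeners(base=DEFAULT_BASE_PORT, directory_enabled=False):
    """Set of TCP ports a correctly configured unit should have open."""
    allowed = HTTP_PORTS | HTTPS_PORTS | coalesce_session_ports(base)
    if directory_enabled:
        allowed |= DIRECTORY_PORTS
    return allowed


# nmap -oG port entries look like "22/open/tcp//ssh///"
_PORT_RE = re.compile(r"(\d+)/(\w+)/(tcp|udp)")


def parse_grepable(scan_text):
    """Return {(proto, port): state} for every port entry in nmap -oG output."""
    result = {}
    for line in scan_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        # The Ports field runs until the next tab-separated field.
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for port, state, proto in _PORT_RE.findall(ports_field):
            result[(proto, int(port))] = state
    return result


def audit(scan_text, base=DEFAULT_BASE_PORT, directory_enabled=False):
    """Compare open TCP ports in a scan with the documented set.

    Returns (unexpected_open, documented_but_closed), both sorted lists.
    """
    allowed = expected_listeners(base, directory_enabled)
    scanned = parse_grepable(scan_text)
    open_tcp = {port for (proto, port), state in scanned.items()
                if proto == "tcp" and state == "open"}
    return sorted(open_tcp - allowed), sorted(allowed - open_tcp)


# Constructed sample: the base port has been moved to 54000, 8443 is closed
# (encryption not yet enabled) and an undocumented SSH listener is present.
SAMPLE_SCAN = (
    "# Nmap 7.94 scan initiated as: nmap -p- -oG - 192.0.2.10\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "8008/open/tcp//http///, 8009/open/tcp//ajp13///, "
    "8080/open/tcp//http-proxy///, 8443/closed/tcp//https-alt///, "
    "54000/open/tcp//unknown///, 54001/open/tcp//unknown///, "
    "54002/open/tcp//unknown///\tIgnored State: filtered (65526)\n"
)

if __name__ == "__main__":
    unexpected, missing = audit(SAMPLE_SCAN, base=54000)
    print("unexpected open ports:", unexpected)      # [22]
    print("documented but not open:", missing)       # [8443]
```

Run it against a real scan with `nmap -p- -oG - <unit-ip>` piped into `audit()`, passing the base port you configured; with the default base the moved 54000-54002 block is reported as unexpected and 53100-53102 as missing, which is exactly the mismatch a stale firewall rule set would produce.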
D.5 Operating System Security Considerations
The Coalesce appliance has been engineered for secure deployment behind the corporate firewall. Users cannot access the
Coalesce's underlying operating system or firmware, and new software cannot be installed on the Coalesce unless it is a
certified software update from Black Box. The Coalesce runs on the Android operating system, and the following modifications
have been made in the interest of security:
• Android Debug Bridge (ADB) is disabled. Users cannot use the debug bridge to open terminal access to the unit.
• Android configuration is disabled. Users cannot access or modify the Android configuration settings.
• Coalesce is installed as the Android launcher process and other launchers are disabled. Users cannot reach a launcher to
open other applications or access other processes on the unit. Even if Coalesce crashes, it is restarted as the launcher
process.
• Shell tunneling is disabled. Without access to ADB, users cannot open a shell on the Coalesce and run commands.
• Root access is disabled. Should a user gain access to the unit, the root commands ("su" and "sudo") have been removed from
the Android image, so there is no way to run a process as root.