z929669 Posted October 11, 2022 Posted October 11, 2022 May I have the IP address ranges that IPS services will use during upgrade? I want to redirect all IPs but my own and IPS upgrade to a maintenance page while I perform the upgrade. A couple years ago, I had used the following. I'd appreciate confirmation or update: ### IPS support #allow 67.227.215.137; #allow 50.28.55.154; #allow 50.28.75.104; Thanks in advance.
Solution Randy Calvert Posted October 11, 2022 Solution Posted October 11, 2022 (edited) The upgrader connects to remoteservices.invisionpower.com. There is no set number of IP addresses as the site is fronted by CloudFront which as IPs that change potentially for each request. For example, I just tried looking up the site via a DIG and got: ;; ANSWER SECTION: remoteservices.invisionpower.com. 60 IN A 108.138.64.78 remoteservices.invisionpower.com. 60 IN A 108.138.64.121 remoteservices.invisionpower.com. 60 IN A 108.138.64.49 remoteservices.invisionpower.com. 60 IN A 108.138.64.57 From another computer: ;; ANSWER SECTION: remoteservices.invisionpower.com. 17 IN A 13.32.208.15 remoteservices.invisionpower.com. 17 IN A 13.32.208.96 remoteservices.invisionpower.com. 17 IN A 13.32.208.107 remoteservices.invisionpower.com. 17 IN A 13.32.208.25 Your best bet is to whitelist all of Cloudfront's IP ranges as it's impossible to give a fixed IP set. As a short term fix, ping the site right before you do your update and use the IP in your firewall. But remember, it can change literally at anytime. Edited October 11, 2022 by Randy Calvert
z929669 Posted October 11, 2022 Author Posted October 11, 2022 Thanks for the info. Bummer, but will do
Marc Posted October 12, 2022 Posted October 12, 2022 You should really whitelist the domain, and not the IP, for the above reason
Mark H Posted October 12, 2022 Posted October 12, 2022 Just to clarify one item... those 3 IP Addresses provided initially, starting with 50 or 67, were/are the IP Addresses of our corporate VPN, which we in Support would use to connect to your install. However, they are not related to remoteservices.invisionpower.com and would not be used by the ACP automated upgrader, update checks, or license checks, for example; they are used only by IPS Support. As my colleague mentioned, you would need to whitelist the domain rather than an IP, or IP range, in order to be certain not to block a legitimate callout to remoteservices.invisionpower.com during the upgrade. SeNioR- 1
Randy Calvert Posted October 12, 2022 Posted October 12, 2022 (edited) 1 hour ago, Mark H said: Just to clarify one item... those 3 IP Addresses provided initially, starting with 50 or 67, were/are the IP Addresses of our corporate VPN, which we in Support would use to connect to your install. However, they are not related to remoteservices.invisionpower.com and would not be used by the ACP automated upgrader, update checks, or license checks, for example; they are used only by IPS Support. As my colleague mentioned, you would need to whitelist the domain rather than an IP, or IP range, in order to be certain not to block a legitimate callout to remoteservices.invisionpower.com during the upgrade. I was not going to note that in case you did not want it publicly known those were the IPs used for your VPN. When those were shared with me, it was done via PM. As a result, I operated under the impression it was not meant for public posting. 😄 Better coming from you than me. hahaha Edited October 12, 2022 by Randy Calvert SeNioR- and Mark H 1 1
Recommended Posts