Firewall Exceptions

The S&T border firewall blocks all inbound connections by default. Firewall exceptions are granted only for approved services and are subject to auditing, verification, and possible revocation.

If your request is for outbound network access, no exception is required—outbound connections are allowed by default.

To request an exception, you must submit a TDX ticket (see “How to Request an Exception” below).

Auditing

All approved firewall exceptions are subject to ongoing security review.

  • Systems are routinely scanned for vulnerabilities
  • Critical vulnerabilities will prevent approval
  • Approved exceptions will be suspended on discovery of critical vulnerabilities
  • Important vulnerabilities must be remediated to maintain access
  • Verified third-party vulnerability reports may result in temporary suspension until resolved

All systems must be:

  • Fully patched with current security updates
  • Configured with appropriate protections where applicable (e.g., fail2ban, key-based SSH authentication)

Verification

Firewall exceptions are approved for specific services only.

  • Running services other than those approved may result in suspension or revocation
  • Additional features or capabilities (e.g., web server modules like PHP) must be reviewed by Information Security before approval

Revocation

Information Security may suspend or revoke a firewall exception at any time to protect the University network, systems, or data.

If an exception is revoked, the requestor will be notified automatically through the system.
Additional Notes

  • Restricting access to specific IP addresses or networks is strongly recommended when possible
  • Using non-standard ports is acceptable, but does not affect how exceptions are evaluated

How to Request an Exception

All firewall exception requests must be submitted through TDX.

When submitting your request, include:

  • A clear and specific justification for the exception
  • The service(s) requiring access (not just ports)
  • Any relevant protocols and ports (for clarification only)
  • Any source IP addresses or networks that should be allowed (if access should be restricted)

Note: Exceptions are granted to services, not ports. Only traffic matching the approved service will be allowed, regardless of port number.