FAQ: Can I run Portmaster on a server? #707

dhaavi commented Jun 23, 2022

Portmaster is currently built for desktops that have a physical graphical interface. That said, you can run Portmaster on a server if done correctly.

Backup Access

If at all possible, make sure to test your backup access to the server in case you lock yourself out.

Prepare Config File

We'll need to write our config file ourselves and place it on the server before we install Portmaster so that we don't lock ourselves out. You can either use an existing Portmaster instance to configure your settings and then copy the config.json file from the data directory, or you can build it from scratch. Below is a template as a starting point. Now, let's go through the settings you want to change:

  • API Listen Address
    • By default, Portmaster only listens on localhost. Change this to 0.0.0.0:817 to enable connections from anywhere.
  • Incoming Rules
    • You need to additionally allow from where connections to the Portmaster API are allowed. Scope this as narrow as possible.
    • We can't configure rules for applications in config.json, so we add only global rules for now and can switch to per-app after install.
      • (First add app rule, test, and then remove the global rule!)
    • Also, allow other management protocols so you can still access your server, such as SSH or RDP.
  • Development Mode
    • ⚠️ While Portmaster has support for API Keys, these are not yet supported for logging into the UI. This means you will need to activate Development Mode for now, to allow access to the UI.
  • Automatic Updates
    • Portmaster uses automatic updates to stay up to date. Depending on your use case, this might not be what you want.
    • We haven't yet split the automatic update system into binaries and intelligence data, so disabling this will cut you off from intelligence data updates.
      • Until we have support for splitting this, you should manually update regularly by pressing the "Download Updates" button in the tools menu.

If you run Portmaster on a private network you have access to, then this might be enough. If you want to access Portmaster via a public network, more caution and work is needed.

⚠️ Portmaster does not support HTTPS for the UI. You will need to take care of this yourself. We recommend using something like Traefik or Caddy as a reverse proxy for automatic HTTPS.

config.json template with multiple options - delete the ones you don't need:

{
  "core": {
    "automaticUpdates": false,
    "devMode": true,
    "expertiseLevel": "developer",
    "listenAddress": "0.0.0.0:817"
  },
  "filter": {
    "serviceEndpoints": [
      "+ Localhost",
      "+ * TCP/SSH # Allow remote SSH access from anywhere",
      "+ * */3389 # Allow remote RDP access from anywhere",
      "+ * TCP/817 # Allow remote access to Portmaster from anywhere",
      "+ LAN TCP/817 # Allow remote access to Portmaster from LAN only"
    ]
  }
}

You may also want to validate the JSON before using your config.

Place Config File

Before installing, we need to place the config file:

  • Windows: C:\ProgramData\Safing\Portmaster\config.json
  • Linux: /opt/safing/portmaster/config.json

Install Portmaster

Then, run the installer for Portmaster on the server. If everything went well, then you should still have access to your server and to the Portmaster UI in the way you configured.


Keywords: server, automatic updates, production, remote access, API, HTTP, authentication

Categories: Compatibility

@dhaavi dhaavi added the faq label Jun 23, 2022
@safing safing locked and limited conversation to collaborators Jun 23, 2022
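One way to validate the config before placing it, as an added example that is not part of the original post or the Portmaster project: it parses the JSON and flags the exposure settings the FAQ warns about. The rule syntax is inferred only from the template's strings, the finding names are made up for this sketch, and rule ordering is not evaluated.

```python
import json

# Constructed sample: the template from the post, with every option left in.
SAMPLE = json.dumps({
    "core": {"automaticUpdates": False, "devMode": True,
             "expertiseLevel": "developer", "listenAddress": "0.0.0.0:817"},
    "filter": {"serviceEndpoints": [
        "+ Localhost",
        "+ * TCP/SSH # Allow remote SSH access from anywhere",
        "+ * */3389 # Allow remote RDP access from anywhere",
        "+ * TCP/817 # Allow remote access to Portmaster from anywhere",
        "+ LAN TCP/817 # Allow remote access to Portmaster from LAN only",
    ]},
})

def parse_rule(rule):
    """Split '+ * TCP/817 # note' into (action, scope, port).
    Rule syntax is inferred from the template strings only (assumption)."""
    parts = rule.split("#", 1)[0].split()
    if len(parts) < 2 or parts[0] not in ("+", "-"):
        raise ValueError(f"unrecognised rule: {rule!r}")
    port = parts[2].rpartition("/")[2].upper() if len(parts) > 2 else ""
    return parts[0], parts[1], port

def review_config(text):
    """Return finding codes for a server config.json; raises on invalid JSON."""
    cfg = json.loads(text)
    core = cfg.get("core", {})
    rules = [parse_rule(r) for r in cfg.get("filter", {}).get("serviceEndpoints", [])]
    allowed = [(scope, port) for action, scope, port in rules if action == "+"]
    findings = []
    host, _, api_port = core.get("listenAddress", "").rpartition(":")
    if host not in ("", "127.0.0.1", "localhost"):  # API reachable off-box
        scopes = [scope for scope, port in allowed if port == api_port]
        if not scopes:
            findings.append("api-port-not-allowed")     # UI would be unreachable
        if "*" in scopes:
            findings.append("api-open-to-anywhere")     # scope this narrower
        if core.get("devMode"):
            findings.append("devmode-with-remote-api")  # Development Mode exposed remotely
    if not any(port in ("SSH", "22", "3389") for _, port in allowed):
        findings.append("no-management-rule")           # lockout risk
    if core.get("automaticUpdates") is False:
        findings.append("manual-updates-required")
    return findings

if __name__ == "__main__":
    print(review_config(SAMPLE))
```

An empty result means none of these checks fired; it does not replace testing backup access before the install.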

dhaavi commented Jun 23, 2022

Reserved.
