Radu, thanks for your answer.

"HTTP / HTTPS to all domain atlassian.com."

Yes, that would be my first guess as weel. However, a network capture tells me that JIRA is contacting "63-246-22-216.contegix.com". I understand that Contegix is Atlassian's hosting partner (http://confluence.atlassian.com/display/EHOSTING/Contegix+Hosting), so I guess I need to add that as well.

Anything else?

I never caught it going to contengix.com (but, of course, I believe you). But my advice would be that if you want to secure it as much as possible, cut all and install manually the needed plugins.

Prevent the UPM from even attempting it with -Dupm.pac.disable=true.

Thanks again. Here is the summary I will submit to my IT dept:

Protocols/ports:

• User interface: HTTPS/8443
• JIRA e-mail notification: outgoing SMTP/25.
• Allow for incoming SMTP, so that users can reply to notification e-mail (rather than using the Web user interface)
• Database server: MySQL/3306. Currently running on the JIRA server itself.
• JIRA management: HTTPS/8443
• JIRA management also needs outgoing access to the Internet: HTTP/80 and HTTPS/443. Known servers are *.atlassian.com and *contegix.com. Other servers may be needed in the future.
• Linux management, including JIRA maintenance: SSH/22
• System e-mail: SMTP/25.
• File upload/download: SFTP/22, also occasionally using Windows File Sharing (Samba) on our lab server

I am not mentioning other protocols such as DNS or NTP which I assume are part of the corporate network infrastructure.

Did I miss anything?

Your question was about access through the firewall to the public internet. Nearly none of those ports should be through the firewall, eg your SMTP server, database etc will all be inside the firewall.

Completing Jamie's answer: if you plan to use Jira ONLY from your corporate network, you should not allow even incoming http and https from Internet. Otherwise, completely agree with his comment above.

Yes, your systems admin guys will be fired if they agreed to what you are suggesting anyway;-) Particularly ssh - if that was allowed we wouldn't have the fun of doing reverse tunnelling through socks proxies.

Yes, almost all of the network connections I listed are bound to remain within the corporate network. The only one that might be allowed (depending on the paranoid IT guys ;-) is this one:

• JIRA management also needs outgoing access to the Internet: HTTP/80 and HTTPS/443. Known servers are *.atlassian.com and *contegix.com. Other servers may be needed in the future.

Thanks again for your comments. I consider the question answered.