Network firewall rules

This article contains information for network teams to prepare their environment for deployment of RemoteSpark.

In this article:
Glossary
Ports to open
DNS
Endpoints
Options for not whitelisting all traffic


Glossary

Web Endpoint: the API the RemoteSpark Client uses to interact with the system

Storage Endpoint: how the system uploads and downloads content

STUN/TURN: how video calls are established between the Expert and the remote worker

Traffic Manager: how the application selects which data centre to use for the application

Note: our cloud-based solution is hosted on Microsoft Azure. For more information on Azure services, see Microsoft's Azure documentation.

Ports to open

  • 443 (TCP)
  • 3478 (TCP/UDP)
  • 5349 (TCP/UDP)

DNS

  • Public DNS resolution

Endpoints

The cloud configuration of RemoteSpark has two possible firewall enablement scenarios:

    • Using Traffic Manager:
      • If you’re going to use the load-balanced Traffic Manager solution to connect to the web service (this is on by default in RemoteSpark), you’ll need to allow the Traffic Manager and CDN endpoints below through your firewall, along with all of the endpoints for every datacentre listed below.
    • Only connecting through a specific datacentre:
      • If you decide you need to use a specific datacentre, you will only need to allow the endpoints associated with that datacentre on the relevant ports through your firewall, along with the CDN endpoint.

    Note: Keep in mind that if only one datacentre is enabled, the benefits of the Traffic Manager solution (increased availability and app response time, improved app performance and content delivery, etc.) are limited. If the chosen datacentre is offline, you will be unable to connect until it comes back online.

    Also note that any users of RemoteSpark who are on a network with single-datacentre firewall rules enabled will need to make sure their application is pointing only to the datacentre you have allowed through the firewall.

    Caution: RemoteSpark updates may require new endpoint rules.

    Traffic Manager endpoint:

    • https://remotespark195.kognitivspark.net

    CDN endpoint:

    • cdn.kognitivspark.com

    Canada Central datacentre endpoints:

    • Web: remotespark195canadacentral.kognitivspark.net
    • Storage: remotesparkcv1195.core.windows.net
    • STUN/TURN: 40.82.189.139

    US Central datacentre endpoints:

    • Web: remotespark195uscentral.kognitivspark.net
    • Storage: remotesparkuscv195.core.windows.net
    • STUN/TURN: 40.67.186.93

    UK West datacentre endpoints:

    • Web: remotespark195ukwest.kognitivspark.net
    • Storage: remotesparkukwv1195.core.windows.net
    • STUN/TURN: 40.81.125.51

    Options for not whitelisting all traffic

    If you choose to select a specific data centre, depending on your network configuration you will need to allow traffic on ports 3478 (TCP/UDP) and 5349 (TCP/UDP).

    If you don’t whitelist all traffic on those two ports, you will need to contact Kognitiv Spark Support to determine the correct IP addresses for those ports.
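
The Python below is an added example, not part of RemoteSpark or its vendor tooling: it builds the egress rule set for either firewall scenario from the endpoints listed on this page and reports which required rules a candidate allowlist is missing. The function names are hypothetical, and the mapping of 443/TCP to the Web, Storage, CDN and Traffic Manager hosts and of 3478/5349 to the STUN/TURN addresses is an assumption.

```python
# Added example: endpoint values are copied from the lists on this page.
# Assumption: Web, Storage, CDN and Traffic Manager use 443/TCP, and each
# STUN/TURN address uses 3478 and 5349 over both TCP and UDP.
TRAFFIC_MANAGER = "remotespark195.kognitivspark.net"
CDN = "cdn.kognitivspark.com"
DATACENTRES = {  # name: (web host, storage host, STUN/TURN address)
    "canadacentral": ("remotespark195canadacentral.kognitivspark.net",
                      "remotesparkcv1195.core.windows.net", "40.82.189.139"),
    "uscentral": ("remotespark195uscentral.kognitivspark.net",
                  "remotesparkuscv195.core.windows.net", "40.67.186.93"),
    "ukwest": ("remotespark195ukwest.kognitivspark.net",
               "remotesparkukwv1195.core.windows.net", "40.81.125.51"),
}
MEDIA_PORTS = (3478, 5349)


def required_rules(datacentre=None):
    """Return the egress rules as a set of (destination, protocol, port).

    datacentre=None is the default Traffic Manager scenario, which needs
    every datacentre; a key of DATACENTRES selects the single-datacentre
    scenario (CDN plus that datacentre only).
    """
    if datacentre is None:
        chosen = list(DATACENTRES.values())
        https_hosts = [TRAFFIC_MANAGER, CDN]
    else:
        chosen = [DATACENTRES[datacentre]]  # KeyError on an unknown name
        https_hosts = [CDN]
    rules = set()
    for web, storage, turn_ip in chosen:
        https_hosts += [web, storage]
        for port in MEDIA_PORTS:
            rules |= {(turn_ip, proto, port) for proto in ("tcp", "udp")}
    rules |= {(host, "tcp", 443) for host in https_hosts}
    return rules


def missing_rules(allowed, datacentre=None):
    """Rules the scenario needs that are absent from the allowed set."""
    return sorted(required_rules(datacentre) - set(allowed))


if __name__ == "__main__":
    for dest, proto, port in sorted(required_rules("ukwest")):
        print(f"allow out {proto}/{port} -> {dest}")
```

Passing an allowlist built for one datacentre to `missing_rules()` with no datacentre argument shows the extra rules the default Traffic Manager configuration would need.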