Network firewall rules

This article contains information for network teams preparing their environment for a RemoteSpark deployment.

In this article:

  • Glossary
  • Ports to open
  • DNS
  • Endpoints
  • Alternative options for not whitelisting all traffic

 

Glossary

Web Endpoint: the API the RemoteSpark Client uses to interact with the system

Storage Endpoint: how the system uploads and downloads content

STUN/TURN: how video calls are established between the Expert and the remote worker

Traffic Manager: how the application selects which data centre to use for the application

Note: our cloud-based solution is hosted on Microsoft Azure. For more information on Azure services, see here.

 

Ports to open

  • 443 (TCP)
  • 3478 (TCP/UDP)

 

DNS

  • Public DNS resolution

 

Endpoints

The cloud configuration of RemoteSpark requires users to allow the Traffic Manager endpoint, the CDN endpoint, and each of the datacentre endpoints through their firewall.

  • Benefits of using Traffic Manager: increased availability and app response time, improved app performance and content delivery, along with DNS-based load balancing. If a specific datacentre is offline for any reason, your ability to connect to RemoteSpark services and perform video calls is not affected when using Traffic Manager.
  • By default, Traffic Manager in RemoteSpark (shown as RemoteSpark Cloud in the RemoteSpark Client settings page) will route your connection to the fastest available datacentre. Most often this is the one geographically closest to the user, but it can vary depending on traffic and other factors.

Note: allowing only one of the specific datacentres through your firewall is not supported by our Service Level Agreement. Please contact your account team if you have questions about architecture or security layers in RemoteSpark.

Caution: RemoteSpark updates may require new endpoint rules.

Traffic Manager endpoint:

  • https://remotespark1990.kognitivspark.net/api/

CDN endpoint:

  • cdn.kognitivspark.com

North America datacentre endpoints:

  • Web: https://remotespark1990noramer.kognitivspark.net/api/
  • Storage: https://remotespark1990noramersa.blob.core.windows.net/
  • STUN/TURN: 40.67.186.93

Europe datacentre endpoints:

  • Web: https://remotespark1990europe.kognitivspark.net/api/
  • Storage: https://remotespark1990europesa.blob.core.windows.net/
  • STUN/TURN: 40.81.125.51

South America datacentre endpoints:

  • Web: https://remotespark1990souamer.kognitivspark.net/api/
  • Storage: https://remotespark1990souamersa.blob.core.windows.net/
  • STUN/TURN: 20.197.230.22

South America STUN/TURN IP new as of 2021-05-25

STUN/TURN Redundancies

In the unlikely event that our (Azure's) STUN/TURN servers go offline, we have the following redundancies in place to ensure that there is no interruption in service. Please ensure that they're added to your firewall settings for good measure.

  • global.turn.twilio.com
  • stun.google.com

     

Options for not whitelisting all traffic

If you choose to select a specific data centre, depending on your network configuration you will need to allow traffic on ports 3478 (TCP/UDP) and 5349 (TCP/UDP).

If you don’t whitelist all traffic on those two ports, you will need to contact Kognitiv Spark Support to determine the correct IP addresses for those ports.
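An added example (not part of the original article or Kognitiv Spark's own tooling): a gap check that compares an exported egress allowlist against the rules listed under Ports to open and Endpoints, which also catches the unsupported single-datacentre setup. The allowlist format (one `host port proto` per line), the function names, the CDN being served on 443/TCP, and the redundancy hosts using port 3478 are assumptions.

```python
from urllib.parse import urlparse

# HTTPS endpoints from this article: Traffic Manager, then Web/Storage per datacentre.
HTTPS_URLS = [
    "https://remotespark1990.kognitivspark.net/api/",
    "https://remotespark1990noramer.kognitivspark.net/api/",
    "https://remotespark1990noramersa.blob.core.windows.net/",
    "https://remotespark1990europe.kognitivspark.net/api/",
    "https://remotespark1990europesa.blob.core.windows.net/",
    "https://remotespark1990souamer.kognitivspark.net/api/",
    "https://remotespark1990souamersa.blob.core.windows.net/",
]
CDN_HOST = "cdn.kognitivspark.com"  # assumption: served over 443/TCP
# STUN/TURN IPs and redundancy hosts; assumption: redundancies also use 3478 TCP/UDP.
STUN_TURN_HOSTS = ["40.67.186.93", "40.81.125.51", "20.197.230.22",
                   "global.turn.twilio.com", "stun.google.com"]

def required_rules():
    """Every (host, port, protocol) egress rule the article asks for."""
    rules = {(urlparse(u).hostname, 443, "tcp") for u in HTTPS_URLS}
    rules.add((CDN_HOST, 443, "tcp"))
    for host in STUN_TURN_HOSTS:
        rules |= {(host, 3478, "tcp"), (host, 3478, "udp")}
    return rules

def parse_allowlist(text):
    """Parse 'host port proto[/proto]' lines (hypothetical export format)."""
    rules = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # '#' starts a comment
        if fields:
            host, port, protos = fields
            rules |= {(host.lower(), int(port), p) for p in protos.lower().split("/")}
    return rules

def missing_rules(allowlist_text):
    """Required rules absent from the allowlist, sorted for stable output."""
    return sorted(required_rules() - parse_allowlist(allowlist_text))

# Constructed sample: one datacentre only, and UDP forgotten for STUN/TURN.
SAMPLE_ALLOWLIST = """
remotespark1990.kognitivspark.net 443 tcp
cdn.kognitivspark.com 443 tcp
remotespark1990noramer.kognitivspark.net 443 tcp
remotespark1990noramersa.blob.core.windows.net 443 tcp
40.67.186.93 3478 tcp   # North America STUN/TURN
"""

if __name__ == "__main__":
    print(*missing_rules(SAMPLE_ALLOWLIST), sep="\n")
```

Because RemoteSpark updates may require new endpoint rules, refresh the endpoint lists from the current article before re-running the check.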