Firewall Exceptions for Network Appliances and Endpoint Agents

Introduction

This guide outlines the required network connections for Field Effect appliances.

To verify that your network appliance is functioning correctly, see Validating Network Coverage.


To learn more about how our appliances communicate with both client devices and Field Effect systems, see:


Requirements: Physical Appliance

All appliance types (primary and remote sensors) establish their primary connection to the secure cloud relay over UDP/443.


You will need your organization’s relay server hostname ($hash) in order to allow traffic through your firewall. This value is unique to your organization and is displayed on the Appliance Status Page after logging in.


Required Outbound Rule

Allow the following outbound connection:

$hash.mobile.fieldeffect.net, UDP/443


  • The required protocol is UDP.
  • This is an outbound rule (appliance → internet).
  • The appliance requires functional DNS:
    • Typically provided by DHCP within your environment. See our appliance installation content.
    • Additional firewall rules may be required depending on your network configuration.


Additional Rules and Traffic:

If your organization permits general HTTPS outbound access (443/TCP), allowing this port will provide fallback connectivity in the event that the relay connection is disrupted.


If the relay becomes unavailable—or if UDP/443 is blocked—the appliance will attempt the following outbound traffic:

  • TCP/22 — SSH to the relay
  • TCP/443 — HTTPS traffic to various systems
  • UDP/3478 — STUN
  • Various UDP ports — WireGuard connections


Requirements: Self-Hosted Virtual Appliance

During initial configuration, the following outbound connections must be allowed:

  • TCP/22 — SSH to the relay
  • TCP/443 — HTTPS to the following systems:
    • login.tailscale.com
    • controlplane.tailscale.com
    • derp1-all.tailscale.com
    • 192.200.0.0/24
  • Allowing outbound UDP traffic is recommended for efficiency but not required.

Post-Configuration Requirements

After configuration is complete, only the standard relay connection is required:

$hash.mobile.fieldeffect.net, UDP/443


HTTPS (TCP/443) outbound is recommended, but optional.


Requirements: Endpoint Agents

When a new endpoint agent is installed, it connects to the following systems to self‑configure:

epid.fieldeffect.net, TCP/443
installlogs.fieldeffect.net, TCP/443


After successful installation, the endpoint attempts to contact the secure cloud relay over TCP/443:

$hash.mobile.fieldeffect.net
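
The following check is an added example, not Field Effect tooling: it compares an exported list of outbound allow rules against the flows listed in this article and reports the ones no rule covers. The rule tuple format, the deployment labels, the `examplehash` placeholder, and the reading of "the relay" as the $hash hostname are assumptions of this example.

```python
import ipaddress
from fnmatch import fnmatch

def requirements(relay_id):
    """Flows listed in this article, per deployment type (labels are this example's own)."""
    relay = f"{relay_id}.mobile.fieldeffect.net"
    return {
        "physical": [(relay, "udp", 443)],
        "virtual-initial": [
            (relay, "tcp", 22),  # assumes "the relay" is the $hash hostname
            ("login.tailscale.com", "tcp", 443),
            ("controlplane.tailscale.com", "tcp", 443),
            ("derp1-all.tailscale.com", "tcp", 443),
            ("192.200.0.0/24", "tcp", 443),
        ],
        "virtual-post": [(relay, "udp", 443)],
        "endpoint": [
            ("epid.fieldeffect.net", "tcp", 443),
            ("installlogs.fieldeffect.net", "tcp", 443),
            (relay, "tcp", 443),
        ],
    }

def dst_covers(rule_dst, want):
    """True if an allow rule's destination covers the wanted host or CIDR."""
    if rule_dst in ("any", want):
        return True
    try:
        return ipaddress.ip_network(want).subnet_of(ipaddress.ip_network(rule_dst))
    except ValueError:
        return fnmatch(want, rule_dst)  # hostname or wildcard, e.g. *.fieldeffect.net

def missing(allow_rules, relay_id, deployment):
    """Return the required flows that no outbound allow rule covers."""
    gaps = []
    for dst, proto, port in requirements(relay_id)[deployment]:
        if not any(dst_covers(r_dst.lower(), dst)
                   and r_proto in (proto, "any") and r_port in (port, "any")
                   for r_dst, r_proto, r_port in allow_rules):
            gaps.append((dst, proto, port))
    return gaps

# Constructed sample policy: HTTPS is allowed, but nothing permits UDP/443 or TCP/22.
RELAY_ID = "examplehash"  # placeholder; use the value from your Appliance Status Page
POLICY = [
    ("*.fieldeffect.net", "tcp", 443),
    ("*.tailscale.com", "tcp", 443),
    ("192.200.0.0/16", "tcp", 443),
]

if __name__ == "__main__":
    for deployment in requirements(RELAY_ID):
        print(deployment, missing(POLICY, RELAY_ID, deployment) or "covered")
```

With the sample policy, the endpoint agent flows are covered, while the physical appliance and post-configuration virtual appliance are reported as missing the UDP/443 relay rule.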
