# Firewall Allowlist
Required domains and ports for Vrex
This page lists all domains and ports that must be allowed through your firewall for Vrex to function.

## Required Ports

| Port | Protocol | Purpose |
|------|----------|---------|
| 443 | HTTPS/TCP | All Vrex traffic |
| 80 | HTTP/TCP | Certificate revocation only |

All Vrex traffic uses HTTPS on port 443. HTTP (port 80) is needed only for some certificate revocation list (CRL) endpoints.

## Core Domains

These domains are required for all Vrex functionality:

```
# Main application
*.vrex.no

# Authentication
*.auth0.com
*.cloudflare.com

# Cloud infrastructure
*.amazonaws.com
*.cloudfront.net
```

## Streaming Domains

Required for VR Streaming (Quest via Portal):

```
# Streaming service
*.innoactive.io
*.innoactive.de

# Video streaming
*.twilio.com
```

## Update Domains

Required for application updates:

```
# Launcher updates
vrex-launcher-releases.s3.eu-north-1.amazonaws.com

# Application updates
vrex-releases.s3.eu-north-1.amazonaws.com
```

## Certificate Revocation

Allow access to CA endpoints for certificate validation:

```
# DigiCert
*.digicert.com
ocsp.digicert.com
crl3.digicert.com
crl4.digicert.com

# Sectigo
*.sectigo.com
ocsp.sectigo.com

# GlobalSign
*.globalsign.com
ocsp.globalsign.com

# Google Trust Services
ocsp.pki.goog

# Let's Encrypt
*.lencr.org
```

## Complete Allowlist

Copy this full list for your firewall configuration:

```
# === Core Services ===
*.vrex.no
*.auth0.com
*.amazonaws.com
*.cloudfront.net
*.cloudflare.com

# === VR Streaming ===
*.innoactive.io
*.innoactive.de
*.twilio.com

# === Updates ===
vrex-launcher-releases.s3.eu-north-1.amazonaws.com
vrex-releases.s3.eu-north-1.amazonaws.com

# === Certificate Revocation ===
*.digicert.com
*.sectigo.com
*.globalsign.com
ocsp.pki.goog
*.lencr.org
```

## IP Ranges

If your firewall requires IP addresses instead of domains, note that Vrex uses:

- AWS (eu-north-1 region primarily)
- Cloudflare CDN
- Auth0 (various regions)

These IP ranges change frequently. **Domain-based rules are strongly recommended.**

## Verification

After configuring your firewall, test connectivity:

```powershell
Test-NetConnection -ComputerName api.vrex.no -Port 443
Test-NetConnection -ComputerName auth.vrex.no -Port 443
Test-NetConnection -ComputerName cdn.vrex.no -Port 443
```

All tests should show `TcpTestSucceeded: True`.
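
`Test-NetConnection` only confirms that the TCP handshake completes. A firewall that filters on hostname can accept the TCP connection and still drop the TLS handshake, so the following added example (not part of the Vrex documentation) also performs the TLS handshake against the same three hostnames and reports the certificate issuer. The function name `Test-TlsEndpoint` and the 5-second timeout are assumptions made for this example.

```powershell
# Added example: TCP connect plus TLS handshake for the hostnames used in the
# Test-NetConnection commands above. Port 443 comes from the Required Ports table.
$hostnames = 'api.vrex.no', 'auth.vrex.no', 'cdn.vrex.no'

function Test-TlsEndpoint {   # hypothetical helper name, not a built-in cmdlet
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,
        [int] $TimeoutMs = 5000   # assumed timeout for this example
    )
    $result = [ordered]@{
        Host = $HostName; Tcp = $false; Tls = $false
        Protocol = $null; Issuer = $null; Error = $null
    }
    $client = [System.Net.Sockets.TcpClient]::new()
    $client.ReceiveTimeout = $TimeoutMs   # stops a silently dropped handshake from hanging
    $client.SendTimeout = $TimeoutMs
    $ssl = $null
    try {
        # Stage 1: plain TCP connect, the same thing Test-NetConnection reports.
        if (-not $client.ConnectAsync($HostName, $Port).Wait($TimeoutMs)) {
            throw "TCP connect timed out after $TimeoutMs ms"
        }
        $result.Tcp = $true

        # Stage 2: TLS handshake with SNI set to the hostname and default
        # certificate validation (chain and name must both check out).
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $result.Tls = $true
        $result.Protocol = $ssl.SslProtocol
        $result.Issuer = $ssl.RemoteCertificate.Issuer
    }
    catch {
        $result.Error = $_.Exception.GetBaseException().Message
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
    [pscustomobject]$result
}

$hostnames | ForEach-Object { Test-TlsEndpoint -HostName $_ } | Format-Table -AutoSize
```

A row with `Tcp` True and `Tls` False means the connection is being blocked or altered after the TCP handshake. The `Issuer` column shows which CA signed the certificate the client actually received.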

## Common Issues

| Symptom | Cause | Solution |
|---------|-------|----------|
| Login fails | auth0.com blocked | Allow *.auth0.com |
| Models don't load | cloudfront.net blocked | Allow *.cloudfront.net |
| Updates fail | S3 blocked | Allow the S3 hostnames listed under Update Domains |
| Streaming fails | innoactive blocked | Allow *.innoactive.io |
