# Network Requirements
Firewall, proxy, and connectivity requirements for Vrex
This guide covers the network configuration needed to run Vrex in enterprise environments.

## Overview

Vrex requires HTTPS connectivity to several cloud services. Most corporate networks work without changes, but environments with strict firewalls, SSL inspection, or proxy servers may need configuration.

## Required Domains

Allow outbound HTTPS (port 443) to these domains:

### Core Services

| Domain | Purpose |
|--------|---------|
| `*.vrex.no` | Main application and API |
| `*.auth0.com` | Authentication |
| `*.amazonaws.com` | Cloud storage and compute |
| `*.cloudfront.net` | CDN for assets |

### Streaming (Quest VR)

| Domain | Purpose |
|--------|---------|
| `*.innoactive.io` | Portal streaming service |
| `*.innoactive.de` | Streaming infrastructure |

### Updates

| Domain | Purpose |
|--------|---------|
| `vrex-launcher-releases.s3.eu-north-1.amazonaws.com` | Launcher updates |
| `vrex-releases.s3.eu-north-1.amazonaws.com` | Application updates |

## Proxy Configuration

### WinHTTP vs Browser Proxy

Vrex uses **WinHTTP** for network requests, not browser proxy settings.

To configure the system proxy:

```powershell
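# Run from an elevated prompt. Include https=: Vrex traffic is HTTPS, and http= alone only covers plain HTTP.
netsh winhttp set proxy proxy-server="http=proxy.company.com:8080;https=proxy.company.com:8080"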
```

To verify current settings:

```powershell
netsh winhttp show proxy
```

### SSL Inspection

If your proxy performs SSL inspection, ensure:

1. The proxy's root certificate is in the Windows certificate store
2. Certificate revocation checks (CRL/OCSP) are not blocked
3. The proxy doesn't modify response headers for Vrex domains

## Certificate Revocation

Vrex validates certificates via CRL and OCSP. If revocation checks fail, connections will be rejected.

**Common issues:**

- CRL endpoints blocked by firewall
- OCSP responders unreachable
- Proxy interfering with revocation checks

**Solution:** Allow access to certificate authority endpoints (typically `*.digicert.com`, `*.sectigo.com`, etc.)
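
To check the SSL Inspection and Certificate Revocation requirements from a specific workstation, the function below reports who issued the certificate an endpoint presents and which CRL, OCSP, and CA URLs its chain references. It is an added example, not part of Vrex's tooling: `Get-VrexCertificateReport` is a hypothetical name, the host names are the ones used in the diagnostic script under Testing Connectivity, and it assumes TCP 443 to the host is reachable directly or through a transparent proxy.

```powershell
# Added example, not Vrex tooling. Assumes TCP 443 to the host is reachable directly
# or through a transparent proxy (it does not tunnel through an explicit proxy).
function Get-VrexCertificateReport {   # hypothetical helper name
    param([Parameter(Mandatory)] [string] $HostName, [int] $Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($HostName, $Port)
        # Accept whatever is presented: the goal is to inspect it, not to trust it.
        $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Build the chain with online revocation checking (CRL/OCSP fetched over the network).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
        $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
        $trusted = $chain.Build($leaf)

        # CDP (2.5.29.31) and AIA (1.3.6.1.5.5.7.1.1) extensions carry the CA URLs to allow.
        $urls = foreach ($element in $chain.ChainElements) {
            $element.Certificate.Extensions |
                Where-Object { $_.Oid.Value -in '2.5.29.31', '1.3.6.1.5.5.7.1.1' } |
                ForEach-Object { [regex]::Matches($_.Format($false), 'URL=([^\s,]+)') } |
                ForEach-Object { $_.Groups[1].Value }
        }
        $last = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

        [pscustomobject]@{
            Host           = $HostName
            LeafIssuer     = $leaf.Issuer
            ChainRoot      = $last.Subject
            ChainTrusted   = $trusted
            ChainStatus    = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            CaEndpointUrls = @($urls | Sort-Object -Unique)
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

# Host names taken from the diagnostic script in Testing Connectivity.
'api.vrex.no', 'cdn.vrex.no', 'auth.vrex.no' |
    ForEach-Object { Get-VrexCertificateReport -HostName $_ } | Format-List
```

A `ChainRoot` that names your organisation's CA means SSL inspection is active for that host. `RevocationStatusUnknown` or `OfflineRevocation` in `ChainStatus` means the revocation endpoints listed in `CaEndpointUrls` could not be reached from this machine.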

## Testing Connectivity

Run the diagnostic PowerShell script to verify all endpoints are reachable:

```powershell
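# Endpoints to probe over HTTPS.
$urls = @(
    "https://api.vrex.no",
    "https://cdn.vrex.no",
    "https://auth.vrex.no"
)

foreach ($url in $urls) {
    try {
        $response = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
        Write-Host "OK: $url ($($response.StatusCode))" -ForegroundColor Green
    } catch {
        $httpResponse = $_.Exception.Response
        if ($httpResponse) {
            # Invoke-WebRequest throws on 4xx/5xx. DNS, TCP, and TLS worked, but check
            # the status: the answer may come from the endpoint or from a proxy.
            Write-Host "WARN: $url (HTTP $([int]$httpResponse.StatusCode))" -ForegroundColor Yellow
        } else {
            # No HTTP response at all: DNS, TCP, TLS, or proxy failure.
            Write-Host "FAIL: $url ($($_.Exception.Message))" -ForegroundColor Red
        }
    }
}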
```

## Troubleshooting

| Symptom | Likely Cause | Solution |
|---------|--------------|----------|
| "Cannot check access" | Proxy or firewall | Check WinHTTP proxy config |
| Slow initial load | SSL inspection latency | Bypass inspection for Vrex domains |
| Auth loop | Cookie blocking | Allow third-party cookies for auth0.com |
| Model won't load | CDN blocked | Allow cloudfront.net |
