Firewall whitelisting
Overview
The Giraffe Cloud is a publicly available, multi-tenant SaaS application. All communication between the Edge Controllers, the Giraffe Cloud and the end user devices (laptops, mobiles) is encrypted.
Ports
The Giraffe Cloud communicates with Edge Controllers on the following ports. These are outbound ports, we assume
443 (TCP): Communication from the Edge Controller to the Giraffe API. Destinations: *.onvp.io, *.onvp.net
1194 (UDP or TCP)*: VPN connection from the Edge Controller to the Giraffe API. Destinations: *.onvp.io, *.onvp.net
3478 (UDP or TCP)*: STUN connections from Edge Controller to Giraffe STUN and TURN servers. Destinations: *.onvp.io, *.onvp.net
5349 (TCP)*: STUN connections from Edge Controller to Giraffe STUN and TURN servers. Destinations: *.onvp.io, *.onvp.net
123 (NTP): NTP requests from the Edge Controller to time servers. Destinations: time.google.com, time.onvp.io
*Note that the Edge Controller can connect over TCP 443 if UDP 1194 is not open. However, performance will be suboptimal because the VPN then has to tunnel TCP over TCP. The Edge Controller will not connect via TCP 443 automatically; contact Giraffe Support if you wish to have this enabled on your account.
The web and mobile clients communicate with the Giraffe Cloud on the following ports:
443 (TCP): General HTTPS web traffic to the Giraffe API.
1194 (UDP or TCP)*: STUN connections from Edge Controller to Giraffe STUN and TURN servers
3478 (UDP or TCP)*: STUN connections from Edge Controller to Giraffe STUN and TURN servers
5349 (TCP)*: STUN connections from Edge Controller to Giraffe STUN and TURN servers
*Note that the Edge Controller will attempt connections over 443 if these ports are not open. However, performance will be suboptimal.
The Edge Controllers do not require any inbound ports to be opened and static IP addresses are not required on mobile routers. All communication is established from the Edge Controller to the Giraffe Cloud, and reverse communication is tunnelled over an automatically provisioned VPN connection.
From a security perspective, we do not recommend opening any inbound ports towards the Edge Controller.
The Giraffe Cloud APIs are hosted on ephemeral nodes and their IP addresses are subject to change, which is why they are not listed here. If you wish to firewall your devices so that they can only connect to Giraffe servers, please contact us for details.
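The following is an added example, not Giraffe's own tooling: it audits an egress policy against the Edge Controller port list above and flags inbound allow rules, which this page says are not needed. The Rule model, first-match evaluation with default deny, the sample policy, and treating either protocol as sufficient for a "UDP or TCP" port are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

DOMAINS = ["*.onvp.io", "*.onvp.net"]
# Outbound requirements from the port list above; NTP (123) is checked as UDP.
REQUIRED = [
    (443, ["tcp"], DOMAINS),
    (1194, ["tcp", "udp"], DOMAINS),
    (3478, ["tcp", "udp"], DOMAINS),
    (5349, ["tcp"], DOMAINS),
    (123, ["udp"], ["time.google.com", "time.onvp.io"]),
]

@dataclass(frozen=True)
class Rule:  # hypothetical rule model, not a Giraffe or firewall-vendor format
    direction: str  # "out" or "in", relative to the Edge Controller
    proto: str      # "tcp", "udp" or "any"
    port: int       # 0 means any port
    dest: str       # hostname pattern, "*" means anywhere
    action: str     # "allow" or "deny"

def allowed(rules, proto, port, dest):
    """First matching outbound rule wins; no match is treated as deny."""
    for r in rules:
        if (r.direction == "out" and r.proto in (proto, "any")
                and r.port in (port, 0) and fnmatch(dest, r.dest)):
            return r.action == "allow"
    return False

def audit(rules):
    findings = []
    for port, protos, dests in REQUIRED:
        for dest in dests:
            # A rule must cover the whole required pattern, not one host in it.
            if not any(allowed(rules, p, port, dest) for p in protos):
                findings.append(f"blocked: {port}/{'|'.join(protos)} -> {dest}")
    for r in rules:
        if r.direction == "in" and r.action == "allow":
            findings.append(f"inbound allow not needed: {r.proto}/{r.port}")
    return findings

# Constructed sample policy (not from the page).
SAMPLE_POLICY = [
    Rule("out", "tcp", 443, "*", "allow"),
    Rule("out", "udp", 1194, "*.onvp.io", "allow"),
    Rule("out", "udp", 3478, "*.onvp.io", "allow"),
    Rule("out", "udp", 3478, "*.onvp.net", "allow"),
    Rule("out", "udp", 123, "time.google.com", "allow"),
    Rule("in", "tcp", 8554, "*", "allow"),
]
```

Calling audit(SAMPLE_POLICY) reports the gaps in the constructed policy: 1194 towards *.onvp.net, 5349 towards both domains, NTP towards time.onvp.io, and the unnecessary inbound rule.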
WebRTC connections
The Giraffe platform uses WebRTC to transmit live video from the Edge Controller to the viewing device (similar to how video conferencing works). WebRTC will attempt to find an inbound port that it can use to establish a direct connection. Depending on the type of NAT present, this might not be possible.
If a direct tunnel cannot be established, we fall back to a TURN server based connection.