Firewall Exceptions for Network Appliances and Endpoint Agents

Introduction

This article outlines the network connections that are required for Field Effect appliances.


To verify that your network appliance is functioning correctly, see Validating Network Coverage.




To learn more about how our appliances communicate with both client devices and Field Effect systems, see:


Requirements: Physical Appliance

All appliances (primary and remote sensors) establish a primary connection to our secure cloud relay using UDP/443.


You will need to allow traffic to the relay's server hostname ($hash) through your organization's firewall. This hostname is unique to your organization and can be found on the Appliance Status Page.


Required Outbound Rule

The following outbound connection must be allowed on your organization's firewall. Replace the <$hash> in the code block below from 

$hash.mobile.fieldeffect.net, UDP/443


  • The required protocol is UDP.
  • This is an outbound rule (appliance → internet).
  • The appliance requires functional DNS:
    • Typically provided by DHCP within your environment. See our appliance installation content.
    • Additional firewall rules may be required depending on your network configuration.


Additional Rules and Traffic:

If your organization permits general HTTPS outbound access (443/TCP), allowing this port will provide fallback connectivity in the event that the relay connection is disrupted.


If the relay becomes unavailable—or if UDP/443 is blocked—the appliance will attempt the following outbound traffic:

  • TCP/22 — SSH to the relay
  • TCP/443 — HTTPS traffic to various systems
  • UDP/3478 — STUN
  • Various UDP ports — WireGuard connections


Requirements: Self-Hosted Virtual Appliance

During initial configuration, the following outbound connections must be allowed:

  • TCP/22 — SSH to the relay
  • TCP/443 — HTTPS to the following systems:
    • login.tailscale.com
    • controlplane.tailscale.com
    • derp1-all.tailscale.com
    • 192.200.0.0/24
  • Allowing outbound UDP traffic is recommended for efficiency but not required.

Post-Configuration Requirements

After configuration is complete, only the standard relay connection is required:

$hash.mobile.fieldeffect.net, UDP/443


HTTPS (TCP/443) outbound is recommended, but optional.


Requirements: Endpoint Agents

When a new endpoint agent is installed, it connects to the following systems to self‑configure:

epid.fieldeffect.net, TCP/443
installlogs.fieldeffect.net, TCP/443


After successful installation, the endpoint attempts to contact the secure cloud relay over TCP/443:

$hash.mobile.fieldeffect.net
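
The mandatory flows from the three requirement sections above can be checked against an egress allowlist before deployment. This is an added example, not Field Effect code: the rule tuple format `(destination, protocol, port)`, the `examplehash` placeholder and all function names are assumptions made for illustration, and it assumes "the relay" on TCP/22 is the same $hash hostname.

```python
import ipaddress
from fnmatch import fnmatch

def required_flows(org_hash):
    """Mandatory outbound flows listed in this article, keyed by device role."""
    relay = f"{org_hash}.mobile.fieldeffect.net"
    return {
        "physical": [(relay, "udp", 443)],
        "virtual-setup": [
            (relay, "tcp", 22),  # assumption: "the relay" is the $hash hostname
            ("login.tailscale.com", "tcp", 443),
            ("controlplane.tailscale.com", "tcp", 443),
            ("derp1-all.tailscale.com", "tcp", 443),
            ("192.200.0.0/24", "tcp", 443),
        ],
        "virtual-post": [(relay, "udp", 443)],
        "endpoint": [
            ("epid.fieldeffect.net", "tcp", 443),
            ("installlogs.fieldeffect.net", "tcp", 443),
            (relay, "tcp", 443),
        ],
    }

def _net(dest):
    try:
        return ipaddress.ip_network(dest, strict=False)
    except ValueError:
        return None  # not an IP or CIDR, so treat it as a hostname pattern

def dest_covered(rule_dest, needed):
    if rule_dest == "any":
        return True
    rule_net, need_net = _net(rule_dest), _net(needed)
    if rule_net is None and need_net is None:
        return fnmatch(needed.lower(), rule_dest.lower())  # hostname glob match
    if rule_net is None or need_net is None:
        return False  # hostname vs CIDR cannot be compared without DNS
    return rule_net.version == need_net.version and need_net.subnet_of(rule_net)

def missing_flows(rules, org_hash, role):
    """Return required (dest, proto, port) flows that no allow rule permits."""
    return [
        (dest, proto, port)
        for dest, proto, port in required_flows(org_hash)[role]
        if not any(p == proto and n in (port, "any") and dest_covered(d, dest)
                   for d, p, n in rules)
    ]
# Constructed allowlist: HTTPS is open, but nothing permits UDP/443 or TCP/22.
SAMPLE_RULES = [("any", "tcp", 443), ("*.tailscale.com", "tcp", 443)]
```

With the constructed allowlist, `missing_flows(SAMPLE_RULES, "examplehash", "physical")` reports the relay's UDP/443 flow as missing, which is the case where general HTTPS egress is open but the required UDP rule was never added.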
