Firewall Exceptions for Network Appliances and Endpoint Agents

Introduction

This article outlines all of the required network connections for Field Effect appliances. To verify that your network appliance is operating as it should be, visit Validating Network Coverage.


To learn more about our appliances and how they communicate with devices and with Field Effect, see:


The unique [$HASH_...] value mentioned in the rules below can be obtained by contacting support@fieldeffect.com.


Requirements: Physical Appliance

All appliances (primary and remote sensors) connect to the secure cloud relay via WireGuard on UDP port 443, so the following outbound connection must be allow-listed in your firewall:

$hash.mobile.fieldeffect.net, UDP/443


  • The protocol that needs to be allowed is UDP.
  • This is an outbound rule, from the appliance out to the internet.
  • You will need your organization's relay server hostname to allow it through your firewall. This hostname is specific to your organization and can be found by visiting the Appliance Status Page in your browser. Once logged in, the hostname is displayed above the table.
  • The appliance requires working DNS resolution:
    • This is normally provided by DHCP within your environment. See our appliance installation content.
    • More firewall rules may be required, depending on your environment.


Additional Rules and Traffic:

If your organization is comfortable opening up HTTPS to the internet at large (443/TCP), adding this port to your allowlist will allow the appliance to connect with Field Effect if the relay connection is interrupted.


If the relay connection does go offline (or port 443/UDP is not allowed), the appliance will send traffic as follows:

  • port 22/TCP (SSH) towards the relay
  • port 443/TCP (HTTPS traffic) to numerous systems
  • port 3478/UDP (STUN) to numerous systems
  • Various UDP ports (Wireguard) to numerous systems
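As an added example (not Field Effect's own code, written here to illustrate the rules above), the following Python models the physical-appliance egress allowlist: the single required relay connection, optionally widened with the fallback paths listed above, with a helper to audit whether a given outbound flow would be permitted and a renderer that emits iptables commands. The relay hostname is a placeholder, and the source IP and rule notes are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Placeholder: replace with your organization's relay hostname from the Appliance Status Page.
RELAY_HOST = "$hash.mobile.fieldeffect.net"


@dataclass(frozen=True)
class Rule:
    dst: str    # hostname, CIDR, or "any"
    proto: str  # "tcp" or "udp"
    port: int
    note: str


# The only outbound connection the physical appliance needs in normal operation.
REQUIRED = [Rule(RELAY_HOST, "udp", 443, "WireGuard to relay")]
# Additional outbound traffic the article lists for when the relay is unreachable.
FALLBACK = [
    Rule(RELAY_HOST, "tcp", 22, "SSH to relay"),
    Rule("any", "tcp", 443, "HTTPS to numerous systems"),
    Rule("any", "udp", 3478, "STUN to numerous systems"),
]


def build_rules(include_fallback: bool) -> list:
    """Minimal allowlist, optionally widened with the fallback paths."""
    return REQUIRED + (FALLBACK if include_fallback else [])


def _dst_matches(rule_dst: str, dst: str) -> bool:
    if rule_dst == "any":
        return True
    try:  # CIDR rule against an IP destination
        return ipaddress.ip_address(dst) in ipaddress.ip_network(rule_dst, strict=False)
    except ValueError:  # otherwise compare as hostnames
        return rule_dst.lower() == dst.lower()


def is_allowed(rules, dst: str, proto: str, port: int) -> bool:
    """Audit helper: would this outbound flow be permitted by the allowlist?"""
    return any(r.proto == proto and r.port == port and _dst_matches(r.dst, dst) for r in rules)


def render_iptables(appliance_ip: str, rules) -> list:
    """Egress allowlist for the appliance's source IP (assumed), default-deny at the end."""
    lines = []
    for r in rules:
        dst = "" if r.dst == "any" else f" -d {r.dst}"
        lines.append(f"iptables -A FORWARD -s {appliance_ip}{dst} -p {r.proto} --dport {r.port} "
                     f"-m comment --comment '{r.note}' -j ACCEPT")
    lines.append(f"iptables -A FORWARD -s {appliance_ip} -j DROP")
    return lines
```

Note that iptables resolves a hostname given to `-d` once, at rule insertion time, so if the relay hostname's address changes the rule goes stale; firewalls with FQDN objects re-resolve and are a better fit for the relay rule.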


Requirements: Self-Hosted Virtual Appliance

While configuring the appliance the following outbound connections will need to be allowed:

  • port 22/TCP (SSH) towards the relay
  • port 443/TCP (HTTPS traffic) to the following systems:
    • login.tailscale.com
    • controlplane.tailscale.com
    • derp1-all.tailscale.com
    • 192.200.0.0/24
  • Allowing an outbound UDP connection will make things more efficient but is not required.


Once the virtual appliance is configured, only the basic relay connection is required:

$hash.mobile.fieldeffect.net, UDP/443


Keeping 443 (HTTPS traffic) on your allowlist is preferred, but optional.


Requirements: Endpoint Agents

When a new agent is installed onto an endpoint device, it will connect to the following locations to self-configure:

epid.fieldeffect.net, TCP/443
installlogs.fieldeffect.net, TCP/443


After that point, assuming a successful installation, the endpoint will try to reach two domains (on TCP/443):


The first domain resolves to the local IP of the physical appliance within your network (for example, 10.0.0.100 or 192.168.1.20):

$hash_local.mobile.fieldeffect.net


The second domain is the secure relay connection to Field Effect.

$hash_org.mobile.fieldeffect.net
