Open Ports and Domains/Hosts

Refer to this list of required open ports and domains/hosts:

Web Filter (Rocket)

The following ports need to be opened in order for the Web Filter to function correctly.

Note: For security reasons, only the following ports should be open. Firewalls should not be configured with any port/any address rules inbound to the server as this will leave the server vulnerable to attacks from outside sources. If through troubleshooting procedures an any/any rule is put in place, it must be removed once testing has been completed.

Outbound Ports

  • TCP-80 HTTP to ddb.lightspeedsystems.com and ddb.lsfilter.com (needed for filtering)
  • TCP-80 HTTP to keys.lightspeedsystems.com (needed for licensing)
  • TCP-1999 to bsdupdate01.lightspeedsystems.com (needed for monitoring)
  • TCP-80 HTTP to updates.lsfilter.com (needed for updates)
  • UDP-123 for date/time sync
  • UDP-1311 (needed for filtering). These must be stateful UDP connections in the firewall; otherwise, you will need an inbound rule to allow UDP with a source port of 1311.

Inbound Ports

  • TCP-80 and TCP-443 HTTP from anywhere (needed for mobile filtering, Launch, and SIS Imports)
  • TCP-8080 Proxy (only if you are planning to use the Rocket as a Proxy Server; we recommend choosing an open port other than 8080 for additional security)

Internal Ports

  • TCP/UDP-1305 LTDP lookup (interrogation)
  • TCP/UDP-1306 Identification Server Service; UA reporting, and Identification Subscription
  • TCP/UDP-1307 Reporting (used between cluster servers and cluster master)
  • TCP/UDP-1308 Secure Identification Server Service; UA reporting, and Identification Subscription
  • TCP/UDP-1310 Policy (used between parent and children appliances)
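
The note above limits inbound access to the listed ports and requires any/any troubleshooting rules to be removed. The following audit script is an added example, not Lightspeed code: it checks an exported ruleset against the Web Filter lists. The rule dictionary format, the proxy_port and internal_net parameters, and the reading of "Internal Ports" as reachable only from an internal range are assumptions of this example.

```python
import ipaddress

# Inbound and internal ports from the Web Filter lists above.
INBOUND_ANYWHERE = {("tcp", 80), ("tcp", 443)}
INTERNAL_ONLY = {(proto, port) for proto in ("tcp", "udp")
                 for port in (1305, 1306, 1307, 1308, 1310)}

def audit_inbound(rules, proxy_port=None, internal_net="10.0.0.0/8"):
    """Return (rule name, finding) pairs for inbound allow rules outside the list.

    The rule format, proxy_port and internal_net are assumptions of this example.
    """
    internal = ipaddress.ip_network(internal_net)
    findings = []
    if proxy_port == 8080:
        findings.append(("proxy", "default port 8080 in use; a different port is recommended"))
    for r in rules:
        if r["direction"] != "in" or r["action"] != "allow":
            continue
        key = (r["proto"], r["port"])
        if r["proto"] == "udp" and r.get("src_port") == 1311:
            # Fallback the page allows when the firewall is not stateful for UDP.
            continue
        if "any" in key:
            # Wildcard protocol or port: the any/any troubleshooting rule.
            findings.append((r["name"], "wildcard rule; remove once testing is complete"))
        elif key in INBOUND_ANYWHERE or key == ("tcp", proxy_port):
            continue
        elif key in INTERNAL_ONLY:
            if r["src"] == "any" or not ipaddress.ip_network(r["src"]).subnet_of(internal):
                findings.append((r["name"], "internal port reachable from outside"))
        else:
            findings.append((r["name"], "port not in the required list"))
    return findings

# Constructed sample ruleset (not from a real firewall export).
SAMPLE_RULES = [
    {"name": "web", "direction": "in", "action": "allow", "proto": "tcp", "port": 443, "src": "any"},
    {"name": "debug", "direction": "in", "action": "allow", "proto": "any", "port": "any", "src": "any"},
    {"name": "ident", "direction": "in", "action": "allow", "proto": "tcp", "port": 1306, "src": "any"},
    {"name": "cluster", "direction": "in", "action": "allow", "proto": "udp", "port": 1307, "src": "10.20.0.0/16"},
    {"name": "udp1311", "direction": "in", "action": "allow", "proto": "udp", "port": "any", "src": "any", "src_port": 1311},
    {"name": "ssh", "direction": "in", "action": "allow", "proto": "tcp", "port": 22, "src": "any"},
]

if __name__ == "__main__":
    for name, finding in audit_inbound(SAMPLE_RULES, proxy_port=8080):
        print(f"{name}: {finding}")
```

Adapt the export step to your firewall so that each rule becomes one dictionary; rules the script does not report are the ones the lists above account for.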

Mobile Manager (MDM)

  • TCP-80 – this is the basic port used for internet access and should be accessible (filtered is OK) for devices to work properly. Some additional ports are required depending on the OS.
  • https://ls-pki.css-security.com/
  • lsmdm-production.s3.amazonaws.com
  • http://lsurl.me

Mobile Manager – Windows 10

  • login.windows.net/{TenantName}
  • graph.windows.net
  • has.spserv.microsoft.com

Mobile Manager – iOS

Mobile Manager – Android

  • TCP-5228-5230 to any out (used to communicate to GCM servers)
  • android.clients.google.com

Relay

Ensure that the following ports and domains/hosts are unblocked by your network filter.

Outbound ports

  • TCP/UDP-443
  • TCP/UDP-3478
  • TCP-5349

Domains

  • relay.school
  • access.relay.school
  • lsrelayaccess.com
  • rs-db.lsfilter.com
  • ws-db.lsfilter.com
  • b16rt683ll.execute-api.us-west-2.amazonaws.com
  • lsrelay-config-production.s3.amazonaws.com
  • lsrelay-extensions-production.s3.amazonaws.com

Relay Classroom

The following outbound ports must be open on your network:

  • TCP/UDP-443 to communicate to the cloud servers
  • TCP/UDP-3478 to share and broadcast screens
  • TCP-5349 to share and broadcast screens

The following domains/hosts should be allowed on your network:

  • 5rw61tcrl5.execute-api.us-west-2.amazonaws.com
  • realtime.ably.io
  • rest.ably.io
  • global.stun.twilio.com
  • global.turn.twilio.com
  • p7nvu5it0k.execute-api.us-west-2.amazonaws.com
  • lightspeed-realtime.ably.io
  • a-fallback-lightspeed.ably.io
  • b-fallback-lightspeed.ably.io
  • c-fallback-lightspeed.ably.io
  • devices.lsmdm.com