General Troubleshooting and Information: Port and IP Address Configuration - Allowed List
For a company with highly restricted network access, additional configuration will be required to allow access to Envysion. If your company has a strict corporate firewall, network access list, or proxy server that blocks all Internet access, please have your network administrator add rules to permit the following ports and/or IP addresses to allow access to Envysion.
Appliance connections from the store location require the following:
TCP port 443 and UDP port 22799 to the following IP addresses:
- 3.227.250.16/28 (3.227.250.16 — 3.227.250.31)
- 98.142.144.0/20 (98.142.144.1 — 98.142.159.254)
- 2620:C3:E000::/44
TCP port 443 (IP addresses are set by Amazon Web Services and may change without notice – last updated June 11, 2024):
- 18.34.0.0/19 (18.34.0.1 – 18.34.31.254)
- 16.15.192.0/18 (16.15.192.1 – 16.15.255.254)
- 54.231.0.0/16 (54.231.0.1 – 54.231.255.254)
- 52.216.0.0/15 (52.216.0.1 – 52.217.255.254)
- 18.34.232.0/21 (18.34.232.1 – 18.34.239.254)
- 16.15.176.0/20 (16.15.176.1 – 16.15.191.254)
- 16.182.0.0/16 (16.182.0.1 – 16.182.255.254)
- 3.5.0.0/19 (3.5.0.1 – 3.5.31.254)
- 44.192.134.240/28 (44.192.134.241 – 44.192.134.254)
- 44.192.140.64/28 (44.192.140.65 – 44.192.140.78)
Additional services
Allow HTTP Proxy and OpenVPN application access from our system to the IP ranges specified above.
Deep Packet Inspection (DPI) — Additional Configuration
Some corporate firewalls perform Deep Packet Inspection on network traffic, examining the contents of connections beyond just the IP address and port number. Even when the IP and port rules above are correctly configured, DPI-enabled firewalls may block Envysion appliance connections because the appliance uses an encrypted VPN protocol (OpenVPN) that is not HTTPS.
On TCP port 443, most firewalls expect to see standard HTTPS traffic. Because Envysion appliances use OpenVPN over this port, a DPI-enabled firewall may detect that the encrypted traffic is not HTTPS and either silently drop the connection or actively terminate it. The same applies to UDP port 22799.
If appliances at your location cannot connect to Envysion despite having the correct IP and port rules in place, your firewall’s DPI policy may be blocking the connection.
To resolve this, configure your firewall to allow or exempt the following traffic from Deep Packet Inspection:
DPI bypass or application-allow rules for the Envysion IP ranges:
| Protocol | Port | Destination | Rule |
|---|---|---|---|
| TCP | 443 | 98.142.144.0/20 | Allow OpenVPN / non-HTTPS TLS traffic |
| UDP | 22799 | 98.142.144.0/20 | Allow OpenVPN traffic |
| TCP | 443 | 2620:C3:E000::/44 | Allow OpenVPN / non-HTTPS TLS traffic |
| UDP | 22799 | 2620:C3:E000::/44 | Allow OpenVPN traffic |
| TCP | 443 | 3.227.250.16/28 | Allow OpenVPN / non-HTTPS TLS traffic |
| UDP | 22799 | 3.227.250.16/28 | Allow OpenVPN traffic |
Depending on your firewall vendor, this may be configured as:
- An SSL/TLS decryption exclusion for the destination IP ranges above
- An application override or application-allow rule permitting the OpenVPN application to the IP ranges above
- A DPI bypass or DPI exemption for the destination IP ranges above
- Disabling protocol enforcement or protocol validation on port 443 for traffic to the IP ranges above
If you are unsure how to configure these rules on your specific firewall, contact your firewall vendor’s support team and reference the IP ranges and ports listed above.
Palo Alto Firewall Example: Allow ‘unknown-tcp-443’ and ‘unknown-udp-22799’ application traffic to the ranges above, and/or create a custom application signature that matches OpenVPN traffic for the ports listed above, allowed to the addresses above.
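For network administrators checking their own firewall logs against the lists above, the following is an added example (not Envysion's code) that flags denied or reset flows the allow list says must be permitted. The key=value log format, the `reason` field and its values, and the function names are assumptions made for illustration; adapt the parsing to your firewall's export format.

```python
import ipaddress

# Ranges and ports copied from the allow list on this page.
ENVYSION = ["3.227.250.16/28", "98.142.144.0/20", "2620:C3:E000::/44"]
AWS = ["18.34.0.0/19", "16.15.192.0/18", "54.231.0.0/16", "52.216.0.0/15",
       "18.34.232.0/21", "16.15.176.0/20", "16.182.0.0/16", "3.5.0.0/19",
       "44.192.134.240/28", "44.192.140.64/28"]
RULES = [(ipaddress.ip_network(n), {("tcp", 443), ("udp", 22799)}) for n in ENVYSION]
RULES += [(ipaddress.ip_network(n), {("tcp", 443)}) for n in AWS]


def covering_rule(dst, proto, port):
    """Return the listed network that should permit this flow, or None."""
    addr = ipaddress.ip_address(dst)
    for net, services in RULES:
        if addr in net and (proto.lower(), int(port)) in services:
            return net
    return None


def blocked_required_flows(log_lines):
    """Find denied or reset flows that the allow list says must be permitted."""
    findings = []
    for line in log_lines:
        f = dict(tok.split("=", 1) for tok in line.split())
        if f["action"] == "allow":
            continue
        net = covering_rule(f["dst"], f["proto"], f["dport"])
        if net is not None:
            # Hypothetical 'reason' field: 'policy' = missing IP/port rule,
            # anything else = dropped after inspection (see the DPI section).
            cause = "missing rule" if f.get("reason") == "policy" else "inspection"
            findings.append((f["dst"], f["proto"], int(f["dport"]), str(net), cause))
    return findings


# Constructed sample lines in a made-up key=value format, not real firewall output.
SAMPLE_LOG = [
    "action=deny proto=tcp dst=98.142.150.10 dport=443 reason=policy",
    "action=reset proto=udp dst=3.227.250.20 dport=22799 reason=app-mismatch",
    "action=deny proto=udp dst=52.216.10.5 dport=22799 reason=policy",
    "action=allow proto=tcp dst=54.231.1.1 dport=443 reason=none",
    "action=deny proto=tcp dst=2620:c3:e00f::1 dport=443 reason=app-mismatch",
    "action=deny proto=tcp dst=2620:c3:e010::1 dport=443 reason=policy",
]

if __name__ == "__main__":
    print(*blocked_required_flows(SAMPLE_LOG), sep="\n")
```

The Amazon Web Services ranges are hard-coded as listed on this page (last updated June 11, 2024) and need refreshing whenever that list changes.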
User access
User access to the web application requires TCP port 443 to the addresses *.envysion.com and *.appliance.envysion.com. The IP addresses these names resolve to may change over time.