Whitelisting Implementation for Teams: CyberEscape Online
Review the technical implementation steps you should take before launching the Teams experience to your company, to a new region, or to users on a different network.
After completing the integration steps below, the tests found in this article can help diagnose if any compatibility tests are still failing, indicating that further whitelisting may need to be done. We also recommend launching a short experience to various users throughout the organization to identify bandwidth, browser and authentication issues that might be unique to an end user's environment.
Do you use Zscaler or Forcepoint, or have SSL inspection turned on in your network tool? If so, you might need to add an SSL bypass rule for some of these domains. Scroll to the end of this article for more information.
Do you have participants in China? Please take a look at our documentation here as some services are blocked: Compatibility in China
Watch our technical implementation specialist walk through these steps here.
Session Calendar Invites and Authentication (emailed)
From Address: training@app.livingsecurity.com
Our sending IPs:
- 198.37.157.57
- 198.37.157.99
- 167.89.96.129
- 149.72.82.76
Living Security General
*.livingsecurity.com
*.vitally.io
Participant Audio & Video Conferencing
Twilio RTC (Real-Time Communication) services are architected in two layers:
- Signaling Plane: This deals with the control information. The communicating entities typically exchange signaling messages to agree on what is to be communicated (e.g. audio, video) and how it is to be communicated (e.g. codecs, formats).
- Media Plane: This deals with the media information itself. Media packets typically transport encoded and encrypted audio and video bits.
Both of these components must be whitelisted in order for CyberEscape Online to work.
🔢 Steps
1. From the table in this guide, make exceptions on port and protocol 443 WSS for the Global Low Latency (default) region and any other region(s) where your organization operates.
2. From the table here, make exceptions for the region(s) where your organization operates using any of the following port methods:
- 10,000 - 60,000 UDP/SRTP/SRTCP
- TLS/443
- UDP/3478
Example:
Akaromi BioCorp is headquartered in Japan with satellite offices in Los Angeles and Hamburg. They are unable to make exceptions on the ports of 10,000 - 60,000 UDP/SRTP/SRTCP or UDP/3478 for the media servers so they settle on TLS/443.
Signaling Exceptions:
Region ID | Location | Host Name | Port and Protocol |
gll | Global Low Latency (default) | global.vss.twilio.com | 443 WSS |
jp1 | Japan | jp1.vss.twilio.com | 443 WSS |
de1 | Germany | de1.vss.twilio.com | 443 WSS |
us2 | US West Coast (Oregon) | us2.vss.twilio.com | 443 WSS |
Media Server Exceptions:
Region ID | Location | Server IPv4 Address Range | Port |
jp1 | Japan | 13.115.244.0/27, 54.65.63.192/26, 18.180.220.128/25 | TLS/443 |
de1 | Germany | 52.59.186.0/27, 18.195.48.224/27, 18.156.18.128/25 | TLS/443 |
us2 | US West Coast (Oregon) | 34.216.110.128/27, 54.244.51.0/24, 44.234.69.0/25 | TLS/443 |
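One way to confirm the Akaromi BioCorp exceptions are actually in effect is to check firewall deny logs for flows the tables above should have permitted. The following is an added example, not Living Security or Twilio tooling; the `DENY <proto> <dest> <port>` log layout and the sample log lines are constructed for illustration.

```python
import ipaddress

# Exceptions copied from the Akaromi BioCorp tables above (media on TLS/443 only).
SIGNALING_HOSTS = {"global.vss.twilio.com", "jp1.vss.twilio.com",
                   "de1.vss.twilio.com", "us2.vss.twilio.com"}
MEDIA_RANGES = {
    "jp1": ["13.115.244.0/27", "54.65.63.192/26", "18.180.220.128/25"],
    "de1": ["52.59.186.0/27", "18.195.48.224/27", "18.156.18.128/25"],
    "us2": ["34.216.110.128/27", "54.244.51.0/24", "44.234.69.0/25"],
}
MEDIA_NETS = [(region, ipaddress.ip_network(cidr))
              for region, cidrs in MEDIA_RANGES.items() for cidr in cidrs]

def matching_exception(proto, dest, port):
    """Return the exception a flow should have matched, or None if out of scope."""
    if (proto, port) != ("tcp", 443):
        return None  # Akaromi did not open UDP/3478 or the 10,000-60,000 range
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:  # destination was logged as a hostname
        return "signaling 443 WSS" if dest.lower() in SIGNALING_HOSTS else None
    for region, net in MEDIA_NETS:
        if ip in net:
            return f"media {region} TLS/443"
    return None

def blocked_but_expected(deny_log):
    """Parse 'DENY <proto> <dest> <port>' lines; list denies the exceptions cover."""
    findings = []
    for line in deny_log.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "DENY" or not parts[3].isdigit():
            continue  # ignore blank or malformed lines
        rule = matching_exception(parts[1].lower(), parts[2], int(parts[3]))
        if rule:
            findings.append((parts[2], rule))
    return findings

# Constructed deny log; the 'DENY proto dest port' layout is hypothetical.
SAMPLE_LOG = """\
DENY tcp 54.65.63.200 443
DENY udp 54.65.63.200 3478
DENY tcp de1.vss.twilio.com 443
DENY tcp 54.65.64.1 443
DENY tcp 18.156.18.255 443
"""

if __name__ == "__main__":
    for dest, rule in blocked_but_expected(SAMPLE_LOG):
        print(f"{dest} denied but covered by '{rule}': exception not in effect")
```

Any destination it reports is inside an exception that was supposed to be open, so the rule is missing, misordered, or scoped to the wrong network segment.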
Websocket & Database Connection
- firestore.googleapis.com
- firebaseio.com
For our international customers, we recommend you whitelist the below URLs so that your EU and APAC regions are not affected by whitelisting issues.
Firebase EU | *.europe-west1.firebasedatabase.app | 443 |
Firebase APAC | *.asia-southeast1.firebasedatabase.app | 433 |
Gameplay CMS & Puzzles
- cdn.contentful.com
- images.ctfassets.net
- assets.ctfassets.net
- cdn.cyberescape.livingsecurity.com
LaunchDarkly
events.launchdarkly.com
app.launchdarkly.com
Whitelisting the following domains will create the best experience and will allow us to help with troubleshooting, provide chat support if needed, and give you access to our accessibility tool.
Hubspot Chat Widget (optional)
api.hubspot.com
forms.hubspot.com
Debugging and Error Tracking (optional)
rum-http-intake.logs.datadoghq.com
*.ingest.sentry.io
Instructions & Help Tooltips (optional)
js.userpilot.io
find.userpilot.io
analytex.userpilot.io
Living Security Support Portal (optional)
livingsecurity.com/support
app.hubspot.com
Accessibility Widget (optional)
cdn.acsbapp.com
Fonts (optional)
fonts.googleapis.com
fonts.gstatic.com
oss.maxcdn.com
SSL Bypass
Security tools like Zscaler, Netskope, and Forcepoint have an optional setting that can make them act as an SSL proxy. Some services (like Firebase) don’t like SSL proxies sitting between them and users. If you use any of these network security tools and are having trouble getting tests to pass, adding an SSL bypass rule will likely resolve blocking issues. You can find more detailed information on what this means and how to do this in the following articles:
https://help.zscaler.com/zia/controlling-access-google-consumer-apps
https://help.zscaler.com/zia/about-ssl-inspection
https://help.zscaler.com/zia/configuring-ssl-inspection-policy
Also helpful is configuring SSL Certificate Pinning for Google Shared Services as outlined here:
https://help.zscaler.com/zia/certificate-pinning-and-ssl-inspection
The following domains are the ones we have observed our customers having the most frequent errors with. Customers have successfully resolved these errors by adding an SSL decryption bypass rule.
firestore.googleapis.com (or *.googleapis.com)
*.twilio.com
*.livingsecurity.com (if your videos or puzzles are loading slowly, adding a bypass for this domain might help)
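To verify that a bypass rule is working, check who issued the certificate a client receives for each bypassed host: if the issuer is your inspection proxy's CA, the traffic is still being decrypted. The following is an added example, not Living Security or Zscaler code; the proxy CA marker ("Example Corp") and the sample certificates are constructed, and the hosts are ones named on this page that fall under the bypass entries above.

```python
import socket
import ssl

# Hosts from this page that fall under the bypass entries listed above.
HOSTS = ["firestore.googleapis.com", "global.vss.twilio.com",
         "cdn.cyberescape.livingsecurity.com"]

def is_inspected(cert, proxy_ca_markers):
    """True when an ssl.getpeercert() dict's issuer names the inspection proxy's CA."""
    fields = {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}
    issuer = " ".join(fields.get(k, "") for k in ("organizationName", "commonName"))
    return any(m.lower() in issuer.lower() for m in proxy_ca_markers)

def fetch_cert(host, port=443, timeout=5):
    """Complete a verified TLS handshake and return the peer certificate dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def audit(hosts, proxy_ca_markers, fetch=fetch_cert):
    """Map each host to 'bypassed', 'inspected' or 'error: <exception>'."""
    results = {}
    for host in hosts:
        try:
            inspected = is_inspected(fetch(host), proxy_ca_markers)
            results[host] = "inspected" if inspected else "bypassed"
        except OSError as exc:  # refused, timed out, or proxy CA not trusted
            results[host] = f"error: {type(exc).__name__}"
    return results

# Constructed certificates in getpeercert() layout; all issuer names are made up.
SAMPLE_CERTS = {
    "firestore.googleapis.com": {"issuer": (
        (("organizationName", "Example Corp"),),
        (("commonName", "Example Corp TLS Inspection CA"),))},
    "global.vss.twilio.com": {"issuer": (
        (("organizationName", "Public CA Ltd"),),
        (("commonName", "Public Issuing CA 1"),))},
}

def sample_fetch(host):
    """Offline stand-in for fetch_cert that serves SAMPLE_CERTS."""
    if host not in SAMPLE_CERTS:
        raise ConnectionRefusedError(host)
    return SAMPLE_CERTS[host]

if __name__ == "__main__":
    # Pass fetch=fetch_cert (the default) to test from a workstation on the network.
    print(audit(HOSTS, ["Example Corp"], fetch=sample_fetch))
```

An `error: SSLCertVerificationError` result on a live run is also worth investigating, since it can mean the proxy is re-signing traffic with a CA the client does not trust.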
Other Network Security Software
If you don't use Zscaler or Forcepoint but are still having trouble with whitelisting and getting the compatibility tests to pass, we recommend following the same tips in the Zscaler support docs. Customers have reported the most success by adding an SSL decryption bypass rule for firestore.googleapis.com (or for googleapis.com in general).
Questions? Contact Us!