Whitelisting Implementation for Teams: CyberEscape Online

Review the technical implementation steps to take before launching the Teams experience to your company, a new region, or users on a different network.

This guide covers the technical implementation steps your IT team should complete before launching the Teams experience to your company, a new region, or users on a different network.

After completing the integration steps below, use the network test (https://networktest.livingsecurity.com) to verify everything is working correctly. We also recommend launching a short experience to various users throughout the organization to identify bandwidth, browser, and authentication issues unique to your environment.

🚨 IMPORTANT FOR CHINA: Some services are blocked in China. See our China compatibility documentation.

📺 VIDEO WALKTHROUGH: Watch our technical implementation specialist walk through these steps here.


⚠️ CRITICAL: Understanding Firewall Configuration Types

Simply "whitelisting" domains is NOT enough. Most corporate firewalls and security tools have two levels of configuration:

1. Domain Whitelisting (Basic - Often Not Sufficient)
  • Allows traffic to/from the domain
  • BUT may still apply deep packet inspection, SSL interception, or connection throttling
  • ✗ Result: CyberEscape will connect but run extremely slowly or time out
2. SSL Bypass / Trust Configuration (Required for Real-Time Services)
  • Allows traffic WITHOUT inspection, interception, or throttling
  • Traffic passes through without modification
  • ✓ Result: CyberEscape runs at full speed with real-time features working

Why this matters: CyberEscape uses real-time database connections that maintain open HTTPS connections for 60+ seconds. If your firewall inspects or throttles these connections, users will experience:

  • 60+ second loading times
  • Frozen screens during gameplay
  • Timeout errors
  • Video buffering

🔒 SSL Bypass Configuration (DO THIS FIRST)

If you use any of these security tools, SSL bypass configuration is REQUIRED:

  • Zscaler
  • Forcepoint
  • Netskope
  • Palo Alto Networks
  • Cisco Umbrella
  • Any firewall with "SSL Inspection" or "SSL Decryption" enabled

Required SSL Bypass Domains

Add these domains to your SSL bypass / no-decrypt / trust list:

CRITICAL (must bypass SSL inspection):
- firestore.googleapis.com
- *.firebasedatabase.app
- *.twilio.com

RECOMMENDED (may need bypass if videos/puzzles load slowly):
- *.livingsecurity.com
- cdn.cyberescape.livingsecurity.com

Platform-Specific Instructions

Zscaler

  1. Follow Zscaler's SSL Inspection Policy guide
  2. Configure Certificate Pinning for Google Shared Services
  3. Add bypass rules for domains listed above
  4. See also: Controlling access to Google Consumer Apps

Other Network Security Software

Follow the same principles as Zscaler's documentation:

  1. Identify your SSL inspection / decryption settings
  2. Create bypass rules for the domains above
  3. Ensure the bypass applies to all users who will access CyberEscape
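
One way to confirm that a bypass rule is actually in effect from a user's network, as an added example (not Living Security's or any vendor's tooling): complete a TLS handshake and look at who issued the certificate you were shown. The marker list and the sample certificate are assumptions constructed for illustration; add the name of your own inspection CA via `extra_markers`.

```python
import socket
import ssl

# Product names from this page's list of inspecting tools. Assumption: the
# inspection CA's issuer string contains the product name; add your own CA name.
INSPECTION_MARKERS = ("zscaler", "forcepoint", "netskope", "palo alto", "umbrella")

# Constructed sample of what getpeercert() returns behind an inspecting proxy.
SAMPLE_INTERCEPTED = {"issuer": ((("organizationName", "Zscaler Inc."),),
                                 (("commonName", "Zscaler Intermediate Root CA"),))}


def issuer_string(cert):
    """Flatten the issuer RDN tuples from SSLSocket.getpeercert() into one string."""
    return ", ".join(f"{k}={v}" for rdn in cert.get("issuer", ()) for k, v in rdn)


def classify_issuer(cert, extra_markers=()):
    """Return ('intercepted' | 'unmatched', issuer) for a peer certificate dict."""
    issuer = issuer_string(cert)
    markers = INSPECTION_MARKERS + tuple(m.lower() for m in extra_markers)
    verdict = "intercepted" if any(m in issuer.lower() for m in markers) else "unmatched"
    return verdict, issuer


def probe(host, port=443, timeout=10, extra_markers=()):
    """Complete a TLS handshake with host and classify the issuer presented to us."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return classify_issuer(tls.getpeercert(), extra_markers)
    except ssl.SSLCertVerificationError as exc:
        # A chain the local trust store rejects is also consistent with an
        # inspection proxy whose CA this runtime does not trust.
        return "untrusted", exc.verify_message
    except OSError as exc:
        return "unreachable", str(exc)


if __name__ == "__main__":
    print("sample:", classify_issuer(SAMPLE_INTERCEPTED))
    # Wildcard entries need a concrete host name; probe the one FQDN on the list.
    print("firestore.googleapis.com:", probe("firestore.googleapis.com"))
```

An "unmatched" verdict only means no listed marker appeared, so read the printed issuer to confirm it is a public CA rather than an internal one with a different name.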

📋 Domain Whitelisting Requirements

After configuring SSL bypass, add the following domains to your whitelist:

Session Calendar Invites and Authentication (Email)

From Address: training@app.livingsecurity.com

Sending IPs:

198.37.157.57
198.37.157.99
167.89.96.129
149.72.82.76

Living Security General

*.livingsecurity.com
*.vitally.io

Websocket & Database Connection (REQUIRES SSL BYPASS)

firestore.googleapis.com
firebaseio.com

For international customers (EU/APAC):

*.europe-west1.firebasedatabase.app      (port 443)
*.asia-southeast1.firebasedatabase.app (port 443)

⚠️ CONNECTION REQUIREMENTS: These domains need special handling beyond basic whitelisting:

  • ✓ Allow long-lived HTTPS connections (90+ seconds)
  • ✓ Disable deep packet inspection (DPI)
  • ✓ Disable SSL/TLS interception
  • ✓ No bandwidth throttling on sustained connections
  • ✓ Allow HTTP/2 server push
  • ✓ No idle timeout limits under 120 seconds

Participant Audio & Video Conferencing

Twilio RTC (Real-Time Communication) has two components that must be whitelisted:

1. Signaling Plane (control information)

  • Port: 443 WSS
  • From this table, whitelist Global Low Latency (default) and your operational regions

2. Media Plane (audio/video transport)

  • From this table, whitelist your regions using ONE of these port methods:
    • Option A: 10,000 - 60,000 UDP/SRTP/SRTCP (recommended)
    • Option B: TLS/443 (if UDP is blocked)
    • Option C: UDP/3478

Example Configuration

Akaromi BioCorp is headquartered in Japan with offices in Los Angeles and Hamburg. They can only use TLS/443 for media servers.

Signaling Exceptions:

| Region ID | Location | Host Name | Port/Protocol |
| --- | --- | --- | --- |
| gll | Global Low Latency | global.vss.twilio.com | 443 WSS |
| jp1 | Japan | jp1.vss.twilio.com | 443 WSS |
| de1 | Germany | de1.vss.twilio.com | 443 WSS |
| us2 | US West Coast | us2.vss.twilio.com | 443 WSS |

Media Server Exceptions:

| Region | Location | IPv4 Range | Port |
| --- | --- | --- | --- |
| jp1 | Japan | 13.115.244.0/27<br>54.65.63.192/26<br>18.180.220.128/25 | TLS/443 |
| de1 | Germany | 52.59.186.0/27<br>18.195.48.224/27<br>18.156.18.128/25 | TLS/443 |
| us2 | US West | 34.216.110.128/27<br>54.244.51.0/24<br>44.234.69.0/25 | TLS/443 |

Gameplay CMS & Puzzles

cdn.contentful.com
images.ctfassets.net
assets.ctfassets.net
cdn.cyberescape.livingsecurity.com

LaunchDarkly (Feature Flags)

events.launchdarkly.com
app.launchdarkly.com

🔧 Optional but Recommended Domains

Whitelisting these domains provides the best experience and enables support features:

Hubspot Chat Widget

api.hubspot.com
forms.hubspot.com
app.hubspot.com

Debugging and Error Tracking

rum-http-intake.logs.datadoghq.com
*.ingest.sentry.io

Instructions & Help Tooltips

js.userpilot.io
find.userpilot.io
analytex.userpilot.io

Living Security Support Portal

livingsecurity.com/support

Accessibility Widget

cdn.acsbapp.com

Fonts

fonts.googleapis.com
fonts.gstatic.com
oss.maxcdn.com

🧪 Testing & Troubleshooting

Network Test: Run this test to ensure allowlisting is complete.

Common Issues & Solutions

❌ "Connection established but extremely slow (60+ seconds to load)"

Symptoms:

  • Compatibility tests pass
  • Page loads but takes 60+ seconds
  • Gameplay freezes or times out

Cause: Domain is whitelisted but firewall is still inspecting/throttling connections

Solution:

  1. Verify SSL bypass is configured (not just whitelist)
  2. Check if deep packet inspection (DPI) is enabled
  3. Ensure no idle timeout limits < 120 seconds
  4. Disable SSL interception for firestore.googleapis.com

IT Questions to Ask:

  • "Is deep packet inspection enabled for whitelisted domains?"
  • "Are we doing SSL/TLS interception (man-in-the-middle inspection)?"
  • "Do we have connection duration limits or idle timeouts?"
  • "What firewall/proxy product are we using?"

❌ "Videos or puzzles load slowly"

Solution: Add *.livingsecurity.com to SSL bypass list

❌ "Audio/video conferencing not working"

Solution:

  1. Verify both signaling AND media plane are whitelisted
  2. Check if UDP ports are blocked (try TLS/443 fallback)
  3. Ensure Twilio domains have SSL bypass

❌ "Works for some users but not others"

Possible Causes:

  • Users on different networks (VPN vs office vs home)
  • Geographic distance to data centers
  • Browser extensions blocking connections
  • Antivirus software intercepting HTTPS

Solution: Test from different network locations and browsers


📊 Quick Reference Checklist

Use this checklist to ensure complete configuration:

  • SSL bypass configured for firestore.googleapis.com
  • SSL bypass configured for *.twilio.com
  • Deep packet inspection disabled for above domains
  • Connection timeouts set to 120+ seconds
  • All Living Security domains whitelisted (*.livingsecurity.com)
  • Firebase domains whitelisted (including regional variants)
  • Twilio signaling plane whitelisted (port 443 WSS)
  • Twilio media plane whitelisted (UDP or TLS/443)
  • Email sending IPs whitelisted
  • Compatibility tests pass
  • Pilot test completed with real users

🌍 Regional Considerations

China

Some services are completely blocked in China. See China-specific documentation.

EU/APAC

Ensure regional Firebase endpoints are whitelisted:

  • EU: *.europe-west1.firebasedatabase.app
  • APAC: *.asia-southeast1.firebasedatabase.app