Network configuration requirements
Endpoints, protocols, and IP addresses that must be reachable from your network to use Commbox. Use this reference when configuring corporate firewalls, web proxies, or zero-trust egress policies.
Overview
- All Commbox endpoints use HTTPS over TCP/443 unless explicitly noted.
- Real-time features additionally use WebSocket Secure (`wss://`) over TCP/443.
- Long-lived (persistent) outbound connections must not be terminated by intermediate proxies.
- Allowlist by domain wherever possible. Commbox runs on AWS behind Cloudflare and AWS load balancers; backing IP addresses change without notice. Domain-based rules are stable; IP-based rules will eventually break.
Required for all customers
These endpoints must be reachable for the platform to load and function.
Core platform
| Endpoint | Protocol | Direction | Purpose |
|---|---|---|---|
| *.commbox.io | HTTPS / WSS | Outbound | All Commbox application traffic, including the web app, APIs, real-time inbox (now.commbox.io), and media |
Tip: A single wildcard rule for *.commbox.io is the recommended approach. It covers app.commbox.io, api.commbox.io, now.commbox.io, and any future subdomains.
Static assets and UI
| Endpoint | Protocol | Direction | Purpose |
|---|---|---|---|
| fonts.googleapis.com | HTTPS | Outbound | Google Fonts CSS |
| fonts.gstatic.com | HTTPS | Outbound | Google Fonts files |
| ajax.googleapis.com | HTTPS | Outbound | CDN for static frontend libraries |
Login security
| Endpoint | Protocol | Direction | Purpose |
|---|---|---|---|
| www.google.com/recaptcha/ | HTTPS | Outbound | reCAPTCHA bot protection on login |
Required per module or channel
The following endpoints are only required if you use the corresponding feature. Skip the rows for channels you do not use.
Facebook Messenger, WhatsApp, Instagram
| Endpoint | Protocol | Direction | Purpose |
|---|---|---|---|
| connect.facebook.net | HTTPS | Outbound | Facebook SDK (setup) |
| graph.facebook.com | HTTPS | Outbound | Graph API — messaging, WhatsApp templates |
| www.facebook.com | HTTPS | Outbound | Embedded sign-up flow |
| m.me | HTTPS | Outbound | Messenger deep links |
| wa.me | HTTPS | Outbound | WhatsApp deep links |
Google services (Drive, Calendar, My Business, Maps, Play reviews)
| Endpoint | Protocol | Direction | Purpose |
|---|---|---|---|
| accounts.google.com | HTTPS | Outbound | Google OAuth sign-in (one-time setup) |
| www.googleapis.com | HTTPS | Outbound | Google APIs (Drive, Calendar, etc.) |
| mybusiness.googleapis.com | HTTPS | Outbound | Google My Business |
| play.google.com | HTTPS | Outbound | Google Play Store reviews |
| www.google.com | HTTPS | Outbound | Google Maps embeds |
Microsoft 365 (Outlook, Exchange Online)
| Endpoint | Protocol | Direction | Purpose |
|---|---|---|---|
| login.microsoftonline.com | HTTPS | Outbound | Microsoft 365 OAuth sign-in (one-time setup) |
Amazon Connect (SAML SSO)
| Endpoint | Protocol | Direction | Purpose |
|---|---|---|---|
| signin.aws.amazon.com | HTTPS | Outbound | SAML AssertionConsumer and Single Logout |
| aws.amazon.com | HTTPS | Outbound | AWS user data via SSO |
Recommended
Not strictly required, but disabling these reduces our ability to monitor performance, diagnose issues, and provide product analytics.
| Endpoint | Protocol | Purpose |
|---|---|---|
| js-agent.newrelic.com | HTTPS | New Relic browser monitoring agent |
| bam.nr-data.net | HTTPS | New Relic telemetry endpoint |
| api-js.mixpanel.com | HTTPS | Product analytics |
| cdn.mxpnl.com | HTTPS | Mixpanel client library |
| www.google-analytics.com | HTTPS | Google Analytics |
| stats.g.doubleclick.net | HTTPS | Google Analytics |
| www.googletagmanager.com | HTTPS | Google Tag Manager |
| ipinfo.io | HTTPS | Geo-IP enrichment for workflow rules |
Optional convenience features
| Endpoint | Protocol | Purpose |
|---|---|---|
| giphyscripts.s3.amazonaws.com | HTTPS | GIF picker in the inbox composer |
| bit.ly | HTTPS | Outbound URL shortening for messages |
IP-based allowlisting (fallback only)
Important: Use domain-based rules wherever possible. The IPs listed below are subject to change as Commbox infrastructure scales or is rotated. Customers who hard-code IP addresses are responsible for monitoring this document for changes. Where your firewall supports FQDN-based rules, prefer those.
Outbound from your network to Commbox
If your firewall does not support FQDN rules, allow outbound HTTPS (TCP/443) to the following Commbox application IPs:
Outbound from your network to Commbox SMTP
Only required if you use Commbox-hosted email channels. Allow outbound TCP/443 to:
34.249.57.65
52.215.60.193
Inbound to your network from Commbox
If your environment receives webhooks, HTTP callbacks, or other initiated traffic from Commbox (for example, to a customer-hosted webhook receiver), allow the following source IPs:
46.137.14.237
34.253.247.49
213.57.31.162
For sandbox or pre-production testing only:
63.33.139.133
Long-lived connection support
The Commbox inbox uses persistent WebSocket connections to deliver real-time updates. Confirm with your network team that:
- Idle TCP timeouts on egress proxies allow connections to remain open for at least 60 minutes.
- WebSocket upgrade headers (`Connection: Upgrade`, `Upgrade: websocket`) are not stripped by HTTP-inspecting proxies.
- If TLS interception is in use, the proxy must present a certificate trusted by client browsers for `*.commbox.io`.
Validation checklist
After applying allowlist rules, verify the following from a workstation behind the firewall:
- The Commbox web app loads completely with no missing fonts or blank UI tiles.
- Login completes successfully (validates reCAPTCHA and authentication paths).
- New messages appear in the inbox without a manual refresh (validates WebSocket connectivity).
- For each channel in use, send and receive a test message end-to-end.
- Run the following commands and confirm both succeed:
```bash
curl -v https://api.commbox.io
curl -v https://now.commbox.io
```
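Before testing from a workstation, the configured FQDN rules can be compared offline against the hostnames in this reference. This is an added example, not a Commbox tool: the group names, the wildcard-matching semantics, and the sample ruleset are assumptions, and it also reports wildcard rules wider than the single `*.commbox.io` wildcard this page recommends.

```python
# Hostnames copied from the tables on this page, grouped by when they apply.
# Group names are hypothetical labels chosen for this example.
REQUIRED = {
    "core": ["app.commbox.io", "api.commbox.io", "now.commbox.io",
             "fonts.googleapis.com", "fonts.gstatic.com",
             "ajax.googleapis.com", "www.google.com"],
    "meta": ["connect.facebook.net", "graph.facebook.com",
             "www.facebook.com", "m.me", "wa.me"],
    "google": ["accounts.google.com", "www.googleapis.com",
               "mybusiness.googleapis.com", "play.google.com", "www.google.com"],
    "microsoft365": ["login.microsoftonline.com"],
    "amazon_connect": ["signin.aws.amazon.com", "aws.amazon.com"],
}
RECOMMENDED_WILDCARDS = {"*.commbox.io"}  # the only wildcard this page suggests

def rule_matches(rule, host):
    """Assumed FQDN-rule semantics: '*.x' covers subdomains of x, not x itself."""
    rule, host = rule.lower().rstrip("."), host.lower().rstrip(".")
    if rule.startswith("*."):
        # Compare against ".x" so "notcommbox.io" does not match "*.commbox.io".
        return host.endswith(rule[1:])
    return rule == host

def audit(rules, modules):
    """Return (gaps, overbroad) for the core set plus the modules in use."""
    gaps = {}
    for group in ["core", *modules]:
        missing = [h for h in REQUIRED[group]
                   if not any(rule_matches(r, h) for r in rules)]
        if missing:
            gaps[group] = missing
    overbroad = [r for r in rules
                 if "*" in r and r.lower() not in RECOMMENDED_WILDCARDS]
    return gaps, overbroad

# Constructed sample ruleset, not a real firewall export.
SAMPLE_RULES = ["*.commbox.io", "fonts.googleapis.com", "fonts.gstatic.com",
                "www.google.com", "graph.facebook.com", "*.amazonaws.com"]

if __name__ == "__main__":
    gaps, overbroad = audit(SAMPLE_RULES, ["meta"])
    for group, hosts in gaps.items():
        print(f"{group}: not covered -> {', '.join(hosts)}")
    for rule in overbroad:
        print(f"wider than this page requires: {rule}")
```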
Support
If connectivity issues persist after applying these rules, contact Commbox support with:
- The exact error message or HTTP status code observed.
- Output from `curl -v` against the affected endpoint.
- Browser developer console logs from a failed session.
- The list of allowed domains and IPs currently configured in your firewall.