---
title: "Network Requirements"
slug: "network-requirements"
updated: 2026-05-20T09:08:55Z
published: 2026-05-20T09:08:55Z
---


# Network Requirements


# Network configuration requirements

      

Endpoints, protocols, and IP addresses that must be reachable from your network to use Commbox. Use this reference when configuring corporate firewalls, web proxies, or zero-trust egress policies.

      

      

## Overview

      

- All Commbox endpoints use **HTTPS over TCP/443** unless explicitly noted.
- Real-time features additionally use **WebSocket Secure (`wss://`) over TCP/443**.
- Long-lived (persistent) outbound connections must not be terminated by intermediate proxies.
- **Allowlist by domain wherever possible.** Commbox runs on AWS behind Cloudflare and AWS load balancers; backing IP addresses change without notice. Domain-based rules are stable; IP-based rules will eventually break.

      

---

      

## Required for all customers

      

These endpoints must be reachable for the platform to load and function.

      

### Core platform

      
        

| Endpoint | Protocol | Direction | Purpose |
| --- | --- | --- | --- |
| `*.commbox.io` | HTTPS / WSS | Outbound | All Commbox application traffic, including the web app, APIs, real-time inbox (`now.commbox.io`), and media |

      
      
        

**Tip:** A single wildcard rule for `*.commbox.io` is the recommended approach. It covers `app.commbox.io`, `api.commbox.io`, `now.commbox.io`, and any future subdomains.

      

      

### Static assets and UI

      
        

| Endpoint | Protocol | Direction | Purpose |
| --- | --- | --- | --- |
| `fonts.googleapis.com` | HTTPS | Outbound | Google Fonts CSS |
| `fonts.gstatic.com` | HTTPS | Outbound | Google Fonts files |
| `ajax.googleapis.com` | HTTPS | Outbound | CDN for static frontend libraries |

      

      

### Login security

      
        

| Endpoint | Protocol | Direction | Purpose |
| --- | --- | --- | --- |
| `www.google.com/recaptcha/` | HTTPS | Outbound | reCAPTCHA bot protection on login |
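
To confirm that a new egress policy is not blocking any of the endpoints required for all customers, the added example below (not Commbox code) scans a constructed proxy deny log and reports required hosts that were denied. The log format is an assumption, as is the rule that `*.commbox.io` covers subdomains only and not the bare apex; the match is anchored on a label boundary so lookalike hosts are not counted as Commbox traffic.

```python
# Added example: audit a proxy deny log against this page's required endpoints.
# Assumptions: the log format "<time> <action> CONNECT <host>:<port>" is
# constructed, and "*.name" covers subdomains only, not the bare apex.

REQUIRED = [
    "*.commbox.io",            # core platform (HTTPS and WSS)
    "fonts.googleapis.com",    # static assets
    "fonts.gstatic.com",
    "ajax.googleapis.com",
    "www.google.com",          # host part of www.google.com/recaptcha/
]

def host_matches(host: str, pattern: str) -> bool:
    """Case-insensitive match; a leading '*.' matches one or more labels."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        # Keep the leading dot so the match lands on a label boundary:
        # "notcommbox.io" must not match "*.commbox.io".
        suffix = pattern[1:]
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern

def blocked_required(log_lines, patterns=REQUIRED):
    """Return sorted (host, port) pairs that were denied but are required."""
    hits = set()
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4 or parts[1] != "DENY":
            continue
        host, _, port = parts[3].rpartition(":")
        if any(host_matches(host, p) for p in patterns):
            hits.add((host.lower(), int(port)))
    return sorted(hits)

SAMPLE_LOG = [  # constructed sample lines
    "2026-05-20T09:00:01Z DENY CONNECT now.commbox.io:443",
    "2026-05-20T09:00:02Z ALLOW CONNECT app.commbox.io:443",
    "2026-05-20T09:00:03Z DENY CONNECT fonts.gstatic.com:443",
    "2026-05-20T09:00:04Z DENY CONNECT notcommbox.io:443",
    "2026-05-20T09:00:05Z DENY CONNECT commbox.io.example.net:443",
    "2026-05-20T09:00:06Z DENY CONNECT NOW.commbox.io:443",
]

if __name__ == "__main__":
    for host, port in blocked_required(SAMPLE_LOG):
        print(f"required endpoint blocked: {host}:{port}")
```

A host-based rule sees only `www.google.com`, not the `/recaptcha/` path, unless the proxy inspects TLS.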

      

      

---

      

## Required per module or channel

      

The following endpoints are only required if you use the corresponding feature. Skip the rows for channels you do not use.

      

### Facebook Messenger, WhatsApp, Instagram

      
        

| Endpoint | Protocol | Direction | Purpose |
| --- | --- | --- | --- |
| `connect.facebook.net` | HTTPS | Outbound | Facebook SDK (setup) |
| `graph.facebook.com` | HTTPS | Outbound | Graph API — messaging, WhatsApp templates |
| `www.facebook.com` | HTTPS | Outbound | Embedded sign-up flow |
| `m.me` | HTTPS | Outbound | Messenger deep links |
| `wa.me` | HTTPS | Outbound | WhatsApp deep links |

      

      

### Google services (Drive, Calendar, My Business, Maps, Play reviews)

      
        

| Endpoint | Protocol | Direction | Purpose |
| --- | --- | --- | --- |
| `accounts.google.com` | HTTPS | Outbound | Google OAuth sign-in (one-time setup) |
| `www.googleapis.com` | HTTPS | Outbound | Google APIs (Drive, Calendar, etc.) |
| `mybusiness.googleapis.com` | HTTPS | Outbound | Google My Business |
| `play.google.com` | HTTPS | Outbound | Google Play Store reviews |
| `www.google.com` | HTTPS | Outbound | Google Maps embeds |

      

      

### Microsoft 365 (Outlook, Exchange Online)

      
        

| Endpoint | Protocol | Direction | Purpose |
| --- | --- | --- | --- |
| `login.microsoftonline.com` | HTTPS | Outbound | Microsoft 365 OAuth sign-in (one-time setup) |

      

      

### Amazon Connect (SAML SSO)

      
        

| Endpoint | Protocol | Direction | Purpose |
| --- | --- | --- | --- |
| `signin.aws.amazon.com` | HTTPS | Outbound | SAML AssertionConsumer and Single Logout |
| `aws.amazon.com` | HTTPS | Outbound | AWS user data via SSO |

      

      

---

      

## Recommended

      

Not strictly required, but disabling these reduces our ability to monitor performance, diagnose issues, and provide product analytics.

      
        

| Endpoint | Protocol | Purpose |
| --- | --- | --- |
| `js-agent.newrelic.com` | HTTPS | NewRelic browser monitoring agent |
| `bam.nr-data.net` | HTTPS | NewRelic telemetry endpoint |
| `api-js.mixpanel.com` | HTTPS | Product analytics |
| `cdn.mxpnl.com` | HTTPS | Mixpanel client library |
| `www.google-analytics.com` | HTTPS | Google Analytics |
| `stats.g.doubleclick.net` | HTTPS | Google Analytics |
| `www.googletagmanager.com` | HTTPS | Google Tag Manager |
| `ipinfo.io` | HTTPS | Geo-IP enrichment for workflow rules |

      

      

---

      

## Optional convenience features

      
        

| Endpoint | Protocol | Purpose |
| --- | --- | --- |
| `giphyscripts.s3.amazonaws.com` | HTTPS | GIF picker in the inbox composer |
| `bit.ly` | HTTPS | Outbound URL shortening for messages |

      

      

---

      

## IP-based allowlisting (fallback only)

      
        

**Important:** Use domain-based rules wherever possible. The IPs listed below are subject to change as Commbox infrastructure scales or is rotated. Customers who hard-code IP addresses are responsible for monitoring this document for changes. Where your firewall supports FQDN-based rules, prefer those.

      

      

### Outbound from your network to Commbox

      

If your firewall does not support FQDN rules, allow outbound HTTPS (TCP/443) to the following Commbox application IPs:

54.76.101.23 52.212.81.15 52.51.230.223 52.51.55.64 34.253.33.63 52.48.122.222 54.171.16.182 54.246.232.150 54.229.199.80 54.77.77.35 54.77.112.4 34.249.133.125

      

### Outbound from your network to Commbox SMTP

      

Only required if you use Commbox-hosted email channels. Allow outbound TCP/443 to:

34.249.57.65 52.215.60.193

      

### Inbound to your network from Commbox

      

If your environment **receives** webhooks, HTTP callbacks, or other traffic initiated *from* Commbox (for example, to a customer-hosted webhook receiver), allow the following source IPs:

46.137.14.237 34.253.247.49 213.57.31.162

      

For sandbox or pre-production testing only:

63.33.139.133

      

---

      

## Long-lived connection support

      

The Commbox inbox uses persistent WebSocket connections to deliver real-time updates. Confirm with your network team that:

      

- Idle TCP timeouts on egress proxies allow connections to remain open for at least **60 minutes**.
- WebSocket upgrade headers (`Connection: Upgrade`, `Upgrade: websocket`) are not stripped by HTTP-inspecting proxies.
- If TLS interception is in use, the proxy must present a certificate trusted by client browsers for `*.commbox.io`.
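
When an HTTP-inspecting proxy drops the upgrade headers, the handshake response no longer carries `101 Switching Protocols`. The added example below (not Commbox code) checks a captured handshake response against the RFC 6455 rules and lists what is missing; the two sample responses are constructed, and the key is the sample value from RFC 6455.

```python
import base64
import hashlib

# Added example: validate a WebSocket handshake response captured behind a proxy.
_WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # constant fixed by RFC 6455

def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept value the server must return for a given key."""
    digest = hashlib.sha1((key + _WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def handshake_problems(raw_response: bytes, sent_key: str) -> list:
    """Return reasons the upgrade failed; an empty list means it succeeded."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    problems = []
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or parts[1] != "101":
        problems.append(f"status is not 101: {status_line!r}")
    if headers.get("upgrade", "").lower() != "websocket":
        problems.append("Upgrade: websocket missing")
    # Connection is a comma-separated token list, e.g. "keep-alive, Upgrade".
    tokens = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    if "upgrade" not in tokens:
        problems.append("Connection: Upgrade missing")
    if headers.get("sec-websocket-accept") != expected_accept(sent_key):
        problems.append("Sec-WebSocket-Accept missing or wrong")
    return problems

KEY = "dGhlIHNhbXBsZSBub25jZQ=="  # sample key from RFC 6455
GOOD = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
        b"Connection: Upgrade\r\n"
        b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")
# Constructed: the request was answered as plain HTTP after a proxy removed
# the upgrade headers.
STRIPPED = b"HTTP/1.1 200 OK\r\nConnection: keep-alive\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for label, resp in (("good", GOOD), ("stripped", STRIPPED)):
        print(label, handshake_problems(resp, KEY) or "upgrade OK")
```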

      

---

      

## Validation checklist

      

After applying allowlist rules, verify the following from a workstation behind the firewall:

      

1. The Commbox web app loads completely with no missing fonts or blank UI tiles.
2. Login completes successfully (validates reCAPTCHA and authentication paths).
3. New messages appear in the inbox without a manual refresh (validates WebSocket connectivity).
4. For each channel in use, send and receive a test message end-to-end.
5. Run the following commands and confirm both succeed:

  

