System and Network Requirements - Amwell Carepoint Firewall Rules

These requirements have been updated on: 07/25/2023

Amwell Carepoint Firewall Rules

This article refers to all Amwell Proprietary Hardware devices - C250, C500, TV Kit 100 & 200

Quick Navigation

Hospital System Firewall requirements

Amwell Hospital Carepoints must be placed on a network that follows the rules listed below to allow for the appropriate incoming and outgoing traffic. Please supply your network administrator with the following mandatory details – these firewall permissions are needed for application functionality.

Firewall and Domain Permissions:
  • See the table below for specific domains and IP’s (where available) that need to be allow listed on your network
Ports:
  • The firewall must be configured for outbound HTTP/HTTPS requests on ports listed in the table below

Amwell Hospital Carepoints employ an explicit firewall allow listing protocol that restricts all traffic on the device to specific domains and ports.

Firewall Allow List Requirements

The Amwell Hospital platform requires mandatory firewall permissions for minimum application functionality.

Please find our instructions on Split-Tunnel Virtual Private Network set up Here - recommended for all Amwell products where providers are connecting via VPN.

Firewall and Domain Permissions:
  • *.amwell.com
  • *.avizia.io
  • *.avizia.com
  • *.amwell.systems
  • global.stun.twilio.com
  • global.turn.twilio.com
Ports:
  • The firewall must be configured for requests on the following ports:
REQUIRED SERVICE TRANSPORT PORTS RULE DESTINATION
Mandatory Standard web, redirect to HTTPS TCP 80 Outgoing
  • *.avizia.com
  • *.avizia.io
Mandatory Secure WebRTC TCP 443 Outgoing, Established
  • *.avizia.com
  • *.avizia.io
  • *.amwell.systems
  • 54.172.60.0 - 54.172.61.255
  • 34.203.250.0 - 34.203.251.255
  • 54.244.51.0 - 54.244.51.255**
  • 18.204.64.0-31
Mandatory DNS UDP 53 Outgoing
  • Local DNS server
Recommended Enhanced Fleet Service TCP 443 Outgoing, Established
  • 3.127.6.122 
  • 35.159.42.141
  • 3.66.25.214
  • 18.158.25.22
Mandatory Network Time Sync NTP 123 Outgoing
  • pool.ntp.org
Highly Recommended Preferred - Media (RTP/RTCP) UDP & TCP
  • 40000-49999
  • 33000-33499
 Outgoing, Established
  • *.avizia.io
Mandatory

(select either Preferred Media

or

Media (STUN/TURN) below)		 Preferred Media (RTP/RTCP)

Use for best performance and quality		 UDP & TCP
  • 40000-49999
  • 33000-33499
 Outgoing, Established
  • 34.75.154.64/26
  • 34.75.18.64/26
  • 34.75.114.64/26
  • 34.66.98.64/26
  • 34.132.19.0/26
  • 34.132.48.128/26
Media (STUN/TURN)*

Reduces number of ports required, however, increases connection time		 UDP & TCP 443, 3478 (UDP & TCP) 5349 TCP Outgoing, Established
  • 54.172.60.0 - 54.172.61.255,
  • 34.203.250.0 - 34.203.251.255
  • 54.244.51.0 - 54.244.51.255**

*Fail-over in case 40000-49999 cannot establish a connection.

**If using Amwell outside of the United States, please consult your Implementation Manager. STUN/TURN is not currently supported on the 210 Telemedicine cart.

†For the most restrictive networks. Note that you may see performance degradation in video quality. STUN/TURN is not currently supported on the 210 Telemedicine cart.

Converge Platform Firewall requirements

Please find our instructions on Split-Tunnel Virtual Private Network set up Here - recommended for all Amwell products where providers are connecting via VPN.

REQUIRED SERVICE TRANSPORT PORTS RULE DESTINATION
Mandatory Standard web, redirect to HTTPS TCP 80 Outgoing
  • *.avizia.com
  • *.avizia.io
Mandatory Secure WebRTC TCP 443 Outgoing, Established
  • global.vss.twilio.com
  • us1.vss.twilio.com
  • us2.vss.twilio.com
  • Sdkgw.us1.twilio.com
  • *.amwell.com
  • *.amwellnow.com
  • *.amwlnw.com
  • *.amwell.systems
  • firebasehostingproxy.page.link
Mandatory DNS UDP 53 Outgoing
  • Local DNS server
Recommended Enhanced Fleet Service TCP 443 Outgoing, Established
  • 3.127.6.122
  • 35.159.42.141
  • 3.66.25.214
  • 18.158.25.22
Mandatory Network Time Sync NTP 123 Outgoing
  • pool.ntp.org
Mandatory Preferred Media (RTP/RTCP)

Use for best performance and quality		 UDP & TCP TCP: 443, 3478, 5349, 10000-60000

---

UDP: 3478, 10000-60000		 Outgoing, Established
  • 34.203.254.0/24
  • 54.172.60.0/23
  • 34.203.250.0/23
  • 3.235.111.128/25
  • 34.216.110.128/27
  • 54.244.51.0/24
  • 44.234.69.0/25

 

Amwell TV Kit 200S Platform Firewall Requirements

The Amwell TV Kit 200 Carepoints must be placed on a network that follows the rules listed below to allow for the appropriate incoming and outgoing traffic. Please supply your network administrator with the following mandatory details – these firewall permissions are needed for application functionality. (These settings are required in addition to Amwell's Converge network setting, which can be reviewed HERE).

REQUIRED SERVICE TRANSPORT PORTS RULE DESTINATION IPs
Mandatory Device endpoints TCP 443 Outgoing, Established
  • login.solaborate.com
  • api.solaborate.com
  • signaling.solaborate.com
  • mobile.solaborate.com
  
Mandatory Amwell Application TCP 443 Outgoing, Established
  • amwell.solaborate.com
  
Mandatory Twilio STUN/TURN Servers (Primary) TCP & UDP


443 (TCP, UDP), 3478 (TCP, UDP) 5349 (TCP), 10,000-60,000 (UDP)

 Outgoing, Established
  • global.twilio.com
  • global.stun.twilio.com
  • global.turn.twilio.com

Region US East Coast 34.203.254.0 - 34.203.254.255, 54.172.60.0 - 54.172.61.255, 34.203.250.0 - 34.203.251.255, 3.235.111.128 - 3.235.111.255

 

Region US West Coast 34.216.110.128 - 34.216.110.159, 54.244.51.0 - 54.244.51.255, 44.234.69.0 - 44.234.69.127
Mandatory Xirsys STUN/TURN Servers (Secondary) TCP & UDP

443 (TCP, UDP), 
3478 (TCP, UDP) 
5349 (TCP), 
10,000-60,000 (UDP)

 Outgoing, Established
  • global.xirsys.net

US West - ws.xirsys.com

167.172.202.136, 138.68.227.172, 165.227.16.242

159.89.154.16, 104.248.215.23, 104.248.215.39

104.248.215.47, 104.248.215.54, 104.248.219.151

159.65.109.225

 

US East - us.xirsys.com

209.97.154.229, 157.245.221.120, 167.71.190.245

165.22.39.134, 167.172.255.29, 157.245.114.91

165.22.45.228, 104.248.6.243, 159.89.177.112

167.172.16.110, 142.93.184.130, 45.55.60.16

45.55.53.234, 68.183.115.118, 142.93.69.39

159.203.72.38, 159.203.79.110, 159.203.64.229

198.199.81.26
Mandatory Application Updates/App Center TCP 443 Outgoing, Established

 

  • api.mobile.azure.com
  • api.appcenter.ms
  • in.appcenter.ms
  
Mandatory Crash and Logs/Crashlytics TCP 443 Outgoing, Established
  • reports.crashlytics.com
  • update.crashlytics.com
  • settings.crashlytics.com
  • firebase-settings.crashlytics.com
  • crashlyticsreports-pa.googleapis.com
  • firebaseinstallations.googleapis.com
  
Mandatory Application Insights/Logs and metrics TCP 443 Outgoing, Established
  • dc.applicationinsights.azure.com
  • dc.applicationinsights.microsoft.com
  • dc.services.visualstudio.com
  
Mandatory Update Service TCP 443 Outgoing, Established

 

  • ota-distribution.solaborate.com
  
Mandatory Network Time Sync TCP & UDP

UDP: 123

 Outgoing, Established
  • time.android.com
  • 0.pool.ntp.org
  • time.android.com
  • time1.google.com
  • time2.google.com
  • time3.google.com
  • time4.google.com
 In case the client has their own NTP servers this section can opt-out
Mandatory Selective Forwarding Unit (SFU) WebRtc Media Servers UDP 10000-20000 Outgoing, Established
  • 52.185.30.96/27
  
Optional Google Captive TCP

80

443

80

  

http://connectivitycheck.gstatic.com/generate_204

https://www.google.com/generate_204

http://www.google.com/gen_204

In case TV Kit 200 is connected through ethernet then this section can opt-out

 

Amwell TV Kit 200L Platform Firewall Requirements

The Amwell TV Kit 200L Carepoint must be placed on a network that follows the rules listed below to allow for the appropriate incoming and outgoing traffic. Please supply your network administrator with the following mandatory details – these firewall permissions are needed for application functionality for LG Virtual Visit Services and eSitter functionality. (These settings are required in addition to Amwell’s Converge network setting, which can be reviewed HERE)

REQUIRED

SERVICE

TRANSPORT

PORTS

RULE

DESTINATION

Mandatory

NTP1) Server

UDP

123 (NTP)

Outgoing, Established

*.pool.ntp.org

Mandatory

 

DMS2) / CMS3) / Provider hosting server / Patient hosting Server / Hub hardware update servers4)

TCP & UDP

443 (HTTPS),

Outgoing, Established

*.lgdh-api.com

TCP

8883(MQTTS)

Outgoing, Established

a265y25nnswbi5-ats.iot.us-east-2.amazonaws.com

TCP

443 (HTTPS, WSS)

80 (HTTP)

Outgoing, Established

*.lgdh-procentric.com

lgdh-procentric-prod.s3.us-east-2.amazonaws.com

Mandatory

Twilio STUN/TURN Servers (Primary, East Coast)

TCP & UDP

443,

3478 (TCP & UDP),

5349 (TCP),

10,000-60,000 (UDP)

Outgoing, Established

*.twilio.com

34.203.254.0 - 34.203.254.255

54.172.60.0 - 54.172.61.255

34.203.250.0 - 34.203.251.255

3.235.111.128 - 3.235.111.255

Mandatory

Twilio STUN/TURN Servers (Secondary, West Coast)

TCP & UDP

443,

3478 (TCP & UDP),

5349 (TCP),

10,000-60,000 (UDP)

Outgoing, Established

*.twilio.com

34.216.110.128 - 34.216.110.159

54.244.51.0 - 54.244.51.255

44.234.69.0 - 44.234.69.127

Mandatory

DataDog5) logging

TCP & TLS

443 (HTTPS),

10516 (TCP)

Outgoing, Established

*.datadoghq.com

1)    NTP (“Network Time Protocol”) Server - The NTP server is required for device network time sync when device is initialized.
2)    DMS (“Device Management”) service – this is the device management server for all Set top box and Goldeneye devices. It is the LG service that sits between devices and the Enterprise device portal, relating to onboarding devices, device settings/configuration, etc. We only expect devices to connect to this service.
3)    CMS (“Call Management”) service – this is the service that handles all messaging and in-call related management. It is used for real-time signaling between Providers and Devices and manages any video/webRTC room / connection states, as well as application specific in-call messaging (PTZ controls, e.g.). Both devices and providers/call participants connect to this service. 
4)    Pro:centric Servers – these are for updating the device firmware serving the device frontend application code. These must be accessible by the device for the system to function. The tenant/customer specific Pro:centric servers will be subdomains of these listed URLs. 
5)    DataDog Logging Service - In order to ensure stable operation of the system and to quickly recognize and resolve failures, we collect device logs using the DataDog service. (Only device-related logs are collected, and no other data that can be considered personal information is collected).

 

Home Platform Firewall requirements

Please find our instructions on Split-Tunnel Virtual Private Network set up Here - recommended for all Amwell products where providers are connecting via VPN.

Firewall and Domain Permissions:
  • *.amwell.com
  • *.avizia.io
  • *.avizia.com
  • *.amwell.systems
  • global.stun.twilio.com
  • global.turn.twilio.com
Ports:
  • The firewall must be configured for requests on the following ports:
REQUIRED SERVICE TRANSPORT PORTS RULE DESTINATION
Mandatory Standard web, redirect to HTTPS TCP 80 Outgoing
  • *.avizia.com
  • *.avizia.io
Mandatory Secure WebRTC TCP 443 Outgoing, Established
  • *.avizia.com
  • *.avizia.io
  • *.amwell.systems
  • 54.172.60.0 - 54.172.61.255
  • 34.203.250.0 - 34.203.251.255
  • 54.244.51.0 - 54.244.51.255**
  • 18.204.64.0-31
Mandatory DNS UDP 53 Outgoing
  •  Local DNS server
Recommended Enhanced Fleet Service TCP 443 Outgoing, Established
  • 3.127.6.122
  • 35.159.42.141
  • 3.66.25.214
  • 18.158.25.22
Mandatory Network Time Sync NTP 123 Outgoing
  • pool.ntp.org
Highly Recommended Preferred - Media (RTP/RTCP) UDP & TCP 40000-49999

33000-33499		 Outgoing, Established
  • *.avizia.io
Mandatory

(select either Preferred Media

or

Media (STUN/TURN) below)		 Preferred Media (RTP/RTCP)

Use for best performance and quality		 UDP & TCP
  • 40000-49999
  • 33000-33499
 Outgoing, Established
  • 34.75.154.64/26
  • 34.75.18.64/26
  • 34.75.114.64/26
  • 34.66.98.64/26
  • 34.132.19.0/26
  • 34.132.48.128/26
Media (STUN/TURN)*

Reduces number of ports required, however, increases connection time		 UDP & TCP 443, 3478 (UDP & TCP) 5349 TCP Outgoing, Established
  • 54.172.60.0 - 54.172.61.255,
  • 34.203.250.0 - 34.203.251.255
  • 54.244.51.0 - 54.244.51.255**

*Fail-over in case 40000-49999 cannot establish a connection.

**If using Amwell outside of the United States, please consult your Implementation Manager.

†For the most restrictive networks. Note that you may see performance degradation in video quality.