System and Network Requirements - Amwell Carepoint Firewall Rules
This documentation was last updated on: 8/13/2024 2:31:04 PM (UTC).
The System and Network requirements for Carepoint firewall rules are listed below. Amwell's full list of products and their network requirements is published on a separate page.
The most recent update to this page was on 11/01/2023, adding *.avizia.com to the list of destinations for port 443 under Amwell TV Kit 200S Platform Firewall Requirements. The complete System and Network Requirements change log is maintained separately.
Amwell Carepoint Firewall Rules
This article refers to all Amwell Proprietary Hardware devices – C250, C500, TV Kit 100 & 200
Hospital System Firewall requirements
Amwell Hospital Carepoints must be placed on a network that follows the rules listed below to allow for the appropriate incoming and outgoing traffic. Please supply your network administrator with the following mandatory details – these firewall permissions are needed for application functionality.
Firewall and Domain Permissions
- See the lists and tables below for the domains and, where available, the IP addresses that must be allow-listed on your network.
Ports
- The firewall must permit outbound HTTP/HTTPS requests on the ports listed in the tables below.
Amwell Hospital Carepoints use an explicit firewall allow list: all traffic from the device is restricted to specific domains and ports, so any destination or port missing from the allow list will break the corresponding function.
Firewall Allow List Requirements
The Amwell Hospital platform requires mandatory firewall permissions for minimum application functionality.
Amwell's instructions for split-tunnel Virtual Private Network setup are provided separately; split tunneling is recommended for all Amwell products where providers connect via VPN.
Firewall and Domain Permissions
- *.amwell.com
- *.avizia.io
- *.avizia.com
- *.amwell.systems
- global.stun.twilio.com
- global.turn.twilio.com
Ports
- The firewall must be configured for requests on the following ports. Destinations are the domains listed under Firewall and Domain Permissions above. "Outgoing, Established" means the Carepoint initiates the connection and only return traffic for those connections needs to be admitted inbound.

| REQUIRED | SERVICE | TRANSPORT | PORTS | RULE |
|---|---|---|---|---|
| Mandatory | Standard web, redirect to HTTPS | TCP | 80 | Outgoing |
| Mandatory | Secure WebRTC | TCP | 443 | Outgoing, Established |
| Mandatory | DNS | UDP | 53 | Outgoing |
| Recommended | Enhanced Fleet Service | TCP | 443 | Outgoing, Established |
| Mandatory | Network Time Sync (NTP) | UDP | 123 | Outgoing |
| Mandatory (select either Preferred Media or Media (STUN/TURN)) | Preferred Media (RTP/RTCP), highly recommended; use for best performance and quality | UDP & TCP | 40000-49999 (see footnote \*) | Outgoing, Established |
| | Media (STUN/TURN)\*, reduces the number of ports required but increases connection time | UDP & TCP | 443 and 3478 (UDP & TCP); 5349 (TCP) | Outgoing, Established |

\* Fail-over in case 40000-49999 cannot establish a connection.
\*\* If using Amwell outside of the United States, consult your Implementation Manager. STUN/TURN is not currently supported on the 210 Telemedicine cart.
† For the most restrictive networks. Expect some degradation in video quality. STUN/TURN is not currently supported on the 210 Telemedicine cart.
Converge Platform Firewall requirements
Amwell's instructions for split-tunnel Virtual Private Network setup are provided separately; split tunneling is recommended for all Amwell products where providers connect via VPN.
| REQUIRED | SERVICE | TRANSPORT | PORTS | RULE |
|---|---|---|---|---|
| Mandatory | Standard web, redirect to HTTPS | TCP | 80 | Outgoing |
| Mandatory | Secure WebRTC | TCP | 443 | Outgoing, Established |
| Mandatory | DNS | UDP | 53 | Outgoing |
| Recommended | Enhanced Fleet Service | TCP | 443 | Outgoing, Established |
| Mandatory | Network Time Sync (NTP) | UDP | 123 | Outgoing |
| Mandatory | Preferred Media (RTP/RTCP), use for best performance and quality | UDP & TCP | TCP: 443, 3478, 5349, 10000-60000; UDP: 3478, 10000-60000 | Outgoing, Established |
Amwell TV Kit 200S Platform Firewall Requirements
The Amwell TV Kit 200 Carepoints must be placed on a network that follows the rules listed below to allow the appropriate incoming and outgoing traffic. Supply your network administrator with the following mandatory details; these firewall permissions are needed for application functionality. (These settings are required in addition to the Converge Platform firewall requirements above.)
Amwell has tested with a number of LG and Samsung TVs and conforms to LG’s MPI and Samsung’s ExLink specs, but there is some risk that certain models may have different or outdated specifications that may result in TV control incompatibilities. For LG models specifically, models that run on webOS versions less than webOS 4.5 are not capable of supporting MPI control while in FTG mode, which is a requirement for many clients based on how their LG TVs are installed and configured in their facilities.
| REQUIRED | SERVICE | TRANSPORT | PORTS | RULE | DESTINATION | IPs |
|---|---|---|---|---|---|---|
| Mandatory | Device endpoints | TCP | 443 | Outgoing, Established | | |
| Mandatory | Amwell Application | TCP | 443 | Outgoing, Established | | |
| Mandatory | Twilio STUN/TURN Servers (Primary) | TCP & UDP | | Outgoing, Established | | US East Coast: 34.203.254.0-34.203.254.255, 54.172.60.0-54.172.61.255, 34.203.250.0-34.203.251.255, 3.235.111.128-3.235.111.255. US West Coast: 34.216.110.128-34.216.110.159, 54.244.51.0-54.244.51.255, 44.234.69.0-44.234.69.127 |
| Mandatory | Xirsys STUN/TURN Servers (Secondary) | TCP & UDP | 443 (TCP, UDP) | Outgoing, Established | US West: ws.xirsys.com; US East: us.xirsys.com | ws.xirsys.com: 167.172.202.136, 138.68.227.172, 165.227.16.242, 159.89.154.16, 104.248.215.23, 104.248.215.39, 104.248.215.47, 104.248.215.54, 104.248.219.151, 159.65.109.225. us.xirsys.com: 209.97.154.229, 157.245.221.120, 167.71.190.245, 165.22.39.134, 167.172.255.29, 157.245.114.91, 165.22.45.228, 104.248.6.243, 159.89.177.112, 167.172.16.110, 142.93.184.130, 45.55.60.16, 45.55.53.234, 68.183.115.118, 142.93.69.39, 159.203.72.38, 159.203.79.110, 159.203.64.229, 198.199.81.26 |
| Mandatory | Application Updates/App Center | TCP | 443 | Outgoing, Established | | |
| Mandatory | Crash and Logs/Crashlytics | TCP | 443 | Outgoing, Established | | |
| Mandatory | Application Insights/Logs and metrics | TCP | 443 | Outgoing, Established | | |
| Mandatory | Update Service | TCP | 443 | Outgoing, Established | | |
| Mandatory | Network Time Sync (NTP); this rule can be omitted if the client uses its own NTP servers | TCP & UDP | UDP: 123 | Outgoing, Established | | |
| Mandatory | Selective Forwarding Unit (SFU) WebRTC Media Servers | UDP | 10000-20000 | Outgoing, Established | | |
| Optional | Google captive-portal connectivity check; this rule can be omitted if the TV Kit 200 is connected over Ethernet | TCP | 80, 443, 80 (one per URL, in order) | | http://connectivitycheck.gstatic.com/generate_204, https://www.google.com/generate_204, http://www.google.com/gen_204 | |
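The Twilio entries above are given as dotted address ranges, which most firewalls will not accept verbatim; they need to be converted to CIDR prefixes before they go into an address set, and the connectivity-check row is only useful if the device can tell a genuine 204 from a portal's substituted page. The following is an added example, not Amwell's code: it converts the ranges and the Xirsys addresses from the table into a single nftables address set, checks a candidate peer address against it, and classifies the responses of the generate_204 probes. The address data is transcribed from the table; the set name `amwell_stun_turn` and the classification labels are this example's own choices, and the conversion works for any dotted range, not just the aligned ones on this page.

```python
# Added example (not Amwell's code): build a firewall address set from the
# STUN/TURN entries in the TV Kit 200S table, test peers against it, and
# interpret the Google connectivity-check probes.
import ipaddress
from typing import Optional

# Transcribed from the table above.
TWILIO_RANGES = {
    "US East Coast": (
        "34.203.254.0 - 34.203.254.255",
        "54.172.60.0 - 54.172.61.255",
        "34.203.250.0 - 34.203.251.255",
        "3.235.111.128 - 3.235.111.255",
    ),
    "US West Coast": (
        "34.216.110.128 - 34.216.110.159",
        "54.244.51.0 - 54.244.51.255",
        "44.234.69.0 - 44.234.69.127",
    ),
}
XIRSYS_HOSTS = {
    "ws.xirsys.com": (
        "167.172.202.136", "138.68.227.172", "165.227.16.242", "159.89.154.16",
        "104.248.215.23", "104.248.215.39", "104.248.215.47", "104.248.215.54",
        "104.248.219.151", "159.65.109.225",
    ),
    "us.xirsys.com": (
        "209.97.154.229", "157.245.221.120", "167.71.190.245", "165.22.39.134",
        "167.172.255.29", "157.245.114.91", "165.22.45.228", "104.248.6.243",
        "159.89.177.112", "167.172.16.110", "142.93.184.130", "45.55.60.16",
        "45.55.53.234", "68.183.115.118", "142.93.69.39", "159.203.72.38",
        "159.203.79.110", "159.203.64.229", "198.199.81.26",
    ),
}


def range_to_cidrs(text: str) -> list[str]:
    """'first - last' -> the minimal list of CIDR prefixes covering exactly that range.
    Unaligned ranges produce several prefixes rather than an over-broad one."""
    first, last = (ipaddress.ip_address(p.strip()) for p in text.split("-"))
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def allow_list() -> list[str]:
    """All permitted STUN/TURN destinations as sorted, de-duplicated prefixes."""
    nets = set()
    for ranges in TWILIO_RANGES.values():
        for r in ranges:
            nets.update(range_to_cidrs(r))
    for addrs in XIRSYS_HOSTS.values():
        nets.update(f"{a}/32" for a in addrs)
    return [str(n) for n in sorted(ipaddress.ip_network(n) for n in nets)]


def nft_set(name: str = "amwell_stun_turn") -> str:
    """Render the allow list as an nftables set ('flags interval' allows prefixes)."""
    elements = ", ".join(allow_list())
    return (f"set {name} {{\n  type ipv4_addr\n  flags interval\n"
            f"  elements = {{ {elements} }}\n}}")


def peer_allowed(ip: str) -> bool:
    """True if a STUN/TURN peer address seen in a capture is on the allow list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in allow_list())


def classify_probe(status: int, body: bytes, location: Optional[str] = None) -> str:
    """Interpret one generate_204 / gen_204 response.
    'open'    : the expected 204 with an empty body came back unmodified
    'captive' : a redirect or a substituted page, i.e. a portal or proxy intercepted it
    'blocked' : no usable response (status 0 stands for timeout/refused, or a 5xx)"""
    if status == 204 and not body:
        return "open"
    if 300 <= status < 400 or location or (200 <= status < 300 and body):
        return "captive"
    return "blocked"


if __name__ == "__main__":
    print(nft_set())
```

Running the block prints the set definition ready to paste into an nftables table; a peer address pulled from a packet capture during a failed call can be checked with `peer_allowed()` to decide whether the firewall or the media path is at fault.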
**As Amwell no longer partners with LG on the TV Kit 200L, the requirements for managing those kits have been removed from the page.**
1) NTP ("Network Time Protocol") server: required for device network time sync when the device is initialized.
2) DMS ("Device Management") service: the device management server for all set-top box and Goldeneye devices. It is the LG service that sits between devices and the Enterprise device portal and handles device onboarding, settings and configuration. Only devices are expected to connect to this service.
3) CMS ("Call Management") service: handles all messaging and in-call management. It provides real-time signaling between providers and devices, manages video/WebRTC room and connection state, and carries application-specific in-call messaging (e.g. PTZ controls). Both devices and providers/call participants connect to this service.
4) Pro:centric servers: update the device firmware and serve the device front-end application code. They must be reachable from the device for the system to function. Tenant/customer-specific Pro:centric servers are subdomains of the listed URLs.
5) DataDog logging service: to keep the system stable and to recognize and resolve failures quickly, device logs are collected through DataDog. Only device-related logs are collected; no data that could be considered personal information is collected.
Home Platform Firewall requirements
Amwell's instructions for split-tunnel Virtual Private Network setup are provided separately; split tunneling is recommended for all Amwell products where providers connect via VPN.
Firewall and Domain Permissions
- *.amwell.com
- *.avizia.io
- *.avizia.com
- *.amwell.systems
- global.stun.twilio.com
- global.turn.twilio.com
Ports
- The firewall must be configured for requests on the following ports. Destinations are the domains listed under Firewall and Domain Permissions above.

| REQUIRED | SERVICE | TRANSPORT | PORTS | RULE |
|---|---|---|---|---|
| Mandatory | Standard web, redirect to HTTPS | TCP | 80 | Outgoing |
| Mandatory | Secure WebRTC | TCP | 443 | Outgoing, Established |
| Mandatory | DNS | UDP | 53 | Outgoing |
| Recommended | Enhanced Fleet Service | TCP | 443 | Outgoing, Established |
| Mandatory | Network Time Sync (NTP) | UDP | 123 | Outgoing |
| Mandatory (select either Preferred Media or Media (STUN/TURN)) | Preferred Media (RTP/RTCP), highly recommended; use for best performance and quality | UDP & TCP | 40000-49999, 33000-33499 | Outgoing, Established |
| | Media (STUN/TURN)\*, reduces the number of ports required but increases connection time | UDP & TCP | 443 and 3478 (UDP & TCP); 5349 (TCP) | Outgoing, Established |

\* Fail-over in case 40000-49999 cannot establish a connection.
\*\* If using Amwell outside of the United States, consult your Implementation Manager.
† For the most restrictive networks. Expect some degradation in video quality.
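The Hospital, Converge and Home tables above all describe the same shape of policy: default-deny egress, a handful of TCP/UDP destination ports that may open new flows, and return traffic admitted only for established connections. The following is an added example, not Amwell's code, that transcribes those tables into port profiles, renders a profile as an nftables egress chain, and answers the question a network administrator gets during troubleshooting ("is a flow to this port/protocol even permitted?"). The profile contents come from the tables (the Hospital profile uses the explicit media ranges from the Home table, and the STUN/TURN option is read as 443 and 3478 over both transports plus 5349 over TCP); the table and chain names `carepoint_egress` / `output` are this example's own.

```python
# Added example (not Amwell's code): render the Carepoint port tables as an
# nftables egress policy and check individual flows against a profile.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    service: str
    proto: str   # "tcp" or "udp"
    lo: int      # first destination port, inclusive
    hi: int      # last destination port, inclusive


def _both(service: str, lo: int, hi: int) -> tuple:
    """Rows whose TRANSPORT column reads 'UDP & TCP' become two rules."""
    return (Rule(service, "udp", lo, hi), Rule(service, "tcp", lo, hi))


# Rows shared by every table on the page.
COMMON = (
    Rule("Standard web, redirect to HTTPS", "tcp", 80, 80),
    Rule("Secure WebRTC / Enhanced Fleet Service", "tcp", 443, 443),
    Rule("DNS", "udp", 53, 53),
    Rule("Network Time Sync", "udp", 123, 123),
)

PROFILES = {
    # Hospital/Home table, Preferred Media option.
    "carepoint-preferred-media": COMMON
        + _both("Preferred Media (RTP/RTCP)", 40000, 49999)
        + _both("Preferred Media (RTP/RTCP)", 33000, 33499),
    # Hospital/Home table, STUN/TURN fail-over option (footnote *).
    "carepoint-stun-turn": COMMON
        + _both("Media (STUN/TURN)", 443, 443)
        + _both("Media (STUN/TURN)", 3478, 3478)
        + (Rule("Media (STUN/TURN)", "tcp", 5349, 5349),),
    # Converge table.
    "converge": COMMON + (
        Rule("Preferred Media (RTP/RTCP)", "tcp", 3478, 3478),
        Rule("Preferred Media (RTP/RTCP)", "tcp", 5349, 5349),
        Rule("Preferred Media (RTP/RTCP)", "tcp", 10000, 60000),
        Rule("Preferred Media (RTP/RTCP)", "udp", 3478, 3478),
        Rule("Preferred Media (RTP/RTCP)", "udp", 10000, 60000),
    ),
}

# Domain allow list from the page. A packet filter matches addresses, not names,
# so the wildcard entries need an FQDN-aware firewall, an explicit HTTPS proxy,
# or DNS-based egress filtering in front of the port policy rendered below.
ALLOWED_DOMAINS = (
    "*.amwell.com", "*.avizia.io", "*.avizia.com", "*.amwell.systems",
    "global.stun.twilio.com", "global.turn.twilio.com",
)


def flow_allowed(profile: str, proto: str, dport: int) -> bool:
    """True if a new outbound flow to dport over proto is permitted by the profile."""
    return any(r.proto == proto.lower() and r.lo <= dport <= r.hi
               for r in PROFILES[profile])


def nft_ruleset(profile: str) -> str:
    """Default-deny egress chain: only the profile's ports may open new flows;
    return traffic is admitted by conntrack state (the 'Established' column)."""
    lines = [
        "table inet carepoint_egress {",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    ct state established,related accept",
        '    oifname "lo" accept',
    ]
    for r in PROFILES[profile]:
        port = str(r.lo) if r.lo == r.hi else f"{r.lo}-{r.hi}"
        lines.append(f'    {r.proto} dport {port} ct state new accept comment "{r.service}"')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(nft_ruleset("converge"))
```

Keep the profile that matches the option actually deployed: a network that permits only the STUN/TURN ports will connect, but the page warns of longer call setup and reduced video quality, and a network that permits only the Preferred Media ranges has no fail-over when those ranges are blocked upstream.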