Internet Firewalls and Workspot


Last update: April 24, 2024 by Robert Plamondon

This document lists the Internet addresses and ports used by Workspot software in the context of firewalls. If these are blocked by the firewall, the affected products will not function. 

Note: The firewalling of LAN-to-LAN traffic is outside the scope of this document.

General (non-Workspot) Services

Like all network-based products, Workspot products rely on services such as DNS and NTP. If these are not provided on your LAN, they must be allowed through your Internet/WAN firewall. These include:

  • DNS. If your devices are not configured to use only local DNS servers, TCP/UDP port 53 must be open on your firewalls or the Workspot services will not be able to resolve DNS addresses.
  • NTP. If your devices are not configured to use only local timeservers, UDP port 123 must be open on your firewalls or clock drift may eventually interfere with Workspot operation.
  • Other services. Any third-party services you have configured as part of your Workspot deployment must also be reachable, such as third-party identity providers.

URLs and Proxies

  • Most Workspot services run as ordinary “https://” connections (TCP TLS connections) on port 443.
  • In addition, the Workspot Client uses UDP port 3391 to connect to Workspot Gateways.
  • With Control 18.2, regional Control instances are supported for data sovereignty. The initial regions are US and EU.
  • If you use a proxy for Internet connectivity, see Setting a Proxy Server.


Workspot Clients

Workspot Clients are applications that communicate with Workspot desktops, usually via Workspot RD Gateways. The URLs for these Gateways can be found in Control under "Setup > Gateways" and "Setup > RD Gateways."

  • The following are all outbound connections to the desired resource. Workspot Clients do not listen for inbound connections.
  • Thus, Client-side firewall rules do not need to open any inbound ports.

Ports

RD Gateways. Workspot Clients use standard ports to communicate with Workspot RD Gateways. The Clients use these ports to communicate with the Gateways on the WAN side and the Gateways relay this data to the Workspot desktops or app servers on the same ports on the LAN side:

  • TCP Port 443
  • UDP Port 3391

HTTPS. Workspot Clients also open HTTPS/TCP connections on Port 443 to the URLs shown below.

URLs

Workspot Clients use multiple URLs in the workspot.com domain to communicate with Workspot Control. See Table: Domain/URL Use by Product, below, for the list. 

Workspot Clients may also use the following non-Workspot URLs:

  • Microsoft Azure AD service on port 443 (if Azure AD is enabled for your Workspot deployment).
  • Other third-party identity providers' URLs (if configured in Control).
  • https://s3.amazonaws.com:443 (Channel for downloading new software versions).
  • https://sentry.io:443 (For uploading crash logs).

Workspot Desktops and Application Servers

Workspot desktops and application servers need whatever Internet connectivity is required by the OS and applications they run, plus the connectivity needed by the Workspot Agent (described below) and by the remote desktop connection, which uses:

  • TCP Port 443
  • UDP Port 3389

Workspot Agents

The Workspot Agents (Workspot Windows Desktop Agent, Workspot Linux Desktop Agent, and Workspot Gateway Agent) are services running on Workspot virtual machines (usually in the Azure or GCP clouds). They serve as a gateway (technically a secure proxy) between your Workspot desktops and apps and Workspot Client users.

Agents communicate with Workspot Control by opening multiple TCP connections:

  • Connections to Workspot Control and other Workspot services, listed in Table: Domain/URL Use by Product, below.
  • Connections to non-Workspot services:
    • https://data.workspot.com:443 (Collects usage and event data for use by your IT).
    • https://sentry.io:443 (For uploading crash logs).

Workspot Agents do not listen for incoming connections.

Workspot RD Gateways

Workspot RD Gateway is a virtual machine running Remote Desktop Gateway Services and the Workspot Gateway Agent service.

On the WAN (Internet) side, Gateways listen for incoming WAN-side RDP connections on these standard RDP Gateway ports:

  • TCP Port 443
  • UDP Port 3391

Gateways also open multiple outbound WAN-side connections to Workspot services as listed in Table: Domain/URL Use by Product, below.

Workspot Enterprise Connector

The Workspot Enterprise Connector (also called Workspot Connector or simply Connector) is generally hosted in the same datacenter as your AD server. If so, its queries to your AD server do not traverse the Internet. If placed away from your AD server, it needs to be connected by a secure tunnel or VPN.

Workspot Enterprise Connector makes queries to your AD server using a Service Account that you set up with sharply limited, read-only permissions. This allows it to inform Workspot Control about active user accounts and groups. Control is usually configured to only allow users with active AD accounts to access Workspot resources. AD Group membership is usually used to determine which resources a given user is entitled to.

  • TCP/UDP port 389 for communication with your AD server.

The standard AD protocols used by Connector are not suitable for unencrypted use over the Internet, so use a VPN or equivalent if you run Connector in a different datacenter from your AD server (not recommended).

Connector also opens outbound connections to multiple Workspot services as listed in Table: Domain/URL Use by Product, below.

Connector does not listen for inbound connections.

Table: Domain/URL Use by Product

Each row lists a component, the old firewall domains/URLs, and the new (regional) firewall domains/URLs. Where a row says "plus old domains/URLs", the old entries must remain allowed alongside the new ones.

Workspot Control
  • Old firewall domains/URLs:
    • https://control.workspot.com:443
  • New firewall domains/URLs:
    • https://control.us.workspot.com:443
    • https://control.eu.workspot.com:443
    • plus old domains/URLs

Workspot Watch and Trends
  • Old firewall domains/URLs:
    • https://watch.workspot.com:443
    • https://trends.workspot.com:443
    • https://control.workspot.com:443
  • New firewall domains/URLs:
    • https://watch.us.workspot.com:443
    • https://watch.eu.workspot.com:443
    • https://trends.us.workspot.com:443
    • https://trends.eu.workspot.com:443
    • https://control.us.workspot.com:443
    • https://control.eu.workspot.com:443
    • plus old domains/URLs

Workspot Desktop and Gateway Agents
  • Old firewall domains/URLs:
    • https://control.workspot.com:443
    • https://service.workspot.com:443
    • https://data.workspot.com:443
    • https://sentry.io:443
  • New firewall domains/URLs:
    • https://control.us.workspot.com:443
    • https://control.eu.workspot.com:443
    • https://service.us.workspot.com:443
    • https://service.eu.workspot.com:443
    • https://data.us.workspot.com:443
    • https://data.eu.workspot.com:443
    • plus old domains/URLs

Workspot Clients
  • Old firewall domains/URLs:
    • https://control.workspot.com:443
    • https://service.workspot.com:443
  • New firewall domains/URLs:
    • https://control.us.workspot.com:443
    • https://control.eu.workspot.com:443
    • https://service.us.workspot.com:443
    • https://service.eu.workspot.com:443
    • plus old domains/URLs

Workspot Web Client
  • Old firewall domains/URLs:
    • https://web.workspot.com:443
    • https://betaweb.workspot.com:443
    • https://control.workspot.com:443
    • https://service.workspot.com:443
  • New firewall domains/URLs:
    • https://web.workspot.com:443
    • https://betaweb.workspot.com:443
    • https://control.us.workspot.com:443
    • https://control.eu.workspot.com:443
    • https://service.us.workspot.com:443
    • https://service.eu.workspot.com:443
    • plus old domains/URLs

Workspot Enterprise Connector
  • Old firewall domains/URLs:
    • https://control.workspot.com:443
  • New firewall domains/URLs:
    • https://control.us.workspot.com:443
    • https://control.eu.workspot.com:443
    • https://service.workspot.com:443
    • https://service.us.workspot.com:443
    • https://service.eu.workspot.com:443
    • plus old domain/URL

Workspot Control API
  • Old firewall domains/URLs:
    • https://api.workspot.com:443
  • New firewall domains/URLs:
    • https://api.eu.workspot.com:443
    • https://api.us.workspot.com:443
    • plus old domain/URL

Splunk
  • Old firewall domains/URLs:
    • https://control.workspot.com:443
  • New firewall domains/URLs:
    • https://control.us.workspot.com:443
    • https://control.eu.workspot.com:443
    • plus old domain/URL

Workspot Secure Cloud Proxy (Coming Soon)
  • Old firewall domains/URLs:
    • N/A
  • New firewall domains/URLs:
    • https://control.us.workspot.com:443
    • https://control.eu.workspot.com:443

Other
  • Old firewall domains/URLs:
    • https://login.workspot.com:443
  • New firewall domains/URLs:
    • https://login.us.workspot.com:443
    • https://login.eu.workspot.com:443
    • plus old domains/URLs
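The table above, together with the per-component port lists earlier on this page, is what a firewall administrator has to turn into one outbound policy per network segment. The script below is an added example (not Workspot's own tooling): it encodes the table rows and the non-Workspot URLs from the Workspot Clients section as data, merges each component's old and new (regional) names because every row says "plus old domains/URLs", adds the TCP 443 / UDP 3391 rules for your own RD Gateways, and returns a de-duplicated list of (host, protocol, port) tuples. It also includes a plain TCP connect probe for verifying the policy from a client segment. The component keys, the placeholder Gateway name in the usage line, and the probe's timeout are assumptions of this example.

```python
"""Consolidated outbound allowlist for Workspot components (added example)."""
import socket
from urllib.parse import urlsplit

# Copied from the page's table column "Old Firewall Domains/URLs".
OLD_URLS = {
    "control": ["https://control.workspot.com:443"],
    "watch_trends": ["https://watch.workspot.com:443",
                     "https://trends.workspot.com:443",
                     "https://control.workspot.com:443"],
    "agents": ["https://control.workspot.com:443",
               "https://service.workspot.com:443",
               "https://data.workspot.com:443",
               "https://sentry.io:443"],
    "clients": ["https://control.workspot.com:443",
                "https://service.workspot.com:443",
                # From the page's Workspot Clients section, not the table:
                "https://s3.amazonaws.com:443",
                "https://sentry.io:443"],
    "web_client": ["https://web.workspot.com:443",
                   "https://betaweb.workspot.com:443",
                   "https://control.workspot.com:443",
                   "https://service.workspot.com:443"],
    "connector": ["https://control.workspot.com:443"],
    "control_api": ["https://api.workspot.com:443"],
    "splunk": ["https://control.workspot.com:443"],
    "other": ["https://login.workspot.com:443"],
}

# Copied from the column "New Firewall Domains/URLs"; the regional names
# follow the page's <service>.<region>.workspot.com pattern (US and EU).
REGIONS = ("us", "eu")
NEW_URLS = {
    "control": [f"https://control.{r}.workspot.com:443" for r in REGIONS],
    "watch_trends": [f"https://{s}.{r}.workspot.com:443"
                     for s in ("watch", "trends", "control") for r in REGIONS],
    "agents": [f"https://{s}.{r}.workspot.com:443"
               for s in ("control", "service", "data") for r in REGIONS],
    "clients": [f"https://{s}.{r}.workspot.com:443"
                for s in ("control", "service") for r in REGIONS],
    "web_client": [f"https://{s}.{r}.workspot.com:443"
                   for s in ("control", "service") for r in REGIONS],
    "connector": ["https://service.workspot.com:443"]
                 + [f"https://{s}.{r}.workspot.com:443"
                    for s in ("control", "service") for r in REGIONS],
    "control_api": [f"https://api.{r}.workspot.com:443" for r in REGIONS],
    "splunk": [f"https://control.{r}.workspot.com:443" for r in REGIONS],
    "other": [f"https://login.{r}.workspot.com:443" for r in REGIONS],
}


def parse_endpoint(url):
    """Turn 'https://host:443' into a (host, protocol, port) rule tuple."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname, "tcp", port


def egress_allowlist(components, gateway_hosts=()):
    """De-duplicated outbound rules for the given components.

    Old and new names are both kept ("plus old domains/URLs"); each RD
    Gateway gets the TCP 443 and UDP 3391 rules from the Ports section.
    """
    rules = set()
    for component in components:
        for url in OLD_URLS[component] + NEW_URLS[component]:
            rules.add(parse_endpoint(url))
    for gateway in gateway_hosts:
        rules.add((gateway, "tcp", 443))
        rules.add((gateway, "udp", 3391))
    return sorted(rules)


def check_reachable(rules, connect=socket.create_connection, timeout=3.0):
    """Probe each TCP rule with a plain connect (True/False per rule).

    UDP rules are reported as None: a UDP port cannot be confirmed open
    without speaking the Gateway's own protocol, so verify those with a
    real Client session instead.
    """
    results = {}
    for host, proto, port in rules:
        if proto != "tcp":
            results[(host, proto, port)] = None
            continue
        try:
            with connect((host, port), timeout=timeout):
                results[(host, proto, port)] = True
        except OSError:
            results[(host, proto, port)] = False
    return results


if __name__ == "__main__":
    # "gw1.example.com" is a placeholder; use the Gateway names shown in
    # Control under "Setup > Gateways" / "Setup > RD Gateways".
    for host, proto, port in egress_allowlist(["clients", "web_client"],
                                              gateway_hosts=["gw1.example.com"]):
        print(f"allow out {proto}/{port} to {host}")
```

Run it from a machine on the client subnet and feed the printed lines into whatever rule format your firewall takes; the `connect` parameter of `check_reachable()` is injectable so the policy logic can be tested without network access.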

Frequently Asked Questions (FAQ)

  1. Can all of the communication between Workspot components and the Workspot management platform be routed through a firewall?
    Yes, of course. This is commonly done in environments with higher security requirements to maintain visibility of all outbound traffic. Please contact Workspot if you have any questions about your specific security requirements.
  2. Do the Workspot Clients need to access the namespaces above?
    Yes. Clients need to reach the namespaces above. Specifically, a Workspot Client needs to be able to connect to the URLs listed above and to your Workspot RD Gateways to function properly. If you have a restricted network, please add the above to your outbound access control list.
  3. Can the firewall access control policy use IP addresses instead of DNS names?
    Yes, but the mapping from DNS names to IP addresses is dynamic and does not remain constant. Also, we may map multiple dynamic IPs to the same service. If you use IP addresses, ensure you have a process to monitor changes to the dynamic IPs.
  4. Are your dynamic IPs hardened against spoofing and man-in-the-middle attacks?
    Yes. Workspot services leverage the strongest private certificates to ensure identity and trust.
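FAQ question 3 says an IP-based access control policy is possible only if you have a process to monitor changes to the dynamic IPs. The script below is an added example of such a process (not Workspot's code): it resolves each service name, stores the answers as a snapshot, and on the next run reports which addresses were added or removed per name, so the IP allowlist can be updated before a rotated address is silently blocked. The hostnames come from the table above; the snapshot file location and the injectable `resolver` parameter are assumptions of this example.

```python
"""Report changes in the IP addresses behind Workspot service names (added example)."""
import json
import socket
from pathlib import Path

# Service names from the page's table (old and regional). Extend with any
# others your components use; these are the Control-related ones.
HOSTS = [
    "control.workspot.com",
    "control.us.workspot.com",
    "control.eu.workspot.com",
    "service.workspot.com",
    "service.us.workspot.com",
    "service.eu.workspot.com",
    "login.workspot.com",
    "login.us.workspot.com",
    "login.eu.workspot.com",
]

# Assumed location for the previous run's answers.
SNAPSHOT_FILE = Path("workspot_ip_snapshot.json")


def resolve_host(host, resolver=socket.getaddrinfo):
    """Return the sorted, de-duplicated addresses (IPv4 and IPv6) for host.

    A name that does not resolve yields an empty list rather than an
    exception, so one failure does not abort the whole run.
    """
    try:
        infos = resolver(host, 443, type=socket.SOCK_STREAM)
    except OSError:  # socket.gaierror is an OSError subclass
        return []
    return sorted({info[4][0] for info in infos})


def take_snapshot(hosts, resolver=socket.getaddrinfo):
    """Map each hostname to its current address list."""
    return {host: resolve_host(host, resolver) for host in hosts}


def diff_snapshots(previous, current):
    """Return {host: {"added": [...], "removed": [...]}} for hosts that changed."""
    changes = {}
    for host in sorted(set(previous) | set(current)):
        old = set(previous.get(host, []))
        new = set(current.get(host, []))
        if old != new:
            changes[host] = {"added": sorted(new - old),
                             "removed": sorted(old - new)}
    return changes


def load_snapshot(path=SNAPSHOT_FILE):
    """Previous snapshot, or an empty mapping on the first run."""
    return json.loads(path.read_text()) if path.exists() else {}


def save_snapshot(snapshot, path=SNAPSHOT_FILE):
    path.write_text(json.dumps(snapshot, indent=2, sort_keys=True))


if __name__ == "__main__":
    previous = load_snapshot()
    current = take_snapshot(HOSTS)
    for host, change in diff_snapshots(previous, current).items():
        print(f"{host}: added {change['added']} removed {change['removed']}")
    save_snapshot(current)
```

Schedule it (cron or a scheduled task) from a host that uses the same resolvers as your firewall, and treat any "removed" entry as a prompt to update the ACL rather than drop the old address immediately, since a name can return different subsets of its addresses on successive queries.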

© 2024 Workspot