Network Requirements

Exact hostnames, ports, and direct-connect rules for EnderDash signaling, STUN, TURN, downloads, and browser access.

Allowlist summary

Use this table when you need exact firewall, egress-policy, or network-policy entries.

| Host or endpoint | Required when | Protocols and ports | Purpose |
| --- | --- | --- | --- |
| app.enderdash.com | Always | TCP 443 | EnderDash application traffic. |
| signaling.enderdash.com | Always, unless you override the signaling host | TCP 443 | Signaling WebSocket at wss://signaling.enderdash.com/ws. |
| turn.cloudflare.com | Recommended for restrictive networks | UDP 3478, TCP 80, 3478, 443, 5349 | TURN relay fallback when direct WebRTC cannot connect. |
| stun.cloudflare.com | Recommended for direct connectivity | UDP 3478 | STUN discovery. |
| checkip.amazonaws.com | Optional | TCP 443 | Agent-owned public-IP discovery for metadata and easier NAT debugging. |
| downloads.enderdash.com | Optional | TCP 443 | Agent downloads and update checks. |
| enderdash.com | Optional | TCP 443 | Docs and marketing site. Not required for the running agent. |

Custom signaling host

If you override signalingUrl in the agent config, allow that host instead of signaling.enderdash.com.

Minimum egress sets

Minimum to register and signal

Allow outbound access to:

  • app.enderdash.com:443
  • signaling.enderdash.com:443

Minimum for restrictive environments that still need a working browser session

Also allow outbound access to:

  • turn.cloudflare.com
  • stun.cloudflare.com

That gives WebRTC relay and discovery support even when direct peer-to-peer traffic is blocked.

Direct connectivity rules

Direct browser-to-agent connectivity is not only a domain allowlist problem. After signaling succeeds, the browser and the agent try candidate IPs and ports directly.

That means:

  • FQDN allowlists alone are not enough for direct connectivity.
  • If you want direct connections, you must allow the agent's candidate ports through your firewall or router.
  • If you do nothing, the agent chooses ports dynamically.
  • If you want predictable ports, use a fixed range instead.

Example:

restrictPorts: true
webrtcMinPort: 10000
webrtcMaxPort: 10010

If you use a fixed range, allow both UDP and TCP for the same ports.
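
The allowlist table, the custom signaling host rule, and the fixed port range above can be expressed as a rule set and compared against a firewall policy. The following Python is an added example, not EnderDash code: the function names are hypothetical, the agent config is assumed to be already loaded into a dict, and a custom signalingUrl without an explicit port is assumed to use 443 for wss and 80 for ws.

```python
from urllib.parse import urlsplit

# Transcribed from the allowlist table above: host -> (tier, [(protocol, port), ...]).
ALLOWLIST = {
    "app.enderdash.com": ("always", [("tcp", 443)]),
    "signaling.enderdash.com": ("always", [("tcp", 443)]),
    "turn.cloudflare.com": ("recommended", [("udp", 3478), ("tcp", 80), ("tcp", 3478),
                                            ("tcp", 443), ("tcp", 5349)]),
    "stun.cloudflare.com": ("recommended", [("udp", 3478)]),
    "checkip.amazonaws.com": ("optional", [("tcp", 443)]),
    "downloads.enderdash.com": ("optional", [("tcp", 443)]),
    "enderdash.com": ("optional", [("tcp", 443)]),
}
DEFAULT_SIGNALING = "signaling.enderdash.com"


def egress_rules(config, tiers=("always", "recommended")):
    """Return the set of (host, protocol, port) egress entries for an agent config."""
    rules = set()
    for host, (tier, endpoints) in ALLOWLIST.items():
        if tier not in tiers:
            continue
        if host == DEFAULT_SIGNALING and config.get("signalingUrl"):
            # A custom signaling host replaces the default one.
            url = urlsplit(config["signalingUrl"])
            # Assumption: no explicit port means 443 for wss and 80 for ws.
            port = url.port or (443 if url.scheme == "wss" else 80)
            rules.add((url.hostname, "tcp", port))
            continue
        rules.update((host, proto, port) for proto, port in endpoints)
    return rules


def direct_port_rules(config):
    """Return (protocol, min_port, max_port) entries for direct connectivity,
    or None when the agent picks ports dynamically and no range can be pinned."""
    if not config.get("restrictPorts"):
        return None
    lo, hi = config["webrtcMinPort"], config["webrtcMaxPort"]
    if not (0 < lo <= hi <= 65535):
        raise ValueError(f"invalid WebRTC port range {lo}-{hi}")
    # A fixed range must be opened for both UDP and TCP.
    return [("udp", lo, hi), ("tcp", lo, hi)]


def missing_egress(policy, config, tiers=("always", "recommended")):
    """Entries from the table that a firewall policy (a set of tuples) lacks."""
    return sorted(egress_rules(config, tiers) - set(policy))
```

Pass `tiers=("always",)` to check only the minimum set needed to register and signal.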

Public-address advertisement

In many environments the agent can discover its own public IP automatically. If that lookup is blocked or wrong for your NAT layout, configure the public address manually:

advertisePublicAddress: true
publicAddress: "203.0.113.50"

Use the public IP that actually forwards traffic to the runtime.

What you usually do not need

  • enderdash.com for the runtime itself
  • checkip.amazonaws.com if relay fallback is acceptable and you do not care about public-IP metadata
  • any additional browser-to-agent hostnames beyond the runtime's own reachable IPs and ports
