IBM Support

Opening Firewall or Proxy Ports for IBM Video Streaming Broadcasting and Viewing - EU cluster


This comprehensive guide details firewall configuration requirements for IBM Video Streaming services, covering both viewing and broadcasting scenarios. It specifies required outbound ports for DNS (UDP 53), web traffic (TCP 80/443), RTMP streaming (TCP 1935), and optional secure ingest ports. The document provides a complete list of IP address ranges that must be whitelisted, primarily located in Frankfurt, Germany. Additional sections cover ECDN server requirements including clock synchronization (UDP 123), OpenVPN access (TCP 443), and optional proxy configurations (TCP 3128). Domain name exclusion lists are provided for both control plane and data plane traffic to optimize proxy server performance. The guide includes FAQs addressing proxy service requirements, IP ownership, and change notification policies, plus step-by-step instructions for configuring firewall rules on Windows 10 and Mac OS X systems.

Overview

In order to broadcast or view streams, you will need to ensure that any firewall is configured to allow traffic on specific ports. A firewall can reside on your local machine, on your router, or as part of your corporate network.

Firewall Settings Needed for Viewing Streams

In order to watch IBM streams, you have to create the following stateful firewall rules, assuming you have a regular internet connection:

  • Outgoing UDP destination port 53 to your nameserver or any IP for domain name resolution (DNS).
  • Outgoing TCP destination ports 80 and 443 to any IP for web.
  • Outgoing TCP destination port 1935 to any IP for streaming (RTMP).
  • Outgoing TCP destination ports 8001-8004 to IP ADDRESS RANGES below for web-based chat.

Firewall Settings Needed for Broadcasting

In order to broadcast via IBM Video Streaming, you have to create the following stateful firewall rules, assuming you have a regular internet connection. If you are behind a corporate firewall, please ensure your IT department configures the firewall to accommodate these settings:

  • Outgoing UDP destination port 53 to your nameserver or any IP for domain name resolution (DNS).
  • Outgoing TCP destination ports 80 and 443 to IP ADDRESS RANGES below for web.
  • Outgoing TCP destination port 1935 to IP ADDRESS RANGES below for streaming (RTMP).

Optional: Secure Ingest Setup

If you have secure ingest set up for your account, you will need to open these additional ports:

  • Outgoing TCP destination port 4444 to IP ADDRESS RANGES below.
  • Outgoing UDP destination ports 2070-2090 to IP ADDRESS RANGES below.
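
Added example, not part of IBM's page: the broadcasting and secure-ingest rules above modelled in Python and run over firewall deny records to find flows that the page says must be open. The log format, the function names and the 192.0.2.0/28 allowlist are assumptions for illustration; load the addresses from the IP Address Ranges section in practice.

```python
import ipaddress
import re

# Placeholder allowlist (RFC 5737 documentation range); substitute the
# addresses from the "IP Address Ranges" section.
IBM_RANGES = [ipaddress.ip_network("192.0.2.0/28")]

# (protocol, ports, destination limited to IBM_RANGES?, purpose), per the page
RULES = [
    ("udp", (53,), False, "DNS"),
    ("tcp", (80, 443), True, "web"),
    ("tcp", (1935,), True, "RTMP"),
    ("tcp", (4444,), True, "secure ingest"),
    ("udp", range(2070, 2091), True, "secure ingest"),
]

# Assumed log format for this example: "DENY OUT <proto> <dst_ip>:<port>"
LINE = re.compile(r"^DENY OUT (tcp|udp) (\d+\.\d+\.\d+\.\d+):(\d+)$")

def matching_rule(proto, dst, port, ranges=IBM_RANGES):
    """Return the purpose of the page rule that permits this flow, else None."""
    addr = ipaddress.ip_address(dst)
    for r_proto, ports, scoped, purpose in RULES:
        if proto != r_proto or port not in ports:
            continue
        if scoped and not any(addr in net for net in ranges):
            continue  # right port, but destination is outside the allowlist
        return purpose
    return None

def wrongly_denied(log_lines, ranges=IBM_RANGES):
    """Return (line, purpose) for denied flows the page requires to be open."""
    hits = []
    for line in map(str.strip, log_lines):
        m = LINE.match(line)
        purpose = m and matching_rule(m[1], m[2], int(m[3]), ranges)
        if purpose:
            hits.append((line, purpose))
    return hits

SAMPLE_LOG = [  # constructed sample input
    "DENY OUT tcp 192.0.2.5:1935",     # RTMP to an allowlisted host: must be open
    "DENY OUT udp 192.0.2.9:2075",     # secure-ingest UDP range: must be open
    "DENY OUT tcp 198.51.100.7:1935",  # RTMP port, host not listed: deny is fine
    "DENY OUT tcp 192.0.2.5:8080",     # port not on the page: deny is fine
]

if __name__ == "__main__":
    print(wrongly_denied(SAMPLE_LOG))
```

Denies that the function does not return are consistent with the page: the destination is outside the allowlist or the port is not one the page lists.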

IP Address Ranges

List of IP address ranges for which you have to create firewall filters. In order to ensure a smooth experience, please whitelist all of the following IP address ranges regardless of which locations are closest to your streaming location.


Additional Firewall Settings Needed for ECDN Servers

ECDN servers are deployed behind customer firewalls. These servers act as local caches for the video streaming content. To pull down the content, they need outbound-to-Internet network connectivity. The list below indicates the IP address ranges on the Internet that should be reachable from the ECDN servers. No inbound connectivity from the Internet is needed.

Clock Synchronization (Required)

Used for setting the clock on the ECDN servers: outgoing UDP port 123. Clock synchronization is needed for SSL connections to work. Either use local NTP server(s) or open port 123 to: [0-3].ubuntu.pool.ntp.org

OpenVPN Traffic (Required)

Allow OpenVPN traffic over port 443 to terminator.deepcaching.com. Sometimes, during server upgrades or when customers need additional help diagnosing issues, the ECDN operations team needs to log in to the servers remotely. The ECDN Management Portal allows customers to selectively enable or disable a VPN connection from an ECDN server to an IBM Video ECDN server, terminator.deepcaching.com, in the cloud. When enabled, it allows the ECDN operations team to log in to this ECDN server remotely and help with the diagnosis. The VPN tunnel establishes an OpenVPN connection via port 443. This requires the firewall to NOT block such outbound traffic via port 443 to terminator.deepcaching.com.

Child-Parent Proxy Feature (Optional)

Allow port 3128 when the child-parent proxy feature is enabled. From ECDN server version 2.4.2 (20190724), Child ECDN servers can use Parent ECDNs as a proxy for HTTPS calls to connect to the Internet. This is an optional feature and can be enabled by IBM on customer request. When this feature is enabled, the port is used by Child servers to connect to the proxy services running on Parent ECDN nodes.

Domain Names

Many enterprise customers use a proxy server to manage the HTTP and HTTPS traffic within their intranet. These proxy servers can become overwhelmed if all video streaming traffic is also channeled through them. To avoid this, proxy servers allow you to define an exclude list of domain names, which allows any traffic to these domains to bypass the proxy server. IBM products use several domain names as part of their service delivery. These domain names are categorized into:

Control Plane

Such as access to the web portal, support, etc. This traffic may flow via the proxy or bypass it.

  • ustream.tv
  • *.ustream.tv
  • ustreamstatic-a.akamaihd.net
  • ustvstaticcdn1-a.akamaihd.net


Document Information

Modified date: 05 June 2026

UID: ibm17275298