Opening Firewall or Proxy Ports for IBM Video Streaming Broadcasting and Viewing

In order to broadcast or view streams, you will need to ensure that any firewall is configured to allow traffic on specific ports. A firewall can reside on your local machine, on your router, or as part of your corporate network.

Firewall settings needed for viewing streams

In order to watch IBM streams you have to create the following stateful firewall rules, assuming you have a regular internet connection:

  • Outgoing UDP destination port 53 to your nameserver or any IP for domain name resolution (DNS).
  • Outgoing TCP destination port 80, 443 to any IP for web.
  • Outgoing TCP destination port 1935 to any IP for streaming (RTMP).
  • Outgoing TCP destination ports 8001-8004 to IP ADDRESS RANGES below for web based chat.

Firewall settings needed for broadcasting

In order to Broadcast via IBM Video Streaming you have to create the following stateful firewall rules, assuming you have a regular internet connection. In case you are behind a corporate firewall please ensure your IT department configures the firewall to accommodate these settings:

  • Outgoing UDP destination port 53 to your nameserver or any IP for domain name resolution (DNS).
  • Outgoing TCP destination port 80, 443 to IP ADDRESS RANGES below for web.
  • Outgoing TCP destination port 1935 to IP ADDRESS RANGES below for streaming (RTMP).

Optional: If you have secure ingest setup for your account, you will need to open these additional ports.

  • Outgoing TCP destination port 4444 to IP ADDRESS RANGES below.
  • Outgoing UDP destination port 2070-2090 to IP ADDRESS RANGES below.

*Please note for RTMPS stream,  use the following url format in your encoder:

rtmps://CID.ingest.video.ibm.com/ustreamVideo/CID

IP Address Ranges

List of IP address ranges you have to create firewall filters. Also see changelog below for updates.

In order to ensure a smooth experience, please whitelist ALL of the following IP address ranges regardless of which locations are closest to your streaming location.

IP LOCATION
169.44.81.160/27 Dallas, TX, USA, North America
169.53.37.192/27 Dallas, TX, USA, North America
169.61.20.80/29 Dallas, TX, USA, North America
169.45.159.64/27 Dallas, TX, USA, North America
 169.45.133.0/27 Dallas, TX, USA, North America
169.45.132.160/27 Dallas, TX, USA, North America
169.46.140.144/28 Dallas, TX, USA, North America
169.46.172.32/27 Dallas, TX, USA, North America
 169.44.57.160/27 Dallas, TX, USA, North America
169.44.61.144/28

Dallas, TX, USA, North America

169.50.20.32/27

Frankfurt, Germany, Europe
161.202.59.160/27 Hong Kong, China, Asia
159.122.214.48/28 London, United Kingdom, Europe
169.50.194.128/27 London, United Kingdom, Europe
169.57.34.16/28 Querétaro, Mexico, North America
169.57.154.248/29 Sao Paulo, Brasil, South America
169.57.165.32/27 Sao Paulo, Brasil, South America
50.23.174.32/27 Seattle, WA, USA, North America
168.1.193.160/27 Sydney, Australia, Oceania
161.202.236.96/27 Tokyo, Japan, Asia
169.45.252.224/27 Washington, D.C., CO, USA, North America
169.47.38.32/27 Washington, D.C., CO, USA, North America
169.60.100.248/29 Washington, D.C., CO, USA, North America
169.38.91.128/28 Chennai, India, Asia
169.55.185.16/28 Toronto, Canada, North America
8.22.49.0/24 San Jose, CA, USA, North America
64.214.133.0/24 San Jose, CA, USA, North America
165.254.3.0/24 San Jose, CA, USA, North America
169.44.203.0/25 San Jose, CA, USA, North America
169.62.91.128/25 San Jose, CA, USA, North America
169.45.68.72/29 San Jose, CA, USA, North America
169.44.146.64/26 San Jose, CA, USA, North America
169.44.178.0/24 San Jose, CA, USA, North America
169.62.88.224/27 San Jose, CA, USA, North America
169.62.96.32/27 San Jose, CA, USA, North America
169.62.93.96/27 San Jose, CA, USA, North America
169.45.76.32/27 San Jose, CA, USA, North America
169.62.97.144/28 San Jose, CA, USA, North America
 169.62.84.80/28 San Jose, CA, USA, North America
161.202.195.128/27 Singapore, Singapore, Asia
169.56.78.32/27 Seoul, South Korea, Asia
169.44.27.192/29 Dallas, TX, USA, North America
169.44.90.96/29 Dallas, TX, USA, North America
169.44.141.136/29 San Jose, CA, USA, North America
169.44.144.8/29 San Jose, CA, USA, North America
52.118.151.188/32 Dallas, TX, USA, North America
52.116.198.189/32 Dallas, TX, USA, North America
169.48.92.75/32 Dallas, TX, USA, North America
169.47.93.207/32 Dallas, TX, USA, North America
169.47.93.203/32 Dallas, TX, USA, North America
52.116.206.166/32 Dallas, TX, USA, North America
52.116.142.254/32 Dallas, TX, USA, North America
52.116.143.27/32 Dallas, TX, USA, North America
52.118.149.126/32 Dallas, TX, USA, North America
52.118.79.184/32 Dallas, TX, USA, North America
52.117.7.183/32 Dallas, TX, USA, North America
52.117.9.9/32 Dallas, TX, USA, North America
169.48.92.58/32 Dallas, TX, USA, North America
169.55.4.192/26

Dallas, TX, USA, North America

150.240.166.168 Dallas, TX, USA, North America
150.239.171.217

Dallas, TX, USA, North America

Additional firewall settings needed for ECDN servers

ECDN servers are deployed behind customer firewalls. These servers act as local caches for the video streaming content. To pull down the content, they need outbound-to-Internet network connectivity. The list below indicates the IP address ranges on the Internet that should be reachable from the ECDN servers. No inbound connectivity from Internet is needed.

  • Used for setting the clock on the ECDN servers - outgoing UPD port 123. Required

    Clock synchronization is needed for SSL connections to work. Either use a local NTP server(s) or open port 123 to:

    [0-3].ubuntu.pool.ntp.org

  • Allow OpenVPN traffic over port 443 to terminator.deepcaching.com. Required

    Sometimes, during server upgrades or when customers need additional help in diagnosing the issues, there is a need for ECDN operations team to remotely login to the servers.

    ECDN Management Portal allows customers to selectively enable/disable a VPN connection from a ECDN server to an IBM  Video ECDN server terminator.deepcaching.com in the cloud.

    When enabled, it allows ECDN operations team to remotely login to this ECDN server, and help with the diagnosis.

    The VPN tunnel establishes an OpenVPN connection via port 443. This requires the firewall to NOT block such outbound traffic via port 443 to terminator.deepcaching.com.

  • Allow 3128 port when child-parent proxy feature is enabled. Optional
    From the ECDN server version 2.4.2 (20190724) the Child ECDN servers can use Parent ECDNs as proxy for HTTPS calls to connect to Internet. This is an optional feature and can be enabled by IBM via customer request.
    When this feature is enabled then the port is used by Child servers to connect to the proxy services running on Parent ECDN nodes.

Domain names

Many enterprise customers use a proxy server to manage the HTTP and HTTPS traffic within their intranet. These proxy servers can become overwhelmed if all video streaming traffic is also channeled through them. To avoid this, proxy servers allow you to define an exclude list of domain names, which allows any traffic to these domains to bypass the proxy server.

IBM products uses several domain names as part of its service delivery. These domain names are categorized into:

  • Control plane - such as access to the web portal, support etc. - this traffic may flow via the proxy or bypass it.
    ustream.tv
    .ustream.tv
    ustreamstatic-a.akamaihd.net
    ustvstaticcdn1-a.akamaihd.net
    ustvstaticcdn2-a.akamaihd.net
    *.deepcaching.com
    video.ibm.com
    *.video.ibm.com
    *.services.video.ibm.com
    *.ums.services.video.ibm.com
    *.ums.ustream.tv
    *.ecdn.video.ibm.com
    ubuntu.pool.ntp.org
  • Data plane - large volume of video data as pulled by the video player - this traffic should bypass the proxy.
    *.deepcaching.net
    vod-cdn.ustream.tv
    ustreamssl-a.akamaihd.net
    uhsakamai-a.akamaihd.net
    *.midgress.deepcaching.net
    *.fme.ustream.tv
    *.ingest.video.ibm.com

Frequently asked questions

My company uses a proxy service (like Zscaler) for all HTTP(S) traffic. Do I need to bypass all the IP address destinations listed on this page?

Yes. To reduce management overheads, we strongly recommend customers make firewall changes to ensure all IP addresses identified in this article to be are reachable. This is the minimal list.

IBM Video Streaming offers video streaming services to customers around the world. Most enterprise customers have presence in multiple regions. Our services use source IP address of the player to make routing decision to the nearest ECDN configured for that location, or to the external CDN provider in that region. Routing all playback traffic through a centralized proxy may result in sub-optimal performance.

If customers are using proxy services like Zscaler, then it is required that all traffic to the above list of IP addresses be bypassed. Doing so will enable us to accurately route all playback requests to their closest ECDN servers or external CDN servers most appropriate based on the player's IP address.

Who owns the IP addresses listed on this page?

Unless explicitly qualified, all the IP addresses shown on this page are owned and managed by IBM.

How often the do the IP addresses mention in this article change? How much notice do you provide to customers before this list is changed?

The IP addresses mentioned in this article rarely change. If we do make any changes, we will give you 30 days notice to make the changes to the firewall settings.

Setting up firewall rules on Microsoft Windows 10

  1. Open Control Panel (click on Start → Type "Control Panel" → Click on Control Panel app
  2. Click on System and Security then on Windows Defender Firewall
  3. On the left pane click on Advanced settings, this opens Windows Defender Firewall with Advanced Security window
  4. On the left pane right click on Outbound Rules → New Rule
  5. Select "Port" → "TCP" or "UDP" → specify the port → Allow the connection → select when does this rule apply based on your preferences → Name the rule

Setting up firewall rules on Mac OS X

Changelog 

  • 2020-07-02:
    Following IP ranges removed:
    199.66.236.0/22 San Jose, CA, USA, North America
    185.23.108.0/24 Amsterdam, Netherlands, Europe
  • 2020-06-12:
    Added the following IP address:

    169.55.4.192/26 Dallas, TX, USA, North America
  • 2020-04-06:
    Added the following IP addresses:
169.46.140.144/28 Dallas, TX, USA, North America
169.46.172.32/27 Dallas, TX, USA, North America
169.44.57.160/27 Dallas, TX, USA, North America
169.44.61.144/28  Dallas, TX, USA, North America
  • 2020-04-01:
    Added the following IP addresses:
    169.44.27.192/29  Dallas, TX, USA, North America
    169.44.90.96/29  Dallas, TX, USA, North America
    169.44.141.136/29  San Jose, CA, USA, North America
    169.44.144.8/29  San Jose, CA, USA, North America
    169.45.76.32/27 San Jose, CA, USA, North America
  • 2020-03-28:
    Added the following IP addresses
    169.62.88.224/27  San Jose, CA, USA, North America
    169.45.133.0/27  Dallas, TX, USA, North America
    169.45.132.160/27  Dallas, TX, USA, North America
    169.62.96.32/27  San Jose, CA, USA, North America
    169.62.93.96/27  San Jose, CA, USA, North America
    169.45.76.32/27  San Jose, CA, USA, North America
  • 2020-03-02
    Notice period extended to 30 days.
  • 2020-02-28
    Added the following IP addresses:

    169.62.97.144/28 San Jose, CA, USA, North America
    169.62.84.80/28 San Jose, CA, USA, North America
  • 2018-06-26: IRC based chat was replaced by web based chat tool. Removed references to outdated IRC ports. You may delete any entries previously created for ports 843, 6667, 8076.

     

  • 2018-05-11: Added the following IP addresses: 
    169.61.20.80/29 Dallas, TX, USA, North America
    169.60.100.248/29 Washington, D.C., CO, USA, North America

     

  • 2018-05-10: Removed the following IP addresses from the required list: 
    50.202.236.0/24 San Jose, CA, USA, North America
Powered by Zendesk