In order to broadcast or view streams, you will need to ensure that any firewall is configured to allow traffic on specific ports. A firewall can reside on your local machine, on your router, or as part of your corporate network.
Firewall settings needed for viewing streams
In order to watch IBM streams you have to create the following stateful firewall rules, assuming you have a regular internet connection:
- Outgoing UDP destination port
53
to your nameserver or any IP for domain name resolution (DNS). - Outgoing TCP destination port
80
,443
to any IP for web. - Outgoing TCP destination port
1935
to any IP for streaming (RTMP). - Outgoing TCP destination ports
8001-8004
toIP ADDRESS RANGES
below for web based chat.
Firewall settings needed for broadcasting
In order to Broadcast via IBM Video Streaming you have to create the following stateful firewall rules, assuming you have a regular internet connection. In case you are behind a corporate firewall please ensure your IT department configures the firewall to accommodate these settings:
- Outgoing UDP destination port
53
to your nameserver or any IP for domain name resolution (DNS). - Outgoing TCP destination port
80
,443
to IP ADDRESS RANGES below for web. - Outgoing TCP destination port
1935
to IP ADDRESS RANGES below for streaming (RTMP).
Optional: If you have secure ingest setup for your account, you will need to open these additional ports.
- Outgoing TCP destination port
4444
to IP ADDRESS RANGES below. - Outgoing UDP destination port
2070-2090
to IP ADDRESS RANGES below.
*Please note for RTMPS stream, use the following url format in your encoder:
rtmps://CID.ingest.video.ibm.com/ustreamVideo/CID
IP Address Ranges
List of IP address ranges you have to create firewall filters. Also see changelog below for updates.
In order to ensure a smooth experience, please whitelist ALL of the following IP address ranges regardless of which locations are closest to your streaming location.
IP | LOCATION |
169.44.81.160/27 |
Dallas, TX, USA, North America |
169.53.37.192/27 |
Dallas, TX, USA, North America |
169.61.20.80/29 |
Dallas, TX, USA, North America |
169.45.159.64/27 |
Dallas, TX, USA, North America |
169.45.133.0/27
|
Dallas, TX, USA, North America |
169.45.132.160/27 |
Dallas, TX, USA, North America |
169.46.140.144/28 |
Dallas, TX, USA, North America |
169.46.172.32/27 |
Dallas, TX, USA, North America |
169.44.57.160/27
|
Dallas, TX, USA, North America |
169.44.61.144/28 |
Dallas, TX, USA, North America |
|
Frankfurt, Germany, Europe |
161.202.59.160/27 |
Hong Kong, China, Asia |
159.122.214.48/28 |
London, United Kingdom, Europe |
169.50.194.128/27 |
London, United Kingdom, Europe |
169.57.34.16/28 |
Querétaro, Mexico, North America |
169.57.154.248/29 |
Sao Paulo, Brasil, South America |
169.57.165.32/27 |
Sao Paulo, Brasil, South America |
50.23.174.32/27 |
Seattle, WA, USA, North America |
168.1.193.160/27 |
Sydney, Australia, Oceania |
161.202.236.96/27 |
Tokyo, Japan, Asia |
169.45.252.224/27 |
Washington, D.C., CO, USA, North America |
169.47.38.32/27 |
Washington, D.C., CO, USA, North America |
169.60.100.248/29 |
Washington, D.C., CO, USA, North America |
169.38.91.128/28 |
Chennai, India, Asia |
169.55.185.16/28 |
Toronto, Canada, North America |
8.22.49.0/24 |
San Jose, CA, USA, North America |
64.214.133.0/24 |
San Jose, CA, USA, North America |
165.254.3.0/24 |
San Jose, CA, USA, North America |
169.44.203.0/25 |
San Jose, CA, USA, North America |
169.62.91.128/25 |
San Jose, CA, USA, North America |
169.45.68.72/29 |
San Jose, CA, USA, North America |
169.44.146.64/26 |
San Jose, CA, USA, North America |
169.44.178.0/24 |
San Jose, CA, USA, North America |
169.62.88.224/27 |
San Jose, CA, USA, North America |
169.62.96.32/27 |
San Jose, CA, USA, North America |
169.62.93.96/27 |
San Jose, CA, USA, North America |
169.45.76.32/27 |
San Jose, CA, USA, North America |
169.62.97.144/28 |
San Jose, CA, USA, North America |
169.62.84.80/28
|
San Jose, CA, USA, North America |
161.202.195.128/27 |
Singapore, Singapore, Asia |
169.56.78.32/27 |
Seoul, South Korea, Asia |
169.44.27.192/29 |
Dallas, TX, USA, North America |
169.44.90.96/29 |
Dallas, TX, USA, North America |
169.44.141.136/29 |
San Jose, CA, USA, North America |
169.44.144.8/29 |
San Jose, CA, USA, North America |
52.118.151.188/32 |
Dallas, TX, USA, North America |
52.116.198.189/32 |
Dallas, TX, USA, North America |
169.48.92.75/32 |
Dallas, TX, USA, North America |
169.47.93.207/32 |
Dallas, TX, USA, North America |
169.47.93.203/32 |
Dallas, TX, USA, North America |
52.116.206.166/32 |
Dallas, TX, USA, North America |
52.116.142.254/32 |
Dallas, TX, USA, North America |
52.116.143.27/32 |
Dallas, TX, USA, North America |
52.118.149.126/32 |
Dallas, TX, USA, North America |
52.118.79.184/32 |
Dallas, TX, USA, North America |
52.117.7.183/32 |
Dallas, TX, USA, North America |
52.117.9.9/32 |
Dallas, TX, USA, North America |
169.48.92.58/32 |
Dallas, TX, USA, North America |
169.55.4.192/26 |
Dallas, TX, USA, North America |
150.240.166.168 |
Dallas, TX, USA, North America |
150.239.171.217 |
Dallas, TX, USA, North America |
Additional firewall settings needed for ECDN servers
ECDN servers are deployed behind customer firewalls. These servers act as local caches for the video streaming content. To pull down the content, they need outbound-to-Internet network connectivity. The list below indicates the IP address ranges on the Internet that should be reachable from the ECDN servers. No inbound connectivity from Internet is needed.
-
Used for setting the clock on the ECDN servers - outgoing UPD port 123. Required
Clock synchronization is needed for SSL connections to work. Either use a local NTP server(s) or open port
[0-3].ubuntu.pool.ntp.org123
to:
-
Allow OpenVPN traffic over port
443
to terminator.deepcaching.com. RequiredSometimes, during server upgrades or when customers need additional help in diagnosing the issues, there is a need for ECDN operations team to remotely login to the servers.
ECDN Management Portal allows customers to selectively enable/disable a VPN connection from a ECDN server to an IBM Video ECDN server
terminator.deepcaching.com
in the cloud.When enabled, it allows ECDN operations team to remotely login to this ECDN server, and help with the diagnosis.
The VPN tunnel establishes an OpenVPN connection via port 443. This requires the firewall to NOT block such outbound traffic via port
443
toterminator.deepcaching.com
. -
Allow 3128 port when child-parent proxy feature is enabled. Optional
From the ECDN server version 2.4.2 (20190724) the Child ECDN servers can use Parent ECDNs as proxy for HTTPS calls to connect to Internet. This is an optional feature and can be enabled by IBM via customer request.
When this feature is enabled then the port is used by Child servers to connect to the proxy services running on Parent ECDN nodes.
Domain names
Many enterprise customers use a proxy server to manage the HTTP and HTTPS traffic within their intranet. These proxy servers can become overwhelmed if all video streaming traffic is also channeled through them. To avoid this, proxy servers allow you to define an exclude list of domain names, which allows any traffic to these domains to bypass the proxy server.
IBM products uses several domain names as part of its service delivery. These domain names are categorized into:
-
Control plane - such as access to the web portal, support etc. - this traffic may flow via the proxy or bypass it.
ustream.tv
.ustream.tv
ustreamstatic-a.akamaihd.net
ustvstaticcdn1-a.akamaihd.net
ustvstaticcdn2-a.akamaihd.net
*.deepcaching.com
video.ibm.com
*.video.ibm.com
*.services.video.ibm.com
*.ums.services.video.ibm.com
*.ums.ustream.tv
*.ecdn.video.ibm.com
ubuntu.pool.ntp.org -
Data plane - large volume of video data as pulled by the video player - this traffic should bypass the proxy.
*.deepcaching.net
vod-cdn.ustream.tv
ustreamssl-a.akamaihd.net
uhsakamai-a.akamaihd.net
*.midgress.deepcaching.net
*.fme.ustream.tv
*.ingest.video.ibm.com
Frequently asked questions
My company uses a proxy service (like Zscaler) for all HTTP(S) traffic. Do I need to bypass all the IP address destinations listed on this page?
Yes. To reduce management overheads, we strongly recommend customers make firewall changes to ensure all IP addresses identified in this article to be are reachable. This is the minimal list.
IBM Video Streaming offers video streaming services to customers around the world. Most enterprise customers have presence in multiple regions. Our services use source IP address of the player to make routing decision to the nearest ECDN configured for that location, or to the external CDN provider in that region. Routing all playback traffic through a centralized proxy may result in sub-optimal performance.
If customers are using proxy services like Zscaler, then it is required that all traffic to the above list of IP addresses be bypassed. Doing so will enable us to accurately route all playback requests to their closest ECDN servers or external CDN servers most appropriate based on the player's IP address.
Who owns the IP addresses listed on this page?
Unless explicitly qualified, all the IP addresses shown on this page are owned and managed by IBM.
How often the do the IP addresses mention in this article change? How much notice do you provide to customers before this list is changed?
The IP addresses mentioned in this article rarely change. If we do make any changes, we will give you 30 days notice to make the changes to the firewall settings.
Setting up firewall rules on Microsoft Windows 10
- Open Control Panel (click on Start → Type "Control Panel" → Click on Control Panel app
- Click on System and Security then on Windows Defender Firewall
- On the left pane click on Advanced settings, this opens Windows Defender Firewall with Advanced Security window
- On the left pane right click on Outbound Rules → New Rule
- Select "Port" → "TCP" or "UDP" → specify the port → Allow the connection → select when does this rule apply based on your preferences → Name the rule
Setting up firewall rules on Mac OS X
- http://support.apple.com/kb/HT1507?viewlocale=en_US&locale=en_US- You have to replace the port numbers while creating the rules listed in our article above.
- http://portforward.com/networking/static-Mac10.4.htm
Changelog
-
2020-07-02:
Following IP ranges removed:
199.66.236.0/22 San Jose, CA, USA, North America
185.23.108.0/24 Amsterdam, Netherlands, Europe - 2020-06-12:
Added the following IP address:
169.55.4.192/26 Dallas, TX, USA, North America -
2020-04-06:
Added the following IP addresses:
169.46.140.144/28 | Dallas, TX, USA, North America |
169.46.172.32/27 | Dallas, TX, USA, North America |
169.44.57.160/27 | Dallas, TX, USA, North America |
169.44.61.144/28 | Dallas, TX, USA, North America |
-
2020-04-01:
Added the following IP addresses:
169.44.27.192/29 Dallas, TX, USA, North America 169.44.90.96/29 Dallas, TX, USA, North America 169.44.141.136/29 San Jose, CA, USA, North America 169.44.144.8/29 San Jose, CA, USA, North America 169.45.76.32/27 San Jose, CA, USA, North America -
2020-03-28:
Added the following IP addresses
169.62.88.224/27 San Jose, CA, USA, North America 169.45.133.0/27 Dallas, TX, USA, North America 169.45.132.160/27 Dallas, TX, USA, North America 169.62.96.32/27 San Jose, CA, USA, North America 169.62.93.96/27 San Jose, CA, USA, North America 169.45.76.32/27 San Jose, CA, USA, North America -
2020-03-02
Notice period extended to 30 days. -
2020-02-28
Added the following IP addresses:
169.62.97.144/28
San Jose, CA, USA, North America 169.62.84.80/28
San Jose, CA, USA, North America
-
2018-06-26: IRC based chat was replaced by web based chat tool. Removed references to outdated IRC ports. You may delete any entries previously created for ports
843, 6667, 8076
. -
2018-05-11: Added the following IP addresses:
169.61.20.80/29
Dallas, TX, USA, North America 169.60.100.248/29
Washington, D.C., CO, USA, North America -
2018-05-10: Removed the following IP addresses from the required list:
50.202.236.0/24
San Jose, CA, USA, North America