Skip to main content

Network Requirements

Share these endpoints with your network admins so that they can ensure ManageXR traffic and other hardware-specific endpoints are allowed

Westley Heagy avatar
Written by Westley Heagy
Updated over a month ago

Depending on what hardware and software combination you're using for your XR deployment, allowing ManageXR endpoints will solve most issues. However, we've seen many networks (especially in Education) block hardware/software-specific websites. For example, most schools already block Facebook (Meta) and TikTok (ByteDance) servers, which can disallow casting and firmware updates and potentially cause other issues with Meta Quest and Pico VR devices.

Network restrictions can even take that a step further by blocking app services like Engage or even blocking devices at the MAC address level. The solution is to work with on-site network admins to ensure these services and hardware manufacturers aren't blocked or restricted. If you're unsure whether your network is restricted or not, you can check the ManageXR web console for a Network Error device alert.

ManageXR Endpoint List

ManageXR uses the internet to communicate with its servers and keep devices in sync with configurations set by ManageXR organization admins. When connected to a network that uses a firewall, ManageXR's web traffic will be routed through your firewall and you must allow this traffic to ensure that ManageXR can operate as intended.

Common issues you may see on a restricted network include but are not limited to:

  • Blocking the installation of ManageXR on a device

  • Devices not syncing properly or at all

  • Inability to communicate with devices via the web console

  • Inability to log in to the web console

  • Inability to add new users to the web console

  • Inability to utilize API

Allow-List Rule

Port

Protocol

Why

mighty-platform-prod.appspot.com

443

TCP (HTTPS)

Communication with the ManageXR API

us-central1-mighty-platform-prod.cloudfunctions.net

443

TCP (HTTPS)

Communication with the ManageXR API

mighty-platform-prod.firebaseio.com

443

TCP (HTTPS)

Communication with the ManageXR API

managexrapi.com

443

TCP (HTTPS)

Communication with the ManageXR API

*.managexr.com

443

TCP (HTTPS)

Communication with the ManageXR API

*.googleapis.com

443

TCP (HTTPS / WebSockets)

Communication with the Google Cloud Platform APIs used by ManageXR

*.crashlytics.com

80, 443

TCP (HTTP / HTTPS)

ManageXR error reporting

We use port 80 for error reporting from our admin app via a tool called Firebase Crashlytics. We need to be able to diagnose issues with devices. If this is a security concern, districts may keep it closed as it is not mission-critical, and closing it won't interfere with the day-to-day use of the platform or devices.

openrelay.metered.ca

80, 443

UDP, TCP (HTTP / HTTPS)

Used for Realtime Device Streaming

The mighty-platform-prod. firebase.com endpoint is both inbound and outbound. This setting is required for devices to sync properly and for them to receive device commands sent from the web console.

Meta Endpoint List

In order for Meta Home to connect properly to Meta/Facebook servers, the following domains must be accessible on a given network: meta.com, facebook.com, fbcdn.net, and akamaihd.net. If these domains are not whitelisted in secured networks (such as schools, workplaces, or private networks), users may experience network connection issues when installing or downloading device updates and may even experience core device functionality issues.

Port

Protocol

Why

443

TCP

Determine the communication between clients and servers to reliably transmit data in an organized way

3478

TCP

Determine the communication between clients and servers to reliably transmit data in an organized way

ports 50000-59999

UDP

Same as above + UDP is especially useful for time-sensitive transmissions such as video playback

time.facebook.com

NTP

Facebook employs a multi-tiered time server architecture. The public NTP server, time.facebook.com, allows Meta devices to maintain accurate time synchronization.

In addition to the endpoints and domains above, there are more network considerations for Quest devices enrolled via Meta Horizon Managed Services. View the complete list of Meta requirements here.


Pico Endpoint List

connectivitycheck.picovr.com

443

TCP (HTTPS)

Pico devices on PUI 4 determine if they have internet access by pinging this endpoint. Allowing the device to access this endpoint can fix some internet-related issues and is necessary on ManageXR Admin App v1.7.21 and below. (Allowing this endpoint is not necessary on Admin App v1.7.22+)

connectivitycheck-global.picovr.com

443

TCP (HTTPS)

Pico devices on PUI 5 determine if they have internet access by pinging this endpoint. Pico devices also use this endpoint to get the current time, which can be necessary for a successful internet connection.

If allowing access to these hardware/software entities on main networks is out of the question, it's best to create an entirely new hidden network that only on-site XR devices will use.

FAQs

Does ManageXR work with closed/on-prem networks?

ManageXR is a cloud-based platform and will not work on closed/on-prem networks. If security is a concern, we recommend reviewing our Security Policy and addendums. If you have specific questions about a complex deployment, reach out to support@managexr.com.

Need more help?

Talk to a member of our team using the chat bubble in the bottom right of your screen, or reach out to support@managexr.com

Related Articles
Admin App Changelog
ManageXR’s USB Screencasting Tool
Device Alerts
Network Deployment Guide
Meta Quest Device Enrollment
Did this answer your question?