1.4 Firewall and Proxy Setup Information for Sync
Below you will find all the information needed to set up your firewall so that Sync can function on your firewall-secured network. You will also find how to configure the Sync App to use your network proxy for network communication.
Sync App connections to Sync Service
| Protocol | Ports | FQDN | Usage of the endpoint |
| --- | --- | --- | --- |
| HTTPS | 443 | | Sync service web site. |
| HTTPS | 443 | | OTA Service domain. API endpoint servicing Logitech VC SW/FW related requests. |
| HTTPS | 443 | | Sync Service API domain. A REST API endpoint to handle Sync client's requests. |
| HTTPS | 443 | | Sync Service API domain. Same API endpoint as raiden.vc.logitech.com servicing Sync API requests. |
| HTTPS | 443 | | Release note domain. Allows the Sync App access to the latest product release note. |
| HTTPS | 443 | | 3rd party: AWS authentication API domain. Authenticates Sync App user's credential. |
| MQTT/TCP | 443 | a3fejkt9utwjk2-ats.iot.us-west-2.amazonaws.com, raiden.iot.us-west-2.vc.logitech.com * | 3rd party: AWS IOT service API domain. A persistent channel between the Sync App and IOT service for real time device events and commands. This channel uses MQTT over TCP instead of HTTPS. |
| HTTPS | 443 | | 3rd party: YouTube service endpoint, for playing public Sync service related video. |
| HTTPS | 443 | | Browser |
| HTTPS | 443 | | Browser. SSO endpoint to logon to Sync. |

* May be whitelisted by the domain name specified from the SNI header of TLS Hello Message or the IP address ranges published by AWS (See AWS IP address range)
Web Browser Connections to Sync Portal
| Protocol | Ports | FQDN | Usage of the endpoint |
| --- | --- | --- | --- |
| HTTPS | 443 | | Browser |
| HTTPS | 443 | | Browser |
| HTTPS | 443 | | Browser |
| HTTPS | 443 | | Browser |
| HTTPS | 443 | | Browser, also launched by Sync App |
| HTTPS | 443 | | Browser |
| HTTPS | 443 | | Browser |
| HTTPS | 443 | | Browser |
| HTTPS | 443 | | Browser, also launched by Sync App |
| HTTPS | 443 | | Browser, also launched by Sync App |
| HTTPS | 443 | | Browser, also launched by Sync App |
| HTTPS | 443 | | Browser |
| HTTPS | 443 | | Browser |
| HTTPS | 443 | | Browser |
| HTTPS | 443 | | Browser |
| HTTPS | 443 | | Launched from Sync App |
Sync App Supported Proxy Configurations
Sync App currently supports the following proxy configurations, so that traffic initiated by the application is forwarded to the specified proxy in your network. Sync App doesn't recognize any other configurations.
- Any of the supported configurations must be made with Administrator privileges.
- When multiple supported configurations have been specified, Sync App applies them in the order of precedence listed below.
- Sync App currently supports proxy configuration on Windows only.
Warning: proxy settings set on the Windows "Proxy settings -> Manual proxy setup" page are not supported. They apply to the current user only and are not applied to system services.
| Config Methods | Config Details |
| --- | --- |
| Proxy PAC File | Create a regular text file called `ProxyAutoConfigUrl.txt` in the folder `C:\ProgramData\Logitech\LogiSync\`. Specify a PAC URL in the file. Example: `http://wpad.mycompany.com/wpad.dat` |
| Automatic Proxy Detection | If the network is configured to support Web Proxy Auto-Discovery (WPAD), go to Settings -> Network & Internet -> Proxy -> enable 'Automatically detect settings'. |
| Manual Proxy Specification | Run Windows cmd.exe and issue the 'netsh' command to specify the proxy address: `netsh winhttp set proxy <proxyserver IP>:<proxyserver PORT>` |
Regional Sync support
Sync supports regional data storage in addition to our global site which stores data in the US. Learn more about Sync regional data storage here. Below we list the required ports and IP addresses for each supported region.
Sync Europe
| Protocol | Ports | FQDN | Region | Usage of the endpoint |
| --- | --- | --- | --- | --- |
| HTTPS | 443 | | EU | Sync service web site. |
| HTTPS | 443 | | Global | OTA Service domain. API endpoint servicing Logitech VC SW/FW related requests. |
| HTTPS | 443 | | EU | Sync Service API domain. A REST API endpoint to handle Sync client's requests. |
| HTTPS | 443 | | Global | API endpoint for core device services. Same API endpoint as updates.vc.logitech.com. |
| HTTPS | 443 | | Global | Release note domain. Allows the Sync App access to the latest product release note. |
| HTTPS | 443 | | EU | 3rd party: AWS authentication API domain. Authenticates Sync App user's credential. |
| MQTT/TCP | 443 | raiden-eu.iot.eu-central-1.vc.logitech.com * | EU | 3rd party: AWS IOT service API domain. A persistent channel between the Sync App and IOT service for real time device events and commands. This channel uses MQTT over TCP instead of HTTPS. |
| HTTPS | 443 | | Global | 3rd party: YouTube service endpoint, for playing public Sync service related video. |
| HTTPS | 443 | | EU | Browser |
| HTTPS | 443 | | EU | Browser. SSO endpoint to logon to Sync. |

* May be whitelisted by the domain name specified from the SNI header of TLS Hello Message or the IP address ranges published by AWS (See AWS IP address range)
Sync France
| Protocol | Ports | FQDN | Region | Usage of the endpoint |
| --- | --- | --- | --- | --- |
| HTTPS | 443 | | FR | Sync service portal web site. |
| HTTPS | 443 | | Global | OTA Service domain. API endpoint servicing Logitech VC SW/FW related requests. |
| HTTPS | 443 | | FR | Sync Service API domain. A REST API endpoint to handle Sync client's requests. |
| HTTPS | 443 | | Global | Sync Service API domain. Same API endpoint as raiden.vc.logitech.com servicing Sync API requests. |
| HTTPS | 443 | | Global | Release note domain. Allows the Sync client to pull the latest product release note. |
| HTTPS | 443 | | FR | 3rd party: AWS authentication API domain. Authenticates Sync client user's credential. |
| MQTT/TCP | 443 | raiden-fr.iot.eu-west-3.vc.logitech.com * | FR | 3rd party: AWS IOT service API domain. A persistent channel between the Sync client and IOT service for real time device events and commands. This channel uses MQTT over TCP instead of HTTPS. |
| HTTPS | 443 | | Global | 3rd party: YouTube service endpoint, for playing public Sync service related video. |
| HTTPS | 443 | | FR | Browser |
| HTTPS | 443 | | FR | Browser. SSO endpoint to logon to Sync. |

* May be whitelisted by the domain name specified from the SNI header of TLS Hello Message or the IP address ranges published by AWS (See AWS IP address range)
Sync Canada
| Protocol | Ports | FQDN | Region | Usage of the endpoint |
| --- | --- | --- | --- | --- |
| HTTPS | 443 | | CA | Sync service portal web site. |
| HTTPS | 443 | | Global | OTA Service domain. API endpoint servicing Logitech VC SW/FW related requests. |
| HTTPS | 443 | | CA | Sync Service API domain. A REST API endpoint to handle Sync client's requests. |
| HTTPS | 443 | | Global | Sync Service API domain. Same API endpoint as raiden.vc.logitech.com servicing Sync API requests. |
| HTTPS | 443 | | Global | Release note domain. Allows the Sync client to pull the latest product release note. |
| HTTPS | 443 | | CA | 3rd party: AWS authentication API domain. Authenticates Sync client user's credential. |
| MQTT/TCP | 443 | raiden-ca.iot.ca-central-1.vc.logitech.com * | CA | 3rd party: AWS IOT service API domain. A persistent channel between the Sync client and IOT service for real time device events and commands. This channel uses MQTT over TCP instead of HTTPS. |
| HTTPS | 443 | | Global | 3rd party: YouTube service endpoint, for playing public Sync service related video. |
| HTTPS | 443 | | CA | Browser |
| HTTPS | 443 | | CA | Browser. SSO endpoint to logon to Sync. |

* May be whitelisted by the domain name specified from the SNI header of TLS Hello Message or the IP address ranges published by AWS (See AWS IP address range)
Configuring Sync on CollabOS devices
With the CollabOS 1.7 release, Sync on CollabOS devices is proxy aware on PAC proxy configurations only. Click here for Sync firewall setup: Firewall and Proxy Setup Information for Sync.
Supported Proxy Configurations:
There are 2 ways in which CollabOS devices can be provisioned to Sync when devices are in Proxy enabled networks.
Using SOCKS proxy
Using HTTP Proxy
Rules required on the network
The network infrastructure should be set up to enable connections to and from these specified URLs and ports.
Ports
MQTT: 8883
Required when using SOCKS proxy
HTTPS: 443
Port 443 is used when no proxy is involved.
When a proxy is required, the device uses 8883 instead of 443.
URL
Using SOCKS Proxy
The network needs to have a dedicated SOCKS proxy with the rules mentioned in the example
No additional CollabOS settings need to be enabled
PAC file entry example:
if (localHostOrDomainIs(host, "a3fejkt9utwjk2-ats.iot.us-west-2.amazonaws.com") ||
    localHostOrDomainIs(host, "raiden.iot.us-west-2.vc.logitech.com")) {
    return "SOCKS <PROXY SERVER HOST>:<PORT>";
}
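The PAC entry above as a complete file that can be exercised in Node.js before it is published; this is an added example, not Logitech's own code. `SOCKS_PROXY`, `SYNC_MQTT_HOSTS`, `hostIs` and `normalizeHost` are assumed names, the proxy address is a placeholder, and the `DIRECT` fallback is an assumption about your network.

```javascript
// Placeholder proxy address (assumption): replace with your SOCKS proxy host and port.
var SOCKS_PROXY = "socks.example.internal:1080";

// Hosts taken from the PAC entry example on this page (Sync global site).
var SYNC_MQTT_HOSTS = [
  "a3fejkt9utwjk2-ats.iot.us-west-2.amazonaws.com",
  "raiden.iot.us-west-2.vc.logitech.com"
];

// PAC engines provide localHostOrDomainIs(); the fallback exists only so the
// file can be tested outside a PAC engine.
var hostIs = (typeof localHostOrDomainIs === "function")
  ? localHostOrDomainIs
  : function (host, fqdn) {
      // Exact FQDN match, or an unqualified host equal to the first label.
      if (host === fqdn) return true;
      return host.indexOf(".") === -1 && fqdn.indexOf(host + ".") === 0;
    };

function normalizeHost(host) {
  // Hostnames are case-insensitive and may arrive with a trailing root dot.
  var h = String(host).toLowerCase();
  return h.charAt(h.length - 1) === "." ? h.slice(0, -1) : h;
}

function FindProxyForURL(url, host) {
  var h = normalizeHost(host);
  for (var i = 0; i < SYNC_MQTT_HOSTS.length; i++) {
    // Exact matching keeps lookalike names such as
    // "<sync host>.other.example" off the SOCKS route.
    if (hostIs(h, SYNC_MQTT_HOSTS[i])) {
      return "SOCKS " + SOCKS_PROXY;
    }
  }
  // Assumption: all other traffic keeps the site's default (direct) path.
  return "DIRECT";
}
```

Exact host matching is the reason to prefer `localHostOrDomainIs` over suffix or wildcard helpers here: only the listed names are sent to the SOCKS proxy.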
Using HTTP Proxy
Available for CollabOS devices running version 1.13.154 or later.
Learn more about this here.
CollabOS firewall settings
Instructions for CollabOS here
FAQs
Q: Should firewall ports be open unidirectionally or bidirectionally?
A: The Sync App always initiates connections to the internet. No remote service initiates a connection to the app. Unidirectional (outgoing) rules should be sufficient.
Q: While configuring the firewall, should the source IP address correspond to the VLAN IP address?
A: The IP address of a device running the Sync App is not sensitive and does not impact any functionality. Whether those devices have corresponding VLAN addresses can be decided according to your networking policies.
Q: Is it possible to inspect the Sync data traffic on CollabOS-based devices?
A: The traffic between CollabOS devices and servers cannot be inspected.