search

Firewall

Playback of videos hosted on the 3Q platform does not require any special firewall configuration. Video and media delivery is handled via standard HTTP(S) and works without additional port releases.

If content uploads or live stream ingestion are performed from a restricted or secured network, additional firewall rules may be required as described below.

hashtag
Video Player Requirements (Web SDK)

To ensure successful video playback using the 3Q Web SDK, the following conditions must be met:

hashtag
Domain Accessibility

The following domains must be reachable via HTTP and HTTPS on standard ports (80/443), including all subdomains:

  • 3qsdn.com

  • 3q.video

hashtag
Browser Support

The browser in use must be a vendor-supported, up-to-date version of a common web browser. Only officially supported browsers are recommended for production use.

hashtag
Content Ingest

hashtag
On-Demand Uploads

On-demand video content is uploaded exclusively via HTTPS. No additional protocols or ports are required beyond standard HTTPS connectivity.

hashtag
Livestream Ingest

For livestream delivery to the 3Q platform, the following protocols are supported:

  • RTMP

  • RTMPS

  • SRT

The corresponding protocols and ports must be allowed in the firewall configuration of the encoder or ingesting system.

RTMP

  • Protocol: TCP

  • Destination Port: 1935

  • Destination Hosts:

    • de-origin-ingest-live.3qsdn.com

    • de-origin-ingest-live-02.3qsdn.com

    • at-origin-ingest-live.3qsdn.com

    • us-origin-live-nyk-01.3qsdn.com

RTMPS

  • Protocol: TCP

  • Destination Port: 443

  • Destination Hosts:

    • de-origin-ingest-live.3qsdn.com

    • de-origin-ingest-live-02.3qsdn.com

    • at-origin-ingest-live.3qsdn.com

    • us-origin-live-nyk-01.3qsdn.com

SRT

  • Protocol: UDP

  • Destination Port:

    • Individually assigned per livestream

    • Port range: 1024–65535

  • Destination Hosts:

    • de-origin-ingest-live.3qsdn.com

    • de-origin-ingest-live-02.3qsdn.com

    • at-origin-ingest-live.3qsdn.com

    • us-origin-live-nyk-01.3qsdn.com

hashtag
Firewall Configuration Using IP Addresses

If DNS-based firewall rules are not supported in your environment, it is recommended to allow outbound connections for the required destination ports without restricting the destination address.

If your corporate security policies require explicit destination addresses, the following IP ranges may be used.

IPv4 Address Ranges

  • 31.7.178.128/27

  • 31.7.180.96/28

  • 31.7.180.128/27

  • 31.7.185.0/28

  • 31.7.187.0/27

  • 35.231.219.190/32

  • 37.58.30.0/23

  • 91.242.173.0/24

  • 167.235.244.250/32

  • 185.175.64.0/24

IPv6 Address Ranges

  • 2a14:30c0::/32

  • 2a14:30c1::/32

  • 2001:67c:6d8::/48

  • 2a01:4a0:5::/48

Important: These address ranges include all possible IPs used for livestream ingest. HTTP and HTTPS access cannot be reliably restricted by IP address and must always be permitted based on domain names.

hashtag
Recommendation

Based on operational experience, maintaining manual IP-based firewall rules carries a significant risk of service disruption due to infrastructure changes.

For this reason, it is strongly recommended to:

  • Use DNS-based firewall rules whenever possible, or

  • Allow the encoder system unrestricted outbound connections on the required destination ports

This approach ensures long-term stability and uninterrupted content delivery.

PreviousWebhooks

Last updated