⚠️ This page applies only to cloud streaming (and on-premises streaming over a corporate network).
It describes the corporate / network-level firewall rules required for the Innoactive cloud streaming platform.
If you are running Innoactive Spatial Runtime on a local workstation and streaming to a headset on the same local network (e.g. an Apple Vision Pro connected over Wi-Fi), the rules on this page do not apply. See Firewall settings for CloudXR Server workstations instead.
What changed with CloudXR 6
Starting with CloudXR 6, the session signaling channels are TLS-encrypted (HTTPS) at the application layer, so a separate VPN-style tunnel is no longer required to encrypt cloud streaming.
These rules cover every supported headset. Today Apple Vision Pro streams over CloudXR 6, while Meta Quest, Pico, and HTC Vive still stream over CloudXR 4. The CloudXR 4 ports are a strict subset of the CloudXR 6 ports listed below, so opening the rules below covers all current devices and continues to cover Quest and Pico once they move to CloudXR 6.
Required ports — CloudXR 6 cloud streaming
| Description | Direction* | Protocol | Port | IP addresses |
|---|---|---|---|---|
| Spatial Runtime (HTTPS) — TLS-encrypted | Outbound | TCP | 42085 | Dynamic IPs from pre-defined ranges per default Fixed IPs on request |
| CloudXR Signaling (HTTPS) — TLS-encrypted | Outbound | TCP | 48322 | |
| CloudXR Apple Vision Pro foveated streaming session management | Outbound | TCP | 55000 | |
| CloudXR Control | Outbound | UDP | 47999 | |
| CloudXR Audio | Outbound | UDP | 48000 | |
| CloudXR Video | Outbound | UDP | 47998, 48005, 48008, 48012, 47995, 48001 | |
| CloudXR Microphone | Outbound | UDP | 48002 | |
| CloudXR RTSP | Outbound | TCP | 48010 | |
| CloudXR Control | Inbound | UDP | 49006 | |
| CloudXR Audio | Inbound | UDP | 49003 | |
| CloudXR Video | Inbound | UDP | 49005, 50000-55000 | |
| CloudXR Microphone | Inbound | UDP | 49004 | |
| CloudXR RTSP | Inbound | TCP | 49007 | |
| Innoactive Health Agent** | Outbound | TCP | 53089 | |
| WebRTC STUN/TURN (optional) | Outbound | UDP, TCP | 3478, 80 | 162.55.53.5157.90.22.86 |
| DCV | Outbound | TCP | 443 |
*From client perspective
**Required for on-premises deployment only