Firewall configuration and IP / Port whitelisting for Cloud streaming

Corporate firewall rules — UDP and TCP ports, protocols, and directions — required for CloudXR 6 cloud streaming on the Portal platform.

⚠️ This page applies only to cloud streaming (and on-premises streaming over a corporate network).

It describes the corporate / network-level firewall rules required for the Innoactive cloud streaming platform.

If you are running Innoactive Spatial Runtime on a local workstation and streaming to a headset on the same local network (e.g. an Apple Vision Pro connected over Wi-Fi), the rules on this page do not apply. See Firewall settings for CloudXR Server workstations instead.

What changed with CloudXR 6

Starting with CloudXR 6, the session signaling channels are TLS-encrypted (HTTPS) at the application layer, so a separate VPN-style tunnel is no longer required to encrypt cloud streaming.

These rules cover every supported headset. Today Apple Vision Pro streams over CloudXR 6, while Meta Quest, Pico, and HTC Vive still stream over CloudXR 4. The CloudXR 4 ports are a strict subset of the CloudXR 6 ports listed below, so opening the rules below covers all current devices and continues to cover Quest and Pico once they move to CloudXR 6.

Required ports — CloudXR 6 cloud streaming

​DescriptionDirection*ProtocolPortIP addresses
Spatial Runtime (HTTPS) — TLS-encryptedOutboundTCP42085Dynamic IPs from pre-defined ranges per default​ ​ Fixed IPs on request
CloudXR Signaling (HTTPS) — TLS-encryptedOutboundTCP48322
CloudXR Apple Vision Pro foveated streaming session managementOutboundTCP55000
CloudXR ControlOutboundUDP47999
CloudXR AudioOutboundUDP48000
CloudXR VideoOutboundUDP47998, 48005, 48008, 48012, 47995, 48001
​CloudXR MicrophoneOutboundUDP48002
CloudXR RTSPOutboundTCP48010
CloudXR ControlInboundUDP49006
CloudXR AudioInboundUDP49003
CloudXR VideoInboundUDP49005, 50000-55000
​CloudXR MicrophoneInboundUDP49004
CloudXR RTSPInboundTCP49007
Innoactive Health Agent​**OutboundTCP53089
​WebRTC STUN/TURN (optional)OutboundUDP, TCP​3478, 80162.55.53.5​157.90.22.86
DCVOutboundTCP443

*From client perspective

**Required for on-premises deployment only