GA-NETFIRE-1.0

Network & Firewall Guide

Every port, protocol, and outbound destination the platform uses — with copy-paste firewall allowlist for enterprise networks.

Document ID: GA-NETFIRE-1.0
Last reviewed: 2026-04-24
Next review: 2026-07-24

GlueArrow Box OS — Broadcast Operations Platform
Document version: 1.0 · Applies to Box OS 1.6.0+


1. Audience and Purpose

This guide is written for the network engineer or IT administrator responsible for deploying a GlueArrow Box OS instance within a station's network. It specifies every port, protocol, and outbound destination the platform uses, along with firewall allowlists, DNS and NTP requirements, proxy configurations, and bandwidth expectations.

GlueArrow Box OS is offline-first: the box continues to broadcast, log proof-of-play, and serve the station's control panel with no internet connectivity. The cloud connection enhances the platform — it does not gate core operation.


2. Architecture at a Glance

          Station LAN (10/100/1000 Mbps)
┌────────────────────────────────────────────────────┐
│                                                    │
│   ┌────────────┐       ┌──────────────┐            │
│   │   Phones   │       │  Workstations│            │
│   │  Tablets   │──────▶│   Browsers   │            │
│   │ (Control)  │       │  (Control)   │            │
│   └────────────┘       └──────────────┘            │
│          │                    │                    │
│          │    HTTPS/WSS       │                    │
│          ▼    TCP 5002        ▼                    │
│     ┌─────────────────────────────┐                │
│     │   GlueArrow Box OS          │                │
│     │   • Control panel           │                │
│     │   • HLS relay               │                │
│     │   • Proof-of-play ledger    │                │
│     │   • Local SQLite state      │                │
│     └──────────────┬──────────────┘                │
└────────────────────┼───────────────────────────────┘
                     │
                     │    HTTPS (outbound only)
                     ▼
     ┌───────────────────────────────┐
     │      GlueArrow Cloud          │
     │      (us-central1)            │
     └───────────────────────────────┘

3. Inbound Connections (listeners on the box)

Only one port is required for normal operation. All listeners bind to the LAN — no ports need to be forwarded from the public internet.

Port  Protocol        Purpose                                                    Required?  Scope
5002  TCP (HTTP/WSS)  Control panel (web UI + Socket.IO)                         Required   LAN-local
5002  TCP (SSE)       Scanner live feed (discovery / batch scan progress)        Required   LAN-local
5002  HTTP            /metrics (Prometheus scrape endpoint)                      Optional   Monitoring VLAN
5002  HTTP            /health (load balancer health check)                       Optional   LAN-local
5353  UDP             mDNS advertisement (zeroconf) for automatic box discovery  Optional   LAN-local

Recommendations:

  • Place the box in a dedicated broadcast VLAN or trust subnet.
  • Restrict port 5002 access to authenticated staff workstations.
  • /metrics and /health share TCP 5002 with the control panel, so they cannot be segmented by port alone: scope the Prometheus scraper by source address (the monitoring VLAN) at the firewall, and treat any host that can reach /metrics as able to reach the control panel login as well.
  • For remote access (producers working from home, field reporters), use the station's VPN or the GlueArrow Cloud dashboard; never expose port 5002 to the public internet.

4. Outbound Connections (box → external)

All outbound connections use HTTPS on TCP 443 unless otherwise noted. TLS 1.2 minimum; TLS 1.3 preferred.

4.1 Required (cloud sync and OTA updates)

Destination                     Port  Protocol  Purpose
cloud.gluearrow.com             443   HTTPS     Primary cloud API: station registration, schedule sync, ad delivery, proof-of-play push, speaker sync, heartbeat
app.gluearrow.com               443   HTTPS     Station pairing redirects and owner account linking
accounts.gluearrow.com          443   HTTPS     Single sign-on (SAML/OTP) for staff access
storage.googleapis.com          443   HTTPS     Signed over-the-air (OTA) software updates, SHA-256 verified
music.gluearrow.com             443   HTTPS     Music catalogue and offline submission queue
pool.ntp.org (or customer NTP)  123   UDP       Time synchronization; required for proof-of-play validity

4.2 Required (DNS)

Destination                  Port  Protocol  Purpose
Customer recursive resolver  53    UDP/TCP   DNS lookups for every hostname in this guide

DNS-over-HTTPS via Cloudflare (1.1.1.1) or Google (8.8.8.8) is also supported. If you enable it, lookups leave the box as HTTPS on TCP 443 to that public resolver instead of port 53 to yours, so that resolver must be added to the allowlist, and the box no longer sees internal zones, split-horizon answers, or any DNSSEC validation your own resolver performs (the §10 checklist assumes validation happens at the resolver).

4.3 Optional (enable per station policy)

Destination                       Port  Protocol     Purpose                                        Why it may be disabled
api.audd.io                       443   HTTPS        Third-tier music identification fallback       Some stations prefer local-only identification
api.restream.io                   443   HTTPS        Multi-destination RTMP aggregation             Only if the station uses Restream.io
a.rtmp.youtube.com (and similar)  1935  RTMP         Live stream publishing to YouTube Live         Only when streaming to YouTube
live-api-s.facebook.com           443   HTTPS/RTMPS  Facebook Live stream publishing                Only when streaming to Facebook
live.twitch.tv (RTMP ingest)      1935  RTMP         Twitch stream publishing                       Only when streaming to Twitch
ip-api.com                        443   HTTPS        One-time country auto-detection at first boot  Can be suppressed by setting STATION_COUNTRY manually

4.4 Optional (AI features)

Destination        Port  Protocol  Purpose
api.anthropic.com  443   HTTPS     AI-assisted show script generation (only when a presenter invokes the feature)

Disabling AI features: leave ANTHROPIC_API_KEY unset in the environment. The feature becomes unavailable in the UI; no outbound call is made.


5. Bandwidth Planning

Scenario                                            Sustained upload  Burst
Radio only (no video simulcast)                     1 Mbps            3 Mbps
Radio + single 720p RTMP simulcast                  5 Mbps            10 Mbps
Radio + 1080p RTMP simulcast                        8 Mbps            15 Mbps
Radio + 1080p RTMP + HLS relay                      12 Mbps           25 Mbps
Multi-destination simulcast (3 platforms at 1080p)  25 Mbps           45 Mbps

Scenario                       Download
Ad delivery sync (background)  0.1 Mbps average, 5 Mbps burst during new campaign downloads
OTA software update            30-50 MB per release; throttled to avoid saturating the station uplink

Baseline recommendation: 25 Mbps symmetric, <100 ms latency to the nearest cloud region. Below 10 Mbps sustained upload, disable RTMP simulcast or reduce to 720p.


6. Firewall Allowlist (copy-paste ready)

6.1 Minimal allowlist (box must operate normally)

# Outbound TCP 443 (HTTPS)
cloud.gluearrow.com
app.gluearrow.com
accounts.gluearrow.com
music.gluearrow.com
storage.googleapis.com

# Outbound UDP 123 (NTP)
pool.ntp.org
# ... or your corporate NTP server

# Outbound UDP 53 (DNS)
# ... your corporate DNS resolver

6.2 Full allowlist (box + optional features)

Append to the minimal list, as needed:

# Optional music identification
api.audd.io:443

# Optional AI features
api.anthropic.com:443

# Optional geographic auto-detect (first boot only)
ip-api.com:443

# Optional Restream.io aggregation (see §4.3)
api.restream.io:443

# RTMP publishing (only destinations you actually use)
a.rtmp.youtube.com:1935
live-api-s.facebook.com:443
live.twitch.tv:1935
# ... and any custom RTMP endpoint you publish to

6.3 Deny-by-default posture

For enterprise networks with explicit allow-list firewall policies, the above list is sufficient: the box makes no outbound connection to any destination not listed in §4, plus any DNS-over-HTTPS resolver you configure (§4.2) and any custom RTMP endpoint you add. Two caveats for whoever writes the rules. First, the entries are hostnames, not addresses, and several of them (storage.googleapis.com, the RTMP ingest hosts, pool.ntp.org) resolve to shared or frequently changing address ranges, so enforce the list at a layer that sees the hostname (an egress proxy per §8, or DNS/SNI-aware filtering) rather than as static IP rules. Second, allowing storage.googleapis.com permits HTTPS to any public Google Cloud Storage bucket, not only GlueArrow's; rely on the signature and SHA-256 verification of OTA packages (§4.1, §11.3), not the hostname, for their integrity.


7. TLS and Certificate Validation

  • All HTTPS connections require valid, publicly trusted TLS certificates. The box uses the system certificate store.
  • TLS interception proxies (such as Blue Coat, Zscaler, Cisco Umbrella) are supported if the interception CA is installed in both the OS trust store and the box's Python certificate bundle (certifi at /opt/gluearrow-box-os/venv/lib/python3.11/site-packages/certifi/cacert.pem). Because that bundle lives inside the application venv, confirm the CA is still present after each OTA update. With interception in place the box trusts whatever certificate the proxy presents, so the proxy itself must validate upstream certificates; the signature and SHA-256 check on OTA packages (§4.1, §11.3) still apply end to end.
  • Certificate pinning is not used in the current release. This is a roadmap item for 2026 Q3.

8. Proxy Support

The box honors the standard proxy environment variables. To route outbound traffic through a corporate proxy, set in /etc/gluearrow-box-os/environment (Linux) or .env (Windows):

HTTPS_PROXY=http://proxy.example.corp:8080
HTTP_PROXY=http://proxy.example.corp:8080
NO_PROXY=localhost,127.0.0.1

NO_PROXY lists destinations that bypass the proxy. Keep it to loopback and station-local hosts: adding .gluearrow.com sends the cloud API, pairing and SSO traffic direct, which is exactly what a deny-by-default network blocks, so only do that if the firewall permits direct egress to those hosts. RTMP (TCP 1935) and NTP/DNS (UDP) are not HTTP and do not use HTTPS_PROXY; they still need the direct egress rules from §6.

Authenticated proxies are supported via URL-embedded credentials (HTTPS_PROXY=http://user:password@proxy.example.corp:8080) or via the system's proxy authentication (NTLM/Kerberos on Windows Server deployments). Embedded credentials sit in clear text in the environment file, so restrict that file to the service account (for example mode 0600 on Linux) and prefer system authentication where it is available.


9. Quality of Service (QoS) Recommendations

For stations running live simulcasts, prioritize broadcast traffic in the switch and edge router:

Traffic class DSCP Priority
Control panel (TCP 5002) CS3 (24) High
RTMP out (TCP 1935) AF41 (34) High
Cloud sync + OTA (TCP 443 to gluearrow.com) AF31 (26) Normal
Background music library sync CS1 (8) Bulk

The engine sets DSCP markings on Windows via sync_engine.py at boot using Set-NetQosPolicy. On Linux, configure QoS at the switch/router level — the box does not mark outbound packets at the OS layer.


10. Network Hardening Checklist

For enterprise deployments:

  • Box placed on a dedicated broadcast VLAN, isolated from general office traffic
  • Port 5002 access restricted to authenticated staff subnet
  • Outbound firewall configured with allowlist from §6
  • DNS resolver uses DNSSEC validation
  • NTP configured against at least two time sources
  • Log forwarding enabled to station SIEM (see security-whitepaper.md §7)
  • Monthly firewall rule audit includes the allowlist above
  • Staff VPN is the only remote path to port 5002
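The §6.3 claim ("no outbound connection to any destination not listed") and the monthly audit item above are only as good as the check behind them. The script below is an added example, not GlueArrow code: it parses the §6 allowlist as written on this page (bare hostnames inherit the port and protocol of the preceding "# Outbound ..." header; host:port entries are taken as TCP, an assumption of this script) and compares it against egress flow records. The flow records are a constructed sample in the shape an egress proxy or DNS-aware flow logger would export; they are not real station traffic. Output is the set of flows the allowlist does not cover (policy violations or an undocumented destination) and the allowlist entries never seen (candidates for removal at the next rule audit).

```python
"""Audit observed egress against the section 6 allowlist (added example)."""
import re
from collections import Counter

# Section 6.1 plus the section 6.2 entries this station enables, verbatim format.
ALLOWLIST = """\
# Outbound TCP 443 (HTTPS)
cloud.gluearrow.com
app.gluearrow.com
accounts.gluearrow.com
music.gluearrow.com
storage.googleapis.com

# Outbound UDP 123 (NTP)
pool.ntp.org
# ... or your corporate NTP server

# Outbound UDP 53 (DNS)
# ... your corporate DNS resolver

# Optional AI features
api.anthropic.com:443

# RTMP publishing (only destinations you actually use)
a.rtmp.youtube.com:1935
"""

# Constructed flow records (host, proto, port); not real traffic.
SAMPLE_FLOWS = [
    ("cloud.gluearrow.com", "tcp", 443),
    ("cloud.gluearrow.com", "tcp", 443),
    ("storage.googleapis.com", "tcp", 443),
    ("0.pool.ntp.org", "udp", 123),       # pool member, covered as a subdomain
    ("api.audd.io", "tcp", 443),          # optional feature this station did not enable
    ("cloud.gluearrow.com", "tcp", 80),   # right host, wrong port: violation
    ("a.rtmp.youtube.com", "tcp", 1935),
]

HEADER = re.compile(r"^#\s*Outbound\s+(TCP|UDP)\s+(\d+)\b", re.I)
ENTRY = re.compile(r"^([a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)(?::(\d{1,5}))?$", re.I)


def parse_allowlist(text):
    """Return a set of (host, proto, port) tuples from section 6 style text."""
    entries = set()
    proto, port = None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:                       # "# Outbound TCP 443 (HTTPS)" sets the default
            proto, port = m.group(1).lower(), int(m.group(2))
            continue
        if not line or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if not m:
            raise ValueError(f"unparseable allowlist line: {raw!r}")
        host = m.group(1).lower()
        if m.group(2):              # assumption: explicit host:port lines are TCP
            entries.add((host, "tcp", int(m.group(2))))
        elif proto is not None:
            entries.add((host, proto, port))
        else:
            raise ValueError(f"bare host {host!r} before any '# Outbound' header")
    return entries


def matches(entry, host, proto, port):
    """Exact host or subdomain match; 0.pool.ntp.org is covered by pool.ntp.org."""
    ehost, eproto, eport = entry
    return (eproto == proto and eport == port
            and (host == ehost or host.endswith("." + ehost)))


def audit(allowlist, flows):
    """Return (Counter of uncovered flows, allowlist entries never matched)."""
    violations, used = Counter(), set()
    for host, proto, port in flows:
        host = host.lower()
        hit = [e for e in allowlist if matches(e, host, proto, port)]
        if hit:
            used.update(hit)
        else:
            violations[(host, proto, port)] += 1
    return violations, allowlist - used


if __name__ == "__main__":
    allow = parse_allowlist(ALLOWLIST)
    bad, unused = audit(allow, SAMPLE_FLOWS)
    for (host, proto, port), n in sorted(bad.items()):
        print(f"VIOLATION {host} {proto}/{port} x{n}")
    for host, proto, port in sorted(unused):
        print(f"UNUSED    {host} {proto}/{port}")
```

Feed it the real proxy or flow export instead of SAMPLE_FLOWS and the two lists map directly onto the audit: a VIOLATION for a host in §4.3 means a feature was enabled without a rule change, a VIOLATION for a host not on this page at all is worth a ticket to security@gluearrow.com, and an UNUSED entry for a month is a rule to retire. Subdomain matching is deliberate for pool.ntp.org, but note it also accepts any subdomain of the other entries, so keep the allowlist to the exact hostnames in §4.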

11. Troubleshooting Connectivity

11.1 Box reports "Offline Mode" continuously

Verify in order:

  1. From the box, curl -sS -o /dev/null -w '%{http_code}\n' https://cloud.gluearrow.com/health should print 200. A "(60) SSL certificate problem: unable to get local issuer certificate" error instead means a TLS interception CA is missing from one of the trust stores listed in §7.
  2. DNS: dig cloud.gluearrow.com or nslookup cloud.gluearrow.com must return an answer from the resolver you allowlisted in §6.
  3. NTP: chronyc tracking (Linux) or w32tm /query /status (Windows); clock skew must be under 2 seconds. A badly skewed clock also makes otherwise valid TLS certificates fail validation, which shows up as step 1 failing.
  4. Proxy: curl -x "$HTTPS_PROXY" https://cloud.gluearrow.com/health, and confirm NO_PROXY does not exclude the gluearrow.com hosts unless they have direct egress (§8).

Diagnostic endpoint on the box: GET http://<box-ip>:5002/api/connectivity returns reachability status, queued submission count, and last successful sync timestamp.

11.2 RTMP stream drops frames

Typically indicates upstream bandwidth saturation or packet loss. Check:

  1. Sustained upload capacity against §5 bandwidth table.
  2. Wired Ethernet connection (Wi-Fi is not recommended for RTMP).
  3. QoS classification at the edge router.

11.3 OTA update fails

  1. Verify storage.googleapis.com is reachable from the box.
  2. Check local disk space: the update staging path needs 500 MB free.
  3. SHA-256 mismatch: the box refuses the update and retains the current version. Check the update log at /var/log/gluearrow/update.log (Linux) or %LOCALAPPDATA%\GlueArrow Box OS\update.log (Windows).
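Step 3 above is the one that protects the box: a package whose digest does not match is refused and deleted, and the running version stays in place. The following is an added example of that check, not GlueArrow's updater. It assumes the expected SHA-256 digest was obtained over the authenticated cloud API (an assumption; the page says only that updates are signed and SHA-256 verified), that the package is downloaded next to a staging directory on the same filesystem, and that the 500 MB free-space requirement from step 2 is enforced before any hashing. The package bytes in the demo are constructed, not a real release.

```python
"""Verify and stage an OTA package per section 11.3 (added example)."""
import hashlib
import hmac
import os
import shutil
import tempfile

MIN_FREE_BYTES = 500 * 1024 * 1024   # section 11.3: staging path needs 500 MB free
CHUNK = 1024 * 1024


def sha256_file(path):
    """Stream the file so a 30-50 MB release never sits in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def staging_has_room(staging_dir, needed=MIN_FREE_BYTES):
    return shutil.disk_usage(staging_dir).free >= needed


def verify_and_stage(package_path, expected_sha256, staging_dir, needed=MIN_FREE_BYTES):
    """Return (ok, detail). Only a verified package is moved into staging_dir.

    The digest comparison is constant-time. On mismatch the candidate file is
    removed so a bad download cannot be picked up by a later run, and the
    currently installed version is left untouched.
    """
    if not staging_has_room(staging_dir, needed):
        return False, "insufficient free space in staging path"
    actual = sha256_file(package_path)
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        os.remove(package_path)
        return False, f"sha256 mismatch: expected {expected_sha256}, got {actual}"
    final = os.path.join(staging_dir, os.path.basename(package_path))
    os.replace(package_path, final)   # atomic rename on the same filesystem
    return True, final


def _write(directory, name, data):
    path = os.path.join(directory, name)
    with open(path, "wb") as f:
        f.write(data)
    return path


def demo():
    """Exercise the three outcomes on a constructed package; returns a dict."""
    work = tempfile.mkdtemp(prefix="ga-ota-")
    staging = os.path.join(work, "staging")
    os.makedirs(staging)
    payload = b"constructed box-os-1.6.1 package bytes, not a real release\n" * 4096
    expected = hashlib.sha256(payload).hexdigest()   # stands in for the API-supplied digest
    results = {}
    # 1. genuine package: verified, moved into staging, original path gone
    good = _write(work, "box-os.tar.gz", payload)
    ok, final = verify_and_stage(good, expected, staging, needed=0)
    results["good"] = (ok, os.path.exists(final), os.path.exists(good))
    # 2. tampered package (one byte appended): refused and deleted
    tampered = _write(work, "box-os-tampered.tar.gz", payload + b"\x00")
    ok, reason = verify_and_stage(tampered, expected, staging, needed=0)
    results["tampered"] = (ok, os.path.exists(tampered), reason.split(":")[0])
    # 3. staging path too full: refused before any hashing, file left for retry
    again = _write(work, "box-os-2.tar.gz", payload)
    too_much = shutil.disk_usage(staging).free + 10**9
    ok, reason = verify_and_stage(again, expected, staging, needed=too_much)
    results["no_room"] = (ok, reason, os.path.exists(again))
    shutil.rmtree(work)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

A digest check detects corruption and tampering in transit, including by a TLS interception proxy (§7), but it only authenticates the package if the digest itself arrived over a channel the attacker does not control; that is the role of the signature the page mentions, and it is why the update log should record which digest was expected and where it came from.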

12. Offline Operation Guarantees

When the cloud is unreachable, the box:

  • Continues broadcasting from local schedule
  • Continues logging proof-of-play to the local ledger (local_station.db)
  • Serves the control panel from LAN clients
  • Caches ad impressions for later cloud reconciliation
  • Retries cloud sync with exponential backoff, starting at 30 seconds and capped at 5 minutes between attempts
  • Rejoins automatically when connectivity returns — no manual intervention required

The offline duration is bounded only by local disk space. Proof-of-play entries are pushed to the cloud in timestamp order once connectivity is restored.
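To make the retry and replay behaviour concrete, here is an added example of an offline proof-of-play queue, not GlueArrow's sync engine: entries are written locally whether or not the cloud is reachable, retries start at 30 seconds and double up to a 5 minute cap, and once a push succeeds the queue drains oldest-first. The SQLite schema, the push callback and the simulated outage are assumptions for illustration, not the real local_station.db layout or cloud API; the proof-of-play entries are constructed.

```python
"""Offline proof-of-play queue with the section 12 retry policy (added example)."""
import sqlite3

BASE_DELAY = 30    # seconds before the first retry (section 12)
MAX_DELAY = 300    # 5 minute cap between attempts (section 12)


def backoff_delay(failures):
    """Delay after `failures` consecutive failed pushes: 30, 60, 120, 240, 300, 300, ..."""
    return min(BASE_DELAY * 2 ** (failures - 1), MAX_DELAY)


class ProofOfPlayQueue:
    """Durable local ledger; assumed schema, not the real local_station.db."""

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS pop_queue ("
            " id INTEGER PRIMARY KEY, played_at INTEGER NOT NULL, asset TEXT NOT NULL)")
        self.failures = 0

    def log(self, played_at, asset):
        """Called by the player on every play, online or not (offline-first)."""
        self.db.execute("INSERT INTO pop_queue(played_at, asset) VALUES (?, ?)",
                        (played_at, asset))
        self.db.commit()

    def pending(self):
        return self.db.execute("SELECT COUNT(*) FROM pop_queue").fetchone()[0]

    def drain(self, push):
        """Push queued entries in timestamp order until one fails.

        `push(entry)` returns True when the cloud acknowledged the entry.
        Returns (timestamps sent, seconds to wait before the next drain), where
        the wait is None once the queue is empty. A failed entry stays at the
        head so ordering holds across reconnects.
        """
        sent = []
        while True:
            row = self.db.execute(
                "SELECT id, played_at, asset FROM pop_queue "
                "ORDER BY played_at, id LIMIT 1").fetchone()
            if row is None:
                self.failures = 0
                return sent, None
            if push({"played_at": row[1], "asset": row[2]}):
                self.db.execute("DELETE FROM pop_queue WHERE id = ?", (row[0],))
                self.db.commit()
                self.failures = 0
                sent.append(row[1])
            else:
                self.failures += 1
                return sent, backoff_delay(self.failures)


def simulate():
    """Three constructed plays logged out of order during a simulated outage."""
    q = ProofOfPlayQueue()
    for played_at, asset in [(1700000100, "spot-b"), (1700000000, "spot-a"),
                             (1700000200, "spot-c")]:
        q.log(played_at, asset)
    outcomes = iter([False, False, False, True])   # cloud back on the 4th attempt

    def push(entry):
        return next(outcomes, True)

    delays, order = [], []
    while True:
        sent, delay = q.drain(push)
        order.extend(sent)
        if delay is None:
            return delays, order, q.pending()
        delays.append(delay)   # a real engine would sleep here


if __name__ == "__main__":
    print(simulate())
```

The push is at-least-once by construction: if the cloud acknowledged an entry but the acknowledgement was lost, the same entry is sent again on the next drain, so the cloud side needs to deduplicate on (station, played_at, asset) or a per-entry id. The backoff also resets to 30 seconds after any success, which is what lets a box rejoin quickly after a long outage rather than waiting out a 5 minute timer.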


13. Contact


GlueArrow Inc. — 1111B S Governors Ave # 50266, Dover, DE 19904, United States


Questions about this document? Email enterprise@gluearrow.com or for security-specific inquiries, security@gluearrow.com.