Firewall Settings

As a general security best practice, minimize the number of ports that are open on the firewall. The initiating side can be behind a NAT and doesn't need to be publicly reachable. The Zixi Broadcaster should have a publicly reachable address.

Inbound traffic may be filtered by source IP address so that it is accepted only from certain allowed sources.

Make sure to open outgoing TCP 80 to license.zixi.com and UDP 53 to your DNS server.


Network Port Settings

Network Settings for Zixi Broadcaster as Streaming Server

| Port | Type | Direction | Description | Protocol |
|---|---|---|---|---|
| 2088/7088 *** | UDP | Inbound* | Push input from a Zixi enabled feeding software ** | Zixi |
| 2077/7077 *** | UDP | Inbound* | Pull output by Zixi enabled receiving software ** | Zixi |
| 2088/7088 *** | UDP | Outbound* | Push output to a Zixi Broadcaster or AWS MediaConnect | Zixi |
| 2077/7077 *** | UDP | Outbound* | Pull input from a Zixi Broadcaster or AWS MediaConnect | Zixi |
| 1935 | TCP | Inbound* | Push input from RTMP enabled software | RTMP |
| 1935 | TCP | Outbound* | Push output to CDN origin server or RTMP enabled software | RTMP |
| 7777 | TCP | Inbound* | Pull output from HTML5 video player or CDN caching software | HLS or DASH |
| 4444 | TCP | Inbound* | Web management UI | HTTP |
| 80/443 | TCP | Outbound* | Communication to Zixi License server - license.zixi.com; for Zixi Broadcaster v. 16.1 and above ONLY - license2.zixi.com; 52.72.218.41; 34.195.97.223. ZEN Master Backend Servers: 18.210.103.157, 23.20.44.73, 34.200.88.233, 34.238.1.65, 35.170.111.151, 52.4.9.203 | HTTP/HTTPS |
| 53 | TCP & UDP | Outbound* | Communication to Domain Name Server | |

* Return traffic must be enabled.

** The maximum recommended throughput per port is 1Gbps. If more throughput is expected through the Broadcaster, additional ports for the Zixi protocol can be defined on the General page under the Settings tab.

*** 7077 and 7088 use DTLS encryption



For ZEC operating as a feeder device to a remote Zixi Broadcaster or AWS MediaConnect, the following ports must be opened on your Firewall(s) as described below:

Network Settings for ZEC as a Feeder Device

| Port | Type | Direction | Description | Protocol |
|---|---|---|---|---|
| 2088/7088 *** | UDP | Outbound* | Push output to a Zixi Broadcaster or AWS MediaConnect | Zixi |
| 1935 | TCP | Inbound* | Push input from RTMP enabled software | RTMP |
| 4444 | TCP | Inbound* | Web management UI | HTTP |
| 80/443 | TCP | Outbound* | Communication to Zixi License server - license.zixi.com; 52.72.218.41; 34.195.97.223. ZEN Master Backend Servers: 18.210.103.157, 23.20.44.73, 34.200.88.233, 34.238.1.65, 35.170.111.151, 52.4.9.203 | HTTP/HTTPS |
| 53 | TCP & UDP | Outbound* | Communication to Domain Name Server | |

* Return traffic must be enabled.

** The maximum recommended throughput per port is 1Gbps. If more throughput is expected through the Broadcaster, additional ports for the Zixi protocol can be defined on the General page under the Settings tab.

*** 7077 and 7088 use DTLS encryption


For the ZEC operating as a receiver device, the following ports must be opened on your Firewall(s) as described below:


Network Settings for ZEC as a Receiver Device

| Port | Type | Direction | Description | Protocol |
|---|---|---|---|---|
| 2077/7077 *** | UDP | Outbound* | Pull input from a Zixi Broadcaster or AWS MediaConnect | Zixi |
| 1935 | TCP | Inbound* | Push output to CDN origin server or RTMP enabled software | RTMP |
| 7777 | TCP | Inbound* | Pull output from HTML5 video player or CDN caching software | HLS or DASH |
| 4444 | TCP | Inbound* | Web management UI | HTTP |
| 80/443 | TCP | Outbound* | Communication to Zixi License server - license.zixi.com; 52.72.218.41; 34.195.97.223. ZEN Master Backend Servers: 18.210.103.157, 23.20.44.73, 34.200.88.233, 34.238.1.65, 35.170.111.151, 52.4.9.203 | HTTP/HTTPS |
| 53 | TCP & UDP | Outbound* | Communication to Domain Name Server | |

* Return traffic must be enabled.

** The maximum recommended throughput per port is 1Gbps. If more throughput is expected through the Broadcaster, additional ports for the Zixi protocol can be defined on the General page under the Settings tab.

*** 7077 and 7088 use DTLS encryption


iptables example rules when the listening port is UDP 2088:

```
# Accept packets arriving on UDP 2088 and let the replies back out
iptables -A INPUT -p udp --dport 2088 -j ACCEPT
iptables -A OUTPUT -p udp --sport 2088 -m state --state ESTABLISHED -j ACCEPT
```

iptables example rules when the target port is 2088:

```
# Allow packets sent to remote UDP 2088 and let the replies back in
iptables -A OUTPUT -p udp --dport 2088 -j ACCEPT
iptables -A INPUT -p udp --sport 2088 -m state --state ESTABLISHED -j ACCEPT
```
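The rules above accept UDP 2088 from any source. The following added example (not from the Zixi documentation) combines them with the source filtering and minimal-port advice at the top of this page. It prints a default-deny rule set for review rather than applying it. The function name `zixi_rules` and the values of `FEEDERS`, `ADMIN_NET` and `DNS_SERVER` are assumptions; the ports and license server addresses are the ones listed on this page.

```shell
#!/bin/sh
# Added example, not Zixi tooling: print a default-deny iptables rule set for a
# Broadcaster that accepts Zixi push input on UDP 2088 only from known feeders.
# FEEDERS, ADMIN_NET and DNS_SERVER are constructed values (RFC 5737 ranges);
# LICENSE_IPS are the license server addresses listed on this page.
FEEDERS="198.51.100.10 198.51.100.11"
ADMIN_NET="192.0.2.0/24"
DNS_SERVER="192.0.2.53"
LICENSE_IPS="52.72.218.41 34.195.97.223"

zixi_rules() {
    # Loopback, plus return traffic for every flow accepted below
    # (the "Return traffic must be enabled" footnote).
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Zixi push input: one rule per allowed source instead of an open port.
    for ip in $FEEDERS; do
        echo "iptables -A INPUT -p udp -s $ip --dport 2088 -j ACCEPT"
    done
    # Web management UI reachable only from the admin network.
    echo "iptables -A INPUT -p tcp -s $ADMIN_NET --dport 4444 -j ACCEPT"
    # Outbound: license server and DNS only.
    for ip in $LICENSE_IPS; do
        echo "iptables -A OUTPUT -p tcp -d $ip -m multiport --dports 80,443 -j ACCEPT"
    done
    echo "iptables -A OUTPUT -p udp -d $DNS_SERVER --dport 53 -j ACCEPT"
    echo "iptables -A OUTPUT -p tcp -d $DNS_SERVER --dport 53 -j ACCEPT"
    # Policies go last so nothing is dropped until the accept rules exist;
    # add a rule for your own admin access (for example SSH) before applying.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT DROP"
}

zixi_rules
```

Review the printed rules, then apply them as root; an empty `FEEDERS` list fails closed, leaving UDP 2088 unreachable.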
