Browser Isolation with firewall
If your organization uses a firewall or other policies to restrict Internet traffic, you may need to make a few changes to allow Browser Isolation to connect.
Isolated pages are served by the remoting client — the software component in the user's browser that loads, displays, and communicates with the remote browser session. This client communicates to Cloudflare's network via HTTPS and WebRTC.
The remoting client provides static assets and API endpoints. For Browser Isolation to function, you must allow:
- HTTPS traffic to
*.browser.runon port443
Users connecting through Clientless Web Isolation also require connectivity to Cloudflare Access. For users to connect to Access, you must allow:
- HTTPS traffic to
https://<team-name>.cloudflareaccess.comon port443
Browser Isolation uses WebRTC (a real-time communication protocol) for low-latency communication between the local browser and the remote browser. WebRTC uses UDP rather than TCP, which means this traffic does not flow through standard HTTP/HTTPS proxy settings. The connecting device must have direct UDP connectivity to the IP ranges listed below.
In order to pass WebRTC traffic, the remoting client must be able to connect to the following IP addresses:
| IP range | Port range | Protocol |
|---|---|---|
IPv4: 162.159.201.10 - 162.159.201.255 IPv4: 172.64.73.0 - 172.64.73.255 IPv6: 2606:4700:f2::/48 | 10000 - 59999 | UDP |
Each remote browser instance is randomly assigned a port, and the port that a user is allocated to will change often and without notice.