Cloudflare Docs
Cloudflare Zero Trust
Visit Cloudflare Zero Trust on GitHub
Set theme to dark (⇧+D)

Browser Isolation with firewall

If your organization uses a firewall or other policies to restrict Internet traffic, you may need to make a few changes to allow Browser Isolation to connect.

​​ Remoting client

Isolated pages are served by the remoting client. This client communicates to Cloudflare’s network via HTTPS and WebRTC.

​​ Remoting Client (Services)

The remoting client provides static assets and API endpoints. For Browser Isolation to function, you must allow:

  • HTTPS traffic to * on port 443

​​ Clientless Web Isolation

Users connecting through Clientless Web Isolation also require connectivity to Cloudflare Access. For users to connect to Access, you must allow:

  • HTTPS traffic to https://<team-name> on port 443

​​ WebRTC channel

Browser Isolation uses WebRTC for low-latency communication between the local browser and the remote browser.

In order to pass WebRTC traffic, the remoting client must be able to connect to the following IP addresses:

  • IPv4 Range: -
  • IPv6 Range: 2606:4700:f2::/48

The entire port range of these IP addresses is required. Each remote browser instance is randomly assigned a port, and the port that a user is allocated to will change often and without notice.