Network Security - explicitly allowing services

Some networks restrict outbound (egress) internet traffic using firewalls, proxy servers or switches. In this case, the firewall or proxy server will need to be configured to explicitly allow the streaming devices on the network to access the following Cloud Cover Music and Amazon Web Services hostnames/domains on port 443 only (TLS 1.2):

  • cloudcovermusic.com
  • connect.cloudcovermusic.com
  • tune.cloudcovermusic.com
  • api.cloudcovermusic.com
  • api2.cloudcovermusic.com
  • api3.cloudcovermusic.com
  • api-sonos.cloudcovermusic.com
  • api5.cloudcovermusic.com
  • media.cloudcovermusic.com
  • media2.cloudcovermusic.com
  • sqs.us-east-1.amazonaws.com
  • queue.amazonaws.com
  • cognito-identity.us-east-1.amazonaws.com
  • hr97cab2ci.execute-api.us-east-1.amazonaws.com

Note: if company security policy permits, allowing the wildcards *.cloudcovermusic.com and *.amazonaws.com avoids having to add separate entries.

The CloudBox also needs to connect to an NTP server on port 123 to get the time and date, which it uses to verify the certificate when connecting over HTTPS.

  • Depending on the generation (model) of the CloudBox, it will require either time.cloudcovermusic.com specifically on UDP port 123, or an NTP pool (multiple NTP sources). Support can confirm the specific NTP server based on the generation of the CloudBox.
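An added example, not Cloud Cover Music's own tooling: a Python check that a candidate egress allowlist covers every hostname listed above on TCP 443 plus time.cloudcovermusic.com on UDP 123. The rule tuple format and the wildcard semantics (`*.domain` matches subdomains at any depth but not the bare domain) are assumptions; confirm how your firewall or proxy treats wildcards.

```python
from fnmatch import fnmatchcase

# Hostnames from this page that must be reachable on TCP 443.
REQUIRED_TCP_443 = [
    "cloudcovermusic.com", "connect.cloudcovermusic.com", "tune.cloudcovermusic.com",
    "api.cloudcovermusic.com", "api2.cloudcovermusic.com", "api3.cloudcovermusic.com",
    "api-sonos.cloudcovermusic.com", "api5.cloudcovermusic.com",
    "media.cloudcovermusic.com", "media2.cloudcovermusic.com",
    "sqs.us-east-1.amazonaws.com", "queue.amazonaws.com",
    "cognito-identity.us-east-1.amazonaws.com",
    "hr97cab2ci.execute-api.us-east-1.amazonaws.com",
]
# NTP host for the CloudBox generations that use it; others use an NTP pool.
REQUIRED = [(h, "tcp", 443) for h in REQUIRED_TCP_443]
REQUIRED.append(("time.cloudcovermusic.com", "udp", 123))


def rule_covers(rule, host, proto, port):
    """rule is a hypothetical (pattern, proto, port) tuple.

    Assumed semantics: '*.example.com' matches subdomains only, never the
    bare 'example.com'. Matching is case-insensitive.
    """
    pattern, r_proto, r_port = rule
    if (r_proto, r_port) != (proto, port):
        return False
    return fnmatchcase(host.lower(), pattern.lower())


def missing_endpoints(rules):
    """Return the required (host, proto, port) tuples that no rule allows."""
    return [req for req in REQUIRED
            if not any(rule_covers(r, *req) for r in rules)]


if __name__ == "__main__":
    # Constructed candidate allowlist: only the two wildcards from the note.
    candidate = [
        ("*.cloudcovermusic.com", "tcp", 443),
        ("*.amazonaws.com", "tcp", 443),
    ]
    for host, proto, port in missing_endpoints(candidate):
        print(f"not covered: {host} {proto}/{port}")
```

Under these assumed semantics, the two wildcards alone leave the bare cloudcovermusic.com on TCP 443 and the NTP host on UDP 123 uncovered.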

The CloudBox’s MAC address may also need to be specifically listed as a device to be allowed. The unique MAC address is labeled on the Box, and will resemble 00:40:63:1C:AE:38. The CloudBox will need to be power cycled before the new 'allow' settings are applied.

If your firewall/proxy or endpoints have content filters installed, the following audio file types need to be allowed: OGG, MP4 (AAC codec) and MP3.
