Network Configuration: Whitelisting & Firewall Requirements

Modified on Tue, 10 Feb at 1:37 AM

Target Audience: IT Administrators & Network Engineers

For Citadel players to download content and report their status, they must be able to communicate outbound to our cloud servers. If your device has an active internet connection but still shows "Offline" in the dashboard, it is likely being blocked by a corporate firewall or network security filter.

1. Whitelisting Strategy (FQDN vs. IP)

Important: Citadel infrastructure is hosted on AWS (Amazon Web Services) and uses Route 53 for DNS management. This means our IP addresses are dynamic and subject to change without notice.

Do NOT use IP-based whitelisting.

You must whitelist our services by Domain Name (FQDN). Attempting to restrict access to specific IP addresses will result in service interruptions.

2. Required Domains (Allow List)

Please ensure the following wildcard domains are allowed through your firewall and content filters:

*.citadeldigitalsignage.com
*.amazonaws.com (Used for content storage and delivery)

Note for Deep Packet Inspection (DPI): If your network inspects SSL traffic, please exclude Citadel devices from inspection, as this can interrupt the secure handshake required for the player to authenticate with our servers.

3. Required Ports

Citadel devices primarily communicate over standard web ports.

Protocol	Port	Direction	Usage
TCP	443	Outbound	HTTPS: Primary communication channel for content downloads, logs, and heartbeat checks.
TCP	80	Outbound	HTTP: Used for initial connectivity checks and captive portal detection.
UDP	123	Outbound	NTP (Network Time Protocol): CRITICAL. Players must be able to sync their internal clocks to play scheduled content accurately.

Find the MAC Address: This is printed on the sticker label on the physical device/box. It is also visible in the Citadel Player app settings on the boot screen.