Firewall Lockdown

I don’t understand why Plex requires so many subdomains, Google analytics, and AWS services from all over the world to happily operate. But that’s a whole other topic…

My main question is this: Where can I find a full list of the FQDNs needed for Plex to work locally AND Remote Access (even if it’s an Indirect connection)? Also, are 80, 443, and 32400 the only ports needed to keep the server happily logged in and allow media playback? Are other ports needed when running Remote & Relay operations?

Basically, I want to create a Firewall rule to allow the Plex server to phone home to Plex for all that it needs; and that’s it; but it seems like a giant list of URLs are needed to make that happen and I can’t find a list anywhere.

Does this even make sense?

Almost everything Plex does is hosted on Amazon AWS. That said, *.amazonaws.com and *.plex.tv will give you the hosts to run PMS, with the exception of UPnP or manual port forwarding for Remote Access from modem/firewall to the server itself.

If you want your phone to reach your server, the simpler rule is to allow ‘all hosts’ to port 32400 of your machine (or whatever external port you select and forward manually). This is normal Remote Access. ONLY port 32400 is required for devices to reach your server.

Thanks. Unfortunately Palo Alto firewalls do not allow wildcard FQDNs; I’d need to create a separate address object for every iteration of the AWS servers, which I imagine is dynamically changing from time to time.

I could create a URL filtering security policy with wildcard URLs, but it only really blocks HTTP & HTTPS…

What I have figured out so far with traffic monitoring:
plex.tv
www.plex.tv
assets.plex.tv
metrics.plex.tv
app.plex.tv
-Other AWS seemingly not related to above:
ec2-52-48-208-249.eu-west-1.compute.amazonaws.com
ec2-52-209-107-210.eu-west-1.compute.amazonaws.com
ec2-52-18-158-203.eu-west-1.compute.amazonaws.com
ec2-52-30-134-235.eu-west-1.compute.amazonaws.com
ec2-54-77-197-74.eu-west-1.compute.amazonaws.com
ec2-54-171-208-164.eu-west-1.compute.amazonaws.com
ec2-34-252-160-54.eu-west-1.compute.amazonaws.com
ec2-52-214-33-245.eu-west-1.compute.amazonaws.com
184.105.148.84 & 184.105.148.107 somehow required for allowing a Plex client computer blocked from internet to use the Mac Plex Media Player app.

Even if I just did these URLs, I think I’d still be screwed with the AWS; assuming they are dynamically changing…

Really, you don’t have domain-level Aliases/Rules? I have that in my little pfSense box.

Yes, you would still have problems because amazon dynamically remaps.

Yeah, you would think with a $15,000+ enterprise firewall, wildcard FQDNs would be possible… not so with Palo Alto. Great firewall for everything else, though. And I’m guessing they don’t allow it for some logical reason from a security standpoint…

I seem to have gotten it working with the following list, though I assume I’ll need to update the AWS objects from time to time. Not sure what the 184.105.148.xxx IPs are really for. Best I can find is Hurricane Electric ISP, but they’re definitely needed for Remote (through the Indirect Relay) to work…

plex.tv
www.plex.tv
assets.plex.tv
metrics.plex.tv
app.plex.tv
52.48.208.249 (AWS)
52.209.107.210 (AWS)
52.18.158.203 (AWS)
52.30.134.235 (AWS)
54.77.197.74 (AWS)
54.171.208.164 (AWS)
34.252.160.54 (AWS)
52.214.33.245 (AWS)
184.105.148.84 (Hurricane Electric ISP)
184.105.148.104 - 184.105.148.109 (Hurricane Electric ISP)
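The list above was built by hand from traffic-monitor hostnames, and the poster expects the AWS objects to go stale. The script below is an added example (not from the original thread or from Plex): it converts EC2 public DNS names of the form shown above into the IP they encode, separates them from plain FQDN objects, and diffs the observed set against the address objects currently configured so that missing or stale entries show up. The observed hostnames are the ones quoted in the thread; the "configured" set and the 52.0.0.1 entry are constructed to show drift.

```python
import ipaddress
import re

# Constructed sample: hostnames seen in the traffic log for the PMS host.
# The EC2 names are the ones quoted in the thread; nothing is resolved live.
OBSERVED_HOSTS = [
    "plex.tv",
    "www.plex.tv",
    "assets.plex.tv",
    "metrics.plex.tv",
    "app.plex.tv",
    "ec2-52-48-208-249.eu-west-1.compute.amazonaws.com",
    "ec2-52-209-107-210.eu-west-1.compute.amazonaws.com",
    "ec2-52-18-158-203.eu-west-1.compute.amazonaws.com",
    "ec2-52-30-134-235.eu-west-1.compute.amazonaws.com",
    "ec2-54-77-197-74.eu-west-1.compute.amazonaws.com",
    "ec2-54-171-208-164.eu-west-1.compute.amazonaws.com",
    "ec2-34-252-160-54.eu-west-1.compute.amazonaws.com",
    "ec2-52-214-33-245.eu-west-1.compute.amazonaws.com",
]

# Constructed: the IP address objects assumed to be on the firewall right now.
# One observed host (34.252.160.54) is missing and 52.0.0.1 is a made-up
# leftover from an earlier capture, so the diff below has something to report.
CONFIGURED_IPS = {
    "52.48.208.249", "52.209.107.210", "52.18.158.203", "52.30.134.235",
    "54.77.197.74", "54.171.208.164", "52.214.33.245", "52.0.0.1",
}

# EC2 public DNS names embed the public IPv4 address: ec2-A-B-C-D.<region>.compute.amazonaws.com
EC2_NAME = re.compile(
    r"^ec2-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.([a-z0-9-]+)\.compute\.amazonaws\.com$"
)


def ec2_hostname_to_ip(hostname):
    """Return the IPv4 address encoded in an EC2 public DNS name, or None."""
    m = EC2_NAME.match(hostname.strip().lower().rstrip("."))
    if not m:
        return None
    candidate = ".".join(m.group(i) for i in range(1, 5))
    try:
        return str(ipaddress.IPv4Address(candidate))  # rejects octets > 255
    except ValueError:
        return None


def ec2_region(hostname):
    """Return the AWS region segment of an EC2 public DNS name, or None."""
    m = EC2_NAME.match(hostname.strip().lower().rstrip("."))
    return m.group(5) if m else None


def split_observed(hosts):
    """Split observed hostnames into (fqdn_objects, ec2_ips)."""
    fqdns, ips = [], []
    for host in hosts:
        ip = ec2_hostname_to_ip(host)
        (ips if ip else fqdns).append(ip or host)
    return fqdns, ips


def allowlist_drift(observed_ips, configured_ips):
    """Report IPs seen in traffic but not configured, and configured but no longer seen."""
    observed, configured = set(observed_ips), set(configured_ips)
    key = ipaddress.IPv4Address
    return {
        "missing": sorted(observed - configured, key=key),
        "stale": sorted(configured - observed, key=key),
    }


if __name__ == "__main__":
    fqdns, ips = split_observed(OBSERVED_HOSTS)
    print("FQDN objects:", fqdns)
    print("EC2 IP objects:", ips)
    print("Regions:", sorted({ec2_region(h) for h in OBSERVED_HOSTS if ec2_region(h)}))
    print("Drift:", allowlist_drift(ips, CONFIGURED_IPS))
```

Run it against each new traffic capture and apply the "missing" entries as new address objects while reviewing the "stale" ones before deleting them; a stale entry only means the address was not seen in this capture, not that Plex no longer uses it.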

Here… Documentation for your Palo Alto

https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/url-filtering/block-and-allow-lists.html

Hi,

For Palo Alto: if Plex phones home over HTTP/HTTPS (which I forget if it does), then you can use * for web and application filtering. See Palo Alto Custom Application Signatures and block keywords; *.plex.tv should be no issue (HTTP/HTTPS traffic), and like chuck posted, it does work.

PMS uses https traffic.

OK. I think I was able to do it well enough. A top-level deny-all rule for the PMS takes care of blocking anything and everything; then an allow rule for only 80, 8080, 443, and 32400 while using a URL Filter policy that blocks all URL Categories except an allow list of “.amazonaws.com/”, “plex.tv”, “.plex.tv”, “*.plex.tv/”.

I think effectively this means that only those ports above are allowed out to those URLs; everything else is denied. Palo Alto has an application App-ID for Plex, but if I put that in the “allow” rule, PMS stops working.

I think I’m OK enough with this set up. But couldn’t Plex use “.plex.tv” subdomains to point to the various AWS services it needs? It’s a little loosey-goosey to have the wildcard of the entire Amazon AWS… I’m not familiar enough with that kind of developer stuff so maybe it’s impossible or unwanted. It would be great if everything needed for PMS was tied to plex.tv subdomains.

Thanks for everyone’s help!
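The final policy described above (deny everything, then allow four ports to a short URL allow list) and the worry about the breadth of the AWS wildcard can be checked offline before committing it. The script below is an added example, not from the thread, Plex, or Palo Alto Networks: it implements a simplified evaluator with the same shape (port set plus host patterns) and runs it over constructed flow records, reporting which allowed flows were admitted only by the "*.amazonaws.com" wildcard. The pattern semantics here (exact match, or "*." matching any subdomain) are an assumption for illustration and are not PAN-OS URL-filtering semantics; the flow records are constructed.

```python
# Policy shape from the thread: only these destination ports leave the PMS host ...
ALLOWED_PORTS = {80, 8080, 443, 32400}
# ... and only to hosts matching one of these patterns (simplified semantics, see lead-in).
ALLOWED_PATTERNS = ["plex.tv", "*.plex.tv", "*.amazonaws.com"]

# Constructed flow records (dst_host, dst_port) as a traffic log might show them.
# The S3 bucket name is made up to show how wide the AWS wildcard is.
SAMPLE_FLOWS = [
    ("plex.tv", 443),
    ("app.plex.tv", 443),
    ("metrics.plex.tv", 443),
    ("ec2-52-48-208-249.eu-west-1.compute.amazonaws.com", 443),
    ("some-unrelated-bucket.s3.amazonaws.com", 443),
    ("plex.tv", 32400),
    ("plex.tv", 25),
    ("notplex.tv", 443),
    ("example.net", 80),
]


def host_matches(host, pattern):
    """Exact match, or '*.' prefix matching any subdomain (not the apex itself)."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def evaluate(flow, ports=ALLOWED_PORTS, patterns=ALLOWED_PATTERNS):
    """Return ('allow', matching_pattern) or ('deny', None) for one flow."""
    host, port = flow
    if port not in ports:
        return ("deny", None)
    for pattern in patterns:
        if host_matches(host, pattern):
            return ("allow", pattern)
    return ("deny", None)


def wildcard_only_allows(flows, wildcard="*.amazonaws.com",
                         ports=ALLOWED_PORTS, patterns=ALLOWED_PATTERNS):
    """Hosts that pass solely because of the broad wildcard: the policy's blast radius."""
    narrowed = [p for p in patterns if p != wildcard]
    return sorted(
        host for host, port in flows
        if evaluate((host, port), ports, patterns)[0] == "allow"
        and evaluate((host, port), ports, narrowed)[0] == "deny"
    )


def audit(flows, ports=ALLOWED_PORTS, patterns=ALLOWED_PATTERNS):
    """Map every flow to its verdict so the whole policy can be reviewed at once."""
    return {flow: evaluate(flow, ports, patterns) for flow in flows}


if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS).items():
        print(f"{flow[0]}:{flow[1]} -> {verdict}")
    print("Allowed only by the AWS wildcard:", wildcard_only_allows(SAMPLE_FLOWS))
```

The last line of output is the practical answer to the "loosey-goosey" concern: every host it lists is reachable from the PMS only because of the "*.amazonaws.com" entry, so those are the destinations to replace with explicit address objects if the wildcard is ever tightened.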