FirmFlow Network & Firewall Requirements
FirmFlow is designed to be installed on-premises, granting you total data sovereignty. However, our SmartRequestAI™ engine and update telemetry require specific, hardened outbound communication.
1. Inbound Requirements (Local Network)
To allow staff and clients to access FirmFlow, open the following ports on your host firewall or reverse proxy:
| Port | Protocol | Purpose |
|---|---|---|
| 80 | TCP | HTTP Traffic (Should immediately redirect to 443) |
| 443 | TCP | HTTPS Traffic (Client Portal & Dashboard) |

Note: The Next.js container natively listens on port 3000. You should use a reverse proxy like Nginx or Traefik to expose it on 443.
2. Outbound Requirements (External Gateway)
Your firewall must allow outbound connections to the following endpoints for the application to function properly. All traffic is secured via TLS 1.3.
2.1 AI Hybrid Bridge (SmartRequestAI™ & SmartTax™)
FirmFlow uses the Google Gemini Engine for high-performance reasoning over your unstructured vault data.
* Host: generativelanguage.googleapis.com
* Port: 443 (TCP)
* Requirement: Mandatory if AI features are licensed.
2.2 Billing & License Validation
FirmFlow validates your enterprise node-locked license against our licensing server to prevent tampering.
* Host: api.firmflow.ng
* Port: 443 (TCP)
* Requirement: Mandatory. Without this, the software will enter a lock-out state after the grace period.
2.3 Mobile Push Notifications (FCM)
Used for real-time alerts to the Client Portal.
* Host: fcm.googleapis.com
* Port: 443 (TCP)
* Requirement: Recommended for real-time mobile UX.
3. Zero-Trust Architecture
We recommend placing the FirmFlow Docker host in a DMZ, completely isolated from internal data networks, except for:
1. LDAP/AD Server: Port 389 or 636 (Inbound to internal network).
2. NAS/SMB Mount: Port 445 (Inbound to internal storage array), if storing vault documents externally.
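
The requirements above can be turned into an audit of connection records from the DMZ host, so that anything outside the documented allowlist is flagged. The following is an added example, not FirmFlow code: the record format (`direction destination port`), the direction labels and the feature flags `ai`, `push` and `smb` are hypothetical, and it assumes destination hostnames are available (for example from an egress proxy log).

```python
from collections import namedtuple

# Section 2 hosts (all TCP 443) -> feature flag required (None = always allowed).
EGRESS = {"generativelanguage.googleapis.com": "ai", "api.firmflow.ng": None,
          "fcm.googleapis.com": "push"}
# Section 3 DMZ-to-internal ports -> feature flag required (None = always allowed).
INTERNAL = {389: None, 636: None, 445: "smb"}
INBOUND = {80, 443}  # section 1: clients to the reverse proxy
# direction is "in", "out-external" or "out-internal" (hypothetical labels).
Flow = namedtuple("Flow", "direction dest port")

def parse(line):
    direction, dest, port = line.split()
    # Normalise case and a trailing root dot before comparing hostnames.
    return Flow(direction, dest.lower().rstrip("."), int(port))

def violation(f, enabled):
    """Return why a flow is outside the documented policy, or None if allowed."""
    if f.direction == "in":
        return None if f.port in INBOUND else f"inbound port {f.port} is not published"
    if f.direction == "out-internal":
        if f.port not in INTERNAL:
            return f"DMZ-to-internal port {f.port} is not a listed exception"
        need = INTERNAL[f.port]
    elif f.direction == "out-external":
        # Exact hostname match: suffix or substring tests accept look-alike names.
        if f.dest not in EGRESS or f.port != 443:
            return f"egress to {f.dest}:{f.port} is not in the allowlist"
        need = EGRESS[f.dest]
    else:
        return f"unknown direction {f.direction!r}"
    if need is None or need in enabled:
        return None
    return f"feature {need!r} is off, so {f.dest}:{f.port} should be blocked"

def audit(lines, enabled):
    """Return (line, reason) for every record that violates the policy."""
    return [(l, why) for l in lines if (why := violation(parse(l), enabled))]

# Constructed sample records, not real traffic; all addresses are made up.
SAMPLE = [
    "in 10.0.9.10 443", "out-external API.FirmFlow.ng. 443",
    "out-external generativelanguage.googleapis.com 443",
    "out-external api.firmflow.ng.example.net 443",
    "out-internal 10.0.5.20 636", "out-internal 10.0.5.30 445",
    "out-internal 10.0.5.40 3389"]

if __name__ == "__main__":
    print(*audit(SAMPLE, enabled={"ai"}), sep="\n")
```

Pass the set of features actually in use at your site as `enabled`; a host or port tied to a feature that is off is reported even though it appears in the requirements.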