Skip to main content

Running ngrok Behind a Corporate Firewall

When you need to deploy ngrok behind a corporate firewall, there may be additional steps that you will need to take to make sure ngrok is working properly.

As background, this is usually not an issue. Firewalls usually allow outbound connections, which is what an ngrok Agent makes in order to establish a session with the ngrok service and subsequently your tunnel.

However, certain corporate firewalls have more restrictions around outbound connections. For example, we've seen that ngrok may be blocked on Fortinet firewalls.

If you're having trouble using the ngrok agent to start a tunnel, the first step is to run ngrok diagnose which will produce a report that will help you identify connection issues.

$ ngrok diagnose
Testing ngrok connectivity...

Internet Connectivity
Name Resolution [ OK ]
TCP [ OK ]
TLS [ OK ]
Ngrok Connectivity
Name Resolution [ OK ]
TCP [ OK ]
TLS [ OK ]
Tunnel Protocol [ OK ]

Successfully established ngrok connection! (region: 'us', latency: 54.895145ms)

To resolve these issues, you have a couple options:

  • Work with the network team in charge of the corporate firewall to provide exceptions that allow ngrok to make the necessary outbound connections.
  • Set up a custom ingress domain.

When working with the network team, you'll want to set up the following exceptions and allow:

  • Tunnel ingress domains (our default is connect.ngrok-agent.com, but there is one for each region), so that the ngrok agent can connect with our servers
  • Our update URL (the default is update.equinox.io), so that the ngrok agent can quickly update itself

Setting up a custom ingress domain can be useful because it ensures that no one can bring their own ngrok account. In this case, the network admins could continue to block traffic to our normal ingress domains and only allow the custom branded ingress domains. For this, you'll need to: