Networking requirements for devices enrolled in Meta Horizon managed services
Domains used by Meta Horizon managed services
Desktops need access to the following domains to access Admin Center and managed Meta accounts and to manage devices:
Meta Quest devices need access to the following domains during setup and enrollment and when installing updates:
Desktops need access to the following domains to manage devices, and Quest devices need access to fetch configurations:
Desktops need access to the following domains to view a Meta Quest device cast:
Desktops need access to the following domains to use Meta Quest PC Link app:
Desktops and Meta Quest devices need access to the following domains to connect to the Meta Quest Remote Desktop app:
You may also need to add app-specific URLs to your network allowlist to ensure that all required endpoints are reachable. These URLs need to be provided by the app developer.
Update a 802.1x Enterprise Wi-Fi Configuration
As part of Google’s Android mainline update, Wi-Fi authentication for 802.1x Enterprise networks will fail if a domain suffix match and matching Root certificate has not been provided in the configuration.
If no alternative network is available, such as WPA2 or Open Network, the device may lose network connectivity.
To add the domain suffix and root certificate:
- Obtain the Root Certificate: Get the Root certificate from the Authentication server and the correct Domain name suffix/value of your RADIUS server certificate.
- Update the Enterprise Network:
- Go to Admin Center then Devices and then Networks
- Update the active Enterprise (EAP-TLS & EAP- PEAP) network with the updated RADIUS server domain name for the certificates.
- Repeat this for each Enterprise SSID to be configured.
To avoid failure while updating the configuration, you can configure a backup network that is a non-Enterprise Wi-Fi profile (WPA2 PSK, Open Network) which will allow the Android agent to re-establish its connection if the 802.1x Enterprise network cannot be verified.
Note: If your device is running OS version v72 or higher and has an MDM component version of 111.x, this update will apply to you. All new or updated Wi-Fi network configurations will require a RADIUS server domain name to be created or changed.
Additional ports requirements
As well as ports 80/443, consider unblocking the following Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports so devices involved in your organization’s Meta Quest devices can communicate with each other:
- TCP: 3478; 3479; 8080.
- UDP: 40003; 40005; 40007; 40008. We’d also recommend unblocking 50000-59999 for additional range.
IP ranges used by Meta Horizon managed services
Meta Horizon managed services dynamically manages network traffic, so allowlisting by IP is not recommended. Meta’s Autonomous System (AS) number is AS32934. If your organization’s firewall can only be configured with IP addresses, we recommend using the following command to return IPv4 and IPv6 subnets:
- whois -h whois.radb.net -- ‘-i origin AS32934’
This command should be run at least once a month to keep the IP addresses up to date.
Validate Meta Quest device access to domains and ports
To validate desktop or device access or debug access failures, your desktop needs to have Wireshark. You also need your Meta Quest device and a data USB cable.
Then:
- Connect your Meta Quest device to your desktop using a data USB cable.
- Open a terminal window and verify Android Debug Bridge (adb) devices displays the Quest device’s serial number.
- Run a tcpdump to take an ongoing packet capture.
- Complete the desired test case scenario.
- End the ongoing tcpdump.
- Pull the .pcap file from the Quest device to your desktop using the following command:
- > adb pull /sdcard/[FILENAME].pcap
- Use the following commands to identify the domains and ports used:
- > tshark -r [FILENAME].pcap -T fields -e dns.qry.name -e http.host -e tcp.dstport -e udp.dstport “dsn.qry.name != \”\”” > [OUTPUT-FILE].txt
- View the domains and ports in the [OUTPUT-FILE].txt file.
