DisplaySync

Network ports

This is the lookup reference for venue IT. For the prose explanation (why outbound-only, bandwidth, latency tolerance), see Network requirements.

Required outbound destinations

Every DisplaySync kiosk needs these reachable.

| Destination | Port | Protocol | Purpose | Direction |
|---|---|---|---|---|
| api.displaysync.live | 443 | HTTPS | REST API, claim flow, health checks | Outbound |
| api.displaysync.live | 443 | WSS | Real-time WebSocket: heartbeats, commands, content updates | Outbound |
| updates.displaysync.live | 443 | HTTPS | Update binaries (Cloudflare R2) | Outbound |
| *.ingest.us.sentry.io | 443 | HTTPS | Error tracking (specific subdomain: o4511146214752256.ingest.us.sentry.io) | Outbound |
| Microsoft Update servers | 443 | HTTPS | Windows security patches | Outbound |
| Time servers (time.windows.com or pool.ntp.org) | 123 | NTP/UDP | Clock synchronization | Outbound |

Required only when Tailscale is part of your deployment.

| Destination | Port | Protocol | Direction | Purpose |
|---|---|---|---|---|
| controlplane.tailscale.com | 443 | HTTPS | Outbound | Coordination server |
| login.tailscale.com | 443 | HTTPS | Outbound | Authentication |
| *.derp.tailscale.com | 443 | HTTPS / TCP | Outbound | Encrypted DERP relay (fallback when peer-to-peer fails) |
| (peer endpoints, learned dynamically) | 3478 | UDP | Outbound | STUN: NAT traversal probe used to establish direct peer-to-peer connections |
| (peer endpoints, learned dynamically) | 41641 | UDP | Inbound (optional) | Direct WireGuard peer-to-peer (preferred path; falls back to DERP if blocked) |
| pkgs.tailscale.com | 443 | HTTPS | Outbound | Tailscale binary downloads (only during install/update) |

If only port 443 is allowed (UDP 3478 / 41641 blocked), Tailscale falls back to DERP relays over TCP/443 — slightly higher latency, still works. Most venues don't need UDP 41641 inbound; the direct path negotiates outbound from both peers via STUN.

Content origin

Required only for the URLs you assign as content. There's no fixed list — these are wherever your content actually lives.

| Destination | Port | Protocol | Purpose |
|---|---|---|---|
| Whatever your assigned content URLs resolve to | 443 (typically) | HTTPS | The pages the signs display |

If your content is at demo.displaysync.live, that needs to be reachable too.

Strict-allowlist environments

If the venue can only allowlist specific hostnames (no wildcards), this is the minimum set of DisplaySync and Tailscale hostnames (Microsoft Update and the NTP server from the first table are still needed on top of these):

api.displaysync.live
updates.displaysync.live
o4511146214752256.ingest.us.sentry.io
controlplane.tailscale.com
login.tailscale.com
<your content origin host(s)>

Tailscale's DERP relays auto-discover the closest one. On a strict allowlist that doesn't include *.derp.tailscale.com, signs may all funnel through a single relay rather than the closest one. Functional, slightly higher latency. pkgs.tailscale.com is only contacted while Tailscale itself is being installed or updated, so it can be allowlisted temporarily for that window.

What kiosks do not need

| Direction | Status |
|---|---|
| Inbound from internet | None. Block everything. |
| Inbound from venue LAN | None except optional remote access over the Tailscale interface. |
| Public IP | Not required. RFC1918 / NAT is fine. |
| Domain join | Not required. Local accounts only. |

DHCP / DNS / NTP

| Service | Behavior |
|---|---|
| DHCP | Standard. Static IPs not required, but useful for documentation. |
| DNS | Standard. Whatever the venue hands the kiosk works. Public resolvers (1.1.1.1, 8.8.8.8) are fine if you set them statically. |
| NTP | Required. Kiosks need correct time for TLS handshakes and the 30 s command-token freshness window. Default: time.windows.com. Switch to pool.ntp.org or a venue-provided server if needed. |

Protocol/port detail for venue IT:

| Protocol | Port | Direction | Purpose |
|---|---|---|---|
| UDP | 53 | Outbound | DNS: resolves backend, Tailscale and OS update endpoints |
| TCP | 53 | Outbound | DNS fallback (responses too large for UDP; less common) |
| UDP | 123 | Outbound | NTP: clock sync. The kiosk clock must stay within the 30 s freshness window on sign:command_ack tokens, so NTP has to be working before commands are accepted |
| TCP | 37 | Outbound | Legacy TIME protocol (RFC 868), not NTP; second-granularity. Last resort at venues that block UDP entirely |
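As an added example (not part of these docs or the DisplaySync tooling), the PowerShell below measures the kiosk's clock offset against its NTP source, reports whether it sits inside the 30 s freshness window, and switches the Windows Time service to another server when the default is blocked. It assumes the kiosk uses the built-in w32time service and that the shell is elevated; the function names and the 30 s threshold default are assumptions made here.

```powershell
# Added example, not DisplaySync's own code. Requires an elevated prompt.
# Assumes the kiosk keeps time with the built-in Windows Time service (w32tm).

function Get-NtpOffsetSeconds {
    param(
        [string]$Server = 'time.windows.com',
        [int]$Samples = 3
    )
    # /stripchart sends real NTP queries without changing configuration;
    # /dataonly prints one "HH:mm:ss, +00.0123456s" line per sample.
    $lines = & w32tm.exe /stripchart /computer:$Server /samples:$Samples /dataonly 2>&1
    $offsets = @(foreach ($line in $lines) {
        if ($line -match '([+-]\d+\.\d+)s') { [double]$Matches[1] }
    })
    if ($offsets.Count -eq 0) {
        throw "No NTP reply from $Server (UDP 123 blocked, or the name did not resolve)"
    }
    # Median of the samples is robust to a single delayed packet
    $sorted = @($offsets | Sort-Object)
    return $sorted[[math]::Floor($sorted.Count / 2)]
}

function Test-KioskClockSkew {
    param(
        [string]$Server = 'time.windows.com',
        [double]$MaxSkewSeconds = 30   # the command-token freshness window (assumed here)
    )
    $offset = Get-NtpOffsetSeconds -Server $Server
    [pscustomobject]@{
        Server        = $Server
        OffsetSeconds = $offset
        WithinWindow  = ([math]::Abs($offset) -lt $MaxSkewSeconds)
    }
}

function Set-KioskTimeSource {
    param([Parameter(Mandatory)][string[]]$Server)
    # ",0x8" marks each peer as client mode (send requests only, never act as a peer)
    $peerList = ($Server | ForEach-Object { "$_,0x8" }) -join ' '
    & w32tm.exe /config /manualpeerlist:"$peerList" /syncfromflags:manual /reliable:no /update
    Restart-Service w32time
    & w32tm.exe /resync /nowait
    & w32tm.exe /query /source
}

# Usage: check the default source; if it is unreachable or the clock is outside
# the window, move the kiosk to pool.ntp.org (or a venue-provided server).
try {
    $skew = Test-KioskClockSkew
    $skew
    if (-not $skew.WithinWindow) { Set-KioskTimeSource -Server 'pool.ntp.org' }
} catch {
    Write-Warning $_
    Set-KioskTimeSource -Server 'pool.ntp.org'
}
```

A kiosk that reports an offset of a few seconds is fine; one that reports tens of seconds or no reply at all is the usual explanation for "the sign is online but ignores commands", and the fix is the time source, not the firewall.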

Why these specific ports

  • All HTTPS over 443 is intentional — most venue firewalls leave 443 open by default, so kiosks are deployable on aggressively locked-down networks.
  • No port 80 anywhere. DisplaySync is HTTPS-only end to end.
  • No SMB / RDP / VNC required from the venue network. Hands-on access happens over Tailscale.
  • NTP over UDP 123 is the one non-443 outbound. If venue IT blocks UDP entirely, switch to a venue-provided time source. The legacy TIME protocol on TCP 37 (RFC 868, whole-second granularity, not NTP) is a last resort rather than a like-for-like replacement.

OCSP / CRL revocation caveat: revocation checks fetch OCSP responses and CRLs over plain HTTP/80 (the fetch is deliberately not HTTPS, to avoid a circular dependency on the certificate being checked), and some venue firewalls block HTTP/80 entirely. Tailscale and DisplaySync's own traffic don't depend on these fetches, but a TLS handshake to an endpoint whose chain isn't already cached on the kiosk (rare) may stall until the revocation fetch times out. If you hit a "TLS handshake stuck" symptom that doesn't match a normal allowlist gap, this is a possible cause.
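To confirm that caveat rather than guess, the added PowerShell below (not from these docs or from DisplaySync) pulls the certificate chain presented by a host, lists the OCSP and CRL URLs embedded in it, and tests whether the venue lets the kiosk reach each one on its port. It assumes a Windows kiosk (the extension formatting relies on CryptoAPI) and uses api.displaysync.live as the host to inspect; the function names are assumptions.

```powershell
# Added example, not DisplaySync's own diagnostic. Windows-only (CryptoAPI formatting).

function Get-RevocationUrl {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept any certificate here: we only want to read the chain, not trust it
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose(); $tcp.Dispose()
    }

    # Build the chain with revocation checking OFF so this step itself cannot hang
    # on exactly the blocked OCSP responder we are trying to find
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($leaf)

    foreach ($element in $chain.ChainElements) {
        $cert = $element.Certificate
        foreach ($ext in $cert.Extensions) {
            # 1.3.6.1.5.5.7.1.1 = Authority Information Access (OCSP responder, CA issuers)
            # 2.5.29.31         = CRL Distribution Points
            if ($ext.Oid.Value -notin '1.3.6.1.5.5.7.1.1', '2.5.29.31') { continue }
            $kind = if ($ext.Oid.Value -eq '2.5.29.31') { 'CRL' } else { 'AIA' }
            foreach ($m in [regex]::Matches($ext.Format($true), 'https?://[^\s,]+')) {
                [pscustomobject]@{
                    Subject = $cert.Subject
                    Kind    = $kind
                    Url     = $m.Value
                }
            }
        }
    }
}

function Test-RevocationReachability {
    param([Parameter(Mandatory)][string]$HostName)
    Get-RevocationUrl -HostName $HostName | ForEach-Object {
        $u  = [Uri]$_.Url
        # Almost all of these are http:// on port 80, which is the port venues block
        $ok = Test-NetConnection -ComputerName $u.Host -Port $u.Port `
                                 -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            Kind      = $_.Kind
            Url       = $_.Url
            Port      = $u.Port
            Reachable = $ok
        }
    }
}

Test-RevocationReachability -HostName 'api.displaysync.live' | Format-Table -AutoSize
```

If every row shows port 80 unreachable while the 443 checks in "Verifying connectivity from a kiosk" pass, the venue is blocking revocation fetches and a stalled handshake on a rarely-seen endpoint is expected behaviour, not a DisplaySync fault.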

Verifying connectivity from a kiosk

# Backend reachable
Test-NetConnection api.displaysync.live -Port 443

# Updates host
Test-NetConnection updates.displaysync.live -Port 443

# Sentry
Test-NetConnection o4511146214752256.ingest.us.sentry.io -Port 443

# Tailscale (if installed)
Test-NetConnection controlplane.tailscale.com -Port 443
& "C:\Program Files\Tailscale\tailscale.exe" netcheck

Each should respond. If any fail, the venue is blocking that destination — work with IT to allowlist before continuing.

Sentry DSN structure

The desktop sign reports errors to Sentry via a DSN of the form:

https://<key>@<org-id>.ingest.us.sentry.io/<project-id>

<org-id> is the Sentry organization identifier (o4511146214752256 for DisplaySync, which is what produces the ingest hostname listed in the tables above) and <project-id> selects the dashboard:

| Environment | Project ID | Routes to |
|---|---|---|
| Production | 4511158032728064 | Production Sentry dashboard |
| Staging | 4511158035152896 | Staging Sentry dashboard |

Same ingest hostname; different project IDs route reports to different dashboards. The DSN is set at build time per the desktop-sign release channel. Venue firewalls only need to allow *.ingest.us.sentry.io (or the specific subdomain in the Strict-allowlist environments list above); the project ID travels in the URL path, so no per-project allowlisting is required.
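As an added example (not part of these docs or the DisplaySync build), the PowerShell below parses a DSN into its three parts and checks that the ingest host is the one venue IT has allowlisted, which is the check to run when a release channel's DSN changes. The two DSNs at the bottom are constructed samples with a fake key, not real credentials; the function names are assumptions.

```powershell
# Added example, not DisplaySync's own code.

function ConvertFrom-SentryDsn {
    param([Parameter(Mandatory)][string]$Dsn)
    $u = [Uri]$Dsn
    if ($u.Scheme -ne 'https') { throw "DSN must use https, got '$($u.Scheme)'" }
    if (-not $u.UserInfo)      { throw 'DSN has no public key before the @' }
    $projectId = $u.AbsolutePath.Trim('/')
    if ($projectId -notmatch '^\d+$') { throw "Project ID '$projectId' is not numeric" }
    [pscustomobject]@{
        PublicKey  = $u.UserInfo
        IngestHost = $u.Host        # the name venue IT must allowlist
        ProjectId  = $projectId     # routes to a dashboard; never needs allowlisting
    }
}

function Test-SentryAllowlistEntry {
    param(
        [Parameter(Mandatory)][string]$Dsn,
        # The specific-subdomain entry from the Strict-allowlist list above
        [string]$AllowedHost = 'o4511146214752256.ingest.us.sentry.io'
    )
    $parsed = ConvertFrom-SentryDsn -Dsn $Dsn
    $parsed | Add-Member -NotePropertyName MatchesAllowlist `
                         -NotePropertyValue ($parsed.IngestHost -eq $AllowedHost) -PassThru
}

# Constructed sample DSNs (fake key) for the two release channels listed above
$production = 'https://0123456789abcdef@o4511146214752256.ingest.us.sentry.io/4511158032728064'
$staging    = 'https://0123456789abcdef@o4511146214752256.ingest.us.sentry.io/4511158035152896'
Test-SentryAllowlistEntry -Dsn $production
Test-SentryAllowlistEntry -Dsn $staging
```

Both samples report MatchesAllowlist = True with different ProjectId values, which is the point of the section: one hostname to allowlist, with the channel selected by the path.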

Captive portal addendum

If the venue WiFi uses a captive-portal redirect (a "click here to accept terms" splash before internet access), DisplaySync kiosks can't auto-acknowledge it. Effects:

  • The kiosk's first reachability check fails until the portal is acknowledged.
  • The QR-setup screen will not be able to load, because it depends on backend reachability.
  • The Network diagnostics overlay (Ctrl+Shift+N) will show internet check red even on a working venue Wi-Fi.

Workarounds:

  • Pre-claim the venue Wi-Fi from a phone using the same Tailscale-tagged credentials before deploying the kiosk. This acknowledges the portal at the network-credential level.
  • Some captive portals rebind on each device — in that case, manual portal acknowledgment per-kiosk is unavoidable. Pull a keyboard, exit kiosk mode via Ctrl+Shift+C → "Exit for Maintenance", open Edge, accept the portal, restart the sign app.
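Before pulling a keyboard, it helps to know whether the red internet check is a captive portal or an ordinary firewall block, since the fix is different. The added PowerShell below (not DisplaySync's own diagnostic) probes twice with redirects disabled: once over HTTPS to the backend host, where a portal shows up as a redirect or as an intercepted TLS handshake, and once over plain HTTP to the connectivity-test URL Windows itself uses, where a portal replaces the expected body. It assumes Windows PowerShell 5.1 on the kiosk (its redirect handling raises a WebException that carries the response); the function name and verdict labels are assumptions.

```powershell
# Added example, not DisplaySync's own code. Assumes Windows PowerShell 5.1.

function Test-CaptivePortal {
    param(
        [string]$HttpsProbe = 'https://api.displaysync.live/',
        # The probe URL and expected body are what Windows NCSI uses; port 80 may
        # itself be blocked at the venue, which the verdict accounts for.
        [string]$HttpProbe  = 'http://www.msftconnecttest.com/connecttest.txt',
        [string]$HttpExpect = 'Microsoft Connect Test'
    )
    $result = [ordered]@{ Https = 'unknown'; Http = 'unknown'; Verdict = 'unknown' }

    # 1. HTTPS probe. A portal either redirects (30x with Location on its own host)
    #    or intercepts the TLS connection, which surfaces as a certificate or
    #    handshake failure because the portal cannot present a valid certificate.
    try {
        $r = Invoke-WebRequest -Uri $HttpsProbe -UseBasicParsing -MaximumRedirection 0 `
                               -TimeoutSec 10 -ErrorAction Stop
        $result.Https = "ok ($($r.StatusCode))"
    } catch {
        $resp   = $_.Exception.Response
        $status = "$($_.Exception.Status)"
        if ($resp -and [int]$resp.StatusCode -ge 300 -and [int]$resp.StatusCode -lt 400) {
            $result.Https = "redirect -> $($resp.Headers['Location'])"
        } elseif ($status -in 'TrustFailure', 'SecureChannelFailure') {
            $result.Https = 'tls-intercepted'
        } else {
            $result.Https = "fail ($status)"
        }
    }

    # 2. Plain-HTTP probe. A portal swaps the tiny expected body for its login page.
    try {
        $r = Invoke-WebRequest -Uri $HttpProbe -UseBasicParsing -MaximumRedirection 0 `
                               -TimeoutSec 10 -ErrorAction Stop
        $result.Http = if ($r.Content.Trim() -eq $HttpExpect) { 'ok' } else { 'body-replaced' }
    } catch {
        $resp = $_.Exception.Response
        $result.Http = if ($resp -and $resp.Headers['Location']) {
            "redirect -> $($resp.Headers['Location'])"
        } else {
            "fail ($($_.Exception.Status))"
        }
    }

    $result.Verdict =
        if ($result.Https -like 'ok*' -and $result.Http -eq 'ok') { 'internet' }
        elseif ($result.Https -like 'redirect*' -or $result.Https -eq 'tls-intercepted' -or
                $result.Http  -like 'redirect*' -or $result.Http  -eq 'body-replaced') { 'captive-portal' }
        elseif ($result.Https -like 'ok*') { 'internet (port 80 blocked, which is fine)' }
        else { 'blocked-or-offline' }

    [pscustomobject]$result
}

Test-CaptivePortal
```

A 'captive-portal' verdict means the per-kiosk acknowledgment above is the fix; 'blocked-or-offline' with a working Wi-Fi association means an allowlist gap, and the checks in "Verifying connectivity from a kiosk" narrow down which host.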

For the local diagnostic flow, see Hotkeys → Ctrl+Shift+N.

See also