Overview
Splashtop On-Prem is a self-hosted remote access solution. Unlike Splashtop's cloud-based products, all session traffic flows through your own Splashtop Gateway server — no external Splashtop cloud relay infrastructure is involved during remote sessions. This means your firewall configuration is centered on allowing traffic to and from the Gateway itself, rather than permitting access to third-party domains.
This article applies to all Splashtop On-Prem deployments, including Sovereign Cloud (private cloud) instances, as they share the same Gateway architecture and network requirements.
Note: If you are using Splashtop's cloud-based products (Splashtop Business, Splashtop Enterprise, etc.), please refer to What Are the Firewall Exceptions and IP Addresses of Splashtop Servers/Services? instead.
External Port (Firewall Rule Required)
Only one TCP port needs to be open through your network firewall for Splashtop On-Prem to function:
| Port | Protocol | Direction | Purpose |
|---|---|---|---|
| 443 (default) | TCP | Inbound and Outbound | Main port used by the Gateway to communicate with Streamers, On-Prem client apps, SOS apps, and the web management console. |
This single port carries all traffic: client authentication, session relay, web console access, and Streamer registration.
Configurable: The default port 443 can be changed to a different port via the Gateway web console under System → Network → Change Port. If you change it, ensure the new port is permitted in your firewall rules and is not occupied by another service. All Streamers and client apps must then specify the new port (e.g., `https://gateway-ip:8443`).
Internal Ports (Loopback Only)
The following ports are used internally by the Gateway server for inter-process communication. They do not require any inbound or outbound firewall rules, but they must not be occupied by other applications running on the same machine:
| Port | Protocol | Purpose |
|---|---|---|
| 9080 | TCP (loopback) | Internal Gateway service |
| 5432 | TCP (loopback) | Embedded PostgreSQL database |
| 7080 | TCP (loopback) | Internal service communication |
| 7081 | TCP (loopback) | Internal service communication |
| 5080 | TCP (loopback) | Internal service communication |
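A pre-flight check for the ports in the table above, as an added example (not Splashtop tooling). It reports which of them already have a TCP listener on the loopback addresses; the function names are assumptions. Run it before the Gateway is installed or while its services are stopped, because a running Gateway holds these ports itself.

```python
import socket

# Loopback ports and purposes copied from the table above.
GATEWAY_LOOPBACK_PORTS = {
    9080: "Internal Gateway service",
    5432: "Embedded PostgreSQL database",
    7080: "Internal service communication",
    7081: "Internal service communication",
    5080: "Internal service communication",
}


def has_listener(port, timeout=0.5):
    """True if a TCP listener answers on the IPv4 or IPv6 loopback address."""
    for family, addr in ((socket.AF_INET, "127.0.0.1"), (socket.AF_INET6, "::1")):
        try:
            with socket.socket(family, socket.SOCK_STREAM) as sock:
                sock.settimeout(timeout)
                if sock.connect_ex((addr, port)) == 0:
                    return True
        except OSError:
            continue  # address family not available on this host
    return False


def find_conflicts(ports=GATEWAY_LOOPBACK_PORTS):
    """Return {port: purpose} for every listed port that is already in use."""
    return {port: purpose for port, purpose in ports.items() if has_listener(port)}


if __name__ == "__main__":
    conflicts = find_conflicts()
    for port, purpose in sorted(conflicts.items()):
        print(f"port {port} is in use, needed for: {purpose}")
    raise SystemExit(1 if conflicts else 0)
```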
Optional Ports
| Port | Protocol | Purpose |
|---|---|---|
| 7, 9 | UDP | Wake-on-LAN — required only if you use the Wake-on-LAN feature to power on remote computers |
| 6783 | TCP | LAN direct connection — used for point-to-point sessions between the client app and Streamer when both are on the same local network, bypassing the relay |
Making the Gateway Accessible Across Networks
If your Streamers or client apps need to reach the Gateway from outside the LAN (e.g., remote workers over the Internet), you must ensure the Gateway has a reachable address. Common approaches include:
- Public IP assigned directly to the Gateway server.
- Port forwarding on your edge firewall or router — forward the external port to the Gateway's internal IP and port.
- DMZ deployment with dual network interfaces — one facing the internal LAN, one facing the Internet.
- FQDN mapping — map a domain name to the Gateway's public IP for convenience and SSL certificate compatibility.
For detailed deployment guidance, refer to How to Make Splashtop Gateway Accessible from the Internet.
URL Path Prefixes (For Web Application Firewalls or Reverse Proxies)
If your environment routes traffic through a Web Application Firewall (WAF) or reverse proxy that inspects or filters by URL path, the following path prefixes on the Gateway must be permitted:
| Path Prefix | Function |
|---|---|
| `/api/fulong/v1/` | Core API endpoints used by clients and Streamers |
| `/shortcut/remote/` | Quick-launch remote session links |
| `/web/assets/` | Static assets for the Gateway web console |
| `/api/saml/acs` | SAML SSO Assertion Consumer Service endpoint (required only if using SAML-based single sign-on) |
| `/web/assets/sso/` | SSO-related web assets (required only if using SSO) |
If you are not using a WAF or path-based filtering, these prefixes are served automatically through the Gateway's single service port and no additional configuration is needed.
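A path allow-list built from these prefixes should match on the decoded, normalised path rather than on the raw request line, so that dot segments and percent-encoding cannot make a request appear to fall under a permitted prefix. The following is an added example, not Splashtop code or any WAF product's rule syntax; the normalisation policy, the function names and the sample request targets are assumptions.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Prefixes copied from the table above; the SSO pair is only needed with SSO.
BASE_PREFIXES = ("/api/fulong/v1/", "/shortcut/remote/", "/web/assets/")
SSO_PREFIXES = ("/api/saml/acs", "/web/assets/sso/")


def canonical_path(request_target: str) -> Optional[str]:
    """Decode and normalise the path of a request target; None means reject."""
    path = request_target.partition("?")[0]
    decoded = unquote(path)
    # Assumed policy: refuse double-encoding, backslashes and control bytes
    # instead of guessing how the backend would interpret them.
    if "%" in decoded or "\\" in decoded or any(ord(c) < 0x20 for c in decoded):
        return None
    if not decoded.startswith("/") or decoded.startswith("//"):
        return None
    canonical = posixpath.normpath(decoded)  # resolves "." and ".." segments
    if decoded.endswith("/") and canonical != "/":
        canonical += "/"  # normpath drops the trailing slash
    return canonical


def is_permitted(request_target: str, sso_enabled: bool = False) -> bool:
    """True if the normalised path falls under a listed Gateway prefix."""
    path = canonical_path(request_target)
    if path is None:
        return False
    prefixes = BASE_PREFIXES + (SSO_PREFIXES if sso_enabled else ())
    for prefix in prefixes:
        if prefix.endswith("/"):
            if path.startswith(prefix):
                return True
        elif path == prefix or path.startswith(prefix + "/"):
            # Assumption: an entry without a trailing slash is one endpoint.
            return True
    return False


if __name__ == "__main__":
    # Constructed request targets; file and endpoint names are placeholders.
    for target in ("/web/assets/app.js", "/api/fulong/v1/example?x=1",
                   "/web/assets/../../admin", "/web/assets/%2e%2e/%2e%2e/admin",
                   "/api/saml/acs", "/api/saml/acs-other"):
        print(f"{target:36} base={is_permitted(target)} "
              f"sso={is_permitted(target, sso_enabled=True)}")
```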
Outbound Internet Access
Splashtop On-Prem does not require Internet access for remote session traffic or software updates — updates for Streamers and client apps are hosted and distributed through the Gateway itself.
However, outbound Internet access is required for license validation depending on your license type:
- Online license — the Gateway must be able to reach Splashtop's licensing servers on an ongoing basis to validate your license. Allow outbound traffic to `*.splashtop.com` on port 443.
- Offline license — the Gateway does not require Internet access after activation. This option is available for environments that must remain fully air-gapped. Contact Splashtop support for offline license activation.
Verifying Connectivity
Splashtop On-Prem connectivity can be verified by simply accessing the Gateway web console from the endpoint device:
- Open a browser on the device in question.
- Navigate to `https://<gateway-address>:<port>` (e.g., `https://192.168.1.100` or `https://gateway.company.com`).
- If the Gateway login page loads, the network path is clear.
- If the page does not load, check that the Gateway's port is permitted in the firewall and that the correct IP/FQDN and port are being used.
You can also test from the command line:
```
# Windows PowerShell
Test-NetConnection -ComputerName <gateway-address> -Port 443

# macOS / Linux
curl -Ik https://<gateway-address>:<port>
```
Summary
For Splashtop On-Prem deployment, the minimum firewall requirement is:
- Allow TCP port 443 (or your configured port) inbound and outbound to/from the Gateway server's IP address.
- Ensure loopback ports 9080, 5432, 7080, 7081, and 5080 are not occupied on the Gateway machine.
- Allow outbound traffic to `*.splashtop.com` on port 443 for online license validation. (Not required for offline licenses.)