Hi Somjeat,
The one outbound internet port required* is for Laserfiche Directory Server to activation.laserfiche.com over 443/HTTPS for license activation and renewal. The public IP address for that endpoint is currently 66.172.16.139.
We try to keep the IP address for the activation service static; however, it is subject to (infrequent) change. I recommend running the following in PowerShell/cmd to verify the service IP before configuring firewall rules.
nslookup activation.laserfiche.com
If Laserfiche Directory Server cannot reach activation.laserfiche.com, it cannot activate or renew its primary license through normal means. You would have to use the manual alternate process of running the standalone license activation utility on an internet-connected computer, generating the license file, copying it to the LFDS server, and uploading it. I do not recommend this. Put in the limited firewall exception. In my experience, InfoSec teams rarely take issue with allowing HTTPS to a single known IP for license activation purposes.
It's also important that you request a domain-locked license through your Solution Provider or Laserfiche Sales contact. Domain-locking is an alternative validation mechanism that looks at the Active Directory domain of the servers the software is installed on rather than a machine-specific hardware fingerprint. With GCP/AWS/Azure cloud servers, those hardware fingerprints can change frequently and "break", while the AD domain is fixed even if the VMs get moved around. There's no charge for this - all you need to do is provide the AD domain name for the new environment for us to fulfill the request.
Cheers,
Sam
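
The DNS check described in the post above can be run as a repeatable test. This PowerShell sketch is an added example, not part of the original post and not Laserfiche code. It compares what activation.laserfiche.com resolves to against the IP allowed by the firewall rule, then tries a TCP connection on 443 from the LFDS server. The function name and the `-RuleIp` parameter are hypothetical, and it assumes a direct (non-proxied) outbound path.

```powershell
# Added example: Test-ActivationEndpoint and -RuleIp are hypothetical names.
function Test-ActivationEndpoint {
    param(
        [string]$HostName = 'activation.laserfiche.com',
        # IP(s) the outbound firewall rule currently allows (value quoted in the post).
        [string[]]$RuleIp = @('66.172.16.139'),
        [int]$Port = 443
    )

    try {
        # Keep only A records; a CNAME in the answer has no IPAddress to compare.
        $resolved = @(Resolve-DnsName -Name $HostName -Type A -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' } |
            Select-Object -ExpandProperty IPAddress)
    } catch {
        # Report DNS failure as a result so a scheduled run still logs something.
        return [pscustomobject]@{
            HostName = $HostName; ResolvedIp = @(); NotInRule = @()
            RuleIsCurrent = $false; TcpReachable = $false
            Error = $_.Exception.Message
        }
    }

    # Addresses DNS returns today that the firewall rule does not cover.
    $notInRule = @($resolved | Where-Object { $_ -notin $RuleIp })

    # TCP connect only: this proves the port is open through the firewall,
    # not that TLS or the activation service itself is healthy.
    $reachable = $false
    foreach ($ip in $resolved) {
        $t = Test-NetConnection -ComputerName $ip -Port $Port -WarningAction SilentlyContinue
        if ($t.TcpTestSucceeded) { $reachable = $true; break }
    }

    [pscustomobject]@{
        HostName      = $HostName
        ResolvedIp    = $resolved
        NotInRule     = $notInRule
        RuleIsCurrent = ($resolved.Count -gt 0 -and $notInRule.Count -eq 0)
        TcpReachable  = $reachable
        Error         = $null
    }
}

# Run on the LFDS server before and after adding the firewall exception.
Test-ActivationEndpoint | Format-List
```

If `RuleIsCurrent` is false, the service IP has changed and the firewall exception needs updating before the next license renewal.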