Network Requirements
This page details the network connectivity requirements for a self-hosted Atrium deployment.
Inbound access
| Port | Protocol | Source | Purpose |
|---|---|---|---|
| 80 | TCP | Internet | HTTP → HTTPS redirect. Required for Let's Encrypt HTTP-01 challenge. |
| 443 | TCP | Internet / LAN | HTTPS — dashboard, API, kiosk, agent WebSocket. |
Port 80 can be closed if you use the DNS-01 challenge or custom certificates. With HTTP-01, port 80 must accept connections from the internet at large: validation requests come from Let's Encrypt's own servers, so the source cannot be narrowed to your address ranges. Port 443 must be reachable from everywhere that needs to reach Atrium: admin browsers, kiosk tablets, and the Atrium Agent.
Outbound access
The Atrium server needs outbound HTTPS (port 443) to several destinations:
Required
| Destination | Purpose | Impact if blocked |
|---|---|---|
| ghcr.io, *.ghcr.io | Container image pulls | Cannot update. Current version continues to work. |
| cp.atrium.sprocksystems.de | Control Plane check-in | License grace period starts (30 days). After grace period: read-only mode. |
| ACME CA (acme-v02.api.letsencrypt.org) | TLS certificate issuance/renewal | Certificate renewal fails. Use custom certificates instead. |
Conditional (depends on configuration)
| Destination | Purpose | When needed |
|---|---|---|
| Your SMTP server | Email delivery | If SMTP is configured |
| Your OIDC provider (e.g., login.microsoftonline.com) | User authentication | If using external IdP |
| CRM APIs (e.g., *.salesforce.com) | CRM integration | If CRM integration is configured |
| Calendar APIs (e.g., graph.microsoft.com) | Calendar integration | If calendar integration is configured |
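The following egress preflight is an added example for this page, not Atrium's own tooling. It probes every destination in the two tables above (name resolution, TCP connect, and on port 443 a verified TLS handshake) and reports a failure together with the impact the tables document for it, so an operator can see which firewall or proxy rule is missing and what breaks if it stays missing. The conditional hostnames `smtp.example.internal` and the SMTP port 587 are assumed placeholders; `*.ghcr.io` cannot be probed as a wildcard, so the apex name stands in for it. The connector is injectable so the reporting logic can be exercised offline.

```python
"""Egress preflight for an Atrium host (added example, not Atrium tooling)."""
import socket
import ssl
from dataclasses import dataclass


@dataclass(frozen=True)
class Destination:
    host: str
    port: int
    purpose: str
    impact: str          # consequence documented for this destination when blocked
    required: bool = True


# Required destinations from the page; "*.ghcr.io" is covered by the same
# allow rule but only the apex name can be probed directly.
REQUIRED = [
    Destination("ghcr.io", 443, "container image pulls",
                "cannot update; the running version keeps working"),
    Destination("cp.atrium.sprocksystems.de", 443, "Control Plane check-in",
                "30-day license grace period starts, then read-only mode"),
    Destination("acme-v02.api.letsencrypt.org", 443, "ACME certificate issuance/renewal",
                "certificate renewal fails; switch to custom certificates"),
]

# Conditional destinations. The SMTP hostname and port 587 are assumed placeholders.
CONDITIONAL = [
    Destination("smtp.example.internal", 587, "email delivery",
                "no outbound email until the SMTP server is reachable", required=False),
    Destination("login.microsoftonline.com", 443, "OIDC authentication",
                "external IdP logins fail (built-in IdP unaffected)", required=False),
    Destination("graph.microsoft.com", 443, "calendar integration",
                "calendar sync stops", required=False),
]


def tls_connect(host: str, port: int, timeout: float) -> None:
    """Resolve and TCP-connect; on 443 also complete a TLS handshake with
    certificate verification. Any failure surfaces as OSError (socket.gaierror,
    TimeoutError and ssl.SSLError are all OSError subclasses)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if port == 443:
            ctx = ssl.create_default_context()
            with ctx.wrap_socket(sock, server_hostname=host):
                pass  # handshake runs during wrap; success means the path is open


def fake_connector(blocked):
    """Offline stand-in for tls_connect: refuses every host in `blocked`."""
    def connector(host, port, timeout):
        if host in blocked:
            raise ConnectionRefusedError(f"{host}:{port} blocked by policy")
    return connector


def check_egress(destinations, connector=tls_connect, timeout: float = 5.0) -> dict:
    """Return {host: (reachable, message)}; the message carries the documented impact."""
    report = {}
    for d in destinations:
        try:
            connector(d.host, d.port, timeout)
            report[d.host] = (True, f"ok ({d.purpose})")
        except OSError as exc:
            tag = "REQUIRED" if d.required else "conditional"
            report[d.host] = (False, f"{tag} blocked, {type(exc).__name__}: {d.impact}")
    return report


def blocked_required(report: dict, destinations) -> list:
    """Hosts in `destinations` that are required and were not reachable."""
    return [d.host for d in destinations
            if d.required and not report.get(d.host, (True, ""))[0]]


if __name__ == "__main__":
    rep = check_egress(REQUIRED + CONDITIONAL)
    for host, (ok, msg) in rep.items():
        print(f"{'PASS' if ok else 'FAIL'} {host:32} {msg}")
    raise SystemExit(1 if blocked_required(rep, REQUIRED) else 0)
```

Run it on the Docker host before go-live and again after any firewall or proxy change; a non-zero exit means at least one required destination is blocked. Note that it only tests the outbound side: whether Let's Encrypt can reach port 80 for HTTP-01 cannot be verified from the host itself.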
Agent-to-Server connectivity
The Atrium Agent connects to the Atrium Server over WebSocket (WSS — port 443). This is an outbound connection from the Agent's perspective. No inbound ports need to be opened on the Atrium server for Agent connectivity — the Agent initiates the connection.
If the Agent is on a different network segment than the server:
- Allow outbound TCP 443 from the Agent to the server, and make sure the Agent can resolve the server's hostname.
- If there is a proxy in the path, it must support WebSocket upgrades: it has to pass the HTTP/1.1 Upgrade handshake through unchanged and must not terminate the long-lived connection on an idle timeout. Proxies that strip the Upgrade/Connection headers or answer the request themselves break the Agent link even though plain HTTPS works.
Air-gapped operation
Atrium can operate without internet access, with these limitations:
| Feature | Behavior without internet |
|---|---|
| Core operations | Fully functional. Visitor management, check-in, documents, and kiosk all work locally. |
| License | Valid for the grace period (default: 30 days from last successful check-in). After that, the instance enters read-only mode — existing data is accessible but new check-ins are blocked. |
| Updates | No automatic updates. Images must be transferred manually (export/import). |
| TLS certificates | Must be provided manually. Let's Encrypt is not available. |
| Email | Only if an SMTP server is reachable on the local network. |
| CRM / Calendar | Not available (these require external API access). |
| OIDC | Only if the IdP is reachable on the local network (e.g., on-premises Keycloak or ADFS). The built-in IdP works fully offline. |
For extended air-gapped operation, contact support about offline licensing arrangements.
DNS resolution
All containers use Docker's built-in DNS for inter-container communication. No custom DNS configuration is needed for the stack itself. The server only needs external DNS for outbound connections (ghcr.io, Control Plane, ACME CA, SMTP, IdP, CRM, calendar). Docker's embedded resolver forwards external lookups to the host's configured nameservers, so an egress allowlist must also permit the host's own DNS traffic; otherwise every outbound connection above fails at name resolution before any firewall rule for port 443 is consulted.