# Network Allow-List

PolicyClue is designed to run in restricted, on-premise networks. Most external connections come from optional modules - disable the module and the hostname disappears from this list. This page lists every external host the stack contacts, the direction (inbound/outbound), the protocol/port to allow, and how to turn each one off.
Each section is labelled with its network role so firewall rules and documentation stay unambiguous.
## Inbound - end users and Microsoft

| Direction | Port | Source | Purpose |
|---|---|---|---|
| Inbound | TCP/80 | End users / Let's Encrypt | HTTP entry point on Traefik. With the ACME override, used for the HTTP-01 challenge and a redirect to HTTPS. Without the override, this is the portal entry point - keep it behind your own TLS terminator. |
| Inbound | TCP/443 | End users | HTTPS entry point. Only opened on the host when the docker-compose-acme.yml override is active or you terminate TLS at Traefik yourself. |
| Inbound | TCP/443 | Microsoft Graph | Webhook delivery to /api/m365/notifications. Only when M365 DLP is configured. See the Microsoft Teams DLP section in Deployment for narrow path-only exposure. |
## Outbound - always required

| Direction | Host | Port | Purpose |
|---|---|---|---|
| Outbound | registry.khost.ch | TCP/443 (HTTPS) | Container image registry. Only contacted on docker compose pull / up. Mirror to a private registry to avoid runtime egress. |
| Outbound | github.com | TCP/443 (HTTPS) | Periodic update of public hostlist sources. |
| Outbound | raw.githubusercontent.com | TCP/443 (HTTPS) | Periodic update of public hostlist sources. |
| Outbound | gist.githubusercontent.com | TCP/443 (HTTPS) | Periodic update of public hostlist sources. |

Without the GitHub hosts, hostlists stay on the last cached version - the portal keeps working.
## Outbound - reverse proxy / TLS

| Direction | Host | Port | When |
|---|---|---|---|
| Outbound | acme-v02.api.letsencrypt.org (or your ACME_CASERVER) | TCP/443 (HTTPS) | Only when docker-compose-acme.yml is enabled. Skip if you terminate TLS at an upstream proxy or use a private CA. |

The HTTP-01 challenge also requires inbound TCP/80 to be reachable from the public internet during certificate issuance and renewal.
## Outbound + Inbound - Microsoft 365 (SSO and DLP modules)

Active when MSENTRA_CLIENT_ID, MSENTRA_CLIENT_SECRET, and MSENTRA_TENANT_ID are set, or when any tenant has the M365 DLP module configured.

| Direction | Host | Port | Purpose |
|---|---|---|---|
| Outbound | login.microsoftonline.com | TCP/443 (HTTPS) | Entra ID authentication. |
| Outbound | graph.microsoft.com | TCP/443 (HTTPS) | Microsoft Graph API. |
| Inbound | Portal (/api/m365/notifications) | TCP/443 (HTTPS) | Microsoft Graph webhook delivery. If the portal is not publicly reachable, expose only this path through a tunnel or reverse proxy. |

To disable: leave the three MSENTRA_* variables empty.
## Outbound - vulnerability data (Security module)

| Direction | Host | Port | Purpose |
|---|---|---|---|
| Outbound | vuln.kgq.ch | TCP/443 (HTTPS) | Vulnerability data feed. Override with VULN_API_URL to point at an internal mirror. |

To disable: leave KS_LICENSE empty.
## Outbound - SMTP (transactional mail and BAS)

The stack does not connect to a fixed SMTP host - mail delivery uses customer-provided servers. The port depends on the security mode you configure:

| Mode | Typical port | Notes |
|---|---|---|
| Implicit TLS (MAIL_SECURITY=tls) | TCP/465 | Default in .env.example. |
| STARTTLS (MAIL_SECURITY=starttls) | TCP/587 | Submission port. |
| Plain (MAIL_SECURITY=none) | TCP/25 | Internal relays only - never use it towards a public MTA. |

| Direction | Variable | Notes |
|---|---|---|
| Outbound | MAIL_HOST + MAIL_PORT | Transactional mail. Allow whatever host/port pair you set. |
| Outbound | PHISHING_SENDING_PROFILES[*].host + .port | One entry per BAS sending profile; each can have its own host/port/security mode. Allow every combination listed in the JSON. |

To disable: leave MAIL_HOST empty for transactional mail; leave PHISHING_SENDING_PROFILES empty to disable BAS sending.
## Outbound - LLM gateway (AI features)

Active when LLM_ENABLED=true. The host depends on the backend you choose via LLM_BASE_URL. All listed providers use HTTPS on TCP/443.

| Direction | Backend | Host to allow | Port |
|---|---|---|---|
| Outbound | Self-hosted Ollama (default, via docker-compose-ollama.yml) | None at runtime - internal Docker network only. First-time model pull only: registry.ollama.ai. | TCP/443 (HTTPS) for the model pull |
| Outbound | OpenAI | api.openai.com | TCP/443 (HTTPS) |
| Outbound | Anthropic (via LiteLLM) | api.anthropic.com (and your LiteLLM host) | TCP/443 (HTTPS) |
| Outbound | Azure OpenAI (via LiteLLM) | *.openai.azure.com (and your LiteLLM host) | TCP/443 (HTTPS) |
| Outbound | LiteLLM proxy | The proxy hostname only - it talks to providers on your behalf. | TCP/443 (HTTPS), or whatever the proxy listens on |

To disable: LLM_ENABLED=false (default).
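The module rules above (always-on hosts, ACME, Microsoft 365, Security module, SMTP/BAS, LLM gateway) as a small helper that derives the outbound allow-list from a parsed .env, so the firewall rule set can be generated and reviewed rather than hand-copied. This is an added example, not PolicyClue's own tooling; the `acme_enabled` and `m365_dlp_configured` flags, the `_host_port` helper, the sample values and the treatment of a dot-less LLM_BASE_URL host as the self-hosted Ollama service are assumptions.

```python
import json
from urllib.parse import urlsplit

# Hosts contacted regardless of modules (see "Outbound - always required").
ALWAYS = {("registry.khost.ch", 443), ("github.com", 443),
          ("raw.githubusercontent.com", 443), ("gist.githubusercontent.com", 443)}

# Constructed sample configuration: every module switched on, Ollama self-hosted.
SAMPLE_ENV = {
    "MSENTRA_CLIENT_ID": "app-id", "MSENTRA_CLIENT_SECRET": "secret", "MSENTRA_TENANT_ID": "tenant",
    "KS_LICENSE": "license-blob", "VULN_API_URL": "https://vuln-mirror.internal.example/",
    "MAIL_HOST": "smtp.internal.example", "MAIL_PORT": "465",
    "PHISHING_SENDING_PROFILES": '[{"host": "mail-a.example.test", "port": 587},'
                                 ' {"host": "mail-b.example.test", "port": 465}]',
    "LLM_ENABLED": "true", "LLM_BASE_URL": "http://ollama:11434",
}


def _host_port(url, default_port=443):
    """Split 'scheme://host[:port]/path' into (host, port); no port means 443 unless plain http."""
    u = urlsplit(url)
    return u.hostname, u.port or (80 if u.scheme == "http" else default_port)


def required_egress(env, acme_enabled=False, m365_dlp_configured=False):
    """Return the set of (host, port) pairs this configuration needs to reach.

    acme_enabled stands in for the docker-compose-acme.yml override and m365_dlp_configured
    for the per-tenant DLP setting; neither lives in .env, so both are passed in (assumption).
    """
    allow = set(ALWAYS)
    if acme_enabled:  # "Outbound - reverse proxy / TLS"
        allow.add(_host_port(env.get("ACME_CASERVER") or "https://acme-v02.api.letsencrypt.org"))
    sso = all(env.get(k) for k in ("MSENTRA_CLIENT_ID", "MSENTRA_CLIENT_SECRET", "MSENTRA_TENANT_ID"))
    if sso or m365_dlp_configured:  # "Microsoft 365 (SSO and DLP modules)"
        allow |= {("login.microsoftonline.com", 443), ("graph.microsoft.com", 443)}
    if env.get("KS_LICENSE"):  # Security module; VULN_API_URL overrides the feed host
        allow.add(_host_port(env.get("VULN_API_URL") or "https://vuln.kgq.ch"))
    if env.get("MAIL_HOST"):  # transactional mail; 465 is the .env.example default
        allow.add((env["MAIL_HOST"], int(env.get("MAIL_PORT", 465))))
    for profile in json.loads(env.get("PHISHING_SENDING_PROFILES") or "[]"):  # BAS profiles
        allow.add((profile["host"], int(profile["port"])))
    if env.get("LLM_ENABLED", "false").lower() == "true":
        host, port = _host_port(env.get("LLM_BASE_URL", ""))
        if host and "." in host:  # external provider or LiteLLM proxy
            allow.add((host, port))
        else:  # Docker service name: self-hosted Ollama, only the first model pull leaves (assumption)
            allow.add(("registry.ollama.ai", 443))
    return allow


if __name__ == "__main__":
    print(*sorted(f"{h}:{p}" for h, p in required_egress(SAMPLE_ENV, acme_enabled=True)), sep="\n")
```

Diff the output against the rules actually loaded on the egress firewall; any host missing on one side is either an undocumented dependency or a stale rule.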
## What the portal does not contact

To keep the allow-list short:

- No analytics, error-reporting, or product-telemetry services.
- No public CDNs from the webapp. Fonts, icons, charting, grids, and the rich-text editor are vendored into the webapp image and served from the portal itself - no third-party asset hosts in browser traffic.
- No license verification servers. Licensing is validated locally.
## Quick reference

### Minimal on-prem

No SSO, no Security module, no AI, no BAS.

| Direction | Host | Port | Purpose |
|---|---|---|---|
| Inbound | Portal | TCP/80 (and/or TCP/443 if you terminate TLS) | End-user access |
| Outbound | registry.khost.ch | TCP/443 | Container image registry |
| Outbound | github.com | TCP/443 | Hostlist sources |
| Outbound | raw.githubusercontent.com | TCP/443 | Hostlist sources |
| Outbound | gist.githubusercontent.com | TCP/443 | Hostlist sources |
### Full on-prem

Everything enabled - Entra SSO, M365 DLP, Security module, BAS, Ollama LLM, Let's Encrypt TLS.

| Direction | Host | Port | Purpose |
|---|---|---|---|
| Inbound | Portal | TCP/80 | ACME HTTP-01 challenge + HTTPS redirect |
| Inbound | Portal | TCP/443 | End-user HTTPS access |
| Inbound | Portal /api/m365/notifications | TCP/443 | Microsoft Graph webhooks |
| Outbound | registry.khost.ch | TCP/443 | Container image registry |
| Outbound | github.com | TCP/443 | Hostlist sources |
| Outbound | raw.githubusercontent.com | TCP/443 | Hostlist sources |
| Outbound | gist.githubusercontent.com | TCP/443 | Hostlist sources |
| Outbound | acme-v02.api.letsencrypt.org | TCP/443 | Let's Encrypt certificate issuance |
| Outbound | login.microsoftonline.com | TCP/443 | Entra ID authentication |
| Outbound | graph.microsoft.com | TCP/443 | Microsoft Graph API |
| Outbound | vuln.kgq.ch | TCP/443 | Vulnerability data feed |
| Outbound | registry.ollama.ai | TCP/443 | Ollama model pull (first time only) |
| Outbound | <your MAIL_HOST> | TCP/465 (TLS) or TCP/587 (STARTTLS) | Transactional mail |
| Outbound | <each PHISHING_SENDING_PROFILES host> | Per-profile (typically TCP/587) | BAS phishing-simulation sending |