Firewall Configuration
Configure your firewall and proxy to allow the Ambient endpoint agent to connect.
Last updated: February 22, 2026
The Ambient endpoint agent communicates with the Ambient cloud over HTTPS. This guide lists all required firewall rules and proxy configuration options.
Required Outbound Rules
All connections are outbound from the endpoint. No inbound firewall rules are required.
| Destination | Port | Protocol | Purpose |
|---|---|---|---|
api.ziviso.africa | 443 | HTTPS | Agent API (policy sync, content delivery, analytics) |
cdn.ziviso.africa | 443 | HTTPS | Wallpaper, screensaver, and lockscreen asset delivery |
auth.ziviso.africa | 443 | HTTPS | SSO / identity token validation |
updates.ziviso.africa | 443 | HTTPS | Auto-update manifest and installer download |
All connections use TLS 1.2+. Certificate pinning is not used — standard corporate CA roots are respected.
Proxy Support
If your environment routes HTTPS traffic through a proxy:
// C:\ProgramData\Ambient\agent-config.json
{
"serverUrl": "https://api.ziviso.africa/api/v1",
"proxyUrl": "http://proxy.yourcompany.com:8080",
"proxyBypass": "localhost;127.0.0.1;*.internal.company.com"
}Authenticated proxies (NTLM / Basic):
{
"proxyUrl": "http://DOMAIN\\username:password@proxy.yourcompany.com:8080"
}Note: Store proxy credentials securely. On Windows, use the Windows Credential Manager integration rather than plaintext passwords where possible.
SSL Inspection (TLS Interception)
If your proxy performs SSL/TLS inspection, you must add your proxy’s root CA certificate to the system trust store on each endpoint:
Windows:
Import-Certificate -FilePath "C:\Certs\ProxyRoot.cer" -CertStoreLocation Cert:\LocalMachine\RootLinux:
sudo cp ProxyRoot.crt /usr/local/share/ca-certificates/
sudo update-ca-certificatesThe Ambient agent uses the OS certificate store — importing to the system root is sufficient.
Windows Defender Application Control (WDAC) / AppLocker
If your environment uses application allow-listing:
- Process name:
AmbientAgent.exe - Publisher: Ziviso (Pty) Ltd —
CN=Ziviso (Pty) Ltd, O=Ziviso, C=ZA - Installation path:
C:\Program Files\Ambient\
Add the publisher or path as an allowed rule in your WDAC/AppLocker policy.
Network Diagnostic
To test connectivity from a device before deploying the agent:
# PowerShell - test API reachability
Invoke-WebRequest -Uri "https://api.ziviso.africa/health" -UseBasicParsing
# Expected: StatusCode 200If this fails, check your proxy and firewall logs for blocked requests.
On-Premise / Private Cloud
Enterprise plans support private cloud deployment where the Ambient API runs in your own infrastructure. In this configuration, only your internal API endpoint needs to be reachable. Contact sales@ziviso.africa for on-premise deployment options.