Do I need to open ports or change the firewall on the remote machine?
No. You don’t open any inbound ports, you don’t forward anything, and you don’t touch NAT. The remote machine only needs to be able to reach the internet outbound — the same access it already uses for updates or a browser.
The agent dials out
An LRO agent never listens for an incoming connection. It opens an outbound WebSocket connection to the LRO core and keeps it alive with periodic keepalives. Outbound is the direction firewalls and NAT already permit by default, so there is nothing to configure on the machine or its network. To the firewall it looks like ordinary outbound web traffic.
What you do not have to do
- No inbound firewall rules to add.
- No port forwarding on the router.
- No public IP and no static address.
- No DMZ, no NAT reconfiguration, no VPN client.
Why this is safer by default
Because nothing on the remote machine is exposed to the public internet, there is no new inbound attack surface to defend. The machine reaches out to the core; the core never reaches in. When you open a tunnel, traffic flows over that already-established outbound channel, and it is end-to-end encrypted between the agents.
Reach a machine without opening a single inbound port.
Create an account →