Last Modified: 11.07.2023
When using Bitrix24 On-premise, network administrator must consider an option within the security policy to grant network access for REST-applications.
The following must be opened for Bitrix24:
- Outbound requests to oauth.bitrix.info (for app mechanism).
- *.bitrixsoft.com. The "Developers" section for creating integrations and webhooks is restricted without access to this resource.
- Inbound requests from app servers (addresses depend from specific applications).
The following permissions must be granted for an app at the developer's server:
- Outbound https requests to oauth.bitrix.info.
- Outbound https requests to Bitrix24 Self-hosted server.
- Inbound https requests from server group mp_actions.*, when app uses event mechanisms, automation rules or custom workflow actions.
Inbound http/s queries will be received from dynamic(scale-based) server group with different IP-addresses. List of these IP-addresses can be retrieved beforehand by querying the address https://dl.bitrix24.com/webhook/app-world.json
Example of query using curl:
$ curl https://dl.bitrix24.com/webhook/app-world.json
"nodes": ["188.8.131.52", "184.108.40.206"]
Use the retrieved list of nodes array's IP addresses to update firewall rules for inbound connections in the corporate network or self-hosted VM.
Sampling frequency: 1 per minute max, but preferable once each 5-10 minutes. VM pool scaling mechanism is designed to pre-list 5-10 minutes before retrieving webhooks from a new address.
Note: Previously Bitrix24 listed specific IPs to be opened for queries. But, due to these addresses changing, it's recommended to work with IP addresses with indicated resolved domain names.