# Gateway Network Configuration The Keeper Gateway establishes outbound-only connections and does not require any inbound firewall rules. The following outbound connections must be allowed:
Destination EndpointPorts NeededMore Info

Keeper Cloud
keepersecurity.[x]

Endpoints:

US: .com

EU: .eu

AU: .com.au

JP: .jp

CA: .ca

US_GOV: .us

TLS Port 443Communicates with Keeper Cloud to access target infrastructure via native protocols (e.g., SSH, RDP)

Keeper Router
connect.keepersecurity.[x]

Endpoints:

US: .com

EU: .eu

AU: .com.au

JP: .jp

CA: .ca

US_GOV: .us

TLS Port 443Communicates with Keeper Router to establish secure, real-time WebSocket connections

Keeper Stun/Turn Service

krelay.keepersecurity.[x]

Endpoints:

US: .com

EU: .eu

AU: .com.au

JP: .jp

CA: .ca

US_GOV: .us

TCP and UDP opened on Port 3478

Outbound access to TCP and UDP ports 49152 through 65535
Facilitates secure and encrypted WebRTC connections between end-user's vault and target systems via the Gateway
The Gateway preserves zero knowledge by performing all encryption and decryption of data locally. Keeper Secrets Manager APIs are used to communicate with the Keeper cloud. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.keeper.io/en/keeperpam/privileged-access-manager/references/gateway-network-configuration.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.