Web Server

In front of the Grape Application, you need a web server that has a valid TLS certificate for the domain where grape will run (e.g. You can either provide this on a separate machine or install a web server on the machine that runs Grape. If the web server that does the TLS termination runs on a separate machine, the network connection between the two machines should be encrypted.

The step-by-step install guides contain a section on how to setup an nginx webserver to work with Grape.

Edge Server

Optionally, you can setup a second Grape Web Server as an Edge Server. This server can stay in the DMZ and allow users from the outside to connect to Grape without using VPN - this is particularly useful when some mobile devices have no VPN set up but still need to access Grape without compromising security.

The Edge Server is a HTTP reverse proxy and can be set up by the client or by our networking team. It needs to be able to connect to the internal Grape reverse-proxy on port 443 as well as accept the internal reverse-proxy’s SSL certificate as valid.


External (required)

These ports must be open to the internet

Service Direction Protocol Ports Hostnames/IPs
Grape In TCP 443
your Grape Server
GCM (Android Push Notifications) [1] Out TCP 443
  Out TCP 443
  Out TCP 443
or allow those IPs(Google IPs list)
APNs (iOS Push Notifications) [2]
In & Out TCP 443 (
HTTP/2, TLS 1.2
WNS (Windows Phone 8.1 Push) [3] Out TCP 443
Grape Docker Registry Out TCP 443 Out TCP 443
Grape Docker Image Distribution Out TCP 443
Jitsi Clients Connection Out UDP 11100-11200

External Search Integrations (optional)

All built-in External Search Integrations use HTTPS. For more information on how to set them up see Built-in External Search Integrations

The Server will try to generate a preview for the links posted in the chat, this will often require additional hostnames/URLs to be whitelisted, hence the list of hostnames for each service.

Service Direction Protocol Ports Hostnames/URLs
(All) Out TCP 443
YouTube Out TCP 443,
Wikipedia Out TCP 443
StackOverflow Out TCP 443
Spotify Out TCP 443
Imgur Out TCP 443
Google Maps Out TCP 443
Giphy Out TCP 443, https://*


Depending on your setup, Grape also needs to be able to communicate internally in your network:

  • Active Directory server
  • File server
  • SMTP server
  • All integrated services (Sharepoint, Exchange, …)
Service Direction Protocol Ports Note
SMTP Out TCP 25/587 You can configure the SMTP port in the grape setup
Exchange Integration In & Out TCP 443 HTTPS requests need to work in both directions
Netapp Integration Out TCP 139 SMB 2.0
Sharepoint 2013 Out TCP 80/443