Solving Firewall-related issues

Domains & ports:

Schoolshape requires access to the following domains on port 443 to work:

  • schoolshape.com
  • static.schoolshape.com
  • media.schoolshape.com
  • rtc.schoolshape.com

If you have a custom language laboratory using another domain name, that domain must also be added to the above list.

All connections are encrypted with SSL.

Websockets

Schoolshape uses websockets which can occasionally be blocked by older firewalls.  If this is the case, then the software should automatically diagnose the problem and notify the user on login.  Blocking can be caused by two separate problems:

  • Response caching.  If the firewall attempts to cache the entire HTTPS response, then caching should be disabled for access to Schoolshape domains.
  • HTTPS certificate proxying combined with header stripping.  If your firewall has a "decrypt and scan", "HTTPS proxy" or similar function, it should be turned off for connections to "schoolshape.com" and "rtc.schoolshape.com".  It can remain enabled for other Schoolshape domains.
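
One way to confirm from a machine behind the firewall whether decryption is still applied to these domains (an added example, not Schoolshape's own tooling): it reads the certificate issuer each domain presents on port 443 and compares it with the name of your firewall's signing CA. The function names and the `FIREWALL_CA` value are assumptions for illustration.

```python
import socket
import ssl

# Domains listed on this page; all are reached on port 443.
DOMAINS = ["schoolshape.com", "static.schoolshape.com",
           "media.schoolshape.com", "rtc.schoolshape.com"]
# The page says decryption must be turned off for these two.
NO_DECRYPT = {"schoolshape.com", "rtc.schoolshape.com"}


def issuer_org(cert):
    """Issuer organisation (or common name) from ssl getpeercert() output."""
    fields = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    return fields.get("organizationName") or fields.get("commonName") or ""


def assess(domain, issuer, firewall_ca):
    """Classify one domain from the issuer seen inside the network."""
    intercepted = firewall_ca.lower() in issuer.lower()
    if not intercepted:
        return "ok: not decrypted"
    if domain in NO_DECRYPT:
        return "fix: decrypted, add bypass"
    return "ok: decrypted (Access- headers must pass)"


def fetch_issuer(domain, timeout=5):
    """TLS handshake on port 443; raises OSError if blocked or untrusted."""
    ctx = ssl.create_default_context()
    with socket.create_connection((domain, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=domain) as tls:
            return issuer_org(tls.getpeercert())


if __name__ == "__main__":
    # Assumption: replace with the name of your firewall's signing CA.
    FIREWALL_CA = "Example Firewall CA"
    for d in DOMAINS:
        try:
            print(d, "->", assess(d, fetch_issuer(d), FIREWALL_CA))
        except OSError as exc:  # covers ssl.SSLError, DNS errors, timeouts
            print(d, "-> blocked or handshake failed:", exc)
```

A certificate verification error here can also point to interception, by a firewall CA that the machine running the script does not trust.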

Guidance for specific firewalls

Sophos XG Firewall

First, the firmware should be updated to SFOS 16.05.6 MR-6 or newer.

In "Web filter" settings, "HTTPS Decryption" and "Policy Checks" should be skipped (by ticking the corresponding boxes in the version we tested) for all Schoolshape domains listed above.

Watchguard Firewall

If HTTPS proxying is disabled for Schoolshape domains, no special configuration is needed.

If you must enable HTTPS proxying, your firewall also needs to allow all Access-Control headers to be passed through, which modern browsers require to ensure security when accessing a content delivery network in a mixed security environment. Here is how to allow these headers in Watchguard:

From the Watchguard GUI, choose Setup -> Actions -> Proxies:

  • Choose HTTP Client -> Edit
  • Choose HTTP Response -> Header fields
  • Add a new rule allowing all headers starting with "Access-"