Overview
Before users can log into and use an itopia CloudApps Classroom Lab, District Administrators may need to complete a few steps to allow for proper functionality. These include:
Outbound access from within the school district network
Inbound access from static itopia CloudApps Classroom IPs for access to network license servers
Application access approvals from your Google Workspace tenant
Proper licensing for applications
In this article, we'll review:
Network access to itopia services
School networks are often protected with multiple layers of networking security to prevent access to unauthorized content and protect internal resources. These protections typically include network firewalls and content filtering devices.
So that your students and instructors can access their CloudApps sessions, configure your network security platforms to permit outbound traffic to the following addresses and domains.
Content filtering
If your network includes content filtering devices (sometimes called reverse proxies), it may be necessary to exclude itopia CloudApps from filter rules. This is commonly done by adding a set of DNS domains to an allow list (previously called whitelist) to ensure that traffic destined for those domains is not blocked or inspected.
Domain Allow List
To ensure that on-network devices can access all itopia CloudApps functionality, make sure that the following domains are allowed:
Global access
# Admin and User Portals
labs.itopia.com
labs-admin.itopia.com
labs-api.itopia.com
labs-auth.itopia.com
US region
iap-istio-us-central1.labs.itopia.app
iap-istio-us-east1.labs.itopia.app
iap-istio-us-west1.labs.itopia.app
# Cluster endpoints
broker-us-central1.labs.itopia.app
broker-us-east1.labs.itopia.app
broker-us-west1.labs.itopia.app
# Speed test feature
speedtest-us-central1.labs.itopia.app
speedtest-us-east1.labs.itopia.app
speedtest-us-west1.labs.itopia.app
Australia region
iap-istio-us-central1.labs.itopia.app
# Cluster endpoints
broker-australia-southeast1.labs.itopia.app
# Speed test feature
k12-speedtest-australia-southeast1-ssedzsxdcq-ts.a.run.app
Packet inspection / SSL decryption
If your content filtering device performs packet inspection and/or SSL decryption, these technologies will significantly impact the performance of CloudApps desktop sessions. It is highly recommended to disable this functionality for the domains listed above.
itopia CloudApps can provide desktop-level monitoring and filtering solutions to ensure that students do not access unauthorized material from within their CloudApps sessions. Contact your itopia Account Executive to discuss available options.
Network firewall
itopia CloudApps requires only standard, outbound HTTP(S) connectivity to the domains listed above.
If you are performing strict outbound firewall filtering, ensure that the following IP addresses can be accessed on the following ports for the itopia STUN/TURN traffic.
Protocol | Ports |
TCP | 80, 443, 3478, 25000-65535 |
UDP | 80, 443, 3478, 25000-65535 |
US region
199.36.158.100
34.135.61.130
34.139.192.93
34.139.192.193
35.233.184.98
35.244.13.127
34.105.58.65
Australia region
34.160.189.35 - signal
35.197.183.181 - turn
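One way to check a strict outbound rule set against the ports and addresses above before rollout. This is an added example, not itopia's own tooling: the rule tuple format, the sample rules and the default-deny assumption are constructed for illustration, and only the ports and the two Australia-region addresses come from this article.

```python
import ipaddress

# Ports the page lists for STUN/TURN traffic; each applies to TCP and UDP.
REQUIRED_PORTS = [(80, 80), (443, 443), (3478, 3478), (25000, 65535)]
# Australia-region addresses from the list above; substitute your region's.
REQUIRED_IPS = ["34.160.189.35", "35.197.183.181"]

# Constructed sample of outbound allow rules, default deny assumed. The tuple
# format (protocol, destination CIDR, first port, last port) is hypothetical.
SAMPLE_RULES = [
    ("tcp", "0.0.0.0/0", 80, 443),
    ("udp", "0.0.0.0/0", 443, 443),
    ("tcp", "34.160.189.35/32", 3478, 3478),
    ("udp", "34.160.189.35/32", 3478, 3478),
    ("tcp", "35.197.183.0/24", 3478, 40000),
    ("tcp", "35.197.183.181/32", 40001, 65535),
    ("udp", "35.197.183.181/32", 3478, 3478),
]

def uncovered(lo, hi, allowed):
    """Return the sub-ranges of [lo, hi] that no allowed range covers."""
    gaps, cursor = [], lo
    for a_lo, a_hi in sorted(allowed):
        if a_hi < cursor:
            continue                      # range ends before the open gap
        if a_lo > hi:
            break                         # remaining ranges start too late
        if a_lo > cursor:
            gaps.append((cursor, a_lo - 1))
        cursor = a_hi + 1
    if cursor <= hi:
        gaps.append((cursor, hi))
    return gaps

def audit(rules, ips=REQUIRED_IPS):
    """List (ip, protocol, first_port, last_port) ranges the rules block."""
    missing = []
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        for proto in ("tcp", "udp"):
            allowed = [(lo, hi) for p, cidr, lo, hi in rules
                       if p == proto and addr in ipaddress.ip_network(cidr)]
            for lo, hi in REQUIRED_PORTS:
                missing += [(ip, proto, g_lo, g_hi)
                            for g_lo, g_hi in uncovered(lo, hi, allowed)]
    return missing

if __name__ == "__main__":
    print(*audit(SAMPLE_RULES), sep="\n")
```

An empty result means every required protocol, port and address combination is permitted; with the sample rules, the gaps are mostly UDP ranges, the kind of omission that is easy to miss when only TCP is tested from a browser.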
Inbound connectivity
US region
35.247.99.83
34.105.58.65
34.136.237.224
34.72.27.102
34.73.162.139
34.73.72.8
Australia region
34.151.107.138
35.244.106.60
Network bandwidth and performance
itopia CloudApps is designed to dynamically adapt to clients' network performance and deliver the best available experience. However, itopia recommends the following minimum network connectivity specifications to ensure a stable and performant session for users.
Metric | Recommendation | Explanation |
Download speed / bandwidth | Graphics-accelerated sessions (e.g., Adobe Creative Cloud or Blender): 4 Mbps or higher. Non-accelerated sessions (e.g., Microsoft Office or Computer Science): 2 Mbps or higher | Download speed refers to the rate that data can be received by the client. Higher bandwidth allows CloudApps to stream the desktop with less compression and higher framerate, resulting in a smoother, clearer image. |
Upload speed / bandwidth | 1 Mbps or higher | Upload speed refers to the rate that data can be transmitted from the client. Typically, upstream data is restricted to keyboard and mouse input and therefore does not require much bandwidth. |
Latency (round-trip) | Recommended: 60ms or less. Maximum: 200ms or less | Latency refers to the delay between data being sent from CloudApps and received by the client, or vice-versa. Lower latency means that user input (keystrokes or mouse movement) is represented more quickly in the CloudApps session. |
Packet loss | 0.25% or less | Packet loss refers to the number of data packets that must be re-transmitted between CloudApps and the client and reflects the stability of the client's connection to the CloudApps environment. Higher rates of packet loss mean more data has to be re-sent, resulting in intermittent delays or garbled displays. |
Users can view their network status from within their CloudApps session using the "flyout" menu on the right-hand side of their browser window. This menu monitors the metrics listed above and is useful for troubleshooting connectivity issues. Users are automatically notified if CloudApps detects persistent network performance issues.
Application access approval
If you are a Google Workspace district, users designated under age 18 may receive the following message when they try to access the student portal (https://labs.itopia.com):
If this happens, please log into your Google Workspace admin console and head to:
Security > API Controls > App Access Control
Look for the app called “App Launcher”. The ID for the itopia app will start with 429027536837.
App name | ID |
App Launcher | 429027536837-othm9k8skdiakiqhko4u4u8dtlhffqis.apps.googleusercontent.com |
The App Access Control page should look like this:
Once the app is approved students will be able to log in to https://labs.itopia.com using their Google account.
Application licensing
For all application licensing information, check out this article.
📝 Note
Some applications, such as Autodesk, allow the use of both a named user license and a network license; others, such as Adobe Creative Cloud, allow only named user licenses.