Only the Lapdev controller will serve traffic to end users, more specifically, the HTTP traffic to the Dashboard and API, and the SSH/HTTP traffic to the Proxy. The workspace hosts are not directly exposed to the end user at all, and they only need to accept network traffic from the controller and other workspace hosts for inter workspace RPC.

The firewall rules need to be configured as follows:

• allow TCP port 80 443 2222 from end users to Lapdev Controller

• allow TCP port 6123 from Lapdev Controller to Workspace Host

• allow TCP port 6122 from Workspace Host to Workspace Host