
Working Behind Firewalls and Proxies

Basic rules for getting LemonadeLXP out to your enterprise


For LemonadeLXP to function correctly, it must be served exactly as intended. Security appliances, sandboxing environments, web proxies, and local "scan-and-serve" antivirus appliances can cause significant issues.

Critical Consideration: The term "scan-and-serve" refers to proxied scanning of HTTPS traffic on port 443. Some security appliances decrypt payloads and responses locally before data reaches its endpoint. While the scanning itself poses no problem, the proxying does. When LemonadeLXP traffic is decrypted and re-served by such an appliance, the typical symptom is a CORS failure.


SSL Scanning Exemptions

First, whitelist your LemonadeLXP instance's primary domain. If you have the Academy add-on, whitelist its domain as well.

Once complete, you must ensure that resources from the following domains bypass your SSL scanning appliances. Without these exemptions, the platform may become inoperable.

Important: Whitelist the domains themselves, not their resolved IP addresses. IP-based whitelisting will not work reliably.

  • lemonade-user-data.s3.amazonaws.com

  • lemonade-cdn.s3.amazonaws.com

  • lemonade-scorm-drop.s3.amazonaws.com

  • lemonade-attachment-drop.s3.amazonaws.com

  • lemonade-transcoder-drop.s3.amazonaws.com

  • content.lemonadelxp.com

  • amazonaws.com

  • cloudflare.com

Secondary Features

Some platform features rely on third-party services. While LemonadeLXP can operate without them, we recommend whitelisting these domains as well to ensure full functionality.

Important: Here too, whitelist the domains themselves, not their resolved IP addresses. IP addresses should always be considered temporary/transient, as cloud providers often rotate them. Enumerating the IP addresses behind a hostname is not possible.

  • googleapis.com, required by StepYoutube (without it, YouTube integrations are likely to break).

  • intercomcdn.com, whose client API is used by your learners and administrators to connect with our support staff.

  • intercom.io, whose websockets are used for live connections between the Intercom platform and your users.

  • apis.google.com, required for Google SSO.

  • api.deepgram.com, required by StepChat.


Internal DNS Requirements

If your clients resolve names through an internal DNS resolver behind a firewall, make sure that queries to Cloudflare's nameservers are whitelisted at that firewall.

For example, if your assigned nameservers are josh.ns.cloudflare.com and sue.ns.cloudflare.com, you would want to ensure that the firewall is not:

  • blocking name resolution for josh.ns.cloudflare.com

  • blocking name resolution for sue.ns.cloudflare.com

  • blocking josh.ns.cloudflare.com on port 53, TCP

  • blocking josh.ns.cloudflare.com on port 53, UDP

  • blocking sue.ns.cloudflare.com on port 53, TCP

  • blocking sue.ns.cloudflare.com on port 53, UDP


No Double Proxies

We host all LemonadeLXP infrastructure through Cloudflare. Placing a second reverse proxy in front of Cloudflare (for example, proxying LemonadeLXP behind Akamai or a similar service) can cause multiple issues.

If you use an internal proxy or caching system on your network, add your LemonadeLXP domain to its bypass list.

This ensures only one reverse proxy (Cloudflare) exists in the chain.
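One way to express both bypass lists from this article (the SSL scanning exemptions and the internal proxy bypass) is a proxy auto-config (PAC) file that browsers evaluate per request. The following is an added example, not LemonadeLXP's own configuration; the instance hostname lxp.example.com and the proxy address proxy.example.internal:8080 are placeholders, and the rest of the list is taken from the domains above.

```javascript
// Added example (not LemonadeLXP's configuration): a PAC file that sends the
// LemonadeLXP hosts listed in this article DIRECT, so they bypass the internal
// proxy and any SSL-inspecting appliance, and routes everything else through
// the corporate proxy. Placeholder values: lxp.example.com, proxy.example.internal.
var LXP_BYPASS_DOMAINS = [
  "lxp.example.com",                          // your LemonadeLXP instance (placeholder)
  "lemonade-user-data.s3.amazonaws.com",
  "lemonade-cdn.s3.amazonaws.com",
  "lemonade-scorm-drop.s3.amazonaws.com",
  "lemonade-attachment-drop.s3.amazonaws.com",
  "lemonade-transcoder-drop.s3.amazonaws.com",
  "content.lemonadelxp.com",
  "amazonaws.com",
  "cloudflare.com",
  // Secondary features
  "googleapis.com",
  "intercomcdn.com",
  "intercom.io",
  "apis.google.com",
  "api.deepgram.com"
];

var CORPORATE_PROXY = "PROXY proxy.example.internal:8080"; // placeholder

// True when host is the domain itself or a subdomain of it. The match is on the
// hostname only, never on resolved addresses (no isInNet()), because the IPs
// behind these names rotate and cannot be enumerated.
function hostInDomain(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  return host.length > domain.length &&
    host.slice(host.length - domain.length - 1) === "." + domain;
}

function isLxpHost(host) {
  for (var i = 0; i < LXP_BYPASS_DOMAINS.length; i++) {
    if (hostInDomain(host, LXP_BYPASS_DOMAINS[i])) return true;
  }
  return false;
}

// Entry point the browser calls for every URL it is about to fetch.
function FindProxyForURL(url, host) {
  if (isLxpHost(host)) return "DIRECT";
  return CORPORATE_PROXY;
}
```

Serve the file from your proxy configuration (or WPAD) as usual; the suffix match deliberately rejects look-alike hosts such as notintercom.io while accepting any subdomain of a listed domain.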


⚠️ VPN and Static IP Configuration

If you use a VPN appliance or tunneling strategy that routes your organization's traffic through specific static IP addresses, please inform us so we can configure these in our firewall. This is especially important if your fixed IPs belong to:

  • ASNs (Autonomous System Numbers) on our threat monitoring list

  • Public cloud providers


Email Delivery Configuration

LemonadeLXP sends various emails to your learners during normal operation. Some are mission-critical, including:

  • New account creation notifications

  • Password recovery emails

To ensure reliable delivery, please whitelist [email protected] (our email sending domain) in your mail transfer agent (MTA).

Account Provisioning Best Practice

Always ensure that user email inboxes exist before provisioning their LemonadeLXP accounts. If an account is created before its corresponding inbox exists, our MTA (Mailgun) will detect the bounce and soft-ban that email address, preventing future delivery.

Best practice: Verify email inbox availability before account creation.
