diff --git a/server/lib/traefik/TraefikConfigManager.ts b/server/lib/traefik/TraefikConfigManager.ts index 42baf41b5..cc7299ff7 100644 --- a/server/lib/traefik/TraefikConfigManager.ts +++ b/server/lib/traefik/TraefikConfigManager.ts @@ -511,6 +511,12 @@ export class TraefikConfigManager { let traefikConfig; try { const currentExitNode = await getCurrentExitNodeId(); + + const maintenancePort = config.getRawConfig().server.next_port; + const maintenanceHost = + config.getRawConfig().server.internal_hostname; + const pangolinUIUrl = `http://${maintenanceHost}:${maintenancePort}`; + // logger.debug(`Fetching traefik config for exit node: ${currentExitNode}`); traefikConfig = await getTraefikConfig( // this is called by the local exit node to get its own config @@ -521,7 +527,8 @@ export class TraefikConfigManager { build == "saas" ? false : config.getRawConfig().traefik.allow_raw_resources, // dont allow raw resources on saas otherwise use config - build != "oss" // generate browser gateway targets on cloud and enterprise + pangolinUIUrl, // generate maintenance pages on cloud and hybrid + pangolinUIUrl // generate browser gateway targets on cloud and hybrid ); const domains = new Set(); diff --git a/server/lib/traefik/getTraefikConfig.ts b/server/lib/traefik/getTraefikConfig.ts index 48eb03638..c63b5b718 100644 --- a/server/lib/traefik/getTraefikConfig.ts +++ b/server/lib/traefik/getTraefikConfig.ts 
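Review bot: `pangolinUIUrl` is built with a template literal, so it is always a non-empty string, and the `if (maintenancePageUiUrl)` and `if (browserGatewayUiUrl)` gates in getTraefikConfig can never switch the features off from this caller. Unless the config schema guarantees both settings, a missing `server.internal_hostname` or `server.next_port` yields `http://undefined:undefined`, which is then written into the Traefik service as a backend. Guard before building the URL, for example `if (!maintenanceHost || !maintenancePort)`, and pass `null` in that case. The same three lines are added in traefikConfigProvider.ts, and the enclosing `try` block continues outside this hunk.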
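Review bot: The explicit `build != "oss"` gate on browser gateway targets is removed in this call and nothing visible replaces it, since both new arguments are the always-truthy `pangolinUIUrl`. If the private getTraefikConfig can be reached in an OSS build, maintenance and browser gateway routers would now be generated where they were previously suppressed; that cannot be confirmed from this hunk. If the gate is still wanted, keep it in the argument: `build != "oss" ? pangolinUIUrl : null,`. traefikConfigProvider.ts drops the same condition, and the start of this call is outside the hunk.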
@@ -44,8 +44,8 @@ export async function getTraefikConfig( filterOutNamespaceDomains = false, // UNUSED BUT USED IN PRIVATE generateLoginPageRouters = false, // UNUSED BUT USED IN PRIVATE allowRawResources = true, - allowMaintenancePage = true, // UNUSED BUT USED IN PRIVATE - allowBrowserGatewayResources = true + maintenancePageUiUrl: string | null = null, // UNUSED BUT USED IN PRIVATE + browserGatewayUiUrl: string | null = null // UNUSED BUT USED IN PRIVATE ): Promise { // Get resources with their targets and sites in a single optimized query // Start from sites on this exit node, then join to targets and resources diff --git a/server/private/lib/traefik/getTraefikConfig.ts b/server/private/lib/traefik/getTraefikConfig.ts index e81715d3b..c188178a3 100644 --- a/server/private/lib/traefik/getTraefikConfig.ts +++ b/server/private/lib/traefik/getTraefikConfig.ts @@ -84,8 +84,8 @@ export async function getTraefikConfig( filterOutNamespaceDomains = false, generateLoginPageRouters = false, allowRawResources = true, - allowMaintenancePage = true, - allowBrowserGatewayResources = true + maintenancePageUiUrl: string | null = null, + browserGatewayUiUrl: string | null = null ): Promise { // Get resources with their targets and sites in a single optimized query // Start from sites on this exit node, then join to targets and resources @@ -317,7 +317,7 @@ export async function getTraefikConfig( BrowserGatewayResourceEntry >(); - if (allowBrowserGatewayResources) { + if (browserGatewayUiUrl) { for (const row of resourcesWithTargetsAndSites) { if (!["ssh", "vnc", "rdp"].includes(row.mode)) { continue; @@ -630,7 +630,7 @@ export async function getTraefikConfig( } } - if (showMaintenancePage && allowMaintenancePage) { + if (showMaintenancePage && maintenancePageUiUrl) { const maintenanceServiceName = `${key}-maintenance-service`; const maintenanceRouterName = `${key}-maintenance-router`; const rewriteMiddlewareName = `${key}-maintenance-rewrite`; 
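Review bot: The two new parameters change meaning from an on/off flag to "a URL, or null to disable", and neither this signature nor the private one documents that contract. Add TSDoc on the function stating, for `maintenancePageUiUrl`, that it is the absolute http(s) URL of the UI that serves maintenance pages, as reachable from the Traefik instance that consumes this config, and that `null` disables maintenance routers; describe `browserGatewayUiUrl` the same way. It is also worth stating that an empty string is treated like `null`, because the private implementation tests the value for truthiness. The function body continues outside the hunk.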
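Review bot: In the hunks shown, `browserGatewayUiUrl` is only ever tested for truthiness (here and again at the later `if (browserGatewayUiUrl)`), and the block it guards still uses the fixed `browserGatewayPort = 39999`. If the URL is not consumed elsewhere in the function, the parameter is a boolean carrying a URL-shaped name, and callers will assume the value they pass decides where traffic goes. Either use the URL when building the gateway service or keep this parameter a boolean; which of the two applies cannot be seen from this hunk.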
@@ -646,15 +646,11 @@ export async function getTraefikConfig( ? `*.${domainParts.slice(1).join(".")}` : fullDomain; - const maintenancePort = config.getRawConfig().server.next_port; - const maintenanceHost = - config.getRawConfig().server.internal_hostname; - config_output.http.services[maintenanceServiceName] = { loadBalancer: { servers: [ { - url: `http://${maintenanceHost}:${maintenancePort}` + url: maintenancePageUiUrl } ], passHostHeader: true @@ -1027,7 +1023,7 @@ export async function getTraefikConfig( } } - if (allowBrowserGatewayResources) { + if (browserGatewayUiUrl) { // Generate Traefik config for browser gateway resources const browserGatewayPort = 39999; for (const [, bgResource] of browserGatewayResourcesMap.entries()) { @@ -1119,7 +1115,7 @@ export async function getTraefikConfig( } } - if (showBgMaintenancePage && allowMaintenancePage) { + if (showBgMaintenancePage && maintenancePageUiUrl) { const bgMaintenanceServiceName = `bg-r${bgResource.resourceId}-maintenance-service`; const bgMaintenanceRouterName = `bg-r${bgResource.resourceId}-maintenance-router`; const bgRewriteMiddlewareName = `bg-r${bgResource.resourceId}-maintenance-rewrite`; @@ -1129,10 +1125,6 @@ export async function getTraefikConfig( const entrypointHttps = config.getRawConfig().traefik.https_entrypoint; - const maintenancePort = config.getRawConfig().server.next_port; - const maintenanceHost = - config.getRawConfig().server.internal_hostname; - if (!config_output.http.services) config_output.http.services = {}; if (!config_output.http.middlewares) @@ -1144,7 +1136,7 @@ export async function getTraefikConfig( loadBalancer: { servers: [ { - url: `http://${maintenanceHost}:${maintenancePort}` + url: maintenancePageUiUrl } ], passHostHeader: true diff --git a/server/private/routers/hybrid.ts b/server/private/routers/hybrid.ts index c6be3e7d1..8beea35f0 100644 --- a/server/private/routers/hybrid.ts +++ b/server/private/routers/hybrid.ts 
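Review bot: `maintenancePageUiUrl` is written into `servers[].url` exactly as the caller supplied it, with no check that it is an absolute http(s) URL, and the hybrid route now supplies `app.dashboard_url` instead of the internal host and port. Parse it once near the top of getTraefikConfig and skip maintenance generation (with a log line) for anything else, for example `const ui = new URL(maintenancePageUiUrl);` followed by `if (ui.protocol !== "http:" && ui.protocol !== "https:") { /* log and disable */ }`. Please also confirm that `passHostHeader: true` is still correct when the backend is the public dashboard, since the resource's own Host header would be forwarded to it. The same assignment is made for the browser-gateway maintenance service in the last hunk of this file.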
@@ -277,6 +277,8 @@ hybridRouter.get( ); } + const pangolinUIUrl = config.getRawConfig().app.dashboard_url; // points to the dashboard to serve from there + try { const traefikConfig = await getTraefikConfig( remoteExitNode.exitNodeId, @@ -284,8 +286,8 @@ hybridRouter.get( true, // But don't allow domain namespace resources false, // Dont include login pages, true, // allow raw resources - false, // dont generate maintenance page - false // dont generate browser gateway targets + pangolinUIUrl, // dont generate maintenance page + pangolinUIUrl // generate browser gateway targets ); return response(res, { diff --git a/server/routers/newt/handleNewtGetConfigMessage.ts b/server/routers/newt/handleNewtGetConfigMessage.ts index d78fa6f71..ff5d83799 100644 --- a/server/routers/newt/handleNewtGetConfigMessage.ts +++ b/server/routers/newt/handleNewtGetConfigMessage.ts @@ -54,7 +54,7 @@ export const handleNewtGetConfigMessage: MessageHandler = async (context) => { // TODO: somehow we should make sure a recent hole punch has happened if this occurs (hole punch could be from the last restart if done quickly) } - if (existingSite.lastHolePunch && now - existingSite.lastHolePunch > 5) { + if (existingSite.lastHolePunch && now - existingSite.lastHolePunch > 12) { logger.warn( `Site last hole punch is too old; skipping this register. The site is failing to hole punch and identify its network address with the server. Can the site reach the server on UDP port ${config.getRawConfig().gerbil.clients_start_port}?` ); diff --git a/server/routers/olm/handleOlmRegisterMessage.ts b/server/routers/olm/handleOlmRegisterMessage.ts index 3b0e1637a..9fe09736f 100644 --- a/server/routers/olm/handleOlmRegisterMessage.ts +++ b/server/routers/olm/handleOlmRegisterMessage.ts 
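Review bot: The trailing comment on the sixth argument still reads `// dont generate maintenance page`, but the call now passes `pangolinUIUrl`, which enables maintenance routers for remote exit nodes whenever `app.dashboard_url` is set. Update it, for example `pangolinUIUrl, // serve maintenance pages from the dashboard`. The change also alters what a remote node's Traefik is told to proxy to: the backend becomes the dashboard URL, so that value has to be reachable from the remote node and should be validated before it is sent. If `dashboard_url` is empty, both features are switched off silently, and a warning log at that point would make the misconfiguration visible. The handler starts and ends outside these hunks.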
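Review bot: The hole-punch age limit changes from `5` to `12` as a bare literal with no unit or rationale, and the identical edit is made in handleOlmRegisterMessage.ts. This check ties a register to a recently observed hole punch, so raising the limit also widens the window in which an older network address is accepted. A shared, documented constant would make that trade-off explicit, e.g. `const MAX_HOLE_PUNCH_AGE = 12; // same unit as now; raised from 5 because <reason>`. This handler also skips the check entirely when `lastHolePunch` is falsy, whereas the olm handler treats a missing value as `0` and rejects; align the two if that difference is not intended. The handler continues outside the hunk.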
@@ -348,7 +348,7 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => { // this prevents us from accepting a register from an olm that has not hole punched yet. // the olm will pump the register so we can keep checking // TODO: I still think there is a better way to do this rather than locking it out here but ??? - if (now - (client.lastHolePunch || 0) > 5 && sitesCount > 0) { + if (now - (client.lastHolePunch || 0) > 12 && sitesCount > 0) { logger.warn( `[handleOlmRegisterMessage] Client last hole punch is too old and we have sites to send; skipping this register. The client is failing to hole punch and identify its network address with the server. Can the client reach the server on UDP port ${config.getRawConfig().gerbil.clients_start_port}?`, { orgId: client.orgId, clientId: client.clientId } diff --git a/server/routers/traefik/traefikConfigProvider.ts b/server/routers/traefik/traefikConfigProvider.ts index 5da8eba4b..04cb30530 100644 --- a/server/routers/traefik/traefikConfigProvider.ts +++ b/server/routers/traefik/traefikConfigProvider.ts @@ -17,13 +17,18 @@ export async function traefikConfigProvider( // Get the current exit node name from config const currentExitNodeId = await getCurrentExitNodeId(); + const maintenancePort = config.getRawConfig().server.next_port; + const maintenanceHost = config.getRawConfig().server.internal_hostname; + const pangolinUIUrl = `http://${maintenanceHost}:${maintenancePort}`; + const traefikConfig = await getTraefikConfig( currentExitNodeId, config.getRawConfig().traefik.site_types, build == "oss", // filter out the namespace domains in open source build != "oss", // generate the login pages on the cloud and and enterprise, config.getRawConfig().traefik.allow_raw_resources, - build != "oss" // generate browser gateway resources on cloud and enterprise + pangolinUIUrl, + pangolinUIUrl ); if (traefikConfig?.http?.middlewares) {
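Review bot: The two new `pangolinUIUrl` arguments in the traefikConfigProvider call carry no trailing comment, unlike the other positional arguments, so a reader cannot tell which one feeds the maintenance page and which the browser gateway. Label them, `pangolinUIUrl, // maintenance page backend` and `pangolinUIUrl // browser gateway UI`. The three lines that build the URL duplicate those added in TraefikConfigManager.ts, and a single exported helper would keep the two callers from drifting apart. The function body continues outside the hunk.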