diff --git a/charts/visual-tom/Chart.yaml b/charts/visual-tom/Chart.yaml
index c535a41..b82f61f 100644
--- a/charts/visual-tom/Chart.yaml
+++ b/charts/visual-tom/Chart.yaml
@@ -7,7 +7,7 @@ description: >
 type: application
 # Chart version (follows SemVer). Increment on every chart change.
-version: 0.2.2
+version: 0.2.3
 # Reference application version (VTOM). ITC, ITM and MFT versions are defined in values.yaml.
 appVersion: "7.3.2c"
diff --git a/charts/visual-tom/templates/common/networkpolicy.yaml b/charts/visual-tom/templates/common/networkpolicy.yaml
index c0d41d1..1b7c0e6 100644
--- a/charts/visual-tom/templates/common/networkpolicy.yaml
+++ b/charts/visual-tom/templates/common/networkpolicy.yaml
@@ -99,13 +99,13 @@ spec:
 - port: {{ .Values.vtom.ports.svtnotifier }}
 protocol: TCP
-{{- if .Values.vtom.apiserverExternalEgress.port }}
+{{- if .Values.vtom.apiserverExternalEgress }}
 ---
-# vtom-apiserver sends outbound traffic on dedicated external port
+# vtom-apiserver outbound rules to external endpoints
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
- name: allow-egress-apiserver-external-port
+ name: allow-egress-apiserver-external
 namespace: {{ include "vtom.namespace" . }}
 labels:
 {{- include "vtom.labels" . | nindent 4 }}
@@ -116,12 +116,14 @@ spec:
 policyTypes:
 - Egress
 egress:
+ {{- range .Values.vtom.apiserverExternalEgress }}
 - to:
 - ipBlock:
- cidr: {{ .Values.vtom.apiserverExternalEgress.cidr }}
+ cidr: {{ .cidr | quote }}
 ports:
- - port: {{ .Values.vtom.apiserverExternalEgress.port }}
- protocol: TCP
+ - port: {{ .port }}
+ protocol: {{ .protocol | default "TCP" }}
+ {{- end }}
 {{- end }}
 ---
diff --git a/charts/visual-tom/values-client-template.yaml b/charts/visual-tom/values-client-template.yaml
index 050b633..5655655 100644
--- a/charts/visual-tom/values-client-template.yaml
+++ b/charts/visual-tom/values-client-template.yaml
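Review bot: The new guard `{{- if .Values.vtom.apiserverExternalEgress }}` is true for any non-empty value, so a client values file that still carries the previous map form (the `port`/`cidr` keys removed in the values-client-template.yaml and values.yaml hunks) will most likely pass it and then break inside the `range` of the next hunk with a field-lookup error on a string, with nothing pointing at the changed layout. A shape check makes the migration explicit: `{{- if and .Values.vtom.apiserverExternalEgress (kindIs "slice" .Values.vtom.apiserverExternalEgress) }}` followed by an `{{- else if .Values.vtom.apiserverExternalEgress }}{{ fail "vtom.apiserverExternalEgress is now a list of {port, protocol, cidr} entries" }}` branch, or at least an upgrade note in the chart README. The `if` opened here is closed by the `{{- end }}` in the following hunk.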
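Review bot: `port: {{ .port }}` renders an empty value when an entry omits `port` (or keeps the old `port: ""`), and a NetworkPolicy port entry without `port` matches every port of that protocol, so one incomplete entry silently widens apiserver egress to all TCP ports of the CIDR; the removed `if ...port` guard used to rule that out. Make both fields mandatory so rendering fails instead: `cidr: {{ required "vtom.apiserverExternalEgress[].cidr is required" .cidr | quote }}` and `port: {{ required "vtom.apiserverExternalEgress[].port is required" .port }}`. The enclosing NetworkPolicy begins in the previous hunk.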
@@ -3,12 +3,7 @@
 #
 # This file contains ONLY the values specific to your deployment.
 # It is layered on top of the chosen cloud profile (values-azure.yaml, etc.)
-#
-# Deployment:
-# helm install vtom ./helm/vtom \
-# -f values-azure.yaml \ ← cloud profile (choose the right one)
-# -f values-mycompany.yaml \ ← this file renamed
-# --namespace vtom- --create-namespace
+# See README.md / README-fr.md for full deployment instructions.
 # =============================================================================
 # Target Kubernetes namespace — REQUIRED (must match the --namespace of helm install)
@@ -32,11 +27,13 @@ vtom:
 repository: "visual-tom-core"
 tag: "" # TODO: VTOM version, e.g.: "7.3.2a"
- # Internal VTOM server name — must match the VTOM registration
- # and the license (the license is tied to this name).
- # DO NOT change even if multiple instances coexist on the cluster:
- # each instance is in a different namespace, so the K8s FQDN is unique
- # (e.g.: vtom-server.vtom-client-a.svc.cluster.local).
+ # Short hostname of the VTOM server — used as the K8s Service name and pod hostname.
+ # Must be a simple DNS label (lowercase, hyphens only — no dots, no FQDN).
+ # External agents must be able to resolve this name (set it to serverService.hostname
+ # or the LoadBalancer IP if no DNS hostname is assigned). The default K8s service name
+ # "vtom-server" is only reachable inside the cluster.
+ # Tip: add a "DomainName = mycompany.com" entry in the server's vtom.ini to have VTOM
+ # automatically send "." to agents instead of just serverName.
 serverName: vtom-server
 # Domain name for the web interface (vtom-apiserver)
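Review bot: The rewritten serverName comment contradicts itself: it requires a plain DNS label with no dots, then tells the reader to set the value to `serverService.hostname` or the LoadBalancer IP, both of which contain dots and neither of which is a valid Service name or pod hostname. If external agents need a resolvable name, that advice belongs with the vtom.ini `DomainName` tip below it (or with the serverService.hostname setting), not with serverName itself; suggested wording: `# External agents must be able to resolve the name VTOM sends them — see the DomainName tip below; keep serverName itself a plain label.` The tip line reads `send "." to agents`, which looks like a placeholder lost between the quotes (presumably the serverName.DomainName form) — confirm against the source text; the same wording appears in the values.yaml serverName hunk.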
@@ -52,7 +49,8 @@ vtom:
 database:
 name: vtom # TODO: PostgreSQL VTOM database name (e.g.: vtom, visual_tom)
- # LoadBalancer Service for the VTOM Desktop Client (TCP ports 30xxx)
+ # LoadBalancer Service for external VTOM access (TCP ports 30xxx):
+ # VTOM Desktop Client (IHM Java), external agents returning job status, vtom CLI
 serverService:
 # Static IP — pre-reserve in your cloud provider to survive LB reprovisioning.
 # Leave empty to let the cloud assign a dynamic IP.
@@ -80,12 +78,13 @@ vtom:
 # nodeSelector:
 # agentpool: vtom
 # affinity: {}
- # Outbound traffic from vtom-apiserver to an external endpoint.
- # TODO: change only if your external service uses a different TCP port.
- apiserverExternalEgress:
- port: "" # TODO: e.g.: 30034 (leave empty to disable this rule)
- # TODO: restrict to the target CIDR whenever possible (avoid 0.0.0.0/0 in production).
- cidr: "0.0.0.0/0"
+ # Outbound rules from vtom-apiserver to external endpoints (e.g. MFT on a remote cluster).
+ # Each entry creates one egress NetworkPolicy rule. Leave empty (default) to disable.
+ # TODO: restrict cidr to the target subnet whenever possible (avoid 0.0.0.0/0 in production).
+ apiserverExternalEgress: []
+ # - port: 30034 # TODO: port of the target service
+ # protocol: TCP
+ # cidr: "10.0.0.0/8"
 # -----------------------------------------------------------------------------
 # ITC (Visual TOM User Portal)
diff --git a/charts/visual-tom/values.yaml b/charts/visual-tom/values.yaml
index 08e801c..49e2220 100644
--- a/charts/visual-tom/values.yaml
+++ b/charts/visual-tom/values.yaml
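Review bot: The commented example `cidr: "10.0.0.0/8"` opens a whole private /8, which sits oddly under the TODO asking to restrict cidr to the target subnet; an example narrowed to a host or small subnet (e.g. `cidr: "10.20.30.40/32"`, constructed value) models the intended use better. The comment should also state that `port` and `cidr` are required per entry, since the template renders an all-ports rule for that CIDR when `port` is absent. The same example is repeated in the values.yaml hunk.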
@@ -43,8 +43,9 @@ vtom:
 pullPolicy: IfNotPresent
 # Internal VTOM name: hostname of the server pod and name of the K8s server Service.
- # VTOM registers with this name; the agent calls back the server via this hostname.
- # ITC connects to vtom-apiserver via this name (+ port 30002).
+ # Must be a valid DNS label (lowercase, hyphens only — no dots, no FQDN).
+ # Tip: add a "DomainName = mycompany.com" entry in the server's vtom.ini to have VTOM
+ # automatically send "." to agents instead of just serverName.
 serverName: vtom-server
 # Timezone shared by all VTOM components
@@ -155,13 +156,12 @@ vtom:
 tolerations: []
 nodeSelector: {}
 affinity: {}
- # Dedicated outbound rule for vtom-apiserver (external integration endpoint).
- apiserverExternalEgress:
- # Leave empty to disable this dedicated egress rule.
- port: ""
- # Destination CIDR allowed for the dedicated outbound rule above.
- # Keep as narrow as possible in production.
- cidr: "0.0.0.0/0"
+ # Outbound rules for vtom-apiserver to external endpoints (e.g. MFT on another cluster).
+ # Each entry creates one egress NetworkPolicy rule. Leave empty to disable.
+ apiserverExternalEgress: []
+ # - port: 30034
+ # protocol: TCP
+ # cidr: "10.0.0.0/8" # restrict to the target CIDR whenever possible
 # -----------------------------------------------------------------------------
 # ITC (Visual TOM User Portal)