Skip to content

Latest commit

 

History

History
45 lines (30 loc) · 2.75 KB

firewall-and-security.md

File metadata and controls

45 lines (30 loc) · 2.75 KB

Firewall & Security

{% hint style="success" %} Connections are initiated in the outbound direction. There is no requirement for ports to be open inbound and there are no port forwarding requirements. The following information can be set as outbound rules only. {% endhint %}

ServiceSourceDestination portProtocol
Whereby signaling (wss)browser-device443TCP
Whereby TURN relay (TCP/TLS)browser-device443TCP
Whereby TURN relay (UDP)browser-device443UDP
Whereby TURN/SFU highportbrowser-device1024-65535UDP

Domain Whitelisting

If your firewall or proxy requires or allows whitelisting via domain, the following are relevant domains:

  • *.sfu.whereby.com
  • *.sfu.svc.whereby.com
  • *.srv.whereby.com
  • *.svc.whereby.com
  • *.appearin.net
  • *.turn.whereby.com
  • *.turn.svc.whereby.com

IP Whitelisting

Whereby servers don't currently have a static range of IP addresses. We can provide a list of current server IPs to our annual an enterprise customers upon request. Partner with your dedicated Success Manager or Solutions Engineer to obtain relevant information for your clients and discuss eligibility.

Additional Info

Signaling (wss)

Control messages between the clients and Whereby servers when in a call ("signaling") is transmitted over secure websockets (wss). These utilize the same ports as HTTPS, but will set up persistent two-way connections. Proxies and firewalls that intercept HTTPS traffic should be configured to allow websocket traffic towards these hosts/domains:

  • *.sfu.whereby.com
  • *.sfu.svc.whereby.com
  • *.srv.whereby.com
  • *.svc.whereby.com
  • *.appearin.net

TURN/SFU (media)

In order to transmit video and audio, participants must be allowed to send and receive packets containing media content. The optimal path for these packets is directly between participants, but where this is not possible or allowed Whereby provides a network of TURN servers that act as relays.

These servers are placed across the globe and participants will connect to the closest ones. Participants will connect to port 443 on these servers, using either UDP or TCP. For call quality and experience, UDP is the preferred protocol. The TURN servers are identified by the hostname patterns:

  • *.turn.whereby.com
  • *.turn.svc.whereby.com
  • turnserver.appearin.net