Firewall configuration for SecureVideo

Support Center > Tips and Settings

Published 12/18/2013 at 6:51pm UTC

Page viewed 69007 times

Details

What firewall changes do I need to make so that my organization can use SecureVideo?

 

If you would like notifications when changes are made to these rules, please sign up for our IP address changes announcement list.

 

Answer

 

If your organizational firewall(s) implement egress (outbound request) filtering, your IT team will need to add whitelist rules: one set of rules in order to use the SecureVideo application, and then additional whitelist rules specific to the video engine(s) your organization will use with SecureVideo.

 

SecureVideo Application Firewall Settings

The below whitelist rules are required for all organizations using egress (outbound request) filtering regardless of the video engine(s) in use:

  • Allow outbound TCP 443 to securevideo.com and *.securevideo.com
  • Allow outbound TCP 443 to pubnub.com, *.pubnub.com, *.pndsn.com, *.pubnub.net and *.pubnub.io

Please also ensure that if your organization's browsers are configured to check certificate status online (using OCSP, Chrome CRLSet, or equivalent), that you allow outbound TCP 80 to *.digicert.com.

 

Video Engine Firewall Settings

SecureVideo supports 2 different video engines:

  • Zoom 
  • One-Click

If your organization uses egress (outbound request) filtering, please ensure that the firewall settings applicable to the video engine(s) you are using with SecureVideo are implemented prior to testing/using SecureVideo.

Note: all video engines prefer to use UDP by default. While most engines can workaround using TCP, in all cases the call quality will be markedly suboptimal, and will impact the provider/patient experience. In addition to whitelisting the appropriate UDP ports, please be aware that some firewalls have a UDP default timeout. If your calls are consistently being dropped after a specific period of time, this may be happening on your network, and the UDP timeout must be removed or greatly increased for the below UDP ports used by your video engine(s).

 

 

Zoom Firewall Settings

It is functionally mandatory to apply all rules to outbound connections. To avoid TURN relay latency, it is recommended to apply all rules to inbound connections.

  • allow TCP 80 and TCP 443 to (zoom.us, *.zoom.us)
  • allow (TCP 443, TCP 8801-8802, UDP 3478-3479, and UDP 8801-8810) to (3.7.35.0/25, 3.21.137.128/25, 3.25.41.128/25, 3.80.20.128/25, 3.96.19.0/24, 3.101.52.0/25, 3.104.34.128/25, 3.120.121.0/25, 3.127.194.128/25, 3.208.72.0/25, 3.211.241.0/25, 3.235.69.0/25, 3.235.71.128/25, 3.235.72.128/25, 3.235.73.0/25, 3.235.82.0/23, 3.235.96.0/23, 4.34.125.128/25, 4.35.64.128/25, 8.5.128.0/23, 13.52.6.128/25, 13.52.146.0/25, 13.114.106.166/32, 15.220.80.0/24, 15.220.81.0/25, 16.63.30.0/24 18.157.88.0/24, 18.205.93.128/25, 18.254.23.128/25, 18.254.61.0/25, 20.203.158.80/28, 20.203.190.192/26, 50.239.202.0/23, 50.239.204.0/24, 52.61.100.128/25, 52.84.151.0/24, 52.197.97.21/32, 52.202.62.192/26, 52.215.168.0/25, 65.39.152.0/24, 64.69.74.0/24, 64.125.62.0/24, 64.211.144.0/24, 69.174.57.0/24, 69.174.108.0/22, 64.224.32.0/19, 99.79.20.0/25, 101.36.167.0/24, 103.122.166.0/23, 109.94.160.0/24, 109.244.18.0/25, 109.244.19.0/24, 111.33.115.0/25, 115.110.154.192/26, 115.114.56.192/26, 115.114.115.0/26, 115.114.131.0/26, 120.29.148.0/24, 129.151.1.128/27, 129.151.1.192/27, 129.151.2.0/27, 129.151.3.160/27, 129.151.7.96/27, 129.151.11.128/27, 129.151.12.0/27, 129.151.11.64/27, 129.151.13.64/27, 129.151.15.224/27, 129.151.16.0/27, 129.151.31.224/27, 129.151.40.0/25, 129.151.40.160/27, 129.151.40.192/27, 129.151.41.0/25, 129.151.41.192/26, 129.151.42.0/27, 129.151.42.64/27, 129.151.42.128/26, 129.151.42.224/27, 129.151.43.0/27, 129.151.43.64/26, 129.151.48.0/27, 129.151.48.160/27, 129.151.49.0/26, 129.151.49.96/27, 129.151.49.128/27, 129.151.49.192/26, 129.151.50.0/27, 129.151.50.64/27, 129.151.52.128/26, 129.151.53.32/27, 129.151.53.224/27, 129.151.55.32/27, 129.151.56.32/27, 129.151.57.32/27, 129.151.60.192/27, 129.159.2.32/27, 129.159.2.192/27, 129.159.3.0/24, 129.159.4.0/23, 129.159.6.0/27, 129.159.6.96/27, 129.159.6.128/26, 129.159.6.192/27, 129.159.160.0/26, 129.159.160.64/27, 129.159.163.0/26, 129.159.163.160/27, 129.159.208.0/21, 129.159.216.0/26, 129.159.216.64/27, 129.159.216.128/26, 130.61.164.0/22, 132.226.176.0/25, 132.226.176.128/26, 132.226.177.96/27, 132.226.177.128/25, 132.226.178.0/27, 132.226.178.128/27, 132.226.178.224/27, 132.226.179.0/27, 132.226.179.64/27, 132.226.180.128/27, 132.226.183.160/27, 132.226.185.192/27, 134.224.0.0/16, 140.238.128.0/24, 140.238.232.0/22, 144.195.0.0/16, 147.124.96.0/19, 149.137.0.0/17, 150.230.224.0/25, 150.230.224.128/26, 150.230.224.224/27, 152.67.20.0/24, 152.67.118.0/24, 152.67.168.0/22, 152.67.180.0/24, 152.67.184.32/27, 152.67.240.0/21, 152.70.0.0/25, 152.70.0.128/26, 152.70.0.224/27, 152.70.1.0/25, 152.70.1.128/26, 152.70.1.192/27, 152.70.2.0/26, 152.70.7.192/27, 152.70.10.32/27, 152.70.224.32/27, 152.70.224.64/26, 152.70.224.160/27, 152.70.224.192/27, 152.70.225.0/25, 152.70.225.160/27, 152.70.225.192/27, 152.70.226.0/27, 152.70.227.96/27, 152.70.227.192/27, 152.70.228.0/27, 152.70.228.64/27, 152.70.228.128/27, 156.45.0.0/17, 158.101.64.0/24, 158.101.184.0/23, 158.101.186.0/25, 158.101.186.128/27, 158.101.186.192/26, 158.101.187.0/25, 158.101.187.160/27, 158.101.187.192/26, 159.124.0.0/16, 160.1.56.128/25, 161.199.136.0/22, 162.12.232.0/22, 162.255.36.0/22, 165.254.88.0/23, 166.108.64.0/18, 168.138.16.0/24, 168.138.48.0/24, 168.138.56.0/21, 168.138.72.0/24, 168.138.74.0/25, 168.138.80.0/25, 168.138.80.128/26, 168.138.80.224/27, 168.138.81.0/24, 168.138.82.0/23, 168.138.84.0/25, 168.138.84.128/27, 168.138.84.192/26, 168.138.85.0/24, 168.138.86.0/23, 168.138.96.0/22, 168.138.116.0/27, 168.138.116.64/27, 168.138.116.128/27, 168.138.116.224/27, 168.138.117.0/27, 168.138.117.96/27, 168.138.117.128/27, 168.138.118.0/27, 168.138.118.160/27, 168.138.118.224/27, 168.138.119.0/27, 168.138.119.128/27, 168.138.244.0/24, 170.114.0.0/16, 173.231.80.0/20, 192.204.12.0/22, 193.122.16.0/25, 193.122.16.192/27, 193.122.17.0/26, 193.122.17.64/27, 193.122.17.224/27, 193.122.18.32/27, 193.122.18.64/26, 193.122.18.160/27, 193.122.18.192/27, 193.122.19.0/27, 193.122.19.160/27, 193.122.19.192/27, 193.122.20.224/27, 193.122.21.96/27, 193.122.32.0/21, 193.122.36.0/22, 193.122.40.0/22, 193.122.44.0/24, 193.122.45.32/27, 193.122.45.64/26, 193.122.45.128/25, 193.122.46.0/23, 193.122.208.96/27, 193.122.216.32/27,193.122.222.0/27, 193.122.223.128/27, 193.122.226.160/27, 193.122.231.192/27, 193.122.232.160/27, 193.122.237.64/27, 193.122.244.160/27, 193.122.244.224/27, 193.122.245.0/27, 193.122.247.96/27, 193.122.252.192/27, 193.123.0.0/19, 193.123.40.0/21, 193.123.44.0/22, 193.123.128.0/19, 193.123.168.0/21, 193.123.192.224/27, 193.123.193.0/27, 193.123.193.96/27, 193.123.194.96/27, 193.123.194.128/27, 193.123.194.224/27, 193.123.195.0/27, 193.123.196.0/27, 193.123.196.192/27, 193.123.197.0/27, 193.123.197.64/27, 193.123.198.160/27, 193.123.198.64/27, 193.123.199.64/27, 193.123.200.128/27, 193.123.201.32/27, 193.123.201.224/27, 193.123.202.64/27, 193.123.202.128/26, 193.123.203.0/27, 193.123.203.160/27, 193.123.203.192/27, 193.123.204.0/27, 193.123.204.64/27, 193.123.205.128/27, 193.123.206.32/27, 193.123.206.128/27, 193.123.207.32/27, 193.123.208.160/27, 193.123.209.0/27, 193.123.209.96/27, 193.123.210.64/27, 193.123.211.224/27, 193.123.212.128/27, 193.123.215.192/26, 193.123.216.64/27, 193.123.216.128/27, 193.123.217.160/27, 193.123.219.64/27, 193.123.220.224/27, 193.123.222.64/27, 193.123.222.224/27, 198.251.128.0/17, 198.251.192.0/22, 202.177.207.128/27, 202.177.213.96/27, 204.80.104.0/21, 204.141.28.0/22, 206.247.0.0/16, 207.226.132.0/24, 209.9.211.0/24, 209.9.215.0/24, 210.57.55.0/24, 213.19.144.0/24, 213.19.153.0/24, 213.244.140.0/24, 221.122.88.64/27, 221.122.88.128/25, 221.122.89.128/25, 221.123.139.192/27)
  • allow (TCP 443, TCP 8801-8802, UDP 3478-3479, and UDP 8801-8810) to 2407:30C0::/32, 2600:9000:2600::/48, 2620:123:2000::/40, 2600:9000:2600::/48

 

*If you would like to receive notifications when additional IP ranges are available, please sign up for our IP address changes announcement list.

Please refer to Zoom's firewall rules support article for their list of CDN IP addresses.

 

 

One-Click Firewall Settings

For customers who have firewalls which filter outbound requests--generally hospitals, large practice groups, and other medium to large health care organizations--it is required to implement the below firewall settings prior to using One-Click in either a test or live patient environment. Without implementing these settings, a significant proportion of connections can be expected to fail (however, some connections may still succeed due to pre-existing firewall settings for other applications occurring in the very large Twilio UDP range).

Prior to testing or implementing One-Click, please first verify connectivity from all outbound-filtered client networks to Twilio by running the Twilio Video Diagnostics Test, and confirm that all tests pass from all outbound-filtered networks. If all firewall settings have been implemented but tests do not pass, please download the report results from that page and email it to our support team at [email protected] . 

 

Signaling (for all of the below hosts): TCP 443 (WSS); note that these hosts resolve to both IPv4 and IPv6 addresses

global.vss.twilio.com

us1.vss.twilio.com

us2.vss.twilio.com

sdkgw.us1.twilio.com

 

Media (for all of the below hosts): UDP 3478, UDP 10,000-60,000, TCP 443, TCP 3478, and TCP 5349

34.203.254.0 - 34.203.254.255

54.172.60.0 - 54.172.61.255

34.203.250.0 - 34.203.251.255

3.235.111.128 - 3.235.111.255

34.216.110.128 - 34.216.110.159

54.244.51.0 - 54.244.51.255

44.234.69.0 - 44.234.69.127

 

The above list is sufficient for providers and patients based in the United States. For international endpoints, please see Twilio's IP addresses page.

Note for organizations using Next Generation Firewalls (NGFWs): even if you pass the Twilio Network Test you may need to implement additional settings depending on your network configuration. For example, some NGFWs may identify STUN application packets routing over the UDP port range 10,000-60,000, in which case the full UDP port range needs to be permitted for STUN. NGFWs may require permitting numerous applications over the UDP port range 10,000-60,000, including (depending on the firewall application definitions) twilio, stun, turn, ice, rtcp, rtp-audio, and rtp-base. To determine the correct application-layer configuration, it may be necessary to capture packets destined for the above address ranges, determine what application is identified by the NGFW, and then permit that application over the full UDP range; and, it may be necessary to do this several times as the NGFW may identify subsequent applications as each new one is permitted.

 

Masked Calling Firewall Settings

For customers who have firewalls which filter outbound requests--generally hospitals, large practice groups, and other medium to large health care organizations--it is required to implement the below firewall settings prior to using One-Click in either a test or live patient environment. Without implementing these settings, a significant proportion of connections can be expected to fail (however, some connections may still succeed due to pre-existing firewall settings for other applications occurring in the very large Twilio UDP range).

Prior to testing or implementing Masked Calling, please first verify connectivity from all outbound-filtered client networks to Twilio by running the Twilio Video Diagnostics Test, and confirm that all tests pass from all outbound-filtered networks. (If you will only be using Masked Calling, but not One-Click, you can ignore results for video-related tests.) If all firewall settings have been implemented but tests do not pass, please download the report results from that page and email it to our support team at [email protected] . 

 

Signaling and Media:

  • allow (TCP 443, UDP 10000-60000) to (168.86.128.0/18)

 

If you are operating a restricted network that requires allowing of media IPs, Twilio recommends specifying the edge location gll: UDP 1,024 - 65,535:

54.244.51.0/24

 

 

Note for organizations using Next Generation Firewalls (NGFWs): even if you pass the Twilio Network Test you may need to implement additional settings depending on your network configuration. For example, some NGFWs may identify STUN application packets routing over the UDP port range 10,000-60,000, in which case the full UDP port range needs to be permitted for STUN. NGFWs may require permitting numerous applications over the UDP port range 10,000-60,000, including (depending on the firewall application definitions) twilio, stun, turn, ice, rtcp, rtp-audio, and rtp-base. To determine the correct application-layer configuration, it may be necessary to capture packets destined for the above address ranges, determine what application is identified by the NGFW, and then permit that application over the full UDP range; and, it may be necessary to do this several times as the NGFW may identify subsequent applications as each new one is permitted.

 

This article was last reviewed by our Support team on October 31, 2024.