Firewall configuration for SecureVideo

Support Center > Tips and Settings

Published 12/18/2013 at 6:51pm UTC

Page viewed 41982 times

Details

What firewall changes do I need to make so that my organization can use SecureVideo?

 

Answer

If your organizational firewall(s) implement egress (outbound request) filtering, your IT team will need to add whitelist rules: one set of rules in order to use the SecureVideo application, and then additional whitelist rules specific to the video engine(s) your organization will use with SecureVideo.

 

SecureVideo Application Firewall Settings

The below whitelist rules are required for all organizations using egress (outbound request) filtering regardless of the video engine(s) in use: 

  • Allow outbound TCP 443 to securevideo.com and *.securevideo.com
  • Allow outbound TCP 443 to pubnub.com, *.pubnub.com, *.pndsn.com, *.pubnub.net and *.pubnub.io

Please also ensure that if your organization's browsers are configured to check certificate status online (using OCSP, Chrome CRLSet, or equivalent), that you allow outbound TCP 80 to *.digicert.com.

 

Video Engine Firewall Settings

SecureVideo supports 3 different video engines:

  • Zoom (integrated in 2016)
  • One-Click (integrated in 2020)
  • VSee (integrated in 2013)

If your organization uses egress (outbound request) filtering, please ensure that the firewall settings applicable to the video engine(s) you are using with SecureVideo are implemented prior to testing/using SecureVideo.

Note: all video engines prefer to use UDP by default. While most engines can workaround using TCP, in all cases the call quality will be markedly suboptimal, and will impact the provider/patient experience. In addition to whitelisting the appropriate UDP ports, please be aware that some firewalls have a UDP default timeout. If your calls are consistently being dropped after a specific period of time, this may be happening on your network, and the UDP timeout must be removed or greatly increased for the below UDP ports used by your video engine(s).

 

 

Zoom Firewall Settings

It is functionally mandatory to apply all rules to outbound connections. To avoid TURN relay latency, it is recommended to apply all rules to inbound connections.

  • allow TCP 80 and TCP 443 to (zoom.us, *.zoom.us)
  • allow (TCP 443, TCP 8801-8802, UDP 3478-3479, and UDP 8801-8810) to (3.7.35.0/25, 3.21.137.128/25, 3.22.11.0/24, 3.23.93.0/24, 3.25.41.128/25, 3.25.42.0/25, 3.25.49.0/24, 3.80.20.128/25, 3.96.19.0/24, 3.101.32.128/25, 3.101.52.0/25, 3.104.34.128/25, 3.120.121.0/25, 3.127.194.128/25, 3.208.72.0/25, 3.211.241.0/25, 3.235.69.0/25, 3.235.71.128/25, 3.235.72.128/25, 3.235.73.0/25, 3.235.82.0/23, 3.235.96.0/23, 4.34.125.128/25, 4.35.64.128/25, 8.5.128.0/23, 13.52.6.128/25, 13.52.146.0/25, 13.114.106.166/32, 18.157.88.0/24, 18.205.93.128/25, 20.203.158.80/28, 20.203.190.192/26, 50.239.202.0/23, 50.239.204.0/24, 52.61.100.128/25, 52.197.97.21/32, 52.202.62.192/26, 52.215.168.0/25, 64.69.74.0/24, 64.125.62.0/24, 64.211.144.0/24, 65.39.152.0/24, 69.174.57.0/24, 69.174.108.0/22, 99.79.20.0/25, 101.36.167.0/24, 103.122.166.0/23, 109.94.160.0/24, 109.244.18.0/25, 109.244.19.0/24, 111.33.115.0/25, 115.110.154.192/26, 115.114.56.192/26, 115.114.115.0/26, 115.114.131.0/26, 120.29.148.0/24, 129.151.0.0/19, 129.151.40.0/22, 129.151.48.0/20, 129.159.0.0/20, 129.159.160.0/19, 129.159.208.0/20, 130.61.164.0/22, 134.224.0.0/16, 140.238.128.0/24, 140.238.232.0/22, 144.195.0.0/16, 147.124.96.0/19, 149.137.0.0/17, 150.230.224.0/21, 152.67.20.0/24, 152.67.118.0/24, 152.67.168.0/22, 152.67.180.0/24, 152.67.184.0/22, 152.67.240.0/21, 152.70.224.0/21, 156.45.0.0/17, 158.101.64.0/24, 158.101.184.0/22, 160.1.56.128/25, 161.199.136.0/22, 162.12.232.0/22, 162.255.36.0/22, 165.254.88.0/23, 168.138.16.0/24, 168.138.48.0/24, 168.138.56.0/21, 168.138.72.0/24, 168.138.74.0/25, 168.138.80.0/21, 168.138.96.0/22, 168.138.116.0/22, 168.138.244.0/24, 170.114.0.0/16, 173.231.80.0/20, 192.204.12.0/22, 193.122.16.0/20, 193.122.32.0/20, 193.122.36.0/22, 193.122.208.0/20, 193.122.224.0/20, 193.122.240.0/20, 193.123.0.0/19, 193.123.40.0/21, 193.123.44.0/22, 193.123.128.0/19, 193.123.168.0/21, 193.123.192.0/19, 198.251.128.0/17, 198.251.192.0/22, 202.177.207.128/27, 202.177.213.96/27, 204.80.104.0/21, 204.141.28.0/22, 207.226.132.0/24, 209.9.211.0/24, 209.9.215.0/24, 210.57.55.0/24, 213.19.144.0/24, 213.19.153.0/24, 213.244.140.0/24, 221.122.88.64/27, 221.122.88.128/25, 221.122.89.128/25, 221.123.139.192/27)
  • allow (TCP 443, TCP 8801-8802, UDP 3478-3479, and UDP 8801-8810) to 2620:123:2000::/40

 

 

*If you would like to receive notifications when additional IP ranges are available, please sign up for our IP address changes announcement list.

**Bold-faced IP addresses to be added December 2, 2021.

 

One-Click Firewall Settings

For customers who have firewalls which filter outbound requests--generally hospitals, large practice groups, and other medium to large health care organizations--it is required to implement the below firewall settings prior to using One-Click in either a test or live patient environment. Without implementing these settings, a significant proportion of connections can be expected to fail (however, some connections may still succeed due to pre-existing firewall settings for other applications occurring in the very large Twilio UDP range).

Prior to testing or implementing One-Click, please first verify connectivity from all outbound-filtered client networks to Twilio by running the Twilio Network Test at https://networktest.twilio.com/, and confirm that all tests pass from all outbound-filtered networks. If all firewall settings have been implemented and all tests do not pass, please contact our support team.

Signaling (for all of the below hosts): TCP 443; note that these hosts resolve to both IPv4 and IPv6 addresses

global.vss.twilio.com

us1.vss.twilio.com

us2.vss.twilio.com

sdkgw.us1.twilio.com

 

Media (for all of the below hosts): UDP 3478, UDP 10,000-60,000, TCP 443, TCP 3478, and TCP 5349

34.203.254.0 - 34.203.254.255

54.172.60.0 - 54.172.61.255

34.203.250.0 - 34.203.251.255

3.235.111.128 - 3.235.111.255

34.216.110.128 - 34.216.110.159

54.244.51.0 - 54.244.51.255

44.234.69.0 - 44.234.69.127

 

The above list is sufficient for providers and patients based in the United States. For international endpoints, please see Twilio's IP addresses page.

Note for organizations using Next Generation Firewalls (NGFWs): even if you pass the Twilio Network Test you may need to implement additional settings depending on your network configuration. For example, some NGFWs may identify STUN application packets routing over the UDP port range 10,000-60,000, in which case the full UDP port range needs to be permitted for STUN. NGFWs may require permitting numerous applications over the UDP port range 10,000-60,000, including (depending on the firewall application definitions) twilio, stun, turn, ice, rtcp, rtp-audio, and rtp-base. To determine the correct application-layer configuration, it may be necessary to capture packets destined for the above address ranges, determine what application is identified by the NGFW, and then permit that application over the full UDP range; and, it may be necessary to do this several times as the NGFW may identify subsequent applications as each new one is permitted.

 

VSee Firewall Settings

Please see VSee's Firewall page for up-to-date firewall configuration. VSee has last changed their firewall requirements on June 4, 2021.

 

This article was last reviewed by our Support team on November 3, 2021.