WebRTC is a protocol that is built into modern browsers such as Chrome and Firefox. It uses a number of different protocols, each with its own firewall requirements.

Signaling Protocol

For signaling, we use SIP over secure websockets (i.e. websockets with TLS). This traffic is directed towards our media gateways at port TCP/8088 and/or port TCP/8089. You should allow this traffic to leave your network, and any responses to go back.

The endpoint is dynamically provisioned, so the easiest approach is to allow outgoing traffic to ports 8088 and 8089. If you want to allow only certain IP addresses, please contact our technical support.

NAT Traversal

The WebRTC and SIP protocols need a way to discover the most suitable public IP address. The (trickling) ICE protocol is used for this. It uses STUN on TCP and UDP port 3478 towards different public servers. Those ports should be opened for outgoing and returning traffic. We do not use the TURN protocol.

Media Stream

The signaling protocol always sets up the media stream to originate from the same IP address that the SIP traffic is directed to, so you should open up your firewall for any 'related' incoming traffic (i.e. traffic originating from the same IP address that your SIP traffic was sent to). This is Secure RTP (UDP) traffic originating from ports 10000-20000.

Note that you cannot rely on your firewall leveraging deep packet inspection in order to figure out which ports to open for the media stream: that will not work, because the signaling traffic is TLS encrypted.






Your network; TCP 8088/8089; SIP over Websockets / TLS / HTTP; For SIP signaling between your web browser and our media gateways

UDP 10000-20000; Your network; Secure RTP; Media streams.

Your network; public internet; TCP/UDP 3478; For determining public IP addresses to help with NAT traversal

All source-destination tuples should allow return traffic as well.