WebRTC is a protocol that has been built into modern browsers like Chrome and Firefox. A number of different protocols are used, each with its own firewall requirements.
For signaling, we use SIP over secure WebSockets (i.e. WebSockets with TLS). This traffic is directed towards our media gateways on port TCP/8088 and/or port TCP/8089. You should allow this traffic to leave your network, and any responses to come back.
Because the endpoint is dynamically provisioned, the easiest approach is to allow outgoing traffic to ports 8088 and 8089. If you want to allow only specific IP addresses, please contact our technical support.
The WebRTC and SIP protocols need special means to discover the most suitable public IP address; for this the (trickle) ICE protocol is used. ICE uses STUN on TCP and UDP port 3478 towards various public servers, so those ports should be opened for outgoing and returning traffic. We do not use the TURN protocol.
The signaling protocol will always set up the media stream to originate from the same IP address that the SIP traffic is directed to, so you should open your firewall for any 'related' incoming traffic, i.e. traffic originating from the same IP address that your SIP traffic was sent to. This is Secure RTP (UDP) traffic originating from source ports 10000-20000.
Note that you cannot rely on deep packet inspection in your firewall to figure out which ports to open for the media stream: that will not work, because the signaling traffic is TLS encrypted.
SIP over WebSockets / TLS / HTTP (TCP 8088 and 8089): for SIP signaling between your web browser and our media gateways.
STUN (TCP and UDP 3478): for determining public IP addresses to help with NAT traversal.
All source-destination tuples should allow return traffic as well.
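The requirements above, as an added example that is not part of the original page or the vendor's own material: a host nftables ruleset printed by a shell function. Instead of hard-coding gateway addresses, the output chain records every address the host sends SIP-over-WSS to (TCP 8088/8089) in a dynamic set, and the input chain accepts SRTP (UDP, source ports 10000-20000) only from addresses in that set, which is the 'related' rule the text describes. The table name, set name and the 1 hour entry timeout are assumptions.

```shell
# Added example, not the vendor's configuration. Prints an nftables ruleset
# for the flows described on this page; apply with: webrtc_nft_ruleset | sudo nft -f -
webrtc_nft_ruleset() {
    cat <<'EOF'
table inet webrtc {
    # Media gateways learned from outbound signaling. Entries expire after
    # 1 hour without a refresh (assumed value; tune to your call lengths).
    set gateways {
        type ipv4_addr
        flags dynamic, timeout
        timeout 1h
    }

    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        # Signaling: SIP over secure WebSockets to the media gateways.
        # Remember the destination so its media can be accepted inbound.
        tcp dport { 8088, 8089 } update @gateways { ip daddr } accept
        # STUN for ICE candidate discovery (TCP and UDP 3478); no TURN is used.
        tcp dport 3478 accept
        udp dport 3478 accept
        # DNS, HTTPS to the web app, etc. belong to your base policy (not shown).
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        # Secure RTP only from a gateway we actually signaled to.
        ip saddr @gateways udp sport 10000-20000 accept
    }
}
EOF
}

# Sanity check on the generated text (needs neither root nor the kernel):
# returns 0 when every flow required by the page is present.
webrtc_nft_ruleset_check() {
    rules=$(webrtc_nft_ruleset)
    printf '%s\n' "$rules" | grep -q 'tcp dport { 8088, 8089 } update @gateways' || return 1
    printf '%s\n' "$rules" | grep -q 'tcp dport 3478 accept' || return 1
    printf '%s\n' "$rules" | grep -q 'udp dport 3478 accept' || return 1
    printf '%s\n' "$rules" | grep -q 'ct state established,related accept' || return 1
    printf '%s\n' "$rules" | grep -q 'ip saddr @gateways udp sport 10000-20000 accept'
}
```

As written both chains drop everything not listed, so merge these rules into your existing base policy rather than loading the table verbatim on a host that needs other traffic.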