Skip to content
  • There are no suggestions because the search field is empty.

Firewall Configuration for WebRTC Calls (End-User Networks)

This article describes the required firewall configuration for end-users who want to make WebRTC voice calls from our web application.

TrueEngage uses Vonage WebRTC for real-time audio communication. If users are behind a corporate firewall, specific IP addresses, domains, ports, and protocols must be allowed for calls to work correctly.

⚠️ Important
  • This configuration applies to end-user networks (customers, agents, employees).
  • This is NOT a Genesys configuration.
  • These rules are required on the user's corporate firewall.

Symptoms of Missing Firewall Rules

If required firewall rules are blocked, users may experience:

  • Calls that connect but no audio in either direction
  • Calls that never fully connect
  • Calls that immediately drop

Official Vonage Documentation

For the most up-to-date and authoritative requirements, please refer to Vonage’s official documentation: https://api.support.vonage.com/hc/en-us/articles/11117874324508-What-are-the-Vonage-Video-API-network-connectivity-requirements

Required Firewall Rules

1. WebRTC Signaling (Call Setup)

Used to establish and control WebRTC calls. This is the absolute minimum — without TCP 443 open, nothing will work.

Destination Port Protocol Purpose
*.vonage.com 443 TCP (WSS / HTTPS) Signaling & WebSocket connections
*.nexmo.com 443 TCP (WSS / HTTPS) Signaling & WebSocket connections
 

2. STUN / TURN Servers (NAT Traversal and Media Relay)

Required to allow audio to flow through NATs and restrictive firewalls. Vonage uses STUN/TURN for ICE negotiation. All connections are outbound-initiated — no ports need to be permanently open inbound, and there are no port-forwarding requirements.

Minimum
UDP 3478
TURN relay. Required for restricted networks. Without this, media may fail entirely.
 
Recommended
UDP 3478 + TCP 443
TCP 443 as TURN fallback for environments where UDP is heavily restricted.
 
Optimal
UDP 1025 – 65535
Direct peer connections — lowest latency, no relay needed. Best call quality.
 
ℹ️ Note: The client always favours UDP. Even if UDP is blocked by policy, you can expect UDP traffic to be attempted in network traces before falling back to TCP. Opening at least UDP 3478 significantly improves call quality over TCP-only.

3. Media (RTP Audio Streams)

Actual voice traffic is transmitted using RTP over UDP.

Protocol Port Range Direction
UDP 10000 – 50000 Outbound (inbound after outbound request)

Allowed IP Ranges (Primary Subnets)

These subnets cover all Vonage API traffic: HTTP Callbacks, WebHooks, WebSocket connections, SIP, and RTP/Media. Allow both ranges for full coverage.

  • 216.147.0.0/18
  • 168.100.64.0/18
❗ Blocking UDP media traffic (ports 10000–50000) will result in connected calls with no audio.

4. SIP Signaling (Used Internally by Vonage)

Even though the application uses WebRTC in the browser, Vonage uses SIP internally for call routing to Genesys Cloud. The primary subnets above cover SIP traffic, but if your firewall requires specific host-level rules, use the addresses below.

Protocol Port Purpose
UDP 5060 SIP signaling
TCP 5060 SIP signaling
TLS 5061 Encrypted SIP signaling

Specific SIP IP Addresses

Use the primary subnets above where possible. If your platform cannot accept subnet notation, allow the following individual IPs:

  • 216.147.0.1
  • 216.147.0.2
  • 216.147.1.1
  • 216.147.1.2
  • 216.147.2.1
  • 216.147.2.2
  • 216.147.3.1
  • 216.147.3.2
  • 216.147.4.1
  • 216.147.4.2
  • 216.147.5.1
  • 216.147.5.2
ℹ️ It is strongly recommended to allow the primary subnets (216.147.0.0/18 and 168.100.64.0/18) rather than individual IPs, to avoid configuration changes if Vonage adds new addresses in the future.

Quick Reference Summary

Traffic Type Destination Port(s) Protocol
WebRTC Signaling *.vonage.com*.nexmo.com 443 TCP (WSS)
TURN (minimum) 216.147.0.0/18168.100.64.0/18 3478 UDP
TURN (fallback) 216.147.0.0/18168.100.64.0/18 443 TCP
RTP / Media 216.147.0.0/18168.100.64.0/18 10000 – 50000 UDP
SIP Signaling 216.147.0.0/18168.100.64.0/18 5060 / 5061 UDP / TCP / TLS

Important Notes for IT & Security Teams

  • IP ranges are maintained by Vonage and may change over time — the authoritative list is available at: https://api.support.vonage.com/hc/en-us/articles/360035471331

Need Help?

If calls still fail after applying these rules:

  1. Verify that UDP traffic is not blocked or rate-limited
  2. Confirm that outbound rules are applied (inbound is not required)
  3. Contact your network administrator to review firewall logs for dropped packets on the ports above

If needed, our support team can assist in validating the configuration.