Corporate networks, firewalls, and VPN settings

This page is relevant for institutions whose networks are restricted by firewalls. You can share it with your IT support.

MeetAnyway partners with Daily for WebRTC-powered live video calls. Daily uses a variety of domains, IP addresses, ports, and protocols to connect calls. If you're trying to make calls to and from a network behind a corporate firewall, or through a VPN, you'll need to make sure you can access the following domains:

  • *.daily.co if possible. If not, you'll need to be able to reach these domains in addition to your account's subdomain.daily.co:
    • [b.daily.co](http://b.daily.co) and [c.daily.co](http://c.daily.co) for JavaScript, images, sounds, and fonts
    • [gs.daily.co](http://gs.daily.co) for room status updates
  • *.wss.daily.co for SFU media connections. The first hostname will usually resemble an AWS IP, such as ip-172-31-10-133-ec2.wss.daily.co.
  • prod-ks.pluot.blue (a Daily-owned server used for ICE negotiation)
  • *.twilio.com (STUN server/TURN relay for coordinating peer-to-peer calls)
  • *.xirsys.com (STUN server/TURN relay for coordinating peer-to-peer calls)

Additionally, you'll want to make sure you can access *.daily.co on port 443, as it's used for a variety of fallback connection types.

If you have a VPN, Daily calls will have much better quality if you can configure Daily's traffic to bypass it. You can usually do that by configuring split tunneling. You'll at least want to exempt port 443 for the Twilio IP ranges listed below, and possibly for the Xirsys IPs as well. If you can exempt UDP traffic altogether, that's even better.

Twilio's IP ranges: https://www.twilio.com/docs/stun-turn/regions

Xirsys's IP ranges: https://docs.xirsys.com/?pg=ip-whitelist

If you have a firewall, you should allow UDP hole punching, which is essentially the standard behavior for most firewalls. If you're explicitly allowing or denying UDP ports, you'll definitely need to open port 3478 for signaling and media tunneling. You'll also need to open UDP ports 40000-65534 for all hosts in order for peer-to-peer calls to work correctly.

When you're in a call with 4 or fewer people, Daily uses direct peer-to-peer connections for your audio and video for maximum quality. When the fifth person joins, the call automatically switches to routing everyone's audio and video through a centralized Daily server.

To test whether SFU mode resolves a user's connection issues, you can use the setNetworkTopology() method to switch a call to server-based mode.

await callFrame.setNetworkTopology({ topology: 'sfu' });

Content Security Policy (CSP) Directives

If you need to control access to resources with a Content-Security-Policy (CSP) header, the easiest way is to allow all Daily subdomains. For example:

Content-Security-Policy: default-src 'self' *.daily.co;

If you can't use wildcard domains, you can list your own Daily subdomain along with the specific extra domains that Daily uses for loading resources:

Content-Security-Policy: default-src 'self' yourdomain.daily.co b.daily.co c.daily.co gs.daily.co;
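To check a policy before deploying it, the following added example (not code from Daily or MeetAnyway) reports which of the hosts listed above a given fetch directive fails to allow. It covers the case where a more specific directive such as script-src is present and therefore replaces default-src. The function names and the third policy are assumptions made for illustration.

```javascript
// Added example: which Daily hosts does a CSP directive fail to allow?
// Hosts are the ones listed on this page; yourdomain.daily.co is its placeholder.
const DAILY_HOSTS = ['yourdomain.daily.co', 'b.daily.co', 'c.daily.co', 'gs.daily.co'];

// Parse "name src src; name src" into a Map of directive -> source list.
function parseCsp(header) {
  const policy = new Map();
  const value = header.replace(/^content-security-policy:\s*/i, '');
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored by browsers, so the first one wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// True when one host-source expression covers the host.
// Scheme-only sources (e.g. https:) are not evaluated and count as not covering.
function sourceCoversHost(source, host) {
  if (source.startsWith("'")) return false; // 'self', 'none', nonces, hashes
  if (source === '*') return true;
  // Drop scheme, port and path: "https://b.daily.co:443/x" -> "b.daily.co"
  const pattern = source.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '').replace(/[:/].*$/, '').toLowerCase();
  // "*.daily.co" covers subdomains only, not "daily.co" itself.
  if (pattern.startsWith('*.')) return host.toLowerCase().endsWith(pattern.slice(1));
  return pattern === host.toLowerCase();
}

// Fetch directives fall back to default-src only when they are absent.
function missingHosts(header, directive, hosts = DAILY_HOSTS) {
  const policy = parseCsp(header);
  const sources = policy.get(directive) ?? policy.get('default-src');
  if (sources === undefined) return []; // nothing restricts this resource type
  return hosts.filter((h) => !sources.some((s) => sourceCoversHost(s, h)));
}

// The two policies from this page, plus a constructed one that breaks script loading.
const WILDCARD = "Content-Security-Policy: default-src 'self' *.daily.co;";
const EXPLICIT = "Content-Security-Policy: default-src 'self' yourdomain.daily.co b.daily.co c.daily.co gs.daily.co;";
const OVERRIDDEN = "default-src 'self' *.daily.co; script-src 'self'"; // constructed

for (const [label, csp] of Object.entries({ WILDCARD, EXPLICIT, OVERRIDDEN })) {
  const missing = missingHosts(csp, 'script-src');
  console.log(label, missing.length ? `blocks: ${missing.join(', ')}` : 'allows all Daily hosts');
}
```

Replace yourdomain.daily.co in DAILY_HOSTS with your own Daily subdomain and call missingHosts once per directive your policy sets explicitly.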