Applies to Platform: UTM 3.0, 4i Edge 3.0, UTM 5.0, 4i Edge 5.0, UTM 6.0, 4i Edge 6.0
Last Update: 23 November 2020
This article shows how to get audio and video conferencing working through the Endian appliance by adding outgoing firewall rules that allow the TCP and UDP ports these services use.
Scenario: with the default outgoing policy, connections to well-known video and audio-conferencing platforms (e.g. Microsoft Teams, Zoom, Google Meet, WhatsApp) may appear to establish but then fail to carry media, because the UDP and TCP ports the services use are not open. In these cases you need to add firewall rules in the GREEN zone's Outgoing traffic section that allow connections to the services on those TCP and UDP ports.
Tutorial structure
All four procedures below use the same approach (an outgoing firewall rule from GREEN, positioned first); they differ only in destination networks, protocol and ports. Depending on the service you need to optimize, read the matching section:
Optimize the connection for Microsoft Teams
The following ports must be allowed to connect to Microsoft Teams:
Destination TCP ports: 80 and 443
Destination UDP ports: 3478, 3479, 3480, 3481
Destination networks: 13.107.64.0/18, 52.112.0.0/14 and 52.120.0.0/14
Note
TCP ports 80 and 443 are already open by default for the GREEN zone for Outgoing traffic in the firewall.
- To add the firewall rule for the ports required by Microsoft Teams, go to Firewall > Outgoing traffic > Add a new firewall rule
- Fill in the rule form with the following values, then click Create rule and Apply:
Source: GREEN interface
Destination networks: 13.107.64.0/18, 52.112.0.0/14 and 52.120.0.0/14
Service/Port: User defined
Protocol: UDP
Destination port (one per line): 3478, 3479, 3480, 3481
Action: ALLOW
Remark: Microsoft Teams
Position: First
The result is the new rule at the top of the Outgoing traffic list.
Now you can try the connection with the Microsoft Teams video and audio conferencing platform.
Optimize the connection for WhatsApp
The following ports must be allowed to connect to WhatsApp:
Destination TCP ports: 80 and 443
Destination TCP + UDP ports: 4244, 5222, 5223, 5228, 5242, 59234, 50318, 3478, 45395, 34784
Destination network: RED zone (any Internet host; WhatsApp does not publish a fixed set of address ranges for these ports)
Note
TCP ports 80 and 443 are already open by default for the GREEN zone for Outgoing traffic in the firewall. Because the destination is the whole RED zone, this rule opens the listed ports to every host on the Internet, not only to WhatsApp; keep that in mind when reviewing the policy.
- To add the firewall rule for the ports required by WhatsApp, go to Firewall > Outgoing traffic > Add a new firewall rule
- Fill in the rule form with the following values, then click Create rule and Apply:
Source: GREEN interface
Destination networks: RED zone
Service/Port: User defined
Protocol: TCP + UDP
Destination port (one per line): 4244, 5222, 5223, 5228, 5242, 59234, 50318, 3478, 45395, 34784
Action: ALLOW
Remark: WhatsApp
Position: First
The result is the new rule at the top of the Outgoing traffic list.
Now you can try the connection with the WhatsApp platform.
Optimize the connection for Google Meet
To provide high-quality video meetings with Google Meet, you need to set up your network so that Meet can efficiently communicate with the Google infrastructure.
You should:
- Make sure Meet traffic has a short path to the internet.
- Avoid proxies, packet inspection, protocol analyzers, and quality of service (QoS)
- Measure and optimize latency, bandwidth, and your Wi-Fi network.
Update your firewall to allow media traffic to flow to and from your organization. The following ports must be allowed to connect to Google Meet:
For media (audio and video), allow outbound UDP ports 19302–19309
For web traffic and user authentication, allow outbound TCP and UDP port 443. The Endian default outgoing rules for GREEN cover TCP 443 only; if you also want Meet's UDP 443 media fallback, add UDP 443 to the rule below.
The following IPv4 range is used exclusively for Meet media traffic from users signed in with your organization's Google Workspace accounts; it lets you identify that traffic and prioritize it separately from consumer-account traffic.
Allow access to Meet's media servers on this range:
IPv4: 74.125.250.0/24
The following IPv4 range is used exclusively for media traffic from participants who are signed in to a personal Google Account or not signed in at all.
Allow access to Meet's media servers on this range as well:
IPv4: 142.250.82.0/24
Note
TCP ports 80 and 443 are already open by default for the GREEN zone for Outgoing traffic in the firewall.
1. To add the firewall rule for the ports required by Google Meet, go to Firewall > Outgoing traffic > Add a new firewall rule
2. Fill in the rule form with the following values, then click Create rule and Apply:
Source: GREEN interface
Destination networks: 74.125.250.0/24 and 142.250.82.0/24
Service/Port: User defined
Protocol: UDP
Destination port (range): 19302–19309
Action: ALLOW
Remark: Google Meet
Position: First
3. The result is the new rule at the top of the Outgoing traffic list.
Now you can try the connection with the Google Meet platform.
Optimize the connection for Zoom
If the Zoom app stays in "connecting" mode, or times out with "Network error, please try again" or "Can't connect to our service, please check your network connection and try again", the cause may be your network connection, your network firewall settings, or a web security gateway.
The rules in this example apply to outbound traffic. Zoom replies on the destination port the client used when it opened the connection, so the firewall must allow these return packets; on the Endian appliance the stateful firewall does this automatically for connections allowed by an outgoing rule.
The following ports and destinations must be allowed to connect to Zoom:
Take the destination IP ranges and ports from Zoom's published list of firewall rules, selecting the entries for the Zoom services you use (meetings, phone, rooms, and so on).
Note
TCP ports 80 and 443 are already open by default for the GREEN zone for Outgoing traffic in the firewall.
- To add the firewall rules for the ports required by Zoom, go to Firewall > Outgoing traffic > Add a new firewall rule
- Fill in the rule form with the following values, then click Create rule and Apply:
Source: GREEN interface
Destination networks: the IP ranges from Zoom's published list
Service/Port: User defined
Protocol: UDP and/or TCP, as given in Zoom's published list
Destination port (one per line): the ports from Zoom's published list
Action: ALLOW
Remark: Zoom
Position: First
The result is the new rule at the top of the Outgoing traffic list.
Note
This is an example of how to add firewall rules for Zoom communication. To get all the functionality you need, create the rules from the full list of ports and destinations that Zoom publishes, choosing the entries that apply to your deployment.
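Because all four procedures above add "Position: First" rules to the same Outgoing traffic list, the order they end up in and their overlap decide which rule a packet actually hits. The following Python script is an added example, not Endian code or part of this article: it models first-match evaluation of the GREEN-to-RED policy built here (Teams, WhatsApp, Google Meet, plus the default TCP 80/443 rule and the implicit deny) so the effect of the rules can be checked offline before touching the appliance. The Zoom rule is left out because its ranges and ports come from Zoom's own list. The class and function names, and the assumption that the appliance evaluates rules top to bottom with an implicit deny at the end, are the example's own.

```python
"""Offline model of the GREEN -> RED outgoing policy built in this article.

Added example, not Endian code. It re-implements first-match evaluation of the
Outgoing traffic rules so you can see which rule a given destination/port hits.
Assumption: rules are evaluated top to bottom, with an implicit DENY at the end.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    remark: str
    protocols: frozenset          # {"tcp"}, {"udp"} or {"tcp", "udp"}
    ports: frozenset              # destination ports, duplicates already collapsed
    networks: tuple = ()          # () means "RED zone", i.e. any Internet host
    action: str = "ALLOW"

    def matches(self, proto, dst_ip, dst_port):
        if proto not in self.protocols or dst_port not in self.ports:
            return False
        if not self.networks:                       # RED zone: any destination
            return True
        ip = ipaddress.ip_address(dst_ip)
        return any(ip in net for net in self.networks)


def parse_ports(spec):
    """Expand a port list as typed into the rule form ('3478, 3479' or '19302-19309').

    Duplicate entries, such as the repeated ports in the WhatsApp list, collapse.
    """
    ports = set()
    for item in spec.replace(",", " ").split():
        if "-" in item:
            lo, hi = item.split("-")
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(item))
    return frozenset(ports)


def nets(*cidrs):
    return tuple(ipaddress.ip_network(c) for c in cidrs)


# Default Endian outgoing rule for GREEN that the article's notes refer to (TCP 80/443).
DEFAULT_WEB = Rule("default HTTP/HTTPS", frozenset({"tcp"}), parse_ports("80, 443"))

TEAMS = Rule("Microsoft Teams", frozenset({"udp"}), parse_ports("3478, 3479, 3480, 3481"),
             nets("13.107.64.0/18", "52.112.0.0/14", "52.120.0.0/14"))
WHATSAPP = Rule("WhatsApp", frozenset({"tcp", "udp"}),
                parse_ports("4244, 5222, 5223, 5228, 5242, 59234, 50318, 3478, "
                            "45395, 34784, 45395, 50318, 59234"))
MEET = Rule("Google Meet", frozenset({"udp"}), parse_ports("19302-19309"),
            nets("74.125.250.0/24", "142.250.82.0/24"))

# Each rule was created with "Position: First", so the last one added sits on top.
POLICY = [MEET, WHATSAPP, TEAMS, DEFAULT_WEB]


def evaluate(policy, proto, dst_ip, dst_port):
    """Return (action, remark) of the first rule matching the packet, else the implicit deny."""
    for rule in policy:
        if rule.matches(proto, dst_ip, dst_port):
            return rule.action, rule.remark
    return "DENY", "implicit deny (no outgoing rule matched)"


def wide_open_ports(policy):
    """Ports that ALLOW rules open to every Internet host (destination = RED zone)."""
    ports = set()
    for rule in policy:
        if rule.action == "ALLOW" and not rule.networks:
            ports |= rule.ports
    return frozenset(ports)


if __name__ == "__main__":
    # Constructed lookups (not real traffic) illustrating the overlap between rules.
    for pkt in [("udp", "52.113.0.1", 3479),   # Teams STUN/TURN inside 52.112.0.0/14
                ("udp", "8.8.8.8", 3479),      # same port, non-Microsoft host -> denied
                ("udp", "8.8.8.8", 3478),      # WhatsApp rule opens 3478 to any host
                ("udp", "142.250.82.9", 19305),  # Meet media
                ("udp", "74.125.250.1", 443)]:   # Meet UDP 443 fallback not covered
        print(pkt, "->", evaluate(POLICY, *pkt))
    print("ports reachable on any host:", sorted(wide_open_ports(POLICY)))
```

Note that UDP 3478 to a Microsoft address is reported as allowed by the WhatsApp rule rather than the Teams rule: the RED-zone rule sits above it and already matches. That is harmless for Teams, but it shows why an "any destination" rule should be reviewed before adding narrower ones below it.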