Network allowlist guide

Last updated: December 12, 2025

Corporate networks often use firewalls, web security appliances, deep packet inspection, VPNs, and other tools to protect internal systems. These tools can sometimes interfere with calls by blocking the connections needed for audio, video, and screen sharing. This guide explains how to configure your network to allow calls to work smoothly.

Quick start

If you simply want to know which domains to allow HTTPS traffic to, the list below is the current set of wildcard domains:

  • *.solidroad.com

  • *.vapi.ai

  • *.daily.co

Advanced network control

For web requests, you’ll need to allow connections to the following hostnames on port 443:

  • app.solidroad.com for access to the web UI

  • accounts.solidroad.com for sign in

  • clerk.solidroad.com for sign in

  • api.vapi.ai for phone and video

  • *.daily.co for WebRTC infrastructure

  • *.wss.daily.co, or the SFU servers listed in the IP list (for call signaling)

  • b.daily.co and c.daily.co (for accessing provider CDN resources)

  • gs.daily.co (dispatch server)

  • prod-ks.pluot.blue (ICE negotiation)

There are two kinds of connections that need to happen for a call:

  1. Standard client-server web requests

  2. Peer-to-peer WebRTC connections to send and receive call media

For more on how different types of WebRTC media connections work, see WebRTC Media Connection Types below.

You’ll need to allow the following connections for WebRTC media:

  • STUN: Required for all media connection types. You'll need at least one of these, but we recommend both for the best call experience.

  • UDP direct connection to media servers for the best call quality:

    • *.wss.daily.co over TCP/443 and UDP/40000-49999, or all of the SFU hostnames and port ranges in the IP list

  • TURN for relaying media over UDP, TCP, or TLS. You'll need at least one of these, but we recommend both for the best call experience.

Twilio’s TURN server IPs are available from their documentation.
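
To check an existing firewall or proxy deny log against the hostnames and ports listed above, the following added example (not part of the original guide or any vendor tooling) flags denied connections that this guide says must be allowed. The log format "ACTION PROTO HOST PORT", the sample lines, and the hostname example-sfu.wss.daily.co are assumptions constructed for illustration.

```python
# Added example: audit firewall deny-log lines against this guide's rules.
# The "ACTION PROTO HOST PORT" format is an assumption; adapt the parser to your device.

# (pattern, protocol, first_port, last_port) taken from the lists in this guide.
RULES = [
    ("app.solidroad.com", "tcp", 443, 443),
    ("accounts.solidroad.com", "tcp", 443, 443),
    ("clerk.solidroad.com", "tcp", 443, 443),
    ("api.vapi.ai", "tcp", 443, 443),
    ("*.daily.co", "tcp", 443, 443),  # also covers b., c., gs. and *.wss.daily.co
    ("*.wss.daily.co", "udp", 40000, 49999),
    ("prod-ks.pluot.blue", "tcp", 443, 443),
]

def host_matches(pattern, host):
    """Match exact names, or '*.example.com' on a DNS label boundary only."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        # '*.daily.co' matches 'gs.daily.co' but not 'daily.co' or 'evildaily.co'.
        return host.endswith(pattern[1:]) and len(host) > len(pattern) - 1
    return host == pattern

def required_by_guide(proto, host, port):
    return any(
        proto.lower() == p and lo <= port <= hi and host_matches(pat, host)
        for pat, p, lo, hi in RULES
    )

def audit(log_lines):
    """Return denied (proto, host, port) tuples that this guide says must be allowed."""
    findings = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4 or fields[0] != "DENY" or not fields[3].isdigit():
            continue  # skip ALLOW entries and malformed lines
        proto, host, port = fields[1], fields[2], int(fields[3])
        if required_by_guide(proto, host, port):
            findings.append((proto.lower(), host.lower(), port))
    return findings

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "DENY tcp gs.daily.co 443",
    "DENY udp example-sfu.wss.daily.co 40123",
    "DENY tcp evildaily.co 443",            # look-alike domain: must stay blocked
    "ALLOW tcp app.solidroad.com 443",
    "DENY udp example-sfu.wss.daily.co 53",  # outside the UDP media range
    "DENY tcp clerk.solidroad.com 443",
]

if __name__ == "__main__":
    for proto, host, port in audit(SAMPLE_LOG):
        print(f"blocked but required: {proto}/{port} {host}")
```

Matching wildcards on the label boundary matters when translating this list into firewall or proxy rules: a substring or plain suffix match on "daily.co" would also admit unrelated look-alike domains.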

Important Considerations

If your network tools are blocking access to some of those hostnames, your users may see a few different problems:

  • They won’t be able to load the call interface at all

  • They will load the call interface, but they won’t be able to connect to the call

  • They will connect to the call, but they won’t be able to send or receive audio and video

Proxies that decrypt and re-encrypt traffic can break WebRTC, causing users to connect to a call but not be able to send or receive media. Make sure to exclude TURN, STUN, and ICE traffic from inspection.

If you use a VPN, configure it to use split tunneling to bypass the VPN for Daily traffic. This can significantly improve call quality. At a minimum, exempt port 443 for the Twilio IP ranges above. Ideally, exempt UDP traffic altogether.

If you've implemented the recommendations in this guide and some users still have problems connecting, you can use this Network Test page to diagnose connection problems. It will help you pinpoint which connections are failing.