For StarLeaf endpoints to be able to access the StarLeaf platform, certain ports on the public IP addresses of StarLeaf must be reachable for outbound connections through your firewall. It is not necessary to open up any ports for inbound connections. The port requirements are the same for Starleaf app, and most hardware endpoints. StarLeaf Room for Poly requires additional port exceptions. Most firewalls, operating at a normal level of security, already meet these requirements.

In this topic:

Example firewall configuration

Source host Source port Destination host Destination port Description
StarLeaf endpoint requirements Internal StarLeaf endpoint Ephemeral TCP 443 StarLeaf authentication and automatic service discovery
<example> TCP 443 StarLeaf tunnel for registration, provisioning, call signaling, and media
UDP 24704 StarLeaf tunnel for registration, provisioning, call signaling, and media

Outbound port requirements

All StarLeaf endpoints require:

  • TCP port 443

And the following is recommended for best-quality calls, but not required:

  • UDP: one of any of these ports: 24704, 3478, 1194, 500, 123

StarLeaf endpoints always try UDP port 24704 first, and then the others in descending numerical order. You only need to open one UDP port.

StarLeaf endpoints all use TCP for some call control messages, but for call media, StarLeaf endpoints prefer to use UDP if possible because that provides superior call quality. Therefore, a StarLeaf endpoint (both hardware and StarLeaf app) attempts to connect using UDP first. If the UDP connection is not possible, then the connection is an HTTPS connection using port 443.

Browser Click-to-Call (WebRTC)

Browser-based calls require TCP port 443. For best-quality calls, but not required, browser-based calls require UDP media port range:16384-24575.

IP addresses

Your StarLeaf endpoints make outbound connections to only two DNS names. These DNS names resolve to multiple IP addresses for reasons of resilience and redundancy and the actual addresses are subject to change according to the operational requirements of StarLeaf. The two DNS names are:

  • the configuration server that tells an endpoint which StarLeaf organization it belongs to
  • [your organization name] any calls your endpoint makes or receives are tunneled through this host

If the local network to which your endpoints are connected has a very restrictive firewall policy for outbound connections, you might need to whitelist access to these destinations. One indication that you need to do this is that StarLeaf app clients stay fixed on the blue ‘Starting…’ screen or say that they cannot contact the login or config server. Because the actual IP addresses that these DNS names resolve to can change, it is preferable to whitelist them by DNS name. If your firewall can only whitelist numeric IP addresses, you can contact StarLeaf Support who will, upon request, supply complete ranges of possible IP addresses that your StarLeaf organization can use.

StarLeaf Room for Poly

In addition to the port exceptions listed above, StarLeaf Room for Poly must be able to communicate with the following services on port 443:

For more information, refer to Poly documentation .