Firewall configuration for StarLeaf endpoints
Managing Firewall and bandwidthLast updated March 6, 2020
For StarLeaf endpoints to be able to access the StarLeaf platform, certain ports on the public IP addresses of StarLeaf must be reachable for outbound connections through your firewall. It is not necessary to open up any ports for inbound connections. The port requirement is the same regardless of whether you are installing the Starleaf app, or a hardware endpoint. Most firewalls, operating at a normal level of security, already meet these requirements.
|Source host||Source port||Destination host||Destination port||Description|
|StarLeaf endpoint requirements||Internal StarLeaf endpoint||Ephemeral||config.starleaf.com||TCP 443||StarLeaf authentication and automatic service discovery|
|<example>.call.sl||TCP 443||StarLeaf tunnel for registration, provisioning, call signaling, and media|
|UDP 24704||StarLeaf tunnel for registration, provisioning, call signaling, and media|
All StarLeaf endpoints require:
- TCP port 443
And the following is recommended for best-quality calls, but not required:
- UDP: one of any of these ports: 24704, 3478, 1194, 500, 123
StarLeaf endpoints always try UDP port 24704 first, and then the others in descending numerical order. You only need to open one UDP port.
StarLeaf endpoints all use TCP for some call control messages, but for call media, StarLeaf endpoints prefer to use UDP if possible because that provides superior call quality. Therefore, a StarLeaf endpoint (both hardware and StarLeaf app) attempts to connect using UDP first. If the UDP connection is not possible, then the connection is an HTTPS connection using port 443.
Browser-based calls require TCP port 443. For best-quality calls, but not required, browser-based calls require UDP media port range:16384-24575.
Firefox users must have access to this range of UDP ports as, currently, Firefox browser calling does not work with TCP port 443.
Your StarLeaf endpoints make outbound connections to only two DNS names. These DNS names resolve to multiple IP addresses for reasons of resilience and redundancy and the actual addresses are subject to change according to the operational requirements of StarLeaf. The two DNS names are:
- config.starleaf.com the configuration server that tells an endpoint which StarLeaf organization it belongs to
- [your organization name].call.sl any calls your endpoint makes or receives are tunneled through this host
If the local network to which your endpoints are connected has a very restrictive firewall policy for outbound connections, you might need to whitelist access to these destinations. One indication that you need to do this is that StarLeaf app clients stay fixed on the blue ‘Starting…’ screen or say that they cannot contact the login or config server. Because the actual IP addresses that these DNS names resolve to can change, it is preferable to whitelist them by DNS name. If your firewall can only whitelist numeric IP addresses, you can ping the DNS names to find out what the IP addresses are. StarLeaf Support can supply complete ranges of possible IP addresses that your StarLeaf organization can use, upon request.