What are the Vonage Video API network connectivity requirements?

Vonage API Support

Question

What are the minimum network requirements to use the Vonage Video API?

Applies To

  • Vonage Video API
  • Network Requirements
  • Firewall Requirements
  • Proxy Requirements

Answer

There are a number of requirements for Vonage Video API Network access that are detailed below.

Network Protocols

There are three main protocols that will be used when using the Vonage Video API. 

  • WSS (Secure WebSockets) -- used for in-call signalling
  • REST / HTTPS -- used for client API, configuration and logging data
  • SRTP (Secure Real-time Protocol) -- used for video and audio media
  • STUN / TURN -- used for NAT traversal of the SRTP media

WSS and REST/HTTPS traffic is very similar to normal web traffic. Unless a network exercises a true default-deny rule, this traffic is typically allowed. If all web traffic is blocked on a network, the customer will need to whitelist Vonage servers on port 443, along with the necessary ports for media data (see below in this document).

Connections are initiated in the outbound direction. There is no requirement for ports to be permanently open inbound, and there are no port forwarding requirements.

Note that the client will always favour a UDP connection, so even if the firewall has been configured to block UDP, you can still expect to see some UDP traffic being attempted in any network traces. 

Optimal Recommended Network Ports 

The following ports can be considered an optimal configuration; a domestic firewall will typically already be configured to allow these ports for outbound-initiated traffic. This configuration will give the fastest call setup time and the best quality video. It also allows for peer-to-peer connections in relayed mode.

Protocol              Port(s)
STUN                  UDP 3478
TURN UDP              UDP 3478
Media ICE and SRTP    UDP 1025-65535
REST / HTTPS          TCP 443
TURN TCP              TCP 443
TURN TLS              TCP 443

 

Recommended Minimal Network Ports

The following ports provide a good balance between good video quality and secure firewall configuration. This is because the video and audio media connection is able to use UDP transport which is more efficient for carrying real-time media compared to TCP.

 

Protocol              Port(s)
STUN                  UDP 3478
TURN UDP              UDP 3478
REST / HTTPS          TCP 443
TURN TCP              TCP 443
TURN TLS              TCP 443

 

If a web proxy is present on the network it should be transparent and configured to allow this outbound traffic. If necessary you can whitelist by domain (see whitelisting section).

Note that the outbound connection can be limited to Vonage IP addresses as discussed in the whitelisting section.

Minimum Network Ports 

At an absolute minimum, TCP Port 443 is required to be open:

 

Protocol              Port(s)
WSS                   TCP 443
REST / HTTPS          TCP 443
TURN TCP              TCP 443
TURN TLS              TCP 443

 

If you only open this single port then some drawbacks can be expected, namely slower call setup time and potentially lower call quality. This is because TCP is not efficient at carrying real-time media such as audio and video. Vonage therefore highly recommends opening at least 1 UDP port as discussed in the previous section.

UDP is recommended over TCP for better quality audio and video. UDP favours timeliness over reliability, which is consistent with human perceptive preferences, where we can fill in gaps but are sensitive to time-based delays. If TCP is used, the quality degradation will be more noticeable on constrained networks or networks with high packet loss, so a high level of attention must be given to ensuring a good quality internet connection with low levels of packet loss and jitter.

If a web proxy is present on the network it should be transparent or it must be configured in the browser/OS for HTTPS connections, and must allow this outbound traffic. If necessary you can whitelist by domain (see whitelisting section).

Note that the outbound connection can be limited to Vonage IP addresses as discussed in the whitelisting section.
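The three port tiers above can be checked against a firewall's outbound allow rules. The following is an added example, not Vonage code: it reports the best tier a rule set satisfies. The rule format (protocol, first port, last port), the tier labels and the function names are assumptions made for illustration.

```python
# Added example: classify an outbound firewall policy against the port tiers
# listed in this article. The rule format (protocol, first_port, last_port),
# the tier labels and all function names are assumptions for illustration.

TCP_443 = ("tcp", 443, 443)       # WSS, REST / HTTPS, TURN TCP, TURN TLS
UDP_3478 = ("udp", 3478, 3478)    # STUN, TURN UDP
UDP_MEDIA = ("udp", 1025, 65535)  # Media ICE and SRTP

TIERS = [  # most permissive tier first
    ("optimal", [TCP_443, UDP_3478, UDP_MEDIA]),
    ("recommended-minimal", [TCP_443, UDP_3478]),
    ("minimum", [TCP_443]),
]


def covers(rules, need):
    """True if the allowed rules cover every port of the needed range."""
    proto, lo, hi = need
    spans = sorted((a, b) for p, a, b in rules if p == proto)
    next_port = lo  # lowest needed port not yet known to be allowed
    for a, b in spans:
        if a > next_port:
            break  # gap: no rule allows next_port
        next_port = max(next_port, b + 1)
        if next_port > hi:
            return True
    return False


def classify(rules):
    """Return the best tier the outbound rules satisfy, or 'insufficient'."""
    for name, needs in TIERS:
        if all(covers(rules, need) for need in needs):
            return name
    return "insufficient"


# Constructed sample policies (not taken from any real firewall).
WEB_ONLY = [("tcp", 80, 80), ("tcp", 443, 443)]
WEB_PLUS_TURN = WEB_ONLY + [("udp", 3478, 3478)]
SPLIT_UDP = [("tcp", 443, 443), ("udp", 1024, 40000), ("udp", 40001, 65535)]

if __name__ == "__main__":
    for label, policy in [("web only", WEB_ONLY), ("web + 3478", WEB_PLUS_TURN),
                          ("split UDP ranges", SPLIT_UDP)]:
        print(f"{label}: {classify(policy)}")
```

The check covers ports only; restricting destinations to Vonage domains or IP addresses is a separate rule dimension covered in the whitelisting section.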

Domain Whitelisting and IP Whitelisting

Domain Whitelisting

Customers requiring domain whitelisting on their firewall or web proxy can use the following:

 

On the Vonage Video API OpenTok Environment, please allow:

Domains 
*.tokbox.com
*.opentok.com

 

On the Vonage Video API Unified Environment, please allow:

Domains 
*.tokbox.com
*.opentok.com
*.vonage.com

 

Vonage is not able to provide a list of server names (i.e. Fully Qualified Domain Names), therefore the use of wildcards is required.
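Because wildcards are required, the way a proxy or firewall interprets them matters: a plain suffix comparison would also admit unrelated look-alike names. The following is an added example, not Vonage code, that matches hostnames against the lists above on a label boundary only; the environment keys, the function names and the choice not to match the bare apex domain are assumptions, and the exact-match host is the China Relay address listed later in this article.

```python
# Added example: evaluate hostnames against the wildcard domain lists in this
# article. Environment keys, function names and the decision that "*.x.com"
# does not match the bare "x.com" are assumptions for illustration; check how
# your own proxy or firewall interprets wildcards.

ALLOWED = {
    "opentok": ["*.tokbox.com", "*.opentok.com"],
    "unified": ["*.tokbox.com", "*.opentok.com", "*.vonage.com"],
}
CHINA_RELAY = "websocketproxy.nexmoproxy.cn"  # exact host, China Relay only


def normalize(host):
    """Lower-case, drop a ':port' suffix and a trailing root dot."""
    host = host.strip().lower()
    if host.count(":") == 1:  # host:port form
        host = host.split(":")[0]
    return host.rstrip(".")


def matches(pattern, host):
    """'*.example.com' matches subdomains on a label boundary only."""
    if pattern.startswith("*."):
        suffix = pattern[1:]  # keeps the leading dot, e.g. ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def is_allowed(host, environment, china_relay=False):
    """True if host is covered by the allowlist for the given environment."""
    patterns = list(ALLOWED[environment])
    if china_relay:
        patterns.append(CHINA_RELAY)
    host = normalize(host)
    return any(matches(p, host) for p in patterns)


if __name__ == "__main__":
    # Constructed sample hostnames, including look-alikes that must be denied.
    for h in ["api.opentok.com", "eviltokbox.com", "tokbox.com.example.net",
              "api.vonage.com", "API.OpenTok.com:443"]:
        print(h, is_allowed(h, "opentok"), is_allowed(h, "unified"))
```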

 

IP Address Whitelisting

It is possible for Vonage to supply a complete list of IP addresses of Vonage Video API servers for the purposes of whitelisting these addresses on customer firewalls. This feature is an add-on option on top of our Enterprise Environment. It allows our customers to run all Video API services on dedicated infrastructure based on predictable IP addresses that can be configured on the local firewalls or security infrastructure.

Vonage Video API OpenTok Environment: 

If you have Enterprise Environment and Allowed IPs add-ons enabled on your account, you can find the IP Address list under the Account Settings section. If not, please contact your account manager.

You can use the IP blocks given under 'Global Enterprise Environment IP addresses' for Projects configured in Enterprise Environment.

 

If you have Regional Media Zones (RMZ) enabled on your account, you can choose to whitelist only the IP addresses used in that region. Don’t forget to configure your Project to use Regional Media Zones.

           

Vonage Video API Unified Environment:

If you have Video Enterprise Environment and Allowed IPs add-ons enabled on your account, you can find the IP Address list under the Video Add-ons section. If not, please contact your account manager.

Once the addons are added it will be shown as below:

Click on Access allowed IP List. You can use the IP blocks given under 'Global Enterprise Environment IP addresses' for your applications configured in Enterprise Environment.

 

 

If you have Regional Media Zones (RMZ) enabled on your account, you can choose to whitelist only the IP addresses used in that region. Don’t forget to configure your application to use Regional Media Zones.

 

Using China Relay

When using the China Relay service you will additionally need to allow access to the following address:

  • websocketproxy.nexmoproxy.cn

Use of Web Proxies

As a general rule, using the latest versions of the Vonage Video API and latest browsers will produce the best results. Most web proxies are supported in browsers and mobile apps today. If the only way to access the Internet from your network is through a web proxy, then it must be a transparent proxy or it must be configured in the browser/OS for HTTPS connections.

As a general rule, native SDKs support web proxies configured at the OS level but not web proxies requiring authentication.

The client SDKs do not support automatic web proxy configuration via a PAC file.

 

Advanced Networking Options

IP Proxies and Configurable TURN servers

For very restrictive environments it is possible for you to control the flow of signalling and media via servers hosted by you. If these are placed in your company’s DMZ then the clients will not require any internet access at all. Alternatively, you can host the components in your cloud and set strict rules in your firewall to allow this traffic to reach only your servers instead of Vonage servers.

Note that both IP Proxy and Configurable TURN require an add-on subscription.

 

Additional Links 

Please find below some additional information on Network and Bandwidth requirements to run a successful Video service: 

What is the minimum bandwidth requirement to use OpenTok?

IP Proxy Server Configuration with AWS

Vonage Video API Unified Environment:

Restricted Network Guidelines

IP Proxy Client Configuration

Configurable TURN

Vonage Video API OpenTok Environment:

Restricted Network Guidelines

IP Proxy Client Configuration

Configurable TURN

How to recognize if I'm using Vonage Video API Unified Environment or Vonage Video API OpenTok environment?