Minimal Firewall Settings for the GoTo App
Learn which minimal firewall and proxy configuration options are required to start a session and use audio, video and screen sharing successfully on our GoTo app (desktop and browser versions).
Version 2.1
Domains
# | Domain | Use | Protocol | Points to IP addresses in |
---|---|---|---|---|
1 | *.goto.com | Main domain | TCP | — |
2 | *.goto-rtc.com | Audio and video servers - uses WebSocket for some connections | UDP/TCP | GoTo/AWS |
3 | *.jive.com | General connections used by GoToConnect | UDP/TCP | — |
4 | *.getgo.com | Various services | TCP | AWS |
5 | *.gotomeeting.com | Various services | TCP | GoTo/AWS |
6 | *.logmeininc.com | Authentication (critical) | — | AWS |
7 | *.expertcity.com | Audio and screen sharing servers | TCP | GoTo |
# | Domain | Use | Protocol | Points to IP addresses in |
---|---|---|---|---|
1 | *.gototraining.com | Central domain (required for GoTo Training only) | TCP | GoTo |
2 | *.firebase.app | Editor for creating polls, can be launched in-session | TCP | |
3 | apis.google.com | Google Drive sharing | TCP | |
4 | *.youtube.com, *.googlevideo.com | YouTube video sharing | TCP | |
Configuration scenarios
The following scenarios are provided by the GoTo Engineering team. Choose the option best suited to your needs (each option is detailed below this list):
- Traffic in case of no restrictions — Recommended for best performance
- UDP over TURN — Recommended for best performance
- TCP 3478 / 443 over TURN
- TCP 443 over TURN — Most restricted in call quality due to things such as deep packet inspection
Traffic in case of no restrictions
In this configuration, common to a typical home user, UDP traffic to the port range 45000-49999 and TCP traffic to port 443 are not restricted. The destination IP ranges are large and housed in the AWS address space, so restricting traffic by IP range is not useful. This setup also delivers the shortest delays and the best error correction under packet loss compared to the scenarios below. However, it requires an unrestricted firewall setup that relies on stateful inspection to open inbound UDP ports as needed. All traffic is initiated outbound, from inside the network where the GoTo client runs.

UDP over TURN
Protocol | DST Port | DST Addr | Action |
---|---|---|---|
UDP | 3478 | Choose from the following: | Allow |
TCP | 443 | All | Allow |
All | All | All | Block |

TCP 3478 / 443 over TURN
In this configuration, TCP is used to transport media to the TURN server. Behind the TURN server, UDP is used towards the GoTo infrastructure. Since TURN servers are in the same geolocation as the user, this helps mitigate some of the drawbacks of TCP over long distances. However, TCP does not handle packet loss as efficiently as UDP, so you can expect more dropped audio and a higher delay compared to the above configuration. Whether the TCP 443 traffic is sent through a proxy is at your discretion.
Protocol | DST Port | DST Addr | Action |
---|---|---|---|
TCP | 3478 | turn-networks (see above) | Allow |
TCP | 443 | All | Allow |
All | All | All | Block |

TCP 443 over TURN
This is the most restricted scenario. You may or may not run the TCP 443 traffic through a proxy. Doing so adds latency to the connection. It also requires a performant proxy to handle the high volume of traffic, especially for video.
Protocol | DST Port | DST Addr | Action |
---|---|---|---|
TCP | 443 | All | Allow |
All | All | All | Block |

Proxy configuration notes
- If your proxy is performing deep packet inspection (DPI), please be sure that all domains listed above are allowlisted. DPI can impact the initial TLS connection and slow down media streams due to processing delays.
- It's less of a problem to have DPI in the path for the signaling connections if you have the media sent via UDP. The only potential issue with this is certificate mismatch, which should not happen with modern proxies.
- GoTo generally uses the configured proxy from the operating system. If a proxy is configured, all TCP traffic will be routed through it. GoTo will nevertheless try to establish UDP connections for media. It is only when these fail that TCP media connections over the proxy will be used.
- In order to send GoTo traffic to a specific proxy different from the one for other traffic, you can use a standard proxy.pac file based on the DNS domains listed above.
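
A proxy.pac sketch for the last note, as an added example that is not GoTo's own file: it routes the domains from the first table above to a dedicated proxy and everything else to the default one. Both proxy addresses are placeholder assumptions, and matching the bare domain as well as its subdomains is a choice made here.

```javascript
// Added example PAC file. Proxy hosts below are placeholders (assumptions),
// not values published by GoTo.
var GOTO_PROXY = "PROXY goto-proxy.example.net:3128";       // assumed
var DEFAULT_PROXY = "PROXY default-proxy.example.net:8080"; // assumed

// Domains from the first table on this page, without the "*." prefix.
var GOTO_DOMAINS = [
  "goto.com", "goto-rtc.com", "jive.com", "getgo.com",
  "gotomeeting.com", "logmeininc.com", "expertcity.com"
];

// True when host is the domain itself or a subdomain of it.
// The leading dot anchors the match on a label boundary, so
// "notgoto.com" and "goto.com.example.org" do not match "goto.com".
function hostInDomain(host, domain) {
  if (host === domain) return true;
  var suffix = "." + domain;
  return host.length > suffix.length &&
         host.slice(-suffix.length) === suffix;
}

function isGoToHost(host) {
  host = String(host).toLowerCase();
  // Drop the trailing dot of a fully qualified name before comparing.
  if (host.charAt(host.length - 1) === ".") host = host.slice(0, -1);
  for (var i = 0; i < GOTO_DOMAINS.length; i++) {
    if (hostInDomain(host, GOTO_DOMAINS[i])) return true;
  }
  return false;
}

// Entry point called by the browser or OS proxy resolver.
function FindProxyForURL(url, host) {
  return isGoToHost(host) ? GOTO_PROXY : DEFAULT_PROXY;
}
```

A PAC file only steers TCP traffic that honours the proxy setting; the UDP media attempts described above are still governed by the firewall rules.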