product icon

Minimal Firewall Settings for the GoTo App

Learn which minimal firewall and proxy configuration options are required to start a session and use audio, video and screen sharing successfully on our GoTo app (desktop and browser versions).

Topics in this article:

Version 2.1

Domains

There are several domains used by GoTo, but not all are needed for running meetings. The following lists of domains are essential for running your meetings and thus will need to be added to your allow-list:
Essential DNS domains
# Domain Use Protocol Points to IP addresses in
1 *.goto.com Main domain TCP
2 *.goto-rtc.com Audio and video servers - uses WebSocket for some connections UDP/TCP GoTo/AWS
3 *.jive.com General connections used by GoToConnect UDP/TCP
4 *.getgo.com Various services TCP AWS
5 *.gotomeeting.com Various services TCP GoTo/AWS
6 *.logmeininc.com Authentication (critical) AWS
7 *.expertcity.com Audio and screen sharing servers TCP GoTo
Additional domains required for GoTo Training
# Domain Use Protocol Points to IP addresses in
1 *.gototraining.com Central domain (required for GoTo Training only) TCP GoTo
2 *.firebase.app Editor for creating polls, can be launched in-session TCP Google
3 apis.google.com Google drive sharing TCP Google
4 *.youtube.com *.googlevideo.com YouTube video sharing TCP Google
Note: Since the signaling is always handled through port 443 TCP, we recommend that you exclude the above domains from any kind of traffic interception. Routing them through an https proxy usually works, but deep packet inspection may either break the certificate chain for the TLS setup or delay packets to the point that quality will suffer.

Configuration scenarios

The following scenarios are provided by the GoTo Engineering team. Choose the option best suited for your needs (Each option is detailed below this list):

  • Traffic in case of no restrictions — Recommended for best performance
  • UDP over TURN — Recommended for best performance
  • TCP 3478 / 443 over TURN
  • TCP 443 over TURN — Most restricted in call quality due to things such as deep packet inspection

Traffic in case of no restrictions

In this configuration, common to a typical home user, UDP traffic to the port range 45000-49999 and TCP traffic to port 443 is not restricted. The destination IP ranges are large and housed in the AWS address space, so it is not useful to run restrictions based on the IP ranges. This setup will also deliver the shortest delays and best error correction in the case of packet loss compared to the scenarios below. However, it requires an unrestricted firewall setup that relies on stateful inspection to open inbound UDP ports as needed. All traffic is initiated from inside the GoTo client network out.

UDP over TURN

In this configuration, all media traffic is sent through a GoTo TURN server using UDP. Traffic to TCP 443 is solely used for signaling, which is why routing it through an https proxy will not impact performance.
Remember: If you use https filtering, make sure the domains listed above are excluded from deep packet inspection, otherwise there might be connection issues due to modified certificates.
Here are the firewall settings needed:
Protocol DST Port DST Addr Action
UDP 3478 Choose from the following:
  • All
  • turn-networks — Use if you want to restrict UDP traffic to the networks GoTo runs their TURN servers on:
    • 68.64.0.0/19
    • 173.199.0.0/18
    • 78.108.124.0/23
    • 202.173.24.0/21
    • 23.239.224.0/19
 Allow
TCP 443 All Allow
All All All Block

TCP 3478 / 443 over TURN

In this configuration, TCP is used to transport media to the TURN server. Behind the TURN server, UDP is used towards the GoTo infrastructure. Since TURN servers are in the same geolocation as the user, this helps mitigate some of the drawbacks of TCP over long distances. However, it is not as efficient with handling packet loss as UDP is, which means that you can expect a higher amount of dropped audio and a higher delay compared to the above configuration. Whether the TCP 443 traffic is sent through a proxy, or not, is up to your discretion.

Protocol DST Port DST Addr Action
TCP 3478 turn-networks (see above) Allow
TCP 443 All Allow
All All All Block

TCP 443 over TURN

This is the most restricted scenario. You may or may not run the TCP 443 traffic through a proxy. Doing so will add additional latency to the connection. It also requires a performant proxy to handle the high amount of traffic, especially for video.

Protocol DST Port DST Addr Action
TCP 443 All Allow
All All All Block

Proxy configuration notes

  • If your proxy is performing deep packet inspection (DPI), please be sure that all domains listed above are allow listed. DPI can impact the initial TLS connection and slow down media streams due to processing delays.
  • It's less of a problem to have DPI in the path for the signaling connections if you have the media sent via UDP. The only potential issue with this is certificate mismatch, which should not happen with modern proxies.
  • GoTo generally uses the configured proxy from the operating system. If a proxy is configured, all TCP traffic will be routed through it. GoTo will nevertheless try to establish UDP connections for media. It is only when these fail that TCP media connections over the proxy will be used.
  • In order to send GoTo traffic to a specific proxy different from the one for other traffic, you can use a standard proxy.pac file based on the DNS domains listed above.